Encrypt password

Issue #39 new
Michael Afidchao created an issue

As mentioned in issue #28 , passwords are stored in plain text in the audit log, and thus anyone with admin access to the repository can see these credentials. Even if you scrub the audit log, you can also view this with right click -> Inspect in your web browser.

Is it possible to encrypt these passwords so they aren't in plain text? Another Bitbucket webhook, "Stash Hook Mirror", has done this and stores a key within the database: https://github.com/ef-labs/stash-hook-mirror/blob/master/src/main/java/com/englishtown/bitbucket/hook/DefaultPasswordEncryptor.java

https://github.com/ef-labs/stash-hook-mirror/blob/master/src/main/java/com/englishtown/bitbucket/hook/MirrorRepositoryHook.java#L301

Even if it is still not safe from an attack from within, as you mentioned, it at least requires access to the database (which should be harder to get than repo admin access).
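The scheme the issue points at (a randomly generated key kept in the database, used to encrypt the mirror password before it is written to the repository settings or the audit log) can be sketched as follows. This is an added example, not code from this plugin or from Stash Hook Mirror; it uses AES-256-GCM so that a tampered or wrong-key value is rejected rather than decrypted to garbage, and prefixes the stored value with a format version so the scheme can be rotated later. The function names and the `v1:` prefix are this example's own choices.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// formatVersion is prepended to every stored value so that old rows remain
// decryptable if the encryption scheme changes later. (Example convention.)
const formatVersion = "v1:"

// NewKey returns a fresh 256-bit AES key. In the plugin setting described in the
// issue, this value would be generated once and persisted in the database,
// separate from the repository configuration and the audit log.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// Encrypt seals a mirror password with AES-256-GCM under key and returns the
// printable form "v1:" + base64(nonce || ciphertext || tag). A fresh random
// nonce is drawn for every call, so encrypting the same password twice yields
// different stored values.
func Encrypt(key []byte, password string) (string, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	// Seal appends ciphertext and tag after the nonce, giving nonce||ct||tag.
	sealed := gcm.Seal(nonce, nonce, []byte(password), nil)
	return formatVersion + base64.StdEncoding.EncodeToString(sealed), nil
}

// Decrypt reverses Encrypt. Any modification of the stored value, or use of
// the wrong key, fails GCM authentication and returns an error.
func Decrypt(key []byte, stored string) (string, error) {
	if !strings.HasPrefix(stored, formatVersion) {
		return "", errors.New("unknown stored-password format")
	}
	raw, err := base64.StdEncoding.DecodeString(strings.TrimPrefix(stored, formatVersion))
	if err != nil {
		return "", err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	if len(raw) < gcm.NonceSize() {
		return "", errors.New("stored value too short")
	}
	nonce, ct := raw[:gcm.NonceSize()], raw[gcm.NonceSize():]
	plain, err := gcm.Open(nil, nonce, ct, nil)
	if err != nil {
		return "", err
	}
	return string(plain), nil
}

func main() {
	key, err := NewKey() // would come from the database in the plugin
	if err != nil {
		panic(err)
	}
	// Constructed sample credential; nothing here is a real password.
	stored, err := Encrypt(key, "example-mirror-password")
	if err != nil {
		panic(err)
	}
	fmt.Println("stored form:", stored)
	back, err := Decrypt(key, stored)
	fmt.Println("round trip:", back, err)
}
```

The stored string is what would land in the repository settings (and therefore in the audit log and the browser's inspector); recovering the password requires both that string and the key row in the database, which is the separation the issue asks for.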

Comments (1)

  1. Alexander Renteln

    Hi Michael,

    Thank you very much for your feedback.

    And yes, you're right. I saw the code from the mirror plugin too. I can't promise any time frame, but I'll definitely put it in when I get to it. If you are in any hurry, pull requests are always welcome... ;-)

    Best, Alex