Private repository names are discoverable

Gavin Wahl created an issue

By guessing repository names, anyone can discover the names of someone's private repos. For example, my user, gavinwahl, has a private repo named private-repo. By visiting https://bitbucket.org/gavinwahl/private-repo this can be confirmed, because the page returns a redirect to the login page. I do not have a private repo named 'foo', and you know this because https://bitbucket.org/gavinwahl/foo returns a 404.

It should not be possible to gain any information about a user's private repositories. By using different behavior for repositories that exist or don't, anyone can learn whether a specific repository name exists or not.
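As an added illustration (not code from this issue or from Bitbucket), a small Python model of the two response policies: the differential one the report describes, where an anonymous request for an existing private repo redirects to login while a missing name gets a 404, and a uniform policy where every inaccessible or missing name gets the same 404. The login path, the 403 for a logged-in viewer without access, and the public-repo entry are assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Repo:
    owner: str
    name: str
    private: bool
    members: frozenset = field(default_factory=frozenset)

# Constructed sample data: the private repo named in the issue plus an
# assumed public one for contrast.
REPOS = {
    ("gavinwahl", "private-repo"): Repo("gavinwahl", "private-repo", True, frozenset({"gavinwahl"})),
    ("gavinwahl", "public-repo"): Repo("gavinwahl", "public-repo", False),
}

LOGIN_REDIRECT = (302, "/account/signin/")  # assumed login path
NOT_FOUND = (404, None)

def can_view(repo, viewer):
    return not repo.private or viewer == repo.owner or viewer in repo.members

def respond(owner, name, viewer, uniform):
    """Return (status, location) for GET /<owner>/<name>.

    uniform=False reproduces the behaviour the issue describes: an existing
    private repo the viewer cannot see redirects to login (anonymous) or is
    refused (logged in; 403 is an assumption), while a missing name is a 404.
    uniform=True answers every inaccessible or missing name with the same 404,
    so the response no longer reveals whether the name is taken.
    """
    repo = REPOS.get((owner, name))
    if repo is not None and can_view(repo, viewer):
        return (200, None)
    if uniform or repo is None:
        return NOT_FOUND
    return LOGIN_REDIRECT if viewer is None else (403, None)

def leaks_existence(viewer, uniform):
    """True when the viewer can distinguish a private repo from a missing one."""
    private = respond("gavinwahl", "private-repo", viewer, uniform)
    missing = respond("gavinwahl", "foo", viewer, uniform)
    return private != missing
```

The uniform policy is exactly the trade-off discussed in the comments: it closes the oracle, but a logged-out collaborator now sees the same 404 as a stranger.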

Comments (3)

  1. Erik van Zijst

    We get this issue raised every so often, yet have decided to keep the behavior as is.

    Always returning a 404 is known to confuse legitimate access by people who don't realize they are logged out, or users that have multiple accounts and are logged in with the one that does not have access to the repo. Or simply users that don't realize they've had their access revoked.

    We have seen people freak out thinking their repos have vanished and raising support requests before they figure out it's a privilege problem.

    We don't think the loss of privacy by being able to guess the existence of a resource you cannot access is worse than the confusion during legitimate use, although we do understand that some people might have a different opinion.
