No authentication needed on push to private repo?

Issue #14308 closed
Jerry Gassie
created an issue
  1. I created a private empty repository in bitbucket (using browser)
  2. I associated a local VS13 project with the bitbucket repo url (using VS)
  3. I was able to push files to the bitbucket url without authenticating (using VS)

Why was I able to push data to a private bitbucket repo url, and I was never prompted for credentials? So anyone who had the url could have pushed data to my private repo? When I check repo settings, the checkbox is still enabled for "This is a private repository"...

Comments (8)

  1. Daniel Tao staff

    I assure you, you cannot push to private repositories without authenticating somehow.

    Do you know if you're using an HTTPS URL or an SSH URL? If HTTPS, my best guess is that VS has cached your credentials from a previous time you authenticated with Bitbucket (Windows has a credentials manager that it may integrate with). If SSH, then it is using the public SSH key that's on your computer.

    If you'd like some more peace of mind you could install a VM using a tool like VirtualBox or VMware Fusion and attempt to access your repo from there. Or just ask a friend to try on their computer :)

  2. Jerry Gassie reporter

    Well I just used the https url supplied by bitbucket... but I never 'authenticated' from VS to bitbucket ever... this was the first time I had ever tried.

    With the Windows version of Git, under Git Bash I created a keypair, but this still does not make any sense to me how the connection was at all trusted... Unless VS recognized that my Chrome session had already authenticated, but that wouldn't make any sense.

  3. Daniel Tao staff

    I wish I better understood how Windows credential management worked, @Jerry Gassie. I can assure you that somehow VS was authenticating with Bitbucket, and my only guess is that it was using some shared cache maintained by the operating system (which wouldn't be so surprising, considering VS is a Microsoft product).

    Again, if you're looking for peace of mind I'd recommend trying this out in a VM. If you're feeling especially scientific you could create a fresh VM, install VS code, and attempt to push changes from VS code to your remote URL without accessing Bitbucket in any way (on the VM) beforehand. Then log in to Bitbucket in your browser, or interact with Bitbucket via CLI, and try again.

  4. Martin Wolff

    Windows alone isn't the issue. I could do this just now too on a macOS setup. I was pretty surprised—I was expecting...something? Some request for password or something.

    Even worse, I was able to push after explicitly logging out of the Bitbucket website, so I'd like to know a bit too what's happening? I'm sure it is fine, but it is slightly disturbing to be logged out and do a git push and have it work.

  5. Daniel Tao staff

    @Martin Wolff your session with the website is unrelated to how the git client authenticates to the service. If you are using an SSH-based URL, then your SSH agent is responsible for providing the key, which is a file stored on your local file system. In most cases it does this automatically for you. If you are using an HTTPS-based URL, then more than likely you had to enter your username & password the first time you interacted with Bitbucket via the CLI and your system may or may not have cached those credentials. (It would depend on the system. I wish I had more comprehensive knowledge of all the various mechanisms for caching credentials out there, but alas I do not.)

    If you still have concerns, feel free to raise a support ticket and our support team should be able to work with you to figure out exactly what's going on in your particular setup to put your mind at ease.
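The mechanisms described in comments 1 and 5 (an HTTPS remote is served by git's credential helpers such as Windows Credential Manager or macOS osxkeychain; an SSH remote is served by ssh's agent and identity files) can be checked on the machine itself, and the "try it from a fresh VM" suggestion in comment 3 has a scriptable equivalent: retry the push with every cached credential source switched off. The POSIX shell script below is an added example, not part of this thread or of Bitbucket's or Git's own tooling. It assumes `git` and OpenSSH (`ssh`, `ssh-add`) are on PATH; the URLs it takes are placeholders to be replaced with your own remote, and the usage block at the bottom only runs when a remote URL is passed as the first argument.

```shell
#!/bin/sh
# Added diagnostic (not from the thread). Assumes git and OpenSSH are installed.

# Classify a remote URL by transport; that decides where the credential comes
# from: HTTPS -> git credential helpers / askpass, SSH -> ssh agent / key files.
remote_auth_kind() {
    case "$1" in
        https://*|http://*)       echo https ;;
        ssh://*|*@*:*)            echo ssh ;;      # ssh:// or scp-like user@host:path
        file://*|/*|./*|../*)     echo local ;;
        *)                        echo unknown ;;
    esac
}

# Extract the host part of https://, ssh:// or user@host:path remote URLs.
remote_host() {
    printf '%s\n' "$1" | sed -e 's#^[a-z+]*://##' -e 's#^[^@/]*@##' -e 's#[:/].*##'
}

# Reduce `git credential fill` output (key=value lines) to one line that
# reports whether a password is held, without ever printing the secret.
summarize_credential() {
    awk -F= '
        $1 == "protocol" { proto = $2 }
        $1 == "host"     { host  = $2 }
        $1 == "username" { user  = $2 }
        $1 == "password" { pw    = "<present>" }
        END {
            if (host == "") { print "no cached credential"; exit }
            if (user != "") host = user "@" host
            printf "%s://%s password=%s\n", proto, host, (pw == "" ? "<none>" : pw)
        }'
}

# HTTPS: list the helpers git consults, then ask them (prompting disabled)
# whether they already hold a credential for this remote. Note: a GUI helper
# such as Git Credential Manager may still open a dialog of its own.
show_https_credential_source() {
    url=$1
    echo "credential helpers in effect:"
    git config --show-origin --get-all credential.helper || echo "  (none configured)"
    echo "askpass program: ${GIT_ASKPASS:-$(git config --get core.askPass || echo none)}"
    printf 'url=%s\n\n' "$url" \
        | GIT_TERMINAL_PROMPT=0 git credential fill 2>/dev/null \
        | summarize_credential
}

# SSH: show which identity files ssh would try, what the agent holds, and which
# key the server actually accepted during a test login (ssh -v output).
show_ssh_identity() {
    host=$1
    echo "identity files ssh would try for $host:"
    ssh -G "$host" | awk '$1 == "identityfile" { print "  " $2 }'
    echo "keys loaded in the agent:"
    ssh-add -l 2>/dev/null || echo "  (no agent or no keys)"
    echo "keys offered/accepted during a test login:"
    ssh -vT "git@$host" 2>&1 \
        | grep -E 'Offering public key|Server accepts key|Authenticated to' || true
}

# Scriptable version of "try it from a fresh VM": push with every cached
# credential source disabled. An empty credential.helper resets the helper
# list, GIT_TERMINAL_PROMPT=0 and empty askpass settings stop interactive
# prompts, and for SSH remotes the agent and default key files are bypassed.
# --dry-run so nothing is written even if it does authenticate. If this fails
# with an authentication error, the earlier silent push was served from a
# local cache, not by an unauthenticated remote.
push_without_cached_credentials() {
    remote=$1
    GIT_TERMINAL_PROMPT=0 GIT_ASKPASS= SSH_ASKPASS= \
    GIT_SSH_COMMAND='ssh -F /dev/null -o IdentityAgent=none -o IdentitiesOnly=yes -o IdentityFile=/dev/null' \
        git -c credential.helper= -c core.askPass= \
            push --dry-run "$remote" HEAD
}

# Usage: ./check_push_auth.sh <remote-url>   (placeholder, e.g. the Bitbucket
# HTTPS or SSH clone URL). Nothing runs when no argument is given.
if [ -n "${1:-}" ]; then
    case "$(remote_auth_kind "$1")" in
        https) show_https_credential_source "$1" ;;
        ssh)   show_ssh_identity "$(remote_host "$1")" ;;
        *)     echo "not a network remote: $1" ;;
    esac
    push_without_cached_credentials "$1"
fi
```

Reading the result: for an HTTPS remote, the first function typically prints a helper such as `manager`, `wincred` or `osxkeychain` and a line like `https://jerry@bitbucket.org password=<present>`, which is the cache that made the push "just work"; for an SSH remote, `Server accepts key:` names the key file the server trusted. The final dry-run push failing with `terminal prompts disabled` or `Permission denied (publickey)` is the expected outcome when the repository is actually private.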
