Huge Security Issue with Environment Variables

Issue #16579 duplicate
Prashant Deva
created an issue

Attached to this issue is a bitbucket-pipelines.yml for reference.

As you can see, we use the env vars PROD_AWS_ACCESS_KEY_ID and PROD_AWS_ACCESS_KEY_SECRET to deploy the master branch to our production instance.

However, any developer can change the bitbucket-pipelines.yml and use those env vars for the 'default' pipeline and thus deploy dev code or any other malicious code to the production environment. In fact, this can even happen by accident by a developer editing the file and copy/pasting portions of it to a different step.

There is no way to limit the visibility of these env vars defined in bitbucket project to ensure they are only available while running the master branch pipeline.

This seems to be a huge security issue, allowing any developer to modify the bitbucket-pipelines.yml file and deploy absolutely anything to the production environment.
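As an added illustration, not the attachment referenced above and not Bitbucket's own tooling: a small pre-merge check that flags any reference to a PROD_-prefixed variable in a bitbucket-pipelines.yml outside the master branch pipeline, so a copy/pasted export into the default pipeline is caught before it lands. The sample YAML is constructed, and the scan is indentation-based over the conventional layout rather than a full YAML parser.

```python
import re

# Constructed sample modelled on the layout the issue describes (the real attachment is
# not on the page): master deploys with PROD_* secrets, and the same export has been
# copy/pasted into the default pipeline, which runs for every other branch.
SAMPLE_PIPELINES_YML = """\
pipelines:
  default:
    - step:
        script:
          - npm test
          - export AWS_ACCESS_KEY_ID=$PROD_AWS_ACCESS_KEY_ID
          - export AWS_SECRET_ACCESS_KEY=$PROD_AWS_ACCESS_KEY_SECRET
          - ./deploy.sh production
  branches:
    master:
      - step:
          script:
            - export AWS_ACCESS_KEY_ID=$PROD_AWS_ACCESS_KEY_ID
            - export AWS_SECRET_ACCESS_KEY=$PROD_AWS_ACCESS_KEY_SECRET
            - ./deploy.sh production
"""
# Matches a YAML mapping key at the start of a line, optionally after a "- " list marker.
KEY_RE = re.compile(r"^(\s*)(?:-\s+)?([^\s:#][^:#]*?):(?:\s|$)")

def find_prod_var_misuse(yaml_text, allowed_branch="master", prefix="PROD_"):
    """Return (line_no, pipeline_section, variable) for every $PREFIX... reference outside
    pipelines -> branches -> allowed_branch. Indentation scan; no flow style or anchors."""
    var_re = re.compile(r"\$\{?(" + re.escape(prefix) + r"[A-Za-z0-9_]+)")
    stack = []  # [(indent, key)]: mapping keys enclosing the current line
    findings = []
    for line_no, raw in enumerate(yaml_text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()  # drop comments ('#' inside quotes not handled)
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key = KEY_RE.match(line)
        if key:
            while stack and stack[-1][0] >= indent:
                stack.pop()
            stack.append((indent, key.group(2).strip()))
        path = [k for _, k in stack]
        if "pipelines" not in path:
            continue
        section = path[path.index("pipelines") + 1:]
        if section[:2] == ["branches", allowed_branch]:
            continue  # the one place these secrets are meant to be used
        where = "/".join(section[:2] if section[:1] == ["branches"] else section[:1]) or "pipelines"
        for var in var_re.findall(line):
            findings.append((line_no, where, var))
    return findings
```

Running it over the sample reports the two exports in the default pipeline and nothing in the master step; wiring it into a pull-request check gives reviewers the signal the issue asks for until variable scoping exists in Pipelines itself.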

Comments (2)

  1. Aneita Yang (staff)

    Hi @Prashant Deva,

    Thanks for reaching out and for the suggestion. This isn't a security issue - only users with write access to the repository can access these keys and deploy to production. However, I can understand your concern and we're currently tracking 2 similar requests which I think address your main concerns:

    • Ability to restrict who can deploy changes (#13676)
    • Ability to limit the access to environment variables to either a branch/pipeline or a user (#14231)

    I encourage you to vote for / watch those issues if they are enhancements that you would like to see in Pipelines. No progress on either of the requests so far, but we'd like to have something in place to let teams restrict who can deploy changes by the end of 2018.

    Aneita
