SECURITY - At symbol Random Reference to non-team member

Issue #18008 resolved
Scott Kennedy created an issue

Steps to reproduce:

  1. Create a new branch
  2. Commit code with a commit message
     a. We are using SourceTree, but it should happen with the git CLI as well.
     b. If it's a single commit, it uses the commit message as the title. We copy-paste it to the description, but if we have multiple commits, the messages fill the description section.

Either way, if the @ symbol is in a commit message in the description section of a pull request, the system makes a random reference to a user account outside of our team.

First occurrence was a link to https://bitbucket.org/Section/profile/teams because @ section was used in our commit message (PHP Laravel Blade template language).

Second occurrence, to test the theory: pull request 86 on the affiliate repository links to https://bitbucket.org/extrazozer/ because @ extrazozer made the connection.

I want to make sure this does not give these users access to our code. I was unable to find any link back to this reference from the /extrazozer account.
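One defensive check a team could run over auto-generated pull request text before posting it, so that Blade directives such as @section are not rendered as user mentions. This is an added example, not Bitbucket's code or the reporter's; the team roster and the sample description are constructed.

```python
import re

# Constructed team roster for this example (lower-case usernames).
TEAM = {"scott_kennedy", "nick_a"}

# An @-mention candidate: '@' followed by username-like characters.
# The lookbehind skips '@' that follows a word character (e-mail addresses)
# or a backtick (tokens already inside a Markdown code span).
MENTION_RE = re.compile(r"(?<![\w`])@([A-Za-z0-9_.-]+)")


def neutralize_mentions(text: str, team: set[str]) -> tuple[str, list[str]]:
    """Return (sanitized_text, unexpected_names).

    Any '@name' whose name is not on the team roster is wrapped in backticks,
    so a Markdown renderer shows it as literal code instead of linking it to
    whichever account happens to own that username. Team mentions are kept.
    """
    unexpected: list[str] = []

    def replace(match: re.Match) -> str:
        name = match.group(1)
        if name.lower() in team:
            return match.group(0)
        unexpected.append(name)
        return f"`@{name}`"

    return MENTION_RE.sub(replace, text), unexpected


# Constructed sample: a PR description assembled from commit messages.
DESCRIPTION = """Refactor layout
- add @section('content') and @yield('scripts') to master.blade.php
- fix typo reported by @scott_kennedy
- contact ops@example.com for deploy credentials
"""

if __name__ == "__main__":
    body, names = neutralize_mentions(DESCRIPTION, TEAM)
    print(body)
    print("neutralized:", names)
```

Running the script prints the description with `@section` and `@yield` wrapped in backticks, the team mention untouched, and the e-mail address left alone.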

Comments (4)

  1. Scott Kennedy reporter

    All of our pull request descriptions are auto-generated (unless we have to copy-paste from the title to the description on single commit messages).

  2. Scott Kennedy reporter

    In the actual commit that contains the @ section, it does not reference this user. So in one spot it shows the proper string, and on the pull request it shows as a link to the user.

  3. Nick A

    We have seen the same thing. We've tagged a user on our team and the resulting full name was unfamiliar to us. We're wondering if it also has to do with the disappearance of the autocomplete feature when typing a team member's name.

  4. Alastair Wilkes staff

    Hi Scott,

    Thanks for the report. Since this bug was opened, mention behavior has been modified such that this should not occur anymore.

    In the past (i.e. when this bug was reported), while these references did appear as user mentions in the UI, rest assured that users without access were never really mentioned. They did not receive notifications, etc. That said, we apologize for any alarm this behavior caused you and your team.

    Thanks,
    Alastair
    Bitbucket PM