Bitbucket Pipelines: "Pushing back to your repository" feature introduces security issue

Issue #18228 duplicate
Ryan Bannon created an issue

Hello,

This issue is in regard to the new feature in BP that allows pushes back up to a repository without the need for authentication. I believe this creates a big security hole in what was (before this feature was introduced) a more secure system.

For example, consider a CI workflow where developers merge in PRs from outside developers. Aside from code reviews (which are subject to human error), there would be nothing stopping a malicious outside developer from writing a script that pushes code back up to the repository. Perhaps this could be prevented by locking down the repository with branch permissions (i.e. only allow code in via a PR merge), but then BP cannot use a bot account to do automated pushes.

It seems to me that the old system -- base64 encoding an SSH key -- while slightly inconvenient, was very secure. With the new HTTP pushing feature, that security is lost for a minor gain in convenience.

If I'm missing something here, I'd REALLY like to know what, because from my POV this is a big step backwards.

For reference, please see https://community.atlassian.com/t5/Bitbucket-Pipelines-articles/Pushing-back-to-your-repository/ba-p/958407?utm_campaign=mentions_comment&utm_content=topic&utm_medium=email&utm_source=atlcomm

(I have made several comments in the thread regarding this security hole. In particular, I was requesting further discussion, but got no response. I'm hoping raising the issue here will help.)

Thanks,

Ryan
