Bitbucket Pipelines: "Pushing back to your repository" feature introduces security issue

Issue #18228 duplicate
Ryan Bannon created an issue


This issue is in regard to the new feature in BP that allows pushes back up to a repository without the need for authentication. I believe this creates a big security hole in what was (before this feature was introduced) a more secure system.

For example, consider a CI workflow where developers merge in PRs from outside developers. Aside from code reviews (which are subject to human error), there would be nothing stopping a malicious outside developer from writing a script that pushes code back up to the repository. Perhaps this could be prevented by locking down the repository with branch permissions (i.e. only allow code in via a PR merge), but then BP cannot use a bot account to do automated pushes.

It seems to me that the old system -- base64 encoding an SSH key -- while slightly inconvenient, was very secure. With the new HTTP pushing feature, that security is lost for a minor gain in convenience.

If I'm missing something here, I'd REALLY like to know what, because from my POV this is a big step backwards.

For reference, please see

(I have made several comments in the thread regarding this security hole. In particular, I was requesting further discussion, but got no response. I'm hoping raising the issue here will help.)


