Details
-
Suggestion
-
Resolution: Unresolved
Description
Some feedback about the git auth proxy (which allows pushing back to your repository without any additional configuration) is that it opens an avenue for a potential attacker to commit back to a repository. Under such a scenario, either a compromised Docker image or tool executed as part of the build process would attempt to commit back to a repository. Without user vigilance, such a change could go unnoticed.
Current mitigations include:
- Applying branch restrictions if there is concern about malicious parties attempting to write back to a repository.
- Cryptographic verification of untrusted third party tools (e.g verifying SHAs/digests of Docker images).
- Code review process to ensure untrusted tooling is not introduced into the pipeline.
As it stands, we would suggest verification of any tooling used in a build, as a poisoned tool can already 'steal' code, credentials stored in env vars, or write back from any system that has credentials available to do so.
For future work, we could make the git auth proxy 'opt out' via a configuration option in the bitbucket-pipelines.yml file. This would reduce risk of a tool being able to write back, without the need for configuring branch permissions.