
Issue #3958 closed

Your commits in repositories which you are not allowed to view are shown in newsfeed (BB-4112)

Mateusz Heleniak
created an issue

I would say this is a security issue.

This is not a standard situation, as your commit is used in a private repository where you don't have access.

A way to reproduce this is to use Symfony2 Standard as the base of your private application. Importing the commit history of Symfony2 into your repo will show your newly created repo to every contributor to the Symfony2 Standard repository who has an account on Bitbucket (and probably other open source projects).

For example, right now I can see in "Recent activity" that I have

"committed to symfony-mlk

e7b7b0f36646 replaced app/bootstrap wildcard with explicit entry this could be done as app/bootstrap_cache.php.cache is no longer created and used (see 8a7be4fdcac34685757439f86fbd64bee6643cc8) 3 days ago "

"symfony-mlk" is a private repo which is not mine and I am not allowed to view it, so I shouldn't even see the name of this repo in my activity stream or know when this repository was updated with my commit from the Symfony2 repo. This may be a security risk for currently deployed projects with a readable repo name (e.g. host name = repo name).

Comments (7)

  1. Brodie Rao

    The only entry I see in our newsfeed system for that commit/repo came from mheleniak/symfony-mlk (which now seems to be deleted from the site). Are you sure it was really for another repository and not your own?

  2. Mateusz Heleniak reporter

    Yes. I am sure. I have never created repo called 'symfony-mlk'. There were also other similar cases.

    This is a site-wide issue, not connected with a specific repo, but with the way the newsfeed currently works.

    The situation can probably be reversed for easier testing. Create a private repository with a random name by importing https://github.com/symfony/symfony-standard. After that, please check whether your newly created private repo appears in the newsfeed of fabpot's account.

  3. Brodie Rao

    OK, I've done the following things:

    fabpot's news feed is still the same as it was before I did anything—there aren't any events from my repos.

    I think I've figured out what happened. I misinterpreted the event data I saw—that event came from another user. He created an empty, public repo named symfony-mlk, pushed up the entire repo (this is when you got the news feed entry), deleted the repo, and recreated it as a private repo (this is when you saw the link to the commit and clicked on it).

    So the problem is that our permission checks to see if you can view an event (after the fact) don't apply to events from deleted repos, and if a new repo is made later on with the same user/name, its permissions don't apply to that event either. It can be a bit confusing, but I think this is an acceptable limitation.
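A toy model of the limitation described in the comment above, added here as an example and not Bitbucket's code: an activity event keeps pointing at the repository it was recorded in, and the buggy read-time filter lets the event through once that repository has been deleted or replaced by a new one under the same owner/name. The hardened variants resolve the repository by its current name at read time and purge events when a repository is deleted. All names and the commit line are constructed sample data.

```python
"""Hypothetical model of a newsfeed visibility check (not Bitbucket's code).
An Event remembers the repo id and owner/slug it was pushed to; the feed
must decide, after the fact, whether a viewer may see it."""
from dataclasses import dataclass, field


@dataclass
class Repo:
    repo_id: int
    owner: str
    slug: str
    private: bool
    members: set = field(default_factory=set)

    @property
    def full_name(self):
        return f"{self.owner}/{self.slug}"


@dataclass
class Event:
    repo_id: int        # id of the repo the push was recorded in
    repo_name: str      # owner/slug at the time of the push
    actor: str          # commit author, whose feed the event lands in
    commit: str


class Site:
    def __init__(self):
        self.repos = {}     # repo_id -> Repo, live repos only
        self.events = []
        self._next_id = 1

    def create_repo(self, owner, slug, private, members=()):
        repo = Repo(self._next_id, owner, slug, private, set(members))
        self.repos[repo.repo_id] = repo
        self._next_id += 1
        return repo

    def push(self, repo, author, commit):
        self.events.append(Event(repo.repo_id, repo.full_name, author, commit))

    def delete_repo(self, repo):
        # Buggy variant: the repo row goes away but its events stay behind.
        del self.repos[repo.repo_id]

    def delete_repo_fixed(self, repo):
        # Hardened variant: deleting the repo also purges its events,
        # so no orphaned event survives for the feed to show later.
        self.delete_repo(repo)
        self.events = [e for e in self.events if e.repo_id != repo.repo_id]


def can_view(repo, viewer):
    return (not repo.private) or viewer == repo.owner or viewer in repo.members


def feed_buggy(site, viewer):
    """Look the repo up by the id stored on the event. When no live repo has
    that id (deleted, or deleted and recreated under a new id) no permission
    check is applied and the event is shown."""
    shown = []
    for e in site.events:
        if e.actor != viewer:
            continue
        repo = site.repos.get(e.repo_id)
        if repo is None or can_view(repo, viewer):
            shown.append(e.repo_name)
    return shown


def feed_fixed(site, viewer):
    """Resolve the repo by its current owner/slug at read time, drop events
    with no live repo, and apply the permissions of the repo that exists now."""
    by_name = {r.full_name: r for r in site.repos.values()}
    shown = []
    for e in site.events:
        if e.actor != viewer:
            continue
        repo = by_name.get(e.repo_name)
        if repo is not None and can_view(repo, viewer):
            shown.append(e.repo_name)
    return shown


def scenario(fixed_delete=False):
    """Replay the sequence from the comment and return what each feed shows
    to the commit author. Constructed names; not real accounts or repos."""
    site = Site()
    author = "mheleniak"
    commit = "e7b7b0f36646 replaced app/bootstrap wildcard with explicit entry"

    # A public upstream that carries the author's commit; must stay visible.
    upstream = site.create_repo("fabpot", "symfony-standard", private=False)
    site.push(upstream, author, commit)

    # Another user imports that history into a public repo, deletes it, and
    # recreates it under the same name as a private repo.
    public_copy = site.create_repo("otheruser", "symfony-mlk", private=False)
    site.push(public_copy, author, commit)
    (site.delete_repo_fixed if fixed_delete else site.delete_repo)(public_copy)
    site.create_repo("otheruser", "symfony-mlk", private=True, members={"otheruser"})

    return feed_buggy(site, author), feed_fixed(site, author)
```

Running `scenario()` shows the buggy feed listing `otheruser/symfony-mlk` for the author while the name-resolving filter hides it; `scenario(fixed_delete=True)` shows that purging events on deletion closes the gap even for the buggy filter. Both measures are worth having: read-time resolution handles repos recreated under the same name, and cascading deletion keeps orphaned events from being evaluated at all.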

  4. Mateusz Heleniak reporter

    Can you investigate this further? I am still seeing this happen every once in a while.

    This is not just a minor issue for me - I am worried about security. If notifications are not working properly and can skip permission checks... then there can be more holes like this.

    To help with debugging, right now in my activity stream there is: "

    committed to kolba/symf21-temp

    e7b7b0f36646 replaced app/bootstrap wildcard with explicit entry this could be done as `app/bootstrap_cache.php.cache` is no longer created and used (see 8a7be4fdcac34685757439f86fbd64bee6643cc8) 59 minutes ago"
