Existence and file structure of private repos can be determined by HTTP status codes

Issue #4014 wontfix
Kevin Burke
created an issue

Searching for a file in a private repo that exists will redirect you to a login screen (example: https://bitbucket.org/kevinburke/blog-theme/src/ca315864172e/apt). However searching for files with similar names will 404 (example: https://bitbucket.org/kevinburke/blog-theme/src/ca315864172e/nope). This could allow a determined attacker to determine the folder structure and files contained in Bitbucket private repositories (as well as determine the existence of private repositories).

Comments (2)

  1. Dylan Etkin

    Hi Kevin,

    Thanks for reporting. We have discussed this issue and have decided to leave the existing behavior.

    It is true that someone could brut-force their way into find out private repo names.

    However we feel that the use-case of people that are actually trying to a repo that may not have been correctly shared is more likely. In this case we would like the users to know they need to contact the owner to get the permissions sorted out.



  2. Log in to comment