[JENKINS-73468] Fix mistaken doCheckServerUrl AccessDeniedException #864
base: master
Conversation
@Pldi23 Why was
I don't remember the details and don't have access to SECURITY-2033 anymore to refresh my memory, but looking at the code I assume that an attacker could access the Bitbucket configuration and be able to obtain the URL, which could be part of another attack.
@Pldi23 With the fix I propose, only authenticated and authorized users could access the Bitbucket URL. So per my understanding those endpoints are still safe.
@Dohbedoh Yeah, looks safe from my point of view!
src/test/java/com/cloudbees/jenkins/plugins/bitbucket/Security2033Test.java
Otherwise, I agree with Dima, it looks safe.
cc @jenkinsci/bitbucket-branch-source-plugin-developers
Similar to what was once done for another field: https://github.com/jenkinsci/bitbucket-branch-source-plugin/pull/377/files.
And I think it was introduced by 95d5766.