fix: Update Go-SCM to v1.15.17 for Bitbucket Group Permissions#2479
chmouel merged 4 commits into tektoncd:main from
Fixes group membership checks in Bitbucket Server by properly URL-encoding group names and checking repository-level group permissions.
Enables testing ACL checks for repository-level group permissions alongside existing project-level group checks.
Summary of Changes
Hello @tricktron, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed! This pull request significantly enhances the reliability and accuracy of Bitbucket Data Center authorization by upgrading a core dependency. The changes ensure that group-based permissions, especially those involving spaces in group names and repository-level access, are correctly evaluated, resolving long-standing issues that could lead to incorrect access decisions.
the e2e errors are expected, only the folks that are owner on the pac repo can run them (since we use pull_request_target and secrets)
Code Review
This pull request updates the go-scm dependency to version v1.15.17 to address bugs related to Bitbucket Data Center group permission checks and adds a new test mock helper for repository-level group permissions. However, a security audit identified high-severity vulnerabilities: the updated go-scm library lacks proper URL path escaping for project and repository names, potentially leading to path traversal and API injection. Additionally, the Bitbucket Data Center provider in pipelines-as-code relies on untrusted fields from webhook payloads for security-sensitive operations, which could allow attackers to bypass membership checks or hijack pipeline executions. Furthermore, an issue was found in the new test helper function that might result in invalid mock responses.
| // getProjectGroups returns the groups which have some permissions in the project | ||
| func getProjectGroups(ctx context.Context, org string, os *organizationService, opts *scm.ListOptions) ([]*projGroup, error) { | ||
| func getProjectGroups(ctx context.Context, org string, client *wrapper, opts *scm.ListOptions) ([]*projGroup, error) { | ||
| path := fmt.Sprintf("rest/api/1.0/projects/%s/permissions/groups?%s", org, encodeListOptions(opts)) |
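Review bot: `org` is formatted straight into `rest/api/1.0/projects/%s/permissions/groups`, so a project key containing `/` or `..` changes which endpoint the client requests; `url.PathEscape(org)` is the right fix, but this file is vendored from jenkins-x/go-scm (this PR bumps it to v1.15.17), so an edit under vendor/ is lost at the next bump and should be made upstream and then pulled in. The signature change from `os *organizationService` to `client *wrapper` in the same hunk also means every caller must be re-checked, which matters here because the review summary notes the provider feeds webhook-supplied fields into these lookups.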
The org parameter is interpolated directly into the API path without escaping. If the organization name contains special characters like / or .., it can lead to path traversal or API injection. This is particularly sensitive as this path is used for authorization checks.
| path := fmt.Sprintf("rest/api/1.0/projects/%s/permissions/groups?%s", org, encodeListOptions(opts)) | |
| path := fmt.Sprintf("rest/api/1.0/projects/%s/permissions/groups?%s", url.PathEscape(org), encodeListOptions(opts)) |
| } | ||
| func projectUsersPermissionsPath(org string, opts *scm.ListOptions) string { | ||
| return fmt.Sprintf("rest/api/1.0/projects/%s/permissions/users?%s", org, encodeListOptions(opts)) |
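Review bot: the same unescaped `org` interpolation as in getProjectGroups, here for the `permissions/users` path; whichever fix lands upstream should cover both helpers in one change rather than escaping one path and leaving the other as is.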
The org parameter is used in the API path without escaping. This can be exploited to manipulate the request path and hit unintended API endpoints.
| return fmt.Sprintf("rest/api/1.0/projects/%s/permissions/users?%s", org, encodeListOptions(opts)) | |
| return fmt.Sprintf("rest/api/1.0/projects/%s/permissions/users?%s", url.PathEscape(org), encodeListOptions(opts)) |
| } | ||
| func getRepoGroups(ctx context.Context, namespace, name string, client *wrapper, opts *scm.ListOptions) ([]*projGroup, error) { | ||
| path := fmt.Sprintf("rest/api/1.0/projects/%s/repos/%s/permissions/groups?%s", namespace, name, encodeListOptions(opts)) |
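Review bot: `namespace` and `name` are both interpolated unescaped into `projects/%s/repos/%s/permissions/groups`; since this repo-level lookup is the new call that IsCollaborator() makes (see the Changes list in the description), it sits directly on the authorization path, so escaping each segment with `url.PathEscape` matters more here than in the listing helpers above. Same vendored-file caveat: the fix belongs in go-scm, with the vendor copy refreshed afterwards.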
The namespace and name parameters are used in the API path without escaping. This allows for path traversal and manipulation of the Bitbucket API request structure.
| path := fmt.Sprintf("rest/api/1.0/projects/%s/repos/%s/permissions/groups?%s", namespace, name, encodeListOptions(opts)) | |
| path := fmt.Sprintf("rest/api/1.0/projects/%s/repos/%s/permissions/groups?%s", url.PathEscape(namespace), url.PathEscape(name), encodeListOptions(opts)) |
| if groups == nil { | ||
| fmt.Fprintf(rw, "{\"values\": []}") | ||
| } |
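Review bot: missing `return` after `fmt.Fprintf(rw, "{\"values\": []}")`; the handler falls through to the final write and the recorded body becomes two concatenated JSON objects, which a decoder will reject. A later commit on this PR reports the same pattern in all four mux permission helpers and extracts a shared muxPermissions helper, which is the right shape; the accompanying test should decode the recorded body and assert that nothing follows the first JSON document, so the regression cannot come back silently.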
When groups is nil, the response writer rw is written to by fmt.Fprintf, but the function execution continues, causing a second write by fmt.Fprint at the end of the handler. This results in a malformed JSON response body (e.g., {"values": []}{"values":null}). To fix this, you should add a return statement after the first write to exit the handler early.
if groups == nil {
fmt.Fprint(rw, `{"values": []}`)
return
}
/ok-to-test
@chmouel I should add some more tests to check the bug fixes in go-scm.
The 4 Mux permission helpers wrote double responses when input was nil due to missing returns. Extract shared muxPermissions helper and add test coverage for project/repo group-based access.
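The early-return fix and the path-segment escaping discussed in this PR, as an added Go example that is not code from pipelines-as-code or go-scm: a small httptest handler with a switch that reproduces the double write, a helper that builds the repo-level groups path with each segment escaped, and a client that rejects any body containing more than one JSON document. The projGroup type and the names muxGroupPermissions, groupsPath and listGroups are assumptions, not names from either project.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
)
// projGroup is a minimal stand-in for one /permissions/groups entry (assumed shape, not go-scm's type).
type projGroup struct {
	Name       string `json:"name"`
	Permission string `json:"permission"`
}

// muxGroupPermissions mimics the groups endpoint for tests. With earlyReturn=false it
// reproduces the flagged bug: the nil branch writes a body, then falls through to a second write.
func muxGroupPermissions(groups []projGroup, earlyReturn bool) http.HandlerFunc {
	return func(rw http.ResponseWriter, _ *http.Request) {
		if groups == nil {
			fmt.Fprint(rw, `{"values": []}`)
			if earlyReturn {
				return
			}
		}
		_ = json.NewEncoder(rw).Encode(map[string]any{"values": groups})
	}
}

// groupsPath escapes each segment so "/" or ".." in a project key or repo slug cannot change the route.
func groupsPath(project, repo string) string {
	return fmt.Sprintf("rest/api/1.0/projects/%s/repos/%s/permissions/groups",
		url.PathEscape(project), url.PathEscape(repo))
}

// listGroups drives the handler through httptest and rejects a body that is not exactly one JSON document.
func listGroups(h http.Handler, project, repo string) ([]projGroup, error) {
	req := httptest.NewRequest(http.MethodGet, "/"+groupsPath(project, repo), nil)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	var out struct{ Values []projGroup `json:"values"` }
	dec := json.NewDecoder(rec.Body)
	if err := dec.Decode(&out); err != nil {
		return nil, err
	}
	if dec.More() { // trailing data means the handler wrote twice
		return nil, fmt.Errorf("malformed body: more than one JSON document")
	}
	return out.Values, nil
}
```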
@chmouel Ok, I added the tests. We are not in a hurry for this as we will receive these updates anyway only with our openshift-pipelines update. As far as I can see the bitbucket e2e tests don't test this additional feature. So in my opinion you can already merge this.
/ok-to-test
Thank you 🙏🏻
📝 Description of the Change
Bumps vendored jenkins-x/go-scm to v1.15.17 to fix three bugs in Bitbucket Data Center group-based permission checking: URL-encoding of group names with spaces, error short-circuiting that aborted authorization checks, and missing repository-level group permission lookups. Adds missing test mock for repo-level group permissions to fix test failures caused by the new IsCollaborator() group lookup.
Changes
MuxRepoGroupMembership test helper and wire it into acl_test.go to mock the new /permissions/groups endpoint hit by IsCollaborator()
👨🏻 Linked Jira
🔗 Linked GitHub Issue
Fixes #2477