
Audit security commit from unknown user

This is related to:

https://community.atlassian.com/t5/Bitbucket-questions/Is-there-a-way-to-disable-commits-from-unknown-users-on-a/qaq-p/624451

 

When a user has an improperly configured email on their PC, they can push commits that show up as "unknown" or "this user cannot be mapped to an Atlassian account".

Knowing who just pushed a commit is dependent on the person pushing the commit telling you they are the ones who pushed the commit. They must either tell you in person or properly configure their email before pushing the commit. Otherwise they can configure random information and push a commit that shows up as an unknown user.

My main issue is this can also be used by malicious people to push commits from "unknown" users and we can't tell whose machine or key was compromised.

We have a lot of commits from unknown users. While we think we've been able to verify most of them, we aren't certain they are all authorized commits.

In 2017 (see article) it was said there was no way to disallow this from happening. Are there any better options today? Are there any Atlassian workflows that can be adopted to prevent commits from unknown users?

1 answer

0 votes
Caroline R Atlassian Team Sep 22, 2022

Hi, @travistst, thank you for reaching out to Atlassian Community.

You are correct, credentials and commit authors are two separate concepts and are unrelated to each other. So, when a push is made to Bitbucket, we receive the user credentials and check if the provided credentials are able to push to the repository the user is trying to push to. If the HTTPS or SSH credentials are correct, the push is performed, otherwise, it will fail. This is what we use to check for security and confirm the user who is pushing to Bitbucket is who they say they are.

The commit author, which is a different configuration from their credentials, is not checked on push time, and this is expected. What you see on the commits page is this configuration coming from Git, and not the credentials used to authenticate against Bitbucket. 

So what we recommend in this case is to ask the users who work on this workspace to run the following commands on their accounts and confirm if their emails are configured correctly: 

git config --global --list

git config --local --list

git config --system --list

Just to clarify, in order to set the username and email on Git, they can run these commands:

Set your username:
git config --global user.name "FIRST_NAME LAST_NAME"

Set your email:
git config --global user.email "MY_NAME@example.com"

We still have that feature request to prevent unknown committers from pushing to a repository, so I would suggest that you add your vote there (by selecting the Vote for this issue link) as the number of votes helps the development team and product managers better understand the demand for new features:

You are more than welcome to leave any feedback, and you can also add yourself as a watcher (by selecting the Start watching this issue link) if you'd like to get notified via email on updates.

Implementation of new features is done as per our policy here and any updates will be posted in the feature request. 

Kind regards,
Caroline
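The answer above explains the mechanism: the author/committer identity in a commit is self-reported client-side configuration, while only the push credential is verified by Bitbucket. That makes "unknown user" commits something to audit after the fact rather than something the server blocks. As an added example (not from the original post and not Atlassian tooling), the Python script below parses `git log` output and flags every commit whose author or committer address is not on a list of verified addresses, is not a mailbox address at all (the "cannot be mapped to an account" case), sits in a trusted domain but is not yet verified, or has an author that differs from the committer (a rebase, cherry-pick, or someone pushing another person's work). The `git log` format string is real git syntax; the sample log lines, the `example.com` domain and the `KNOWN_EMAILS` allowlist are constructed for the example.

```python
"""Audit git history for commits whose author/committer identity is unverified.

Added example; not part of the original post or of Bitbucket itself.
The sample log, the allowlist and the domain below are constructed inputs.
"""
import subprocess
from dataclasses import dataclass

# One tab-separated record per commit: hash, author name/email, committer
# name/email, subject. %x09 is a tab; the subject is last so it may contain tabs.
LOG_FORMAT = "%H%x09%an%x09%ae%x09%cn%x09%ce%x09%s"
FIELDS = ("hash", "author_name", "author_email",
          "committer_name", "committer_email", "subject")


@dataclass(frozen=True)
class Finding:
    commit: str
    role: str      # "author", "committer", "author+committer", "author!=committer"
    email: str
    reason: str


def parse_log(text):
    """Turn `git log --format=LOG_FORMAT` output into a list of dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split("\t", len(FIELDS) - 1)
        if len(parts) != len(FIELDS):
            raise ValueError(f"malformed git log line: {line!r}")
        records.append(dict(zip(FIELDS, parts)))
    return records


def classify(email, known, domains):
    """Return None for a verified address, otherwise a reason to investigate."""
    e = email.strip().lower()
    if e in known:
        return None
    if "@" not in e or e.endswith("@") or e.startswith("@"):
        # e.g. "root", "user@" - Bitbucket shows these as an unknown user
        return "not a mailbox address (cannot be mapped to an account)"
    domain = e.rsplit("@", 1)[1]
    if domain in domains:
        return "allowed domain but address not in verified list"
    return "domain not in allowlist"


def audit(records, known_emails, allowed_domains=()):
    """Flag commits whose identities are unverified or internally inconsistent."""
    known = {e.lower() for e in known_emails}
    domains = {d.lower() for d in allowed_domains}
    findings = []
    for r in records:
        a = r["author_email"].lower()
        c = r["committer_email"].lower()
        # Check each distinct identity once; a rebase gives two identities.
        roles = {"author+committer": a} if a == c else {"author": a, "committer": c}
        for role, email in roles.items():
            reason = classify(email, known, domains)
            if reason:
                findings.append(Finding(r["hash"], role, email, reason))
        if a != c:
            findings.append(Finding(
                r["hash"], "author!=committer", f"{a} / {c}",
                "author and committer differ (rebase, cherry-pick, or pushed on someone's behalf)"))
    return findings


def git_log_records(repo_path, rev_range="HEAD"):
    """Collect records from a real checkout (requires git; not used by the sample run)."""
    out = subprocess.run(
        ["git", "-C", repo_path, "log", f"--format={LOG_FORMAT}", rev_range],
        check=True, capture_output=True, text=True).stdout
    return parse_log(out)


# Constructed sample: what the git log command above would print for five commits.
SAMPLE_LOG = "\n".join([
    "a1b2c3d4\tAlice Example\talice@example.com\tAlice Example\talice@example.com\tFix login check",
    "b2c3d4e5\troot\troot@localhost.localdomain\troot\troot@localhost.localdomain\tHotfix",
    "c3d4e5f6\tBob Builder\tbob@example.com\tAlice Example\talice@example.com\tRebased feature",
    "d4e5f6a7\tmallory\tmallory@attacker.test\tmallory\tmallory@attacker.test\tUpdate build script",
    "e5f6a7b8\tCarol\tcarol@example.com\tCarol\tcarol@example.com\tAdd docs",
])
KNOWN_EMAILS = ("alice@example.com", "bob@example.com")   # assumed verified list
ALLOWED_DOMAINS = ("example.com",)                        # assumed company domain


def audit_sample():
    return audit(parse_log(SAMPLE_LOG), KNOWN_EMAILS, ALLOWED_DOMAINS)


if __name__ == "__main__":
    for f in audit_sample():
        print(f"{f.commit[:8]}  {f.role:<18} {f.email:<42} {f.reason}")
```

On the sample input this reports four commits: the `root@localhost.localdomain` and `mallory@attacker.test` identities (domain not allowed), `carol@example.com` (right domain, not yet verified), and the rebased commit whose author and committer differ. Because the identity is self-reported, a finding is a lead to correlate with who actually held the push credential, not proof of who wrote the code. Two git-side settings reduce the accidental cases: `git config --global user.useConfigOnly true` makes git refuse to commit until `user.name` and `user.email` are set explicitly instead of guessing them from the hostname, and signed commits (`git commit -S`) tie an author to a key you have on record rather than to a free-text email.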

DEPLOYMENT TYPE: CLOUD
PERMISSIONS LEVEL: Site Admin