Check that user name in a commit matches the authentication credentials

Hi all,

when experimenting with our own instance of Bitbucket, we determined that it is possible to

clone a repository
configure the local clone with an arbitrary user name and email
create commits
push to Bitbucket server using SSH, such that the author of the commits does not match the user authenticating over SSH.

This could allow a developer to submit commits on behalf of another user without the consent of the latter (we tested this).

Is there any way to check upon a push that all commits being pushed are (co-)authored by the user authenticating to the server?

Thanks in advance!

Damian

1 answer

0 votes

We investigated this further and found out that Azure Dev Ops,for example, does log the user credentials used to push commits (see attached).

Is this information logged in Bitbucket as well?

You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.