I have a self-hosted BitBucket instance that I do not want accessed via https - all scm access will be via ssh. I've turned off HTTP(S) SCM, which does prevent un-authenticated scm access via https, which works:
fatal: remote error: SCM access over HTTP(S) has been disabled
However, if I attempt to git clone a non-existent repository, I instead get the message
fatal: remote error: Repository not found
The requested repository does not exist, or you do not have permission to
If I explicitly disable https scm access, why is BitBucket even reporting that the repository doesn't exist? I would have expected the first message (https disabled) instead.
An unauthenticated, random remote user shouldn't be able to confirm the presence/absence of my repositories this way.
Or am I missing something?
I think you've found a legitimate security bug in Bitbucket Server. You can create a new issue in the BSERV Jira tracker: https://jira.atlassian.com/projects/BSERV
Note: sometimes it can take a while before the Bitbucket team completes tickets in that tracker, but they have gotten much better about this over the last couple years.
Beginning on April 4th, we will be implementing push limits. This means that your push cannot be completed if it is over 3.5 GB. If you do attempt to complete a push that is over 3.5 GB, it will fail...