Questions about framework security, restrictions

Hello Community,

One of our customers would like to assess the security, possible limitations and hardening of the framework running Atlassian plugins; the questions below relate to this. The questions don't relate to a specific add-on; rather, we need a general answer where that is possible. If this differs for each Atlassian product, please focus on Bitbucket for now.

The questions:

  1. How does the plugin run? Does a plugin run as a standalone process with its own memory space and permissions, or on a separate thread assigned to the application process? Is there only one way to run a plugin, or are there more possible options (e.g. Java running in a container, a native application running)?

  2. Does/can a plugin have network communication capabilities? (Either in the application layer (such as HTTP) or in the transport layer (such as TCP or UDP).)

  3. If so, can any restrictions be configured (e.g. which IP addresses or URLs the plugin can access? Can a plugin start a listener?) in the plugin, in the plugin configuration, or in the environment that is running the plugin? If so, where?

  4. Can a plugin handle files through OS-level file handling functions? If so, can it be restricted?

  5. Is it possible to restrict which files, objects and data are accessible to the plugin (through API, interprocess communication, etc.)? Where are the settings for these restrictions, and how/where are they enforced (by the plugin framework, by the OS, the plugin restricting itself, etc.)?

  6. Does the plugin have the capability to execute any application, script or other code?

  7. Under what user name and with what rights does the plugin run? Can I have a dedicated user with limited privileges?

  8. Can the integrity of the plugin be verified? Can this check be enforced automatically, e.g. with an assigned hash value?

  9. Is there a shareable technical description of the structure and operation of the plugin framework? I'm not thinking of the description of the SDK (how to develop a plugin), but of how the environment runs the plugin: how does it provide the interfaces, etc.?

Thanks in advance for looking into this!

0 answers