One of our customers would like to assess the security, possible limitations and hardening of the framework running Atlassian plugins; the questions below relate to this. The questions don't relate to a specific add-on; rather, we need a general answer where possible. If this might differ for each Atlassian product, please focus on Bitbucket for now.
How does the plugin run? Does a plugin run as a standalone process with its own memory space and permissions, or on a separate thread assigned to the application process? Is there only one way to run a plugin, or are there more possibilities (e.g. Java running in a container, a native application running)?
Does/can a plugin have network communication capabilities? (Either in the application layer (such as HTTP), or in the network layer (such as TCP or UDP).)
If so, can any restrictions be configured (e.g. which IP addresses or URLs the plugin can access; can a plugin start a listener?) in the plugin, in the plugin configuration, or in the environment that is running the plugin? If so, where?
Can a plugin handle files through OS-level file-handling functions? If so, can it be restricted?
Is it possible to restrict what files, objects and data are accessible to the plugin (through API, interprocess communication, etc.)? Where are the settings for these restrictions, and how/where are they enforced (by the plugin framework, by the OS, by the plugin restricting itself, etc.)?
Does the plugin have the capability to execute any application, script or other code?
What user name and rights does the plugin run under? Can I have a dedicated user with limited privileges?
Can the integrity of the plugin be verified? Can this check be enforced automatically, e.g. with an assigned hash value?
Is there a shareable technical description of the structure and operation of the plugin framework? I'm not thinking of the SDK documentation on how to develop a plugin, but of how the environment runs the plugin, how it provides the interfaces, etc.
Thanks in advance for looking into this!