Create
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Sign up Log in
Products
See all
Community resources
Top groups
Explore all groups
Community resources
Learn
Community resources
Events
Community resources

How safe is Fisheye?

Aaron Jones4
Aaron Jones March 3, 2013

We're in the process of getting up and running on a many of Atlassian's products, but Fisheye is causing a lot of concern. Most of the concern centers around the ability to download the raw source code and the fear is that some malicious person could script the traversing of a repository and download the entire thing.

Does Fisheye have any protection against this sort of attack? Can the Raw view and download raw files buttons be disabled (other than a CSS hack)? Or has this been completely overlooked?

Answer
Watch
Like Be the first to like this
425 views

3 answers

1 accepted

2 votes
Answer accepted
Tom Davies
Tom Davies
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
March 4, 2013

You can set FishEye's permissions so that only a particular set of users can see a particular repository.

It sounds as though you want to have users who can see files in a repository without seeing 'too much' of it. Is that correct?

If particular parts of a repository are particularly sensitive you can map the same VCS repository to several FishEye repositories, each of which scans a different subset of the VCS repository, and each of which has a different set of permissions.

There is no way of preventing a user who has access to a repository downloading the source of all the files in the repository -- even if it was possible to remove access to raw source code they could simply download the difference between each revision and compose them.

Reply
1 vote
JamieA
JamieA
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
Get recognized
March 3, 2013

Why script a web crawler when you could just check out the repository?

I think the idea is you only give access to people who have access to the source repo... in this respect fisheye is very weak, because it doesn't have the capability to read the permissions of your source repo, be that subversion or perforce or whatever, therefore you need to define all your permissions twice.

Stash is a bit more integrated and "industrial".

View More Comments
Aaron Jones4
Aaron Jones March 3, 2013

A web crawler is just one approach. You could use wget or curl in much the same way.

The hope was to allow more people access to Fisheye than we provide to the respository because of licensing restrictions (Perforce) and because it's more intuitive to use - especially for QAs. However, with that expanded availability comes greater risk.

If Fisheye has no protections for this, we could certainly be at an impass.

Like
JamieA
JamieA
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
Get recognized
March 3, 2013

I put wget/curl in the same basket as web crawlers. You could save yourself some money and just run p4web in guest mode.

But, my point stands, if you are concerned about people seeing code they should not, you should only give access to fisheye to those people that have read access to everything in p4, and also see https://jira.atlassian.com/browse/FE-226

Like
Reply
0 votes
Aaron Jones4
Aaron Jones March 4, 2013

Lukasz Pater over at Atlassian was actually able to help me with this via a ticket I'd opened. To remove access to the raw source, we need to create a small plugin that would prevent access to a specified url, or log that access. To do that you'd need to create a servlet filter module.

public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        String url = ((HttpServletRequest)servletRequest).getRequestURL().toString();
        if (url.contains("/~raw")) {
            ((HttpServletResponse)servletResponse).sendError(403);
        } else {
            filterChain.doFilter(servletRequest, servletResponse);
        }
}

The code returns a 403 Forbidden error whenever someone attempts to access any of the raw source. While this isn't a complete answer, it certainly makes it more difficult to get at the raw source without additional effort and satisfies our needs. This combined with the other recommendations about limiting repo visibility should put us in an acceptable situation.

Reply

Suggest an answer

Log in or Sign up to answer
Fisheye
Fisheye/Crucible
TAGS
AUG Leaders

Atlassian Community Events

    See all events