How safe is Fisheye?

Aaron Jones March 3, 2013

We're in the process of getting up and running on many of Atlassian's products, but Fisheye is causing a lot of concern. Most of the concern centers around the ability to download the raw source code and the fear is that some malicious person could script the traversing of a repository and download the entire thing.

Does Fisheye have any protection against this sort of attack? Can the Raw view and download raw files buttons be disabled (other than a CSS hack)? Or has this been completely overlooked?

3 answers

1 accepted

2 votes
Answer accepted
Tom Davies
Atlassian Team
March 4, 2013

You can set FishEye's permissions so that only a particular set of users can see a particular repository.

It sounds as though you want to have users who can see files in a repository without seeing 'too much' of it. Is that correct?

If particular parts of a repository are particularly sensitive you can map the same VCS repository to several FishEye repositories, each of which scans a different subset of the VCS repository, and each of which has a different set of permissions.

There is no way of preventing a user who has access to a repository downloading the source of all the files in the repository -- even if it was possible to remove access to raw source code they could simply download the difference between each revision and compose them.

1 vote
JamieA
March 3, 2013

Why script a web crawler when you could just check out the repository?

I think the idea is you only give access to people who have access to the source repo... in this respect fisheye is very weak, because it doesn't have the capability to read the permissions of your source repo, be that subversion or perforce or whatever, therefore you need to define all your permissions twice.

Stash is a bit more integrated and "industrial".

Aaron Jones March 3, 2013

A web crawler is just one approach. You could use wget or curl in much the same way.

The hope was to allow more people access to Fisheye than we provide to the repository because of licensing restrictions (Perforce) and because it's more intuitive to use - especially for QAs. However, with that expanded availability comes greater risk.

If Fisheye has no protections for this, we could certainly be at an impasse.

JamieA
March 3, 2013

I put wget/curl in the same basket as web crawlers. You could save yourself some money and just run p4web in guest mode.

But, my point stands, if you are concerned about people seeing code they should not, you should only give access to fisheye to those people that have read access to everything in p4, and also see https://jira.atlassian.com/browse/FE-226

0 votes
Aaron Jones March 4, 2013

Lukasz Pater over at Atlassian was actually able to help me with this via a ticket I'd opened. To remove access to the raw source, we need to create a small plugin that would prevent access to a specified url, or log that access. To do that you'd need to create a servlet filter module.

import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;
// Servlet filter that refuses FishEye raw-source URLs (those containing "/~raw") with 403 Forbidden.
public class RawSourceBlockingFilter implements Filter {
    public void init(FilterConfig config) throws ServletException {}
    public void destroy() {}
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        String url = ((HttpServletRequest) servletRequest).getRequestURL().toString();
        if (url.contains("/~raw")) {
            ((HttpServletResponse) servletResponse).sendError(HttpServletResponse.SC_FORBIDDEN);
        } else {
            filterChain.doFilter(servletRequest, servletResponse);  // not a raw request: let it through
        }
    }
}

The code returns a 403 Forbidden error whenever someone attempts to access any of the raw source. While this isn't a complete answer, it certainly makes it more difficult to get at the raw source without additional effort and satisfies our needs. This combined with the other recommendations about limiting repo visibility should put us in an acceptable situation.
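A detection counterpart to the blocking filter, added here as an example that is not part of the original thread or of any Atlassian product: it scans web-server access-log lines for the scripted bulk download the question describes, flagging users who fetch many distinct /~raw files within a short window. The log lines, the common-log format and the exact raw URL shape are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Common-log-format lines constructed for this example (FishEye raw-source URLs contain "/~raw").
SAMPLE_LOG = """\
10.0.0.5 - alice [04/Mar/2013:09:00:01 +0000] "GET /browse/~raw,r=12/proj/src/Main.java HTTP/1.1" 200 1834
10.0.0.5 - alice [04/Mar/2013:09:00:02 +0000] "GET /browse/~raw,r=12/proj/src/Util.java HTTP/1.1" 200 921
10.0.0.5 - alice [04/Mar/2013:09:00:03 +0000] "GET /browse/~raw,r=12/proj/src/Auth.java HTTP/1.1" 200 2207
10.0.0.5 - alice [04/Mar/2013:09:00:04 +0000] "GET /browse/~raw,r=12/proj/pom.xml HTTP/1.1" 200 3300
10.0.0.9 - bob [04/Mar/2013:09:01:10 +0000] "GET /browse/proj/src/Main.java HTTP/1.1" 200 9981
10.0.0.9 - bob [04/Mar/2013:09:01:40 +0000] "GET /browse/~raw,r=12/proj/src/Main.java HTTP/1.1" 200 1834
10.0.0.9 - bob [04/Mar/2013:09:05:12 +0000] "GET /browse/~raw,r=12/proj/src/Util.java HTTP/1.1" 200 921
10.0.0.7 - carol [04/Mar/2013:09:02:00 +0000] "GET /browse/~raw,r=12/proj/README HTTP/1.1" 200 410
10.0.0.7 - carol [04/Mar/2013:09:02:01 +0000] "GET /browse/~raw,r=12/proj/README HTTP/1.1" 200 410
10.0.0.7 - carol [04/Mar/2013:09:02:02 +0000] "GET /browse/~raw,r=12/proj/README HTTP/1.1" 200 410
10.0.0.3 - dave [04/Mar/2013:09:03:00 +0000] "GET /browse/~raw,r=12/proj/src/Main.java HTTP/1.1" 403 0
"""

LOG_RE = re.compile(r'^\S+ \S+ (\S+) \[([^\]]+)\] "GET (\S+) [^"]*" (\d{3})')

def parse_raw_hits(log_text):
    """Return (user, timestamp, path) for every successful GET of a raw-source URL."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m.group(4) != "200":
            continue  # unparsable, or the request was refused (e.g. by the 403 filter)
        user, stamp, path = m.group(1), m.group(2), m.group(3).split("?", 1)[0]
        if "/~raw" not in path:
            continue  # ordinary HTML browse views are not bulk-download signal
        hits.append((user, datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z"), path))
    return hits

def find_bulk_raw_readers(log_text, window=timedelta(seconds=60), threshold=3):
    """Map each user who fetched >= threshold distinct raw files inside one window
    to the peak number of distinct files seen in any such window."""
    by_user = defaultdict(list)
    for user, ts, path in parse_raw_hits(log_text):
        by_user[user].append((ts, path))
    flagged = {}
    for user, events in by_user.items():
        events.sort()
        peak = 0
        for i, (ts, _) in enumerate(events):
            # distinct paths fetched in the window that ends at this request
            recent = {p for t, p in events[: i + 1] if ts - t <= window}
            peak = max(peak, len(recent))
        if peak >= threshold:
            flagged[user] = peak
    return flagged
```

Repeated fetches of one file (carol) and refused requests (dave) are not counted, so only the user sweeping distinct files (alice) is flagged.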
