Uploaded image for project: 'Bitbucket Data Center'
  1. Bitbucket Data Center
  2. BSERV-20115

Bitbucket Accepts Invalid 'MODEL_BRANCH' Configuration for Release Branches, Resulting in Unenforced Permissions

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Unresolved
    • Icon: Medium Medium
    • None
    • 8.19.3
    • Repository - Branch Permissions
    • None

      Problem

      Bitbucket accepts a branch permission when "id" is set to "RELEASE" and "type.id" is "MODEL_BRANCH," but silently fails to enforce the intended restrictions.

      Environment

      Observed in Bitbucket Data Center 8.19.3.

      Occurs regardless of whether third-party plugins are installed.

      Happens when configuring branch permissions via the REST API.

      Steps to Reproduce

      1. Create or select a repository in a Bitbucket instance.
      2. Send a POST request to the branch-permissions endpoint using "MODEL_BRANCH" with "id" set to "RELEASE," for example: { "matcher": Unknown macro: { "id"}

        , "type": "read-only", ... }

      3. Verify that the rule appears in Bitbucket under Repository Settings → Branch Permissions.
      4. Attempt to push or delete a "release/" branch. Bitbucket permits the action without restriction.

      Expected Results

      Bitbucket should reject the request, possibly explaining that only "development" or "production" is valid for "MODEL_BRANCH." 

      Older API documents, such as the one for version 7.21, clearly explain the distinctions:
      Bitbucket Server REST API 7.21

      The request matcher and type must conform to the following.

      • The matcher can be one of the following types
      • 'BRANCH' represents a specific Branch name. You must supply the fully qualified name of the ref to restrict, e.g. "refs/heads/master" instead of "master".
      • 'PATTERN' represents a wildcard pattern that may match multiple branches. You must specify a valid Branch Permission Pattern.
      • 'MODEL_CATEGORY' represents Branch prefixes in the Branching model for the repository. The 'id' must be one of
        • 'FEATURE'
        • 'BUGFIX'
        • 'HOTFIX'
        • 'RELEASE'See the Branch REST API for more information.
      • 'MODEL_BRANCH' represents either the Development or Production branch in the branching model for the repository. The 'id' must be one of
        • 'development'
        • 'production'See the Branch REST API for more information.

      In summary, for MODEL_BRANCH, the id must be either 'development' or 'production'. For MODEL_CATEGORY, it would be one of 'FEATURE', 'BUGFIX', 'HOTFIX', or 'RELEASE'.

      Actual Results

      The API returns HTTP 200 and creates a branch permission record that is displayed in the UI.

      Despite showing a "read-only" or "prevent all changes" rule for release branches, Bitbucket allows all actions on them (e.g., pushing code, deleting refs).

      echo "testing `date`" >> File000Y.txt && git add * && git ci -m "Test api last commit" && git push
[release/1.0 0f2d856] Test api last commit
 1 file changed, 1 insertion(+)
 create mode 100644 File000Y.txt
Enumerating objects: 4, done.
Counting objects: 100% (4/4), done.
Delta compression using up to 8 threads
Compressing objects: 100% (2/2), done.
Writing objects: 100% (3/3), 314 bytes | 314.00 KiB/s, done.
Total 3 (delta 0), reused 0 (delta 0), pack-reused 0
remote:
remote: Create pull request for release/1.0:
remote:   https://bitbucket.test.cc/projects/CRP/repos/mergetest/pull-requests?create&sourceBranch=refs%2Fheads%2Frelease%2F1.0
remote:
To ssh://bitbucket.test.cc:7999/crp/mergetest.git
   0cbe4c3..0f2d856  release/1.0 -> release/1.0

      This was the result after attempting to cascade merge branches with the delete option enabled.

      {"affectedObjects":[{"id":"5","name":"CRP","type":"PROJECT"},{"id":"222","name":"mergetest","type":"REPOSITORY"}],"auditType":{"action":"Branch deleted","actionI18nKey":"bitbucket.service.branch.audit.action.branchdeleted","area":"END_USER_ACTIVITY","category":"Repositories","categoryI18nKey":"bitbucket.service.audit.category.repositories","level":"ADVANCED"},"author":{"id":"2","name":"Admin","type":"NORMAL"},"changedValues":[],"extraAttributes":[{"name":"Branch","nameI18nKey":"bitbucket.service.branch.audit.attribute.branchdeleted.branch","value":"release/1.1"},{"name":"Load balancer/proxy IP address","nameI18nKey":"atlassian.audit.event.attribute.forwarder","value":"10.255.0.19"}],"method":"Browser","node":"f7fd4349-af14-41c8-99af-cdd2db680b25","source":"10.255.0.1","system":"https://bitbucket.test.cc","timestamp":{"epochSecond":1751633474,"nano":761000000},"version":"1.0"}

      Workaround

      Do not use "MODEL_BRANCH" for release branches. Instead, use "MODEL_CATEGORY" with "id": "RELEASE."

      Example:

      { "matcher": { "id": "RELEASE", "type":
{ "id": "MODEL_CATEGORY" }
}, "type": "read-only", ... }

      Notes

              Unassigned Unassigned
              620836780f8d Augusto Lima
              Votes:
              1 Vote for this issue
              Watchers:
              2 Start watching this issue

                Created:
                Updated: