❌ Preview Environment deleted from Bunnyshell

Available commands (reply to this comment):

• 🚀 /bns:deploy to deploy the environment

Good iterations on the previous PR. I think we can only enable this feature if webook auth is enabled. Otherwise it's an easy SSRF

Good iterations on the previous PR. I think we can only enable this feature if webook auth is enabled. Otherwise it's an easy SSRF

Would mandating that the request from webhook handler would be made only if the repo creds are present in the system. If there is no secret present for the given URL, then we will not do the call to get the diffs.

In that case, even for a public repository, users may need to add the repocreds.

If there is no valid repo creds for a given URL, then no external call is made and the changeset remains empty. Would this check be sufficient to avoid SSRF.

if repoCreds == nil {
		return []string{}, fmt.Errorf("unable to retrive repository credentials for bitbucket workspace %s and reposlug %s", workspace, repoSlug)
	}

Codecov Report

Attention: Patch coverage is 78.89908% with 23 lines in your changes missing coverage. Please review.

Project coverage is 55.91%. Comparing base (fe347e3) to head (c72b169).
Report is 451 commits behind head on master.

@@            Coverage Diff             @@
##           master   #21811      +/-   ##
==========================================
+ Coverage   55.88%   55.91%   +0.02%     
==========================================
  Files         343      343              
  Lines       57333    57437     +104     
==========================================
+ Hits        32042    32117      +75     
- Misses      22644    22671      +27     
- Partials     2647     2649       +2     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

I don't think that's sufficient. Allowing a completely unauthenticated user to cause a credentialed API call would allow anyone with network access to use Argo to launch a DoS attack or to DoS Argo itself.

@crenshaw-dev Could you please check my recent change, where I am relying on settings.WebhookBitbucketServerSecret to check if its an authenticated webhook or not. If this is set, then all the webhook calls are checked for signature validity. Please advise if there is a better way to do the same.

@crenshaw-dev I have addressed your review comments and the PR is ready for review. Can it be considered for release-3.0 release milestone ?

Steps to verify this feature:

1. Disable the periodic polling of the git repositories by the following command to ensure that all refreshes happen only via webhook notifications.

kubectl patch cm argocd-cm -n argocd -p '{"data": {"timeout.reconciliation": "0"}}'

2. Set the debug logs in Argo CD Server component using the following command to verify changed files are being calculated correctly.

kubectl patch cm argocd-cmd-params-cm -n argocd -p '{"data": {"server.log.level": "debug"}}'

3. Restart the argocd-server deployment to ensure that the log level configuration change is picked up by the application.

kubectl scale deploy argocd-server -n argocd --replicas=0
kubectl scale deploy argocd-server -n argocd --replicas=1

4. Create a webhook for the private repository using the steps provided in https://support.atlassian.com/bitbucket-cloud/docs/manage-webhooks/

5. Create a Repository webhook token in BitBucket for the private repository and add the repository secret as follows
   Detailed steps provided in this link : https://support.atlassian.com/bitbucket-cloud/docs/create-a-repository-access-token/

argocd login <server_hostname> --username admin --password $(kubectl get secret argocd-initial-admin-secret -o jsonpath='{.data.password}' | base64 -d) --insecure
export WEBHOOK_TOKEN=<token_from_bb_console>
argocd repo add https://bitbucket.org/anandjoseph/argocd-sample-pvt.git --username x-token-auth --password $(echo $WEBHOOK_TOKEN)

6. Create a webhook in BitBucket, update the webhook UUID in secret

export WEBHOOK_UUID=<uuid_from_bb_console>
kubectl patch secret argocd-secret -n argocd -p '{"stringData": {"webhook.bitbucket.uuid": "$WEBHOOK_UUID"}}'

7. Check the logs and see if you find some debug logs as below

{"level":"debug","msg":"https://bitbucket.org/anandjoseph/argocd-sample-pvt.git has credentials","time":"2025-05-18T07:53:49Z"}
{"level":"debug","msg":"quay.io/rh-ee-anjoseph has credentials","time":"2025-05-18T07:53:49Z"}
{"level":"debug","msg":"found a matching repository for URL https://bitbucket.org/anandjoseph/argocd-sample-pvt","time":"2025-05-18T07:53:49Z"}
{"level":"debug","msg":"fetched user/password for repository URL 'https://bitbucket.org/anandjoseph/argocd-sample-pvt.git', initializing basic auth client","time":"2025-05-18T07:53:49Z"}
{"level":"debug","msg":"created bitbucket client with base URL 'https://api.bitbucket.org/2.0'","time":"2025-05-18T07:53:49Z"}
{"level":"debug","msg":"invoking diffstat call with parameters: [Owner:anandjoseph, RepoSlug:argocd-sample-pvt, Spec:..397e8a657cc47a32b8c4e150cb731a0f9d3cb751]","time":"2025-05-18T07:53:49Z"}
{"level":"debug","msg":"changed files for spec ..397e8a657cc47a32b8c4e150cb731a0f9d3cb751: [guestbook/guestbook-ui-deployment.yaml]","time":"2025-05-18T07:53:50Z"}
{"level":"info","msg":"Received push event repo: https://bitbucket.org/anandjoseph/argocd-sample-pvt, revision: change_version_28, touchedHead: false","time":"2025-05-18T07:53:51Z"}

Unfortunately, this fix is only for Bitbucket Cloud, not for Bitbucket DataCentre (DC, Server).