Update:
A full year after writing this article, Bitbucket has gone ahead and implemented the required features to mitigate the issue described. Its unclear if CircleCI has done the same or not though.
@pdeva just came across your post on a security vulnerability in Bitbucket Pipelines: https://t.co/tGiP6dyjm0 We've actually released 2 features in Bitbucket recently which prevent users from deploying changes from any branch: deployment variables and permissions! 🥳
— Aneita Yang (@aneitayang) June 4, 2019
You can read more about the feature here: https://t.co/dWL17DG952. We'd love it if you could update your post with a link to this blog too! 😀
— Aneita Yang (@aneitayang) June 4, 2019
Original:
I am fairly certain the issue described below applies to other hosted CI services too. However, since I haven't had a chance to examine them, I will not mention them in this article.
The Basics
Both Bitbucket Pipeline and CircleCI allow you to deploy to your production or dev environment by editing a config file that you check in to your git repo along with your source code.
Here is a sample Bitbucket Pipeline config file that deploys the master branch to production and all other branches to dev environments.
Note that, its the environment variables like PROD_AWS_ACCESS_KEY_ID and DEV_AWS_ACCESS_KEY_ID in each of the above 'steps', that define whether the deployment goes to production or dev environment. These environment variables can be defined by the repository admin such that their actual values are not visible to anyone.
The Problem
Since the deployment is controlled completely by the config file, this doesn't stop any dev from modifying the config file to deploy to production. Eg:
Any developer with write permission on your team can check this is in your git repo and now any branch pushed gets deployed straight to production!!!
Potential Fix
The problem stems from the fact that the admin interface of either Bitbucket Pipeline or Circle CI doesn't allow limiting the visibilty of defined Environment Variables to a specific branch.
A simple filter that said the variable PROD_AWS_ACCESS_KEY_ID is only visible while executing the master branch would solve the issue described above.
But can't you trust your devs enough?
Both Bitbucket and Github have a 'branch restriction' feature that limits who can push to a specific branch, eg the master branch. This is at odds with that security feature, since now literally anyone with write permissions can deploy directly to your production environment.
This can even happen by accident by any developer while editing the config file and copy/pasting portions of code that reference the production environment.
Relevant Bugs
I have opened Bitbucket Bug 16579 and a discussion on CircleCI forum.
As of writing this post, Atlassian seems to have acknowledged the bug but it seems to be low priority for them, since its scheduled for an end of 2018 fix. CircleCI has not even responded to the forum post. Their official support is for paid accounts only, which I currently do not use.
Conclusion
This is a huge, massive security issue with both Bitbucket Pipeline and CircleCI. While Atlassian has atleast acknowledged the issue, it is surprising that its so low on their priority list.