Security Vulnerability: Raw Auth Token Exposed in Bitbucket Client Error Responses #142

@Mkebede

Description

We're encountering a critical security issue with the Node.js Bitbucket client. Specifically, error responses returned by the client include the full raw authorization token in the serialized request object under request.headers.authorization.

This behavior poses a significant security vulnerability, as it risks exposing credentials in logs and monitoring tools.

This issue is not limited to a single API method—we first observed it with client.source.read(), but it's likely present across all endpoints where errors are thrown and serialized.

Example Response (Sensitive Data Redacted)

{
  name: 'HTTPError',
  error: {
    type: 'error',
    error: {
      message: 'test-branch',
    },
  },
  headers: {...},
  request: {
    method: 'GET',
    url: 'https://api.bitbucket.org/2.0/repositories/test/refs/branches/test-branch',
    headers: {
      accept: 'application/json',
      'user-agent': 'bitbucket.js/2.8.0',
      authorization: 'Basic dXNlc***',
    },
    request: {
      validate: {
        name: {
          required: true,
          type: 'string',
        },
        repo_slug: {
          required: true,
          type: 'string',
        },
        workspace: {
          required: true,
          type: 'string',
        },
      },
    },
  },
  status: 404,
  message: 'Not Found',
  stack: '...',
}

Please consider stripping or masking the authorization header from error responses before they are exposed to consumers of the client (offending line). This would greatly reduce the risk of unintentional token leakage in logs or error monitoring.
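Until the client masks the header itself, consumers can put a redaction boundary between the client and their logger or error tracker. The following is an added example, not code from the bitbucket.js project or from the issue author. It constructs an error object that mirrors the HTTPError shape shown above (with a fake token), walks it, and masks any credential-bearing header it finds, keeping only the auth scheme so the log still says what kind of credential was used. The function names (`redactError`, `redactHeadersDeep`, `maskHeaderValue`, `withRedactedErrors`, `sampleHttpError`) and the list of sensitive header names are the example's own assumptions.

```javascript
// Added example (not part of the bitbucket.js project): produce a log-safe copy
// of a client error before it reaches console.log, a log shipper or an error
// monitoring SDK. The Bitbucket client is not imported; the error below is a
// constructed sample shaped like the one in the issue, with a fake token.

// Header names that must never appear verbatim in logs (assumed list).
const SENSITIVE_HEADERS = new Set([
  "authorization",
  "proxy-authorization",
  "cookie",
  "set-cookie",
  "x-api-key",
]);

// Mask a header value. If it looks like "<scheme> <credential>" (Basic, Bearer),
// keep the scheme so the log still shows the auth type, drop the secret.
function maskHeaderValue(value) {
  const str = String(value);
  const m = /^([A-Za-z][A-Za-z0-9-]*)\s+(.+)$/.exec(str);
  if (m) return `${m[1]} [REDACTED]`;
  return "[REDACTED]";
}

// Recursively copy a plain object/array. Any object found under a key named
// "headers" gets its sensitive entries masked (header names compared
// case-insensitively). Cycles are cut so JSON.stringify cannot blow up later.
function redactHeadersDeep(node, seen = new WeakSet()) {
  if (node === null || typeof node !== "object") return node;
  if (seen.has(node)) return "[Circular]";
  seen.add(node);

  if (Array.isArray(node)) return node.map((v) => redactHeadersDeep(v, seen));

  const out = {};
  for (const [key, value] of Object.entries(node)) {
    if (key === "headers" && value && typeof value === "object" && !Array.isArray(value)) {
      const masked = {};
      for (const [h, hv] of Object.entries(value)) {
        masked[h] = SENSITIVE_HEADERS.has(h.toLowerCase()) ? maskHeaderValue(hv) : hv;
      }
      out[key] = masked;
    } else {
      out[key] = redactHeadersDeep(value, seen);
    }
  }
  return out;
}

// Error instances keep name/message/stack as non-enumerable properties, so
// copy those explicitly, then merge the enumerable extras (status, request,
// headers, ...) and redact the whole thing.
function redactError(err) {
  if (!(err instanceof Error)) return redactHeadersDeep(err);
  const plain = { name: err.name, message: err.message, stack: err.stack };
  Object.assign(plain, err);
  return redactHeadersDeep(plain);
}

// Boundary wrapper: the raw error (token included) never propagates past this
// call; callers and their error handlers only ever see the redacted copy.
async function withRedactedErrors(fn) {
  try {
    return await fn();
  } catch (err) {
    const safe = redactError(err);
    const wrapped = new Error(safe.message);
    Object.assign(wrapped, safe);
    throw wrapped;
  }
}

// Constructed sample mirroring the issue's HTTPError shape. The token is fake.
function sampleHttpError() {
  const e = new Error("Not Found");
  e.name = "HTTPError";
  e.status = 404;
  e.headers = { "content-type": "application/json" };
  e.request = {
    method: "GET",
    url: "https://api.bitbucket.org/2.0/repositories/test/refs/branches/test-branch",
    headers: {
      accept: "application/json",
      "user-agent": "bitbucket.js/2.8.0",
      authorization: "Basic dXNlcjpzZWNyZXQ=",
    },
  };
  return e;
}

// Usage: log only the redacted copy.
console.log(JSON.stringify(redactError(sampleHttpError()), null, 2));
```

Redacting at the consumer is a stopgap: anything that logs the raw error before it crosses this boundary (a framework's default unhandled-rejection handler, for instance) still leaks the token, which is why the fix belongs in the client as the issue requests.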
