Bitbucket Connect Library uses .eval(), preventing the use of CSP without 'unsafe-inline' as required

In the Requirements for Connect Cloud Apps adding a Content Security Policy (CSP) is required.
Using ‘unsafe-inline’ and ‘unsafe-eval’ for scripts is forbidden.

(via https://developer.atlassian.com/platform/marketplace/security-requirements/#implementation-details-for-connect-apps)

However, when applying this policy to a Bitbucket Connect app, the connect library itself uses a JavaScript eval! This therefore requires an ‘unsafe-eval’ in the Content Security Policy!

Source: https://bitbucket.org/atlassian-connect/all.js

Is there a way to prevent this eval? Is this an oversight on Atlassian Bitbucket's side? Or are the CSP rules different for Bitbucket Cloud?

14 Likes

Hi @RomanStoffel,

We were already notified of this limitation in Bitbucket Connect’s all.js library. We have reached out to the Bitbucket team internally for a resolution and will get back if we find a workaround, since it requires setting the unsafe-eval directive. However, the current eval usage in this library does not allow parsing 3rd party JavaScript code, so it is not a vulnerability. The use of these directives is suggested when practicable. We understand CSP policies have no one-size-fits-all solution. We acknowledge this issue and are working towards a fix. Thanks for flagging it.

2 Likes

Hi @SrivathsavGandrathi ,
How is a vendor supposed to handle this issue? With the new security requirements, does a vendor need to ask for an exemption?

Hi @marc ,

The requirement is to set a Content Security Policy header; the instructions on directives are not a hard requirement but a strong recommendation, as we understand that there is no one-size-fits-all CSP policy that we can enforce. In the Bitbucket Connect case, the unsafe-eval recommendation seems to be currently not practicable due to eval usage. No exemption requests are required.

1 Like
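As an added example (not from this thread or from Atlassian), a small Node.js checker that parses a Content-Security-Policy header the way browsers resolve it (script-src falling back to default-src, first occurrence of a directive wins) and reports whether the effective script policy admits eval() or inline scripts. Both sample policies are constructed: the strict one the guidelines ask for, and the smallest relaxation a Bitbucket Connect app currently needs for all.js.

```javascript
// Added example: audit a CSP header for 'unsafe-eval' / 'unsafe-inline'.
// Directive and source names follow the CSP spec; sample policies are constructed.

function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    const key = name.toLowerCase();
    // Per spec, a repeated directive is ignored: the first one wins.
    if (!directives.has(key)) {
      directives.set(key, sources.map((s) => s.toLowerCase()));
    }
  }
  return directives;
}

function effectiveScriptSources(directives) {
  // script-src governs scripts; when it is absent, default-src is the fallback.
  if (directives.has('script-src')) return directives.get('script-src');
  if (directives.has('default-src')) return directives.get('default-src');
  return null; // no directive restricts scripts at all
}

function auditScriptPolicy(header) {
  const sources = effectiveScriptSources(parseCsp(header));
  if (sources === null) {
    // Without a script-src or default-src, eval and inline scripts are unrestricted.
    return { restricted: false, allowsEval: true, allowsInline: true };
  }
  return {
    restricted: true,
    allowsEval: sources.includes("'unsafe-eval'"),
    allowsInline: sources.includes("'unsafe-inline'"),
  };
}

// Constructed policies: strict (what the guidelines ask for) and the minimal
// relaxation a Bitbucket Connect app currently needs because all.js calls eval().
const STRICT_CSP =
  "default-src 'self'; script-src 'self' https://bitbucket.org; frame-ancestors https://bitbucket.org";
const CONNECT_CSP =
  "default-src 'self'; script-src 'self' 'unsafe-eval' https://bitbucket.org; frame-ancestors https://bitbucket.org";

console.log('strict :', auditScriptPolicy(STRICT_CSP));
console.log('connect:', auditScriptPolicy(CONNECT_CSP));
```

Run it with `node` to see that the Connect policy opens only 'unsafe-eval' and still rejects inline scripts; the fallback to default-src matters because a policy with no script-src at all inherits whatever default-src allows.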