From 2f69219b5c0355b4ae7ed3092b73af52cc25e112 Mon Sep 17 00:00:00 2001 From: Mick Grove Date: Mon, 24 Nov 2025 23:43:11 -0800 Subject: [PATCH 1/2] Fixed Bitbucket authenticated cloning bug --- CHANGELOG.md | 3 +++ Cargo.toml | 2 +- README.md | 4 +--- src/git_binary.rs | 35 ++++++++++++++++++++++++++++++++++- 4 files changed, 39 insertions(+), 5 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 827890b..f4862db 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,9 @@ All notable changes to this project will be documented in this file. +## [v1.68.0] +- Fixed Bitbucket authenticated cloning bug + ## [v1.67.0] - Added checksum to GitLab rule - Fixed deduplication to consider rule identifiers so overlapping patterns are not merged before validation diff --git a/Cargo.toml b/Cargo.toml index 1e48257..f255862 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -10,7 +10,7 @@ publish = false [package] name = "kingfisher" -version = "1.67.0" +version = "1.68.0" description = "MongoDB's blazingly fast and accurate secret scanning and validation tool" edition.workspace = true rust-version.workspace = true diff --git a/README.md b/README.md index 1f7649a..91ef7bf 100644 --- a/README.md +++ b/README.md @@ -934,9 +934,7 @@ kingfisher scan bitbucket --workspace my-team --bitbucket-exclude my-team/**/exp Kingfisher supports Bitbucket Cloud and Bitbucket Server credentials: -- **Workspace API token (Cloud)** – set `KF_BITBUCKET_TOKEN`. `KF_BITBUCKET_USERNAME` - is optional; Kingfisher automatically uses the token for Bitbucket REST APIs - and authenticates git operations as `x-token-auth`. +- **Workspace API token (Cloud)** – set `KF_BITBUCKET_TOKEN`.Kingfisher automatically uses the token for Bitbucket REST APIs and authenticates git operations as `x-token-auth`. - **Bitbucket Server token** – set `KF_BITBUCKET_USERNAME` and either `KF_BITBUCKET_TOKEN` or `KF_BITBUCKET_PASSWORD`. - **Legacy app password (Cloud)** – set `KF_BITBUCKET_USERNAME` and 
diff --git a/src/git_binary.rs b/src/git_binary.rs index 15728f6..e2bc9b4 100644 --- a/src/git_binary.rs +++ b/src/git_binary.rs @@ -156,9 +156,12 @@ impl Git { } else if let Some(token) = bitbucket_access_token.clone() { Some(("x-token-auth".to_string(), token)) } else if let (Some(username), Some(password)) = - (bitbucket_username.clone(), bitbucket_basic_password) + (bitbucket_username.clone(), bitbucket_basic_password.clone()) { Some((username, password)) + } else if let Some(token) = bitbucket_token.clone() { + // Allow token-only authentication (common for x-token-auth URLs). + Some(("x-token-auth".to_string(), token)) } else { None }; @@ -169,6 +172,7 @@ impl Git { let has_bitbucket_oauth_token = bitbucket_oauth_token.is_some(); let has_bitbucket_credentials = has_bitbucket_oauth_token || bitbucket_access_token.is_some() + || bitbucket_token.is_some() || (has_bitbucket_username && has_bitbucket_password); let has_azure_token = ["KF_AZURE_TOKEN", "KF_AZURE_PAT"] .iter() @@ -454,6 +458,21 @@ mod tests { }); } + #[test] + fn test_repo_arg_for_clone_uses_token_only_auth() { + let url = + GitUrl::try_from(url::Url::parse("https://bitbucket.org/workspace/demo.git").unwrap()) + .unwrap(); + + temp_env::with_vars(&[("KF_BITBUCKET_TOKEN", Some("token123"))], || { + let git = Git::new(false); + assert_eq!( + git.repo_arg_for_clone(&url), + "https://x-token-auth:token123@bitbucket.org/workspace/demo.git" + ); + }); + } + #[test] fn test_repo_arg_for_clone_leaves_non_bitbucket_urls_untouched() { let url = GitUrl::try_from( 
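Review bot: The token-only fallback added in the `@@ -156,9 +156,12 @@` hunk of src/git_binary.rs turns any username-less `KF_BITBUCKET_TOKEN` into the `x-token-auth` password, and the test added further down pins that this pair is written into the clone URL's userinfo. A secret in the URL is exposed wherever that URL goes (the git argument list, and presumably the remote URL recorded in the clone), while the other new test shows `BITBUCKET_CREDENTIAL_HELPER` is registered for the same configuration. I would document the trade-off on the branch, e.g. `// Token-only fallback: sent as the x-token-auth password; keep it out of logs and error messages.`, and check whether the helper alone is enough so the URL can stay credential-free. The enclosing function starts and ends outside the hunk, so how the pair is consumed is inferred from the tests.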
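Review bot: `|| bitbucket_token.is_some()` in the `@@ -169,6 +172,7 @@` hunk counts a variable that is set but empty as a credential, unless the code that reads `KF_BITBUCKET_TOKEN` (outside the hunk) already drops empty values. If it does not, an empty token would enable the Bitbucket credential path and, through the fallback in the previous hunk, produce an `x-token-auth` pair with an empty password. A guard such as `|| bitbucket_token.as_deref().is_some_and(|t| !t.is_empty())` here, and the same filter on the new `else if let Some(token) = bitbucket_token.clone()` branch, would make that explicit.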
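Review bot: `test_repo_arg_for_clone_uses_token_only_auth` sets only `KF_BITBUCKET_TOKEN` and leaves every other Bitbucket variable as it is in the ambient environment, so a developer or CI shell that exports `KF_BITBUCKET_USERNAME` would likely take the username/password branch and fail the assertion; `test_git_new_bitbucket_token_without_username` in the next hunk has the same gap. Clearing the siblings in the same call fixes it, e.g. `temp_env::with_vars([("KF_BITBUCKET_TOKEN", Some("token123")), ("KF_BITBUCKET_USERNAME", None), ("KF_BITBUCKET_PASSWORD", None)], || { … })`, extended with whatever other Bitbucket variables `Git::new` reads. A companion case with only the token set and a non-Bitbucket URL would also pin that the new fallback never attaches the token to another host, if the existing `test_repo_arg_for_clone_leaves_non_bitbucket_urls_untouched` does not already cover that.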
@@ -484,6 +503,20 @@ mod tests { }); } + #[test] + fn test_git_new_bitbucket_token_without_username() { + temp_env::with_var("KF_BITBUCKET_TOKEN", Some("token123"), || { + let git = Git::new(false); + assert_eq!(git.credentials.len(), 4); + assert!(git.credentials.iter().any(|value| value == BITBUCKET_CREDENTIAL_HELPER)); + assert_eq!(git.bitbucket_access_token.as_deref(), None); + assert_eq!( + git.bitbucket_basic_auth, + Some(("x-token-auth".to_string(), "token123".to_string())) + ); + }); + } + #[test] fn test_git_new_bitbucket_trims_whitespace() { let trimmed_token = "AT1234567890_ACCESS_TOKEN_EXAMPLE_WITH_UNDERSCORE"; From 9718fc1dc436eb9c05d37082d3047c29e04b9b43 Mon Sep 17 00:00:00 2001 From: Mick Grove Date: Mon, 24 Nov 2025 23:45:10 -0800 Subject: [PATCH 2/2] Fixed Bitbucket authenticated cloning bug --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 91ef7bf..09515a5 100644 --- a/README.md +++ b/README.md @@ -934,7 +934,7 @@ kingfisher scan bitbucket --workspace my-team --bitbucket-exclude my-team/**/exp Kingfisher supports Bitbucket Cloud and Bitbucket Server credentials: -- **Workspace API token (Cloud)** – set `KF_BITBUCKET_TOKEN`.Kingfisher automatically uses the token for Bitbucket REST APIs and authenticates git operations as `x-token-auth`. +- **Workspace API token (Cloud)** – set `KF_BITBUCKET_TOKEN`. Kingfisher automatically uses the token for Bitbucket REST APIs and authenticates git operations as `x-token-auth`. - **Bitbucket Server token** – set `KF_BITBUCKET_USERNAME` and either `KF_BITBUCKET_TOKEN` or `KF_BITBUCKET_PASSWORD`. - **Legacy app password (Cloud)** – set `KF_BITBUCKET_USERNAME` and
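Review bot: `assert_eq!(git.credentials.len(), 4);` in `test_git_new_bitbucket_token_without_username` pins a count the test never explains, so any unrelated change to the git config arguments breaks it without saying what was expected. A comment naming the four entries, or dropping the count in favour of the helper check on the next line, would keep the intent. Since this test is about a secret, it could also assert that the value stays out of the argument list, e.g. `assert!(!git.credentials.iter().any(|value| value.contains("token123")));`, assuming the helper is meant to read the token from the environment rather than carry it.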