Unlike for GitHub and GitLab, this repository does not validate signatures for Bitbucket webhooks. This is a major security issue.
For Bitbucket webhooks, there are two pieces of information:
They cannot be the same, as the HMAC secret must not appear in the message itself.
The HMAC signing was added in 2023: https://www.atlassian.com/blog/bitbucket/enhanced-webhook-security
Currently this repository checks the UUID but it does not check the HMAC signature.
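An added example of the missing check, not code from this repository: it verifies the HMAC-SHA256 of the raw request body in addition to the UUID and fails closed when the signature is absent. The header names `X-Hook-UUID` and `X-Hub-Signature` and the `sha256=<hex>` value format are assumed from Bitbucket Cloud's webhook documentation; the function name and the sample values are hypothetical.

```python
import hashlib
import hmac

UUID_HEADER = "x-hook-uuid"           # assumed: webhook UUID, sent in clear
SIGNATURE_HEADER = "x-hub-signature"  # assumed: "sha256=<hex HMAC of body>"


def verify_bitbucket_webhook(headers, body, expected_uuid, secret):
    """Return (ok, reason). `body` must be the raw bytes as received,
    before any JSON parsing or re-serialisation."""
    h = {k.lower(): v for k, v in headers.items()}  # HTTP headers are case-insensitive

    # The UUID travels with every delivery, so it only identifies the hook.
    # It is not a credential and cannot replace the signature check below.
    if h.get(UUID_HEADER, "") != expected_uuid:
        return False, "unknown webhook uuid"

    signature = h.get(SIGNATURE_HEADER)
    if not signature:
        return False, "missing signature"  # fail closed: unsigned requests are rejected

    algo, _, sent_hex = signature.partition("=")
    if algo != "sha256" or not sent_hex:
        return False, "unsupported signature format"

    expected_hex = hmac.new(secret, body, hashlib.sha256).hexdigest()
    # Constant-time comparison on bytes avoids leaking how many characters matched.
    if not hmac.compare_digest(expected_hex.encode(), sent_hex.strip().lower().encode()):
        return False, "signature mismatch"
    return True, "ok"


# Constructed sample delivery (values are made up for this example).
SAMPLE_SECRET = b"constructed-test-secret"
SAMPLE_UUID = "11111111-2222-3333-4444-555555555555"
SAMPLE_BODY = b'{"push": {"changes": []}}'


def sample_headers(body=SAMPLE_BODY, secret=SAMPLE_SECRET):
    """Build the headers a correctly signed delivery would carry."""
    digest = hmac.new(secret, body, hashlib.sha256).hexdigest()
    return {"X-Hook-UUID": SAMPLE_UUID, "X-Hub-Signature": "sha256=" + digest}


if __name__ == "__main__":
    print(verify_bitbucket_webhook(sample_headers(), SAMPLE_BODY, SAMPLE_UUID, SAMPLE_SECRET))
```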