Notifyr 5.3 release notes
Release date: 14 Jan 2021
This version of Notifyr - Notifications for Bitbucket 5.3 is focused on security and compatibility.
It's recommended to update your Notifyr installation to at least this version as it fixes some potential security issues.
Read the Notifyr Security Advisory 2021-01-15 for more information
To improving Notifyr and to be sure customers can safely continue using Notifyr in their critical systems, last December ASK Software joined the Bug Crowd bounty program. This program crowd-sources the research to potential security leaks and provides a bounty for those issues found. This research found 2 critical errors that have been addressed in Notifyr 5.3.
1. Cross Site Request Forgery for email templates
Cross Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they're currently authenticated. For Notifyr this meant that authenticated users could change the email templates without being a Bitbucket administrator.
This has been fixed by adding additional permission checks on the pages involved and adding xsrf-tokens to the forms. These tokens prevent users from unintentionally submitting malicious data.
2. Local file including in email templates
The default configuration of jTwig, the templating implementation used in Notifyr allows users to include files from every directory on the server. The content of those files will then be included in the notifications.
The configuration has been changed so that only files from allowed paths are now included. There are currently no allowed paths configured.
This section will contain information about the Notifyr - Notifications for Bitbucket 5.3.x minor releases as they become available.
- Added additional security checks to admin pages
- Added XSRF-tokens to prevent submission of malicious data
Notifyr can't succeed without your feedback, insight, and recommendations for improvement. Please keep sending your feedback. Thanks so much!