From f6f75ae2820c816a84e5d55dee2579b1f83741de Mon Sep 17 00:00:00 2001 From: squid-protocol Date: Fri, 17 Jul 2026 09:08:39 -0400 Subject: [PATCH] fix(insights): remove markdown formatting artifact in url validator --- templates/bitbucket/bitbucket_insights.py | 23 ++++++++++++++++------- 1 file changed, 16 insertions(+), 7 deletions(-) diff --git a/templates/bitbucket/bitbucket_insights.py b/templates/bitbucket/bitbucket_insights.py index 496e7a6a..453365f1 100644 --- a/templates/bitbucket/bitbucket_insights.py +++ b/templates/bitbucket/bitbucket_insights.py @@ -71,9 +71,18 @@ def publish_insights(sarif_path: str): }) report_id = "gitgalaxy-audit-report" - base_url = f"http://localhost:29418/2.0/repositories/{workspace}/{repo}/commit/{commit}/reports/{report_id}" + # Bitbucket's proxy requires HTTP (not HTTPS) to automatically inject the Auth header + base_url = f"http://api.bitbucket.org/2.0/repositories/{workspace}/{repo}/commit/{commit}/reports/{report_id}" - # 4. Create the Parent Report (PUT) + # 4. Set up the Proxy Handler for Bitbucket Pipelines + proxy_handler = urllib.request.ProxyHandler({ + 'http': 'http://localhost:29418', + 'https': 'http://localhost:29418' + }) + opener = urllib.request.build_opener(proxy_handler) + urllib.request.install_opener(opener) + + # Create the Parent Report (PUT) report_payload = json.dumps({ "title": "GitGalaxy Spectral Audit", "details": f"GitGalaxy mapped {len(bitbucket_annotations)} architectural threats.", @@ -81,9 +90,9 @@ def publish_insights(sarif_path: str): "result": "FAILED" if any(a["severity"] == "HIGH" for a in bitbucket_annotations) else "PASSED" }).encode("utf-8") - # Enforce loopback destination boundaries to neutralize remote protocol exploits - if not base_url.startswith("http://localhost:29418/"): - print("❌ Security Violation: Invalid localized API destination.") + # Enforce API destination boundaries to neutralize remote protocol exploits + if not base_url.startswith("http://api.bitbucket.org/"): + print("❌ Security Violation: Invalid API destination.") sys.exit(1) req = urllib.request.Request(base_url, data=report_payload, method="PUT") @@ -105,8 +114,8 @@ def publish_insights(sarif_path: str): chunk = bitbucket_annotations[i:i + chunk_size] chunk_payload = json.dumps(chunk).encode("utf-8") - if not annotations_url.startswith("http://localhost:29418/"): - print("❌ Security Violation: Invalid localized API destination.") + if not annotations_url.startswith("http://api.bitbucket.org/"): + print("❌ Security Violation: Invalid API destination.") sys.exit(1) req = urllib.request.Request(annotations_url, data=chunk_payload, method="POST")