Breaking Bitbucket: Pre Auth Remote Command Execution [CVE-2022-36804] (6000)
Two argument injections were found in Bitbucket Server, though only one of them was exploitable. The first was in the /rest/api/latest/projects/~USER/repos/repo1/browse endpoint, where an at parameter could be provided. They found they could smuggle --help through this parameter, but there was no security impact, as none of the options reachable that way were useful.

The second was the /rest/api/latest/projects/PROJECTKEY/repos/REPO/archive endpoint, which turned out to be far more useful. This endpoint takes a prefix parameter, which maps to the --prefix argument of the underlying git archive sub-command. The process builder launches the sub-command through Java's native Java_java_lang_ProcessImpl_forkAndExec function, which receives the arguments as a single NUL-separated byte block and rebuilds argv by splitting that block on the NUL bytes. Because of this, a URL-encoded null byte (%00) in the prefix value terminates the --prefix entry early and turns whatever follows it into a fresh argv entry, so arbitrary arguments could be injected. Furthermore, git archive supports an --exec argument giving the path to the git-upload-archive binary. That value is essentially passed straight to /bin/sh via execve(), so arbitrary command execution is straightforward.
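The argument-splitting mechanism above is easier to see with a small model than in the JDK sources. The following C program is an added example written for this summary, not code from the Assetnote write-up or from the JDK: it packs a Java-style argument array into one NUL-separated block with a fixed count, rebuilds argv the way a forkAndExec-style launcher does, and shows that an embedded NUL in the --prefix value yields an injected --exec entry. The argument list, the %00-carrying prefix value and the "id" placeholder command are constructed for illustration, and the count-driven truncation of trailing arguments is a property of this simplified model. The first_nul_arg check at the end is the hardening a launcher would want: reject any argument containing a NUL before it ever reaches the block.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Simplified, hypothetical model of a NUL-separated argument hand-off:
 * the launcher packs `count` strings into one byte block (a NUL after each)
 * and passes the block plus `count` to native code, which rebuilds argv by
 * scanning for `count` NUL-terminated C strings. Not the JDK's own code.
 */

/* Pack `count` strings (given as ptr+len so they may carry an embedded NUL)
 * into `block`. Returns bytes written, or 0 if `block` is too small. */
static size_t pack_args(const char *const *args, const size_t *lens, int count,
                        unsigned char *block, size_t block_size)
{
    size_t pos = 0;
    for (int i = 0; i < count; i++) {
        if (pos + lens[i] + 1 > block_size) return 0;
        memcpy(block + pos, args[i], lens[i]);
        pos += lens[i];
        block[pos++] = '\0';   /* separator the native side splits on */
    }
    return pos;
}

/* Native-side rebuild: take exactly `count` C strings from the block,
 * each ending at the next NUL regardless of where the Java string ended. */
static int unpack_argv(const unsigned char *block, size_t block_len, int count,
                       char **argv, int argv_cap)
{
    size_t pos = 0;
    int n = 0;
    while (n < count && n < argv_cap - 1 && pos < block_len) {
        argv[n++] = (char *)block + pos;
        pos += strlen((const char *)block + pos) + 1;
    }
    argv[n] = NULL;
    return n;
}

/* Pack then unpack; returns the number of argv entries rebuilt, or -1. */
static int pack_and_unpack(const char *const *args, const size_t *lens, int count,
                           char **argv, int argv_cap,
                           unsigned char *buf, size_t buf_size)
{
    size_t len = pack_args(args, lens, count, buf, buf_size);
    if (len == 0) return -1;
    return unpack_argv(buf, len, count, argv, argv_cap);
}

/* Hardening check: index of the first argument with an embedded NUL, or -1.
 * A launcher should reject such input before building the block at all. */
static int first_nul_arg(const char *const *args, const size_t *lens, int count)
{
    for (int i = 0; i < count; i++)
        if (memchr(args[i], '\0', lens[i]) != NULL) return i;
    return -1;
}

int main(void)
{
    /* Constructed input: the third "Java string" carries the NUL that a %00
     * in the prefix parameter would produce; "id" stands in for the command. */
    const char *args[] = { "git", "archive", "--prefix=ax\0--exec=id", "HEAD" };
    const size_t lens[] = { 3, 7, 21, 4 };
    const int count = 4;
    unsigned char buf[128];
    char *argv[8];

    int n = pack_and_unpack(args, lens, count, argv, 8, buf, sizeof buf);
    printf("argv entries rebuilt: %d (count handed to native side: %d)\n", n, count);
    for (int i = 0; i < n; i++)
        printf("  argv[%d] = %s\n", i, argv[i]);   /* --exec=id appears; HEAD is gone */
    printf("first argument with embedded NUL: %d\n",
           first_nul_arg(args, lens, count));
    return 0;
}
```

Two things fall out of running it: the injected --exec=id becomes its own argv entry even though the caller only ever built four arguments, and because the native side stops after `count` strings, the original trailing argument (HEAD) is silently dropped, which is why an attacker injecting this way has to account for whatever arguments came after the one they control.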