bitbucket parser is missing HMAC signature verification #209
Description
Unlike for github and gitlab, this repository does not validate signatures for bitbucket webhooks. This is a major security issue.
For bitbucket webhooks, there are two pieces of information:
- UUID
- HMAC secret
They cannot be the same, as the HMAC secret must not appear in the message itself.
The HMAC signing was added in 2023: https://www.atlassian.com/blog/bitbucket/enhanced-webhook-security
Currently this repository check the UUID but it does not check the HMAC signature.