Closed Bug 1290507 Opened 8 years ago Closed 7 years ago

Request to grant DataHero to all Github mozilla org repos

Categories

(Security Assurance :: General, task)

x86_64
Linux
task
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: gene, Unassigned)

Details

Andrea has requested that DataHero be granted access to the github mozilla org (github.com/mozilla)

"Granting access will give this application the ability to access private data in the mozilla organization. "

Please review what data would be made available to DataHero and what security practices DataHero employs to protect this data (this may involve a vendor security review).

https://github.com/orgs/mozilla/policies/applications/40563
Hey there, I am just curious about this software and they offered a 14-day trial. I am just kicking tires. I can already see what I need to see in order to evaluate the software. I only need it to be able to access MozillaFoundation/Advocacy. Does that help?
:andreawood,
   Sounds good. If you're looking to use it on https://github.com/MozillaFoundation/Advocacy then I think you may have tried to enable it on the wrong GitHub organization, because the request came in on https://github.com/mozilla, not https://github.com/MozillaFoundation.

If that's the case, since https://github.com/MozillaFoundation/Advocacy is a public repo, you may be able to just add it to the MozillaFoundation github org, deny its access to private content, and it should still work.

If that doesn't work and it indeed requires access to private data, then, because it's a tool which operates at a GitHub Organization-wide level (not a repo level), we should review what that data is (in the MozillaFoundation org) and how DataHero handles it before granting them access to it.
OK -- Right now it is only pulling data from MozillaFoundation/Advocacy. I'm not sure why / how it sent a request to other repos. Might be a bug on their end, honestly.

Here's a screengrab:
https://www.evernote.com/l/AMpKddBKvO1Nt5zFfrTDfMMk-1Rg_Mi9XzU

So perhaps we can close this bug?
Maybe Hal can help figure this out (as he's an admin of both orgs). Hal, any idea what's going on here? In the MozillaFoundation org do you see DataHero as an approved third party provider? If so, then maybe the request to the "Mozilla" org was just a mistake and the right one went to MozillaFoundation (and somebody approved it potentially, I don't have a view).

If it is now an approved third party site in the MozillaFoundation org, we should still review it since the access it would have is not repo specific but instead applies to the whole org.
Assignee: jbryner → gene
Flags: needinfo?(hwine)
(In reply to Gene Wood [:gene] from comment #4)
> Maybe Hal can help figure this out (as he's an admin of both orgs).

Actually, I'm not -- I have no idea who is. 'MozillaFoundation' isn't even listed at:
  https://wiki.mozilla.org/Github#Is_.22mozilla.22_the_only_github_.22organization.22_related_to_Mozilla.3F

I'll see if I can get that information via email.

> Hal,
> any idea what's going on here?

No idea -- the Advocacy repo doesn't exist in the 'mozilla' organization, yet the email clearly mentions the mozilla org.
Flags: needinfo?(hwine)
Assignee: gene → hwine
I added Chris De Cairos from the Foundation who can probably help answer some of these Qs.
Flags: needinfo?(cade)
(In reply to Hal Wine [:hwine] (use NI) from comment #5)
> (In reply to Gene Wood [:gene] from comment #4)
> > Maybe Hal can help figure this out (as he's an admin of both orgs).
> 
> Actually, I'm not -- I have no idea who is. 'MozillaFoundation' isn't even
> listed at:
>   https://wiki.mozilla.org/Github#Is_.22mozilla.22_the_only_github_.22organization.22_related_to_Mozilla.3F

We should totally add it in there!

I think what happened here is that when DataHero asked for access to Andrea's GitHub Account, it asked for access to all of the organizations she belongs to, even though she only wanted to use it for one repository.

Seems like a classic tale of a service not requesting specific enough permissions when connecting to someone's account...

That said, we can probably ignore the request on the mozilla org. 

I've enabled third party access restrictions on our MozillaFoundation org though, so Andrea, you will probably have to request access for DataHero again because I don't see a request for it in my org settings page.

I also am not impressed that their privacy policy link here: https://datahero.com/what-is-datahero/security/ links to "localhost:9000"
Flags: needinfo?(cade)
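The point made in the comment above (and in the earlier suggestion to add the app to the MozillaFoundation org but deny it private content) is that a GitHub OAuth grant is attached to the user's account, not to one repository: a token with the `repo` scope reaches every private repository the user can see in every org she belongs to, unless that org has third-party application access restrictions enabled and has not approved the app. The following is an added audit example, not code from this bug, from Mozilla or from DataHero. It assumes only the documented GitHub scope hierarchy and the `X-OAuth-Scopes` response header; the `X-OAuth-Scopes` value and the org list are constructed, and the org dict fields (`login`, `restricted`, `app_approved`) are this example's own shape, not the GitHub API's.

```python
"""Least-privilege audit of a GitHub OAuth grant (added example, not from the bug).

Inputs are constructed: a plausible `X-OAuth-Scopes` response header value and a
hand-built list of organizations. The org dict fields are this example's own.
"""

# Scope hierarchy as documented by GitHub: a scope implies everything beneath it.
SCOPE_IMPLIES = {
    "repo": {"repo:status", "repo_deployment", "public_repo", "repo:invite",
             "security_events"},
    "admin:org": {"write:org", "read:org"},
    "write:org": {"read:org"},
    "admin:repo_hook": {"write:repo_hook", "read:repo_hook"},
    "write:repo_hook": {"read:repo_hook"},
    "user": {"read:user", "user:email", "user:follow"},
}

# Minimum scope set for a stated need. Reading a public repo needs no scope at
# all; OAuth apps have no read-only private-repo scope, so that need costs `repo`.
MINIMUM_SCOPES = {
    "read public repo": set(),
    "read private repo": {"repo"},
    "read org membership": {"read:org"},
}


def expand_scopes(granted):
    """Transitive closure of a scope set under SCOPE_IMPLIES."""
    effective, todo = set(), list(granted)
    while todo:
        scope = todo.pop()
        if scope not in effective:
            effective.add(scope)
            todo.extend(SCOPE_IMPLIES.get(scope, ()))
    return effective


def parse_scope_header(header_value):
    """Parse the comma-separated `X-OAuth-Scopes` header value GitHub returns."""
    return {s.strip() for s in header_value.split(",") if s.strip()}


def audit_grant(scope_header, orgs, need):
    """Compare what a token can do with what the user actually needs.

    orgs: list of dicts {"login", "restricted", "app_approved"} (constructed
    shape). Returns the effective scopes, the scopes in excess of the minimum
    for `need`, and the orgs whose private repos the token can reach.
    """
    effective = expand_scopes(parse_scope_header(scope_header))
    minimum = expand_scopes(MINIMUM_SCOPES[need])
    excess = effective - minimum
    exposed = []
    if "repo" in effective:
        for org in orgs:
            # Third-party access restrictions only help while the app is unapproved.
            if not org["restricted"] or org["app_approved"]:
                exposed.append(org["login"])
    return {"effective": effective, "excess": excess, "exposed_orgs": exposed}


# Constructed inputs mirroring the situation in the bug: the app asked for
# `repo` although the user only wanted to read one public repository, one org
# has third-party restrictions on (app not approved) and the other does not.
SAMPLE_SCOPES = "repo, read:org"
SAMPLE_ORGS = [
    {"login": "mozilla", "restricted": True, "app_approved": False},
    {"login": "MozillaFoundation", "restricted": False, "app_approved": False},
]

if __name__ == "__main__":
    report = audit_grant(SAMPLE_SCOPES, SAMPLE_ORGS, "read public repo")
    print("effective scopes:", sorted(report["effective"]))
    print("excess for 'read public repo':", sorted(report["excess"]))
    print("orgs whose private repos are reachable:", report["exposed_orgs"])
```

Run against the constructed inputs, every granted scope is excess (reading a public repo needs none), and the unrestricted org's private repos are reachable while the restricted org's are not. Turning on third-party application access restrictions, as done for the MozillaFoundation org in the comment above, is what moves an org from the second category to the first until someone explicitly approves the app.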
:cade aha, good idea. That would make sense (regarding why the request went to the "mozilla" org).

That aside though, regardless of which github org we're talking about, if it's one that Mozilla (moco or mofo) is responsible for, we (infosec) should review the private data that's present in the github org ("MozillaFoundation" in this case) and the vendor practices of DataHero to ensure that it's safe.

:cade is your intent to grant access to DataHero for the MozillaFoundation org? If so we really should review the data and the vendor first for security.
Flags: needinfo?(cade)
I wasn't planning on allowing it just yet.

The MozillaFoundation org has six private repos, five of which don't seem to be very active right now, and one that we use to collaborate on security bugs and on other user data related tasks.

I'm always game for a proper RRA and vendor review.
Flags: needinfo?(cade)
It was only a trial. I don't believe it made any subsequent request for data after the initial pull from my repo. There's no further action needed, you can deny access to DataHero for now. If we decide to use it I will talk to Chris first to make sure I don't break anything. 

Thanks all.
I don't think this bug is actionable at this point, and certainly not by me. :)

Gene - you probably want to close.
Assignee: hwine → nobody
Status: ASSIGNED → NEW
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED