Closed Bug 1506258 (bmo-phab-missing-userids) Opened 6 years ago Closed 5 years ago

Phabricator gets stuck if users disappear from BMO

Categories

(bugzilla.mozilla.org :: Phabricator Integration, defect)

Product:
bugzilla.mozilla.org
Component:
Phabricator Integration
Version:
Production
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED INCOMPLETE

People

(Reporter: dylan, Assigned: dylan)

References

(Depends on 1 open bug)

Details

(Keywords: conduit-triaged)

Attachments

(1 file)

missing_users.csv
435 bytes, text/csv
Details
Attached file missing_users.csv 
We assumed that user ids never disappear, but in some cases they can. Attached to this bug is a list of userids that do not exist.

- we need to check and fix any of these that still exist in phabricator
- the merge-users.pl script needs be not be used, or we need to guarantee this doesn't happen
- Either Bugzilla::Extension::PhabBugz::User needs to make bugzilla_user is never undefined (by changing the type to User instead of Maybe[User]), or *every* call site must check for it being undefined.
Alias: bmo-phab-missing-userids
Can you query if any of the userids in the attached file exist on phabricator?
Flags: needinfo?(dkl)
Flags: needinfo?(dkl)
Depends on: 1507812
I coincidentally came across this bug and saw potentially sensitive information in the database dumps in comment 3, comment 4 and comment 5. Out of caution, I'm marking this bug as mozilla-confidential to limit the exposure of this information.

If the information isn't that sensitive, disregard my comment and remove the mozilla-confidential flag.
If the bug should be public, I think that you can ask the BMO admins to purge these comments before marking the bug as public.
Group: mozilla-employee-confidential
(In reply to Rob Wu [:robwu] from comment #6)
> I coincidentally came across this bug and saw potentially sensitive
> information in the database dumps in comment 3, comment 4 and comment 5. Out
> of caution, I'm marking this bug as mozilla-confidential to limit the
> exposure of this information.

Thanks for catching this and taking action.

dkl: It seems you've leaked a couple 'accountSecret' fields, which definitely sounds sensitive. Am I missing something that indicates these aren't sensitive in our case? If not, any idea what the exact purpose of the field is and how we can ensure they are rotated?
Flags: needinfo?(dkl)
(In reply to Steven MacLeod [:smacleod] from comment #7)
> (In reply to Rob Wu [:robwu] from comment #6)
> > I coincidentally came across this bug and saw potentially sensitive
> > information in the database dumps in comment 3, comment 4 and comment 5. Out
> > of caution, I'm marking this bug as mozilla-confidential to limit the
> > exposure of this information.
> 
> Thanks for catching this and taking action.
> 
> dkl: It seems you've leaked a couple 'accountSecret' fields, which
> definitely sounds sensitive. Am I missing something that indicates these
> aren't sensitive in our case? If not, any idea what the exact purpose of the
> field is and how we can ensure they are rotated?

In hind-sight, this bug should have been private or I should have taken more care to clean out the accountSecret value before posting as a comment. The accountSecret value is used for email verification and account resets. The accountSecret is auto-generated when the new account is added to the system. It is used along side another random 32 character string which are both hashed for generating URIs suitable for resetting a password if locked out.

dkl
Flags: needinfo?(dkl)
can you just blank out those comments? This bug is about making bugzilla have proper null checks, the details don't matter for that.
Flags: needinfo?(dkl)
Flags: needinfo?(dkl)
Group: mozilla-employee-confidential
Keywords: conduit-triaged
Type: enhancement → defect
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → INCOMPLETE
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: