Closed Bug 1515100 Opened 6 years ago Closed 6 years ago

Display warning about not leaking information in Lando for confidential revisions

Categories

(Conduit :: Lando, enhancement)

Product:
Conduit
Component:
Lando
Version:
Production
Type:
enhancement
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
RESOLVED FIXED

People

(Reporter: mcote, Assigned: imadueme)

References

(Blocks 1 open bug)

Details

(Keywords: conduit-story, conduit-triaged)

Attachments

(2 files)

transplants: Add security bug approval process warning (bug 1515100)
47 bytes, text/x-phabricator-request
Details | Review
template_helpers: autolink to Security Bug Approval Process wiki (bug 1515100)
47 bytes, text/x-phabricator-request
Details | Review
When someone is about to land a confidential revision, we should warn them about not including revealing information in the commit message. There are some guidelines at https://wiki.mozilla.org/Security/Bug_Approval_Process. Although we don't follow all of them exactly, there is some good information there about how to be careful with security patches. There is more we can and should do to automatically enforce and/or help with some of these policies, but we should start with a simple warning.
Keywords: conduit-story, conduit-triaged
Assignee: nobody → imadueme
Status: NEW → ASSIGNED

So I've verified that BMO already tags a revision with the proper security group project. These projects are accessible via the 'projects' attachment in differential.revision.search.

One problem: I've run into a situation where it could be that a reviewer or subscriber tasked with landing the revision isn't part of the security group connected to that project tag. Phabricator doesn't let you query project information if you aren't a part of that group. Because lando-api uses the user's api key when landing things, we're in the situation where the user can see the revision (since they are a reviewer) but can't see the project.

We'd either need to have lando-api have an all seeing api key, or use the fact that the user can query the revision but not the project to assume it is a confidential revision.

Let me know how you'd like to proceed with this or if I'm misunderstanding something in the doc. Thanks!

Flags: needinfo?(smacleod)

(In reply to Israel Madueme [:imadueme] from comment #2)

Phabricator doesn't let you query project information if you aren't a part of that group.

Am I correct that you mean project.search will not allow you to query the project, but differential.revision.search will still return the PHID for the project in the projects attachment? In other words, we can find the PHIDs of the projects, but can't query those PHIDs to find more project information?

If I'm correct:

We'd either need to have lando-api have an all seeing api key, or use the fact that the user can query the revision but not the project to assume it is a confidential revision.

I think a good solution here would be to provide the #secure-revision project's PHID as configuration to Lando. We don't really care about differentiating between different types of security groups, just whether something is confidential or not (at least for now). We could then not bother querying the projects at all, just checking the projects attachment for the PHID we care about.

From your investigation so far do you believe that would work?

Flags: needinfo?(smacleod)

(In reply to Steven MacLeod [:smacleod] from comment #3)

Am I correct that you mean project.search will not allow you to query the project, but differential.revision.search will still return the PHID for the project in the projects attachment? In other words, we can find the PHIDs of the projects, but can't query those PHIDs to find more project information?

Yup, exactly.

We'd either need to have lando-api have an all seeing api key, or use the fact that the user can query the revision but not the project to assume it is a confidential revision.

I think a good solution here would be to provide the #secure-revision project's PHID as configuration to Lando. We don't really care about differentiating between different types of security groups, just whether something is confidential or not (at least for now). We could then not bother querying the projects at all, just checking the projects attachment for the PHID we care about.

This will work, but, do we care about only showing these messages for specific repos? E.g. the same message shows up for mozilla-central and vct? I guess this is at least a good start.

Flags: needinfo?(smacleod)

(In reply to Israel Madueme [:imadueme] from comment #4)

This will work, but, do we care about only showing these messages for specific repos? E.g. the same message shows up for mozilla-central and vct? I guess this is at least a good start.

Ya, this can be all repositories. Our focus is Firefox but it's not a big deal to warn other people when landing sensitive changes.

Flags: needinfo?(smacleod)

Prior to this commit lando-api could not differentiate between a secure
revision and a public revision; it could only see or not see a revision.
This change allows the api to inform clients if a revision that they can
see is a security revision.

Attachment #9041810 - Attachment description: stacks: Add 'is_secure' field (bug 1515100) → transplants: Add security bug approval process warning (bug 1515100)

Linkify 'Security Bug Approval Process' to the appropriate wiki in landing warnings.

Status: ASSIGNED → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: