Closed Bug 598765 Opened 14 years ago Closed 14 years ago

Security Review for Customer Care

Categories

(mozilla.org :: Security Assurance: Applications, task)

task
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: abuchanan, Assigned: mcoates)

References

Details

Code not ready yet, just filing in advance.  Shooting for code freeze on Thursday night.
Assignee: infrasec → mcoates
We can't really commit to a time unless we know how much code we are dealing with. We usually request a week for a review; depending upon the size of the code, that can go up or down.
(In reply to comment #1)
> We can't really commit to a time unless we know how much code we are dealing
> with. We usually request a week for a review, depending upon the size of the
> code, that can go up or down.

Understood.  I think you'll see the amount of code is very small.  I'll be able to hand off code first thing Friday (tomorrow) morning at the latest.
(In reply to comment #2)
> (In reply to comment #1)
> > We can't really commit to a time unless we know how much code we are dealing
> > with. We usually request a week for a review, depending upon the size of the
> > code, that can go up or down.
> 
> Understood.  I think you'll see the amount of code is very small.  I'll be able
> to hand off code first thing Friday (tomorrow) morning at the latest.

Well it's not Friday morning :) but I have some code:

http://github.com/fwenzel/kitsune/tree/custcare

I think you want to pay attention to apps/customercare and apps/twitter


Let me know if I can explain the workflow or help somehow.  

Thanks
Alex,

Can you update this bug with the information requested here:
https://wiki.mozilla.org/WebAppSec/Security_Review_Request


Thanks!
A quick intro to what this app does.
App shows recent tweets that mention Firefox, allows the user to sign into their Twitter account using OAuth, and respond to these tweets. The tweet reply dialog also includes pre-written messages that the user can respond with. These messages are retrieved from a database, and SUMO admins can edit the message categories and text.
  
1. Where is the source code located?  
http://github.com/fwenzel/kitsune/tree/custcare
(will update you when it's been merged to master)

2. Is there a stage server running that we can also test against?  If so, please indicate what machine the web server is running on.  
https://184.106.236.207/en-US/army-of-awesome
(will update you when it's been staged at master.support.m.c)

3. Where would you like the bugs filed in bugzilla? Please specify the product, component and if anyone specific should be copied on the bugs.
Product: support.mozilla.com
Component: Component
Link: https://bugzilla.mozilla.org/enter_bug.cgi?product=support.mozilla.com&component=Customer%20Care

4. Please describe if this app will be connecting to any internal or external services or if it is able to interact with the OS.  
Twitter -- queries search API to collect tweets.  Implements Twitter OAuth

5. Does this app support logins or multiple roles? If so, we'll need test accounts created for each available role.  
Twitter login, yes, uses your Twitter account

6. What is the worst case scenario that could happen with this system, data or connected systems? (This is used to help understand the criticality of this server.)
Twitter OAuth compromised.

7. This review will be scheduled amongst other requested reviews. What is the urgency or needed completion date of this review?
Urgent.  Target launch is Thursday 9/30
Sorry for the short notice :(
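The review request above names the worst case as "Twitter OAuth compromised", so the two things a reviewer checks first in a Twitter OAuth integration are that request signing is done correctly (a wrong signature base string leads people to "fix" it by loosening checks) and that the callback leg is bound to the session that started it. The following is an added example written for this page, not code from the Kitsune/SUMO repository; it assumes the app uses Twitter's OAuth 1.0a flow (request token, user authorization, callback with oauth_verifier, access token), which is what Twitter offered at the time, and that the request token and its secret are held server-side in the session between redirect and callback. The consumer key, secrets, nonce, timestamp and URLs are constructed sample values, not real credentials or the project's endpoints.

```python
"""OAuth 1.0a (RFC 5849) HMAC-SHA1 signing plus callback validation.

Added example for the Customer Care security review; not Kitsune/SUMO code.
Assumptions: Twitter OAuth 1.0a three-legged flow; the request token the
app started with is stored server-side in the user's session.  All keys,
secrets and request parameters below are constructed for illustration.
"""
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qsl, quote, urlsplit, urlunsplit


def pct(value) -> str:
    """RFC 3986 percent-encoding as OAuth 1.0a requires: only unreserved
    characters (A-Z a-z 0-9 - . _ ~) stay literal, space becomes %20."""
    return quote(str(value), safe="-._~")


def base_string_uri(url: str) -> str:
    """Lower-case scheme/host, drop default ports, strip the query string."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = parts.hostname.lower()
    port = parts.port
    if port and not ((scheme == "http" and port == 80) or (scheme == "https" and port == 443)):
        host = f"{host}:{port}"
    return urlunsplit((scheme, host, parts.path or "/", "", ""))


def signature_base_string(method: str, url: str, params: dict) -> str:
    """Collect query + oauth/body params (minus oauth_signature), encode each
    key and value, sort by (key, value), join as k=v with '&', then encode
    the joined string once more.  Getting any of these steps wrong is the
    usual reason signatures 'mysteriously' fail."""
    pairs = [(pct(k), pct(v)) for k, v in parse_qsl(urlsplit(url).query, keep_blank_values=True)]
    pairs += [(pct(k), pct(v)) for k, v in params.items() if k != "oauth_signature"]
    pairs.sort()
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(base_string_uri(url)), pct(normalized)])


def sign(method: str, url: str, params: dict, consumer_secret: str, token_secret: str = "") -> str:
    """HMAC-SHA1 over the base string, keyed with 'consumer_secret&token_secret'
    (token secret empty on the request-token leg)."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    digest = hmac.new(key, signature_base_string(method, url, params).encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def verify(method: str, url: str, params: dict, consumer_secret: str, token_secret: str = "") -> bool:
    """Recompute and compare in constant time; this is what the provider does
    with our request, and what we would do if we ever accepted signed calls."""
    expected = sign(method, url, params, consumer_secret, token_secret)
    return hmac.compare_digest(expected, params.get("oauth_signature", ""))


def oauth_params(consumer_key: str, token: str = None, callback: str = None, verifier: str = None) -> dict:
    """Fresh oauth_* parameters for one request (nonce must never repeat)."""
    p = {
        "oauth_consumer_key": consumer_key,
        "oauth_nonce": secrets.token_hex(16),
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(int(time.time())),
        "oauth_version": "1.0",
    }
    if token:
        p["oauth_token"] = token
    if callback:
        p["oauth_callback"] = callback
    if verifier:
        p["oauth_verifier"] = verifier
    return p


def validate_callback(session: dict, callback_params: dict) -> bool:
    """Callback leg of OAuth 1.0a.  The oauth_token Twitter sends back must be
    the request token *this* session started with, and an oauth_verifier must
    be present (the 1.0a fix for the 1.0 session-fixation attack).  A mismatch
    means the token was authorized in someone else's session and must not be
    exchanged for an access token."""
    expected = session.get("request_token") or ""
    token = callback_params.get("oauth_token", "")
    verifier = callback_params.get("oauth_verifier", "")
    return bool(expected) and bool(verifier) and hmac.compare_digest(expected, token)


if __name__ == "__main__":
    # Constructed sample: signing a tweet reply with a (fake) access token.
    url = "https://api.twitter.com/1.1/statuses/update.json"
    params = oauth_params("sample-consumer-key", token="sample-access-token")
    params["status"] = "@someone Thanks for the report! Try safe mode: ..."
    params["oauth_signature"] = sign("POST", url, params, "consumer-secret", "token-secret")
    print("valid:", verify("POST", url, params, "consumer-secret", "token-secret"))
    print("callback ok:", validate_callback({"request_token": "req-1"},
                                            {"oauth_token": "req-1", "oauth_verifier": "v"}))
```

Running the module signs a constructed status update and checks it, then shows the callback check accepting a token that matches the session. The point of keeping `verify` and `validate_callback` separate is that a correct signature on the access-token exchange does not by itself prove the callback belongs to the current user; only the session-bound request token comparison does.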
I've started looking at the code. I can make some progress with just code, but I'll need the full running app for testing. The app isn't too complex so the testing should go quickly.  

Plan on giving me at least 2 full days between completion of the app and your go live date.  Of course you'll need to budget some time in there to fix any identified issues.

If the app is working tonight/tomorrow morning then I can use Tuesday and Wednesday for the rest of testing.
(In reply to comment #6)
> I've started looking at the code. I can make some progress with just code, but
> I'll need the full running app for testing. The app isn't too complex so the
> testing should go quickly.  
> 
> Plan on giving me at least 2 full days between completion of the app and your
> go live date.  Of course you'll need to budget some time in there to fix any
> identified issues.
> 
> If the app is working tonight/tomorrow morning then I can use Tuesday and
> Wednesday for the rest of testing.


https://184.106.236.207/en-US/army-of-awesome
^ should work until we get master.support.m.c updated (tonight)


The relevant code can be considered complete.  Only things left are CSS fixes.


Thanks.
What is the git command to pull down the relevant code? The standard git clone for this resource skips the customercare and twitter directories. Is the other code in scope at all or unrelated?
You might try...

git fetch origin custcare
git checkout -b custcare remotes/origin/custcare
Ah, just downloading the zip file worked.
Removing bugs 600369, 600382, and 600394 as blockers since they affect SUMO in general, not Customer Care specifically
No longer depends on: 600382, 600394
(In reply to comment #12)
> Removing bugs 600369, 600382, and 600394 as blockers since they affect SUMO in
> general, not Customer Care specifically

Will they be resolved before customer care is live?  While the bugs may also relate to SUMO as a whole, the twitter aspect of customer care will be a target for attackers and I'd like to make sure these additional security controls are in place.
(In reply to comment #13)
> (In reply to comment #12)
> > Removing bugs 600369, 600382, and 600394 as blockers since they affect SUMO in
> > general, not Customer Care specifically
> 
> Will they be resolved before customer care is live?  While the bugs may also
> relate to SUMO as a whole, the twitter aspect of customer care will be a target
> for attackers and I'd like to make sure these additional security controls are
> in place.

We *might* be able to get 600382 and 600394 in for the initial launch.  I'd have to research how much work those will take.

600369 (brute force blocking) is likely too big a project.
(In reply to comment #13)
> Will they be resolved before customer care is live?  While the bugs may also
> relate to SUMO as a whole, the twitter aspect of customer care will be a target
> for attackers and I'd like to make sure these additional security controls are
> in place.

Of those three bugs:
* Bug 600382 is trivial, and I've moved it back into 2.2.5 and will handle it.
* Bug 600394 is non-trivial, and will likely take more time than we have before 2.2.5 is supposed to launch.
* Bug 600369 is not possible before SUMO 2.4, since the primary login/logout is still handled by Tiki, and involves patching upstream code, anyway, so is far more complex than we can do by Tuesday.
The initial security review is complete. I'll take a look at the next version of code on Monday to review the fixes.
Via email from Michael: "All security bugs have been addressed and verified on master."

Closing this bug as FIXED.
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED