Closed Bug 599979 Opened 14 years ago Closed 12 years ago

Security review for bugzilla-push extension

Categories

(mozilla.org :: Security Assurance: Applications, task)

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: christian, Assigned: dchanm+bugzilla)

(Whiteboard: [completed secreview])

# A quick intro to what this app does.

A Bugzilla server-side extension that enables integration with a message broker via AMQP or STOMP. I want to roll this out on bmo this quarter.

# Where is the source code located?

http://github.com/LegNeato/bugzilla-push

# Is there a stage server running that we can also test against? If so, please indicate what machine the web server is running on.

https://landfill.bugzilla.org/push/

# Where would you like the bugs filed in bugzilla? Please specify the product, component and if anyone specific should be copied on the bugs.

Don't have one set up yet. I guess file a ticket on GitHub or send me an email. I'll work on getting a component up.

# Please describe if this app will be connecting to any internal or external services or if it is able to interact with the OS.

It will be interacting with bmo's Bugzilla install and pulse.mozilla.org.

# Does this app support logins or multiple roles? If so, we'll need test accounts created for each available role.

The broker does. For security we are planning to deploy with it wide open (and not send messages about items a public user can't see).

# What is the worst case scenario that could happen with this system, data or connected systems? (This is used to help understand the criticality of this server.)

Private bug information (security, MoCo, legal, etc.) could be exposed.

# This review will be scheduled amongst other requested reviews. What is the urgency or needed completion date of this review?

Not too urgent, though there is a quarterly goal to have pulse.mozilla.org up, running, and supported. Pulse is a lot less useful without this in place on bmo.
Blocks: 589322
By "this quarter" above I mean Q4.
Added a Bugzilla component, WebTools/Pulse.
Assignee: server-ops → infrasec
Component: Server Operations: Security → Infrastructure Security: Web Security
Assignee: infrasec → mcoates
Depends on: 606362
The review of the server-side bugzilla-push extension has been completed. The extension does not push out sensitive bug data by default. We would like to conduct a follow-up review of the infrastructure/setup if sensitive data starts being pushed.

This bug will remain open pending triage of the dependent bugs.
Thanks!
Assignee: mcoates → dchan
Whiteboard: [completed secreview]
QA Contact: chris → mcoates
QA Contact: mcoates → jstevensen
Closing stale bug.

The bugzilla-push extension has undergone significant refactoring, and there was an updated review of the new code in bug 757702.
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED