Closed
Bug 684270
Opened 14 years ago
Closed 13 years ago
Security review for Mozmill Results Dashboard
Categories
(mozilla.org :: Security Assurance: Applications, task, P3)
mozilla.org
Security Assurance: Applications
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: whimboo, Assigned: rforbes)
Details
(Whiteboard: [completed secreview])
1. A quick intro to what this app does.
The different instances of the website are used to track test failures of our Mozmill test-runs against all supported versions of Firefox. Results will be uploaded by any community members. See the following URL for an example of our daily and release tests:
http://mozmill-release.brasstacks.mozilla.com/
2. Where is the source code located?
See the URL field.
3. Is there a stage server running that we can also test against? If so, please indicate what machine the web server is running on.
As staging server we are using another instance of the dashboard on brasstacks:
http://mozmill-archive.brasstacks.mozilla.com/
4. Where would you like the bugs filed in bugzilla? Please specify the product, component and if anyone specific should be copied on the bugs.
Product: Mozilla QA, Component: Mozmill Result Dashboard
5. Please describe if this app will be connecting to any internal or external services or if it is able to interact with the OS.
There are no connections to any internal or external service. Testers will upload JSON blobs with test results which get stored in CouchDB. Those results will be displayed on the website.
6. Does this app support logins or multiple roles? If so, we'll need test accounts created for each available role.
No, there is no support for that at the moment.
7. What is the worst case scenario that could happen with this system, data or connected systems? (This is used to help understand the criticality of this server.)
I'm not a security expert, so it's hard to tell. But people could inject malicious JavaScript code with the report, which then could be executed on the user's system.
8. Does this website contain an administration page? If so, have the admin page blockers (listed here) all been addressed?
No, there is no admin page. Administration happens via the CouchDB interface behind the firewall.
9. This review will be scheduled amongst other requested reviews. What is the urgency or needed completion date of this review?
No completion date necessary to specify. Just do it when you have time.
Currently we are working on a completely new version of the dashboard which will make use of Django and ElasticSearch. So just be warned that the current code from the above repository is far from being optimal.
For any questions you can also get in contact with me on IRC (:whimboo).
Thanks.
Updated•14 years ago (Assignee)
Assignee: infrasec → rforbes
Updated•14 years ago
Priority: -- → P3
Comment 1•13 years ago
Hey Henrik,
to continue the review, there are a few more things we would like to ask:
1) How do the Testers upload the JSON blobs? Do you have code examples?
2) How do you reach CouchDB's web interface (Futon)?
Thanks,
Freddy
Comment 2•13 years ago (Reporter)
(In reply to Frederik Braun [:freddyb] from comment #1)
> to continue the review, there are a few more things we would like to ask:
> 1) How do the Testers upload the JSON blobs? Do you have code examples?
The JSON reports are getting uploaded directly by Mozmill. To exercise it yourself, please follow these steps:
1. Download and unzip the environment for your platform: http://people.mozilla.com/~hskupin/downloads/mozmill-env/
2. Run: mozmill-env/run.sh hg clone http://hg.mozilla.org/qa/mozmill-automation/
3. Run: mozmill-env/run.sh mozmill-automation/testrun_l10n.py --report=http://mozmill-crowd.brasstacks.mozilla.com/db/ %path_to_firefox%
4. Check your report: http://mozmill-crowd.brasstacks.mozilla.com/#/l10n/reports
> 2) How do you reach CouchDB's web interface (Futon)?
This is behind LDAP and only accessible from within MPT, or via the right user/pass when accessing the CouchDB (as given above).
If you have more questions you can also find me on IRC in #automation.
Comment 3•13 years ago
Sorry for not keeping this updated (as well).
The security review is completed and waits for 703789 to be fixed (i.e. implement validation).
Whiteboard: [pending secreview] → [completed secreview]
Updated•13 years ago
QA Contact: mcoates → jstevensen
Comment 4•13 years ago (Reporter)
The small follow-up patch has been landed this morning:
https://github.com/whimboo/mozmill-dashboard/pull/28/files
I have forced an update of all of our dashboard instances so we are now running the code with the recent validation addition.
Thanks David!
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
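As an added illustration of the validation the review asked for (this is not code from the mozmill-dashboard project or from the linked pull request), the block below allow-lists the fields of an uploaded report document and escapes values before they reach the page; the field names, patterns and sample documents are assumptions:

```javascript
// Added illustration, not code from the mozmill-dashboard repository.
// Field names and value patterns below are assumed, not the real report schema.
const REPORT_FIELDS = {
  report_type: /^[a-z0-9_-]{1,32}$/,
  app_name:    /^[A-Za-z0-9 ._-]{1,64}$/,
  app_version: /^[0-9][0-9A-Za-z.]{0,31}$/,
  platform:    /^[A-Za-z0-9_-]{1,32}$/,
  time_start:  /^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z$/,
};
const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Reject anything that is not a plain object with exactly the expected
// string fields (each matching its allow-list pattern) plus a results array.
function validateReport(doc) {
  if (!doc || typeof doc !== "object" || Array.isArray(doc)) {
    return { ok: false, errors: ["report is not a JSON object"] };
  }
  const errors = [];
  for (const [field, pattern] of Object.entries(REPORT_FIELDS)) {
    const value = doc[field];
    if (typeof value !== "string") errors.push(`${field}: missing or not a string`);
    else if (!pattern.test(value)) errors.push(`${field}: value not allowed`);
  }
  for (const key of Object.keys(doc)) {
    if (!hasOwn(REPORT_FIELDS, key) && key !== "results") errors.push(`${key}: unknown field`);
  }
  if (!Array.isArray(doc.results)) errors.push("results: must be an array");
  return { ok: errors.length === 0, errors };
}

// Escape the five HTML metacharacters so stored values render as text only.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Render one dashboard table row; validation and escaping both apply, so a
// report that slipped past upload-time validation is still shown as text.
function renderSummaryRow(doc) {
  const v = validateReport(doc);
  if (!v.ok) throw new Error("rejected report: " + v.errors.join("; "));
  return `<tr><td>${escapeHtml(doc.app_name)} ${escapeHtml(doc.app_version)}</td>` +
         `<td>${escapeHtml(doc.platform)}</td></tr>`;
}

// Constructed sample documents (not real uploads).
const GOOD_REPORT = { report_type: "firefox-l10n", app_name: "Firefox", app_version: "7.0.1",
                      platform: "linux", time_start: "2011-10-03T12:00:00Z", results: [] };
const MARKUP_REPORT = { ...GOOD_REPORT, app_name: "Firefox <em>nightly</em>" };
```

The validator runs on the upload path; the escaping in the renderer is the second layer that keeps already-stored documents from being interpreted as markup.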
Comment 5•13 years ago (Reporter)
Sorry, meant to close the other bug. Given its status and the feedback from Frederik, what are the next actions here? Could we even close it as fixed?
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Updated•13 years ago (Assignee)
Status: REOPENED → RESOLVED
Closed: 13 years ago → 13 years ago
Resolution: --- → FIXED