Bug 690390 - Security review request for Case Conductor
Status: CLOSED (VERIFIED FIXED)
Opened 14 years ago; closed 14 years ago
Product/Component: mozilla.org :: Security Assurance: Applications (task, P3)
Reporter: camd; Assignee: rforbes
Whiteboard: [in-progress secreview]
1. A quick intro to what this app does.
Case Conductor is a Test Case Management system. We are writing this to replace Litmus for Mozilla QA. This is also an open-source project that anyone can access from Github.
2. Where is the source code located?
The source is in two parts. A platform in Java and a UI in Python/Django:
Platform: https://github.com/mozilla/caseconductor-platform
UI: https://github.com/mozilla/caseconductor-ui
3. Is there a stage server running that we can also test against? If so, please indicate what machine the web server is running on.
https://cc.oddsites.net/
4. Where would you like the bugs filed in bugzilla? Please specify the product, component and if anyone specific should be copied on the bugs.
Product: Mozilla QA
Component:
UI: TCM
Platform: TCM-Platform
Please always CC cdawson@mozilla.com
5. Please describe if this app will be connecting to any internal or external services or if it is able to interact with the OS.
It will have its own database, and won't directly interact with any other internal or external service at this time. It may integrate with Bugzilla at a later time. It won't directly interact with the OS.
6. Does this app support logins or multiple roles? If so, we'll need test accounts created for each available role.
Yes. It has authentication and roles.
Admin: admin@utest.com / pw: admin
User: mcoates@mozilla.com / pw: mozsecurity
7. What is the worst case scenario that could happen with this system, data or connected systems? (This is used to help understand the criticality of this server.)
If a user got admin access, they could systematically delete all the data that was established for tests and products. Worst case scenario would be data destruction of test cases, test suites, test runs, test cycles, products and environment settings and users. So they could wipe out the active objects. There is no facility to delete results of test execution.
8. Does this website contain an administration page? If so, have the admin page blockers (listed here) all been addressed?
Yes, it has an admin page.
We do everything except #1. We have a bug for implementing brute-force prevention:
https://bugzilla.mozilla.org//show_bug.cgi?id=637900 (added to the dependencies for this bug)
9. This review will be scheduled amongst other requested reviews. What is the urgency or needed completion date of this review?
Urgency is low at this point. I just want to get in the queue.
Updated • 14 years ago
Priority: -- → P3

Comment 1 (Assignee) • 14 years ago
This site is complicated enough that it is crushing the scanner I have against it. So far, however, I haven't found anything significant. I should be able to give a definitive answer tomorrow EOD.
Assignee: infrasec → rforbes
Whiteboard: [pending secreview] → [in-progress secreview]
Comment 2 (Reporter) • 14 years ago
Raymond. Agreed. It was way too complicated. We have recently decided to simplify this site. We are going to port it to pure Django. Your work today actually did help us find a few flaws, which Carl is fixing.
But please pause your security review for now. We should have the Django port done around the 1st of Jan or so.
Comment 3 (Reporter) • 14 years ago
Also: apologies for not notifying you sooner. This decision was pretty recent, but I'm to blame for not updating this bug sooner. Though, as I said, your time was not wasted as you did help us find some issues. So sorry, and thanks.
Comment 4 (Assignee) • 14 years ago
No worries. I am closing this review bug; let's make a new one when the new release is ready for testing.
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Updated (Assignee) • 14 years ago
Status: RESOLVED → VERIFIED