Closed Bug 706936 Opened 13 years ago Closed 13 years ago

secreview for Mediawiki-Bugzilla extension

Categories

(mozilla.org :: Security Assurance: Applications, task)

task
Not set
normal

Tracking

(Not tracked)

VERIFIED FIXED

People

(Reporter: lmandel, Unassigned)

References

Details

(Whiteboard: [target JanQ1][secr:rforbes])

1. A quick intro to what this app does.
This Mediawiki extension allows for embedding bugzilla queries into wiki pages. Query results are viewed in a table format within the wiki page.

2. Where is the source code located?
https://github.com/LegNeato/mediawiki-bugzilla

3. Is there a stage server running that we can also test against? If so, please indicate what machine the web server is running on.
Brandon - can you answer this one?

4. Where would you like the bugs filed in bugzilla? Please specify the product, component and if anyone specific should be copied on the bugs.
Bugs should be filed against:
product: Websites
component: wiki.mozilla.org
cc: Brandon Savage (:brandon), Lawrence Mandel (:lmandel)

5. Will this application be collecting any personally identifiable information from users (email address, physical address, phone number, etc)?
No.

6. Please describe if this app will be connecting to any internal or external services or if it is able to interact with the OS.
This extension connects to the public Bugzilla REST API.

7. Does this app support logins or multiple roles? If so, we'll need test accounts created for each available role.
No. This extension accesses Bugzilla data using the anonymous Bugzilla REST API.

8. What is the worst case scenario that could happen with this system, data or connected systems? (This is used to help understand the criticality of this server.)
This extension is accessing publicly available bug information in order to display it in mediawiki. I think the worst case is that too many bugzilla queries (I don't have a sense of how many too many is) could be embedded in a single wiki page causing a large number of queries to hit the Bugzilla server.

9. Does this website contain an administration page? If so, have the admin page blockers (listed here) all been addressed?
There is no admin page.

10. This review will be scheduled amongst other requested reviews. What is the urgency or needed completion date of this review?
This is not a high priority but we would like to deploy this extension to wiki.mozilla.org in 4Q. The normal turnaround (1-2 weeks) should be fine.
Brandon - Can you please review and provide a link to a staging server if you have one?
Would January work? There are only a few work weeks left in the quarter and we are busy with security work on major goals such as BrowserID and AppStore.
As much as I'd like to complete this 4Q goal in 4Q it clearly is a lower priority. Can we schedule early Jan now so that we can complete the review and (hopefully) get this deployed in early Jan?
Whiteboard: [pending secreview] → [pending secreview][target JanQ1]
Some more information from Brandon:

1. More details about the service including usage can be found in the readme at https://github.com/brandonsavage/mediawiki-bugzilla

3. Brandon will set up a stage server and provide details once it's ready.

8. As I stated in comment 0, the extension could be used to initiate a large number of bugzilla queries. While this could potentially be used to initiate a DOS or DDOS attack against Bugzilla, this possibility is remote since the implementation caches the results for a period of time.
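The query-amplification risk raised in item 8 of comment 0 and item 8 above, together with the result caching named as its mitigation, as an added illustration that is not part of the extension or of this bug: a dispatcher that caches results per normalized query for a TTL and caps the number of uncached queries one page render may send upstream. `fake_bugzilla`, `FakeClock`, the 600-second TTL and the budget of 10 are constructed placeholders, not values from the project.

```python
import time
from typing import Any, Callable, Dict, List, Optional, Tuple


def normalize(params: Dict[str, Any]) -> Tuple[Tuple[str, str], ...]:
    """Canonical cache key: the same query written with a different
    parameter order must collapse onto a single upstream request."""
    return tuple(sorted((k, str(v)) for k, v in params.items()))


class QueryDispatcher:
    """Sits between the wiki page and the Bugzilla REST API and bounds
    how many upstream requests one page render can trigger:
      * results are cached per normalized query for `ttl` seconds;
      * at most `max_upstream` uncached queries per render reach Bugzilla,
        any further ones get None (the page shows a placeholder instead)."""

    def __init__(self, fetch: Callable[[Dict[str, Any]], Any], ttl: float = 600.0,
                 max_upstream: int = 10, clock: Callable[[], float] = time.monotonic):
        self.fetch, self.ttl, self.max_upstream, self.clock = fetch, ttl, max_upstream, clock
        self._cache: Dict[Tuple[Tuple[str, str], ...], Tuple[float, Any]] = {}
        self.upstream_calls = 0  # counter worth exporting to monitoring

    def render(self, queries: List[Dict[str, Any]]) -> List[Optional[Any]]:
        budget, out = self.max_upstream, []
        for params in queries:
            key, now = normalize(params), self.clock()
            hit = self._cache.get(key)
            if hit is not None and now - hit[0] < self.ttl:
                out.append(hit[1])          # served from cache, no upstream call
            elif budget == 0:
                out.append(None)            # per-page budget exhausted: refuse
            else:
                budget -= 1
                self.upstream_calls += 1
                value = self.fetch(params)
                self._cache[key] = (now, value)
                out.append(value)
        return out


# Constructed stand-in for the Bugzilla REST API (placeholder, not the real client).
def fake_bugzilla(params: Dict[str, Any]) -> List[int]:
    return [706936] if params.get("product") == "Websites" else []


class FakeClock:
    """Controllable clock so cache expiry can be exercised offline."""
    def __init__(self) -> None:
        self.t = 0.0

    def __call__(self) -> float:
        return self.t
```

With 32 embedded queries that reduce to 3 distinct ones, only 3 requests reach the stand-in API, and a page that exceeds its budget degrades to placeholders instead of fanning out.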
Lawrence, you can go ahead and access a staging environment here:
http://bsavage.khan.mozilla.org/mediawiki/index.php/Socorro

This took a little longer than it should have due to Khan's unique setup but this should satisfy your requirements. Let me know what else you need.
(In reply to Brandon Savage [:brandon] from comment #5)
> Lawrence, you can go ahead and access a staging environment here:
> http://bsavage.khan.mozilla.org/mediawiki/index.php/Socorro
>
> This took a little longer than it should have due to Khan's unique setup but
> this should satisfy your requirements. Let me know what else you need.

Looks great. Thanks Brandon. I think we're now in a holding pattern until we can get a secreview scheduled in Jan.
Michael - Now that we're into Jan, can we get this on the secreview schedule?
Yep, Yvan will get it on the schedule.
this looks good. go ahead and use it. -r
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Status: RESOLVED → VERIFIED
Whiteboard: [pending secreview][target JanQ1] → [target JanQ1][secr:rforbes]