Closed
Bug 714102
Opened 13 years ago
Closed 12 years ago
Piston safe to use?
Categories: mozilla.org :: Security Assurance: Review Request, task, P5
Tracking: Not tracked
Status: RESOLVED INVALID
People: Reporter: andy+bugzilla, Assigned: ygjb
Whiteboard: [pending secreview][start mm/dd/yyyy][target mm/dd/yyyy][score:8::Low]
I'd like to expose Piston to end users using 3-legged OAuth on addons.mozilla.org, so that end users can upload apps and so on. Currently we only use it internally for other Mozilla apps to talk to. I'd like to allow wider access.
We've had questions about piston security, specifically: bug 698184 points out that Piston does not require a CSRF token. The first issue mentioned in bug 698184 is fixed (yaml.safe_load vs yaml.load).
Is this worth a security review?
Where is the source code located?
https://github.com/mozilla/zamboni/tree/master/apps/api
Note: 3-legged auth isn't turned on for end users. But we are using a library that has at least one issue on it (not using CSRF). I would rather fend off bounty requests first.
Is there a stage server running that we can also test against? If so, please indicate what machine the web server is running on.
No, code isn't turned on yet.
Where would you like the bugs filed in bugzilla? Please specify the product, component and if anyone specific should be copied on the bugs.
addons.mozilla.org
Reporter
Comment 1•13 years ago
We are using a fork from Bitbucket that supports OAuth2:
https://github.com/andymckay/django-piston-oauth2
Forked from:
https://bitbucket.org/jespern/django-piston-oauth2
Assignee
Updated•13 years ago
Keywords: sec-review-needed
Whiteboard: [pending secreview] → [pending secreview][secr:yvan]
Updated•13 years ago
QA Contact: mcoates → jstevensen
Updated•13 years ago
Assignee: security-assurance → nobody
Component: Security Assurance: Applications → Security Assurance: Review Needed
QA Contact: jstevensen → security-assurance
Whiteboard: [pending secreview][secr:yvan] → [pending secreview]
Updated•13 years ago
Keywords: sec-review-needed
Whiteboard: [pending secreview] → [pending secreview][start mm/dd/yyyy][target mm/dd/yyyy]
Updated•13 years ago
Assignee: nobody → yboily
Reporter
Comment 2•13 years ago
I'm not going to use Piston on the Marketplace. If you still want to review this for AMO, go for it, but we've been using it for a long time now.
Risk/Priority Ranking Exercise (https://wiki.mozilla.org/Security/RiskRatings):
Priority: 1 (P5) - Age
Operational: 0 - N/A
User: 3 - Major
Privacy: 1 - Minor
Engineering: 1 - Minor
Reputational: 3 - Major
Priority Score: 8
Severity: normal → major
Priority: -- → P5
Whiteboard: [pending secreview][start mm/dd/yyyy][target mm/dd/yyyy] → [pending secreview][start mm/dd/yyyy][target mm/dd/yyyy][score:8::Low]
Assignee
Comment 4•12 years ago
They are using Tastypie instead.
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → INVALID