Closed Bug 714102 Opened 13 years ago Closed 11 years ago

Piston safe to use?

Categories

(mozilla.org :: Security Assurance: Review Request, task, P5)

Tracking

(Not tracked)

RESOLVED INVALID

People

(Reporter: andy+bugzilla, Assigned: ygjb)

References

Details

(Whiteboard: [pending secreview][start mm/dd/yyyy][target mm/dd/yyyy][score:8::Low])

I'd like to expose piston to end users using 3-legged OAuth on addons.mozilla.org so that end users can upload apps and so on. Currently we only use it internally for other Mozilla apps to talk to. I'd like to allow wider access.

We've had questions about piston security, specifically: bug 698184 points out that Piston does not require a CSRF token. The first issue mentioned in bug 698184 is fixed (yaml.safe_load vs yaml.load).

Is this worth a security review?

Where is the source code located?

https://github.com/mozilla/zamboni/tree/master/apps/api

Note: 3 legged auth isn't turned on for end users. But we are using a library that has at least one issue on it (not using CSRF). I would rather fend off bounty requests first.

Is there a stage server running that we can also test against? If so, please indicate what machine the web server is running on.

No, code isn't turned on yet.

Where would you like the bugs filed in bugzilla? Please specify the product, component and if anyone specific should be copied on the bugs.

addons.mozilla.org
Blocks: 704208
We are using a fork from Bitbucket that supports OAuth2:

https://github.com/andymckay/django-piston-oauth2

Forked from:

https://bitbucket.org/jespern/django-piston-oauth2
Whiteboard: [pending secreview] → [pending secreview][secr:yvan]
QA Contact: mcoates → jstevensen
Assignee: security-assurance → nobody
Component: Security Assurance: Applications → Security Assurance: Review Needed
QA Contact: jstevensen → security-assurance
Whiteboard: [pending secreview][secr:yvan] → [pending secreview]
Whiteboard: [pending secreview] → [pending secreview][start mm/dd/yyyy][target mm/dd/yyyy]
Assignee: nobody → yboily
I'm not going to use piston on the marketplace. If you still want to review this for AMO, go for it, but we've been using it for a long time now.
Risk/Priority Ranking Exercise https://wiki.mozilla.org/Security/RiskRatings

Priority: 1 (P5) - Age

Operational: 0 - N/A
User: 3 - Major
Privacy: 1 - Minor
Engineering: 1 - Minor
Reputational: 3 - Major

Priority Score: 8
Severity: normal → major
Priority: -- → P5
Whiteboard: [pending secreview][start mm/dd/yyyy][target mm/dd/yyyy] → [pending secreview][start mm/dd/yyyy][target mm/dd/yyyy][score:8::Low]
They are using tastypie instead.
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → INVALID