I'd like to expose piston to end users using 3-legged OAuth on addons.mozilla.org so that end users can upload apps and so on. Currently we only use it internally for other Mozilla apps to talk to. I'd like to allow wider access.

We've had questions about piston security, specifically: bug 698184 points out that Piston does not require a CSRF token. The first issue mentioned in bug 698184 is fixed (yaml.safe_load vs yaml.load). Is this worth a security review?

Where is the source code located?
https://github.com/mozilla/zamboni/tree/master/apps/api

Note: 3-legged auth isn't turned on for end users. But we are using a library that has at least one issue on it (not using CSRF). I would rather fend off bounty requests first.

Is there a stage server running that we can also test against? If so, please indicate what machine the web server is running on.
No, code isn't turned on yet.

Where would you like the bugs filed in bugzilla? Please specify the product, component and if anyone specific should be copied on the bugs.
addons.mozilla.org
We are using a fork from Bitbucket that supports OAuth2: https://github.com/andymckay/django-piston-oauth2 Forked from: https://bitbucket.org/jespern/django-piston-oauth2
Whiteboard: [pending secreview] → [pending secreview][secr:yvan]
QA Contact: mcoates → jstevensen
Assignee: security-assurance → nobody
Component: Security Assurance: Applications → Security Assurance: Review Needed
QA Contact: jstevensen → security-assurance
Whiteboard: [pending secreview][secr:yvan] → [pending secreview]
Whiteboard: [pending secreview] → [pending secreview][start mm/dd/yyyy][target mm/dd/yyyy]
Assignee: nobody → yboily
I'm not going to use piston on the marketplace. If you still want to review this for AMO, go for it, but we've been using it for a long time now.
Risk/Priority Ranking Exercise
https://wiki.mozilla.org/Security/RiskRatings

Priority: 1 (P5) - Age
Operational: 0 - N/A
User: 3 - Major
Privacy: 1 - Minor
Engineering: 1 - Minor
Reputational: 3 - Major
Priority Score: 8
Severity: normal → major
Priority: -- → P5
Whiteboard: [pending secreview][start mm/dd/yyyy][target mm/dd/yyyy] → [pending secreview][start mm/dd/yyyy][target mm/dd/yyyy][score:8::Low]
They are using tastypie instead.
Status: NEW → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → INVALID