Status

P5
major
RESOLVED INVALID
7 years ago
6 years ago

People

(Reporter: andy+bugzilla, Assigned: ygjb)

Tracking

Details

(Whiteboard: [pending secreview][start mm/dd/yyyy][target mm/dd/yyyy][score:8::Low])

(Reporter)

Description

7 years ago
I'd like to expose piston to end users using 3-legged OAuth on addons.mozilla.org so that end users can upload apps and so on. Currently we only use it internally for other Mozilla apps to talk to. I'd like to allow wider access.

We've had questions about piston security, specifically: bug 698184 points out that Piston does not require a CSRF token. The first issue mentioned in bug 698184 is fixed (yaml.safe_load vs yaml.load).

Is this worth a security review?



Where is the source code located?

https://github.com/mozilla/zamboni/tree/master/apps/api

Note: 3-legged auth isn't turned on for end users. But we are using a library that has at least one issue on it (not using CSRF). I would rather fend off bounty requests first.

Is there a stage server running that we can also test against? If so, please indicate what machine the web server is running on.

No, code isn't turned on yet.

Where would you like the bugs filed in bugzilla? Please specify the product, component and if anyone specific should be copied on the bugs.

addons.mozilla.org
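The description flags that Piston does not require a CSRF token. The block below is an added illustration, not code from this bug, from Piston, or from zamboni: a framework-agnostic synchronizer-token check of the kind a Django-style API layer would need before accepting state-changing requests. The header name `X-CSRFToken` and form field `csrfmiddlewaretoken` follow Django's conventions; `check_request`, `SERVER_SECRET` and the session ids are constructed for the example.

```python
import hashlib
import hmac
from typing import Optional

# Constructed secret for the demo only; a deployment would load this from configuration.
SERVER_SECRET = b"demo-server-secret-not-for-production"

# Methods that must not change state and therefore need no CSRF token.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def issue_csrf_token(session_id: str) -> str:
    """Derive a CSRF token bound to the session with an HMAC, so a token
    obtained in one session cannot be replayed against another."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def csrf_token_is_valid(session_id: str, presented: Optional[str]) -> bool:
    """Constant-time comparison of the presented token with the one the
    server would have issued for this session."""
    if not presented:
        return False
    expected = issue_csrf_token(session_id)
    return hmac.compare_digest(expected, presented)


def check_request(method: str, session_id: str, headers: dict, form: dict):
    """Hypothetical pre-handler check (not Piston's): returns (status, reason).

    The token may arrive in a request header (AJAX clients) or as a form
    field (HTML forms); either is accepted, but unsafe methods without a
    valid token are rejected before the view runs."""
    method = method.upper()
    if method in SAFE_METHODS:
        return 200, "safe method, no token required"
    token = headers.get("X-CSRFToken") or form.get("csrfmiddlewaretoken")
    if not csrf_token_is_valid(session_id, token):
        return 403, "CSRF token missing or invalid"
    return 200, "token accepted"


if __name__ == "__main__":
    sid = "sess-abc"  # constructed session id
    tok = issue_csrf_token(sid)
    print(check_request("GET", sid, {}, {}))
    print(check_request("POST", sid, {}, {}))
    print(check_request("POST", sid, {"X-CSRFToken": tok}, {}))
```

The session binding is the part worth keeping: a token that is merely random but not tied to the session can be harvested from one account and submitted with another's cookies. Requests authenticated purely by an OAuth signature from a non-browser client are a separate case and need their own reasoning about whether ambient browser credentials are ever involved.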
(Reporter)

Updated

7 years ago
Blocks: 704208
(Reporter)

Comment 1

7 years ago
We are using a fork from Bitbucket that supports OAuth2:

https://github.com/andymckay/django-piston-oauth2

Forked from:

https://bitbucket.org/jespern/django-piston-oauth2
(Assignee)

Updated

7 years ago
Keywords: sec-review-needed
Whiteboard: [pending secreview] → [pending secreview][secr:yvan]
QA Contact: mcoates → jstevensen
Assignee: security-assurance → nobody
Component: Security Assurance: Applications → Security Assurance: Review Needed
QA Contact: jstevensen → security-assurance
Whiteboard: [pending secreview][secr:yvan] → [pending secreview]
Keywords: sec-review-needed
Whiteboard: [pending secreview] → [pending secreview][start mm/dd/yyyy][target mm/dd/yyyy]
Assignee: nobody → yboily
(Reporter)

Comment 2

7 years ago
I'm not going to use piston on the marketplace. If you still want to review this for AMO, go for it, but we've been using it for a long time now.
Risk/Priority Ranking Exercise https://wiki.mozilla.org/Security/RiskRatings

Priority: 1 (P5) - Age

Operational: 0 - N/A
User: 3 - Major
Privacy: 1 - Minor
Engineering: 1 - Minor
Reputational: 3 - Major

Priority Score: 8
Severity: normal → major
Priority: -- → P5
Whiteboard: [pending secreview][start mm/dd/yyyy][target mm/dd/yyyy] → [pending secreview][start mm/dd/yyyy][target mm/dd/yyyy][score:8::Low]
(Assignee)

Comment 4

6 years ago
They are using tastypie instead.
Status: NEW → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → INVALID