Closed Bug 720476 Opened 12 years ago Closed 2 years ago

security review for War on Orange mailer

Categories

(mozilla.org :: Security Assurance: Review Request, task, P4)

Tracking

(Not tracked)

RESOLVED INACTIVE

People

(Reporter: mcote, Assigned: ygjb)

Details

(Whiteboard: [pending secreview][start mm/dd/yyyy][target mm/dd/yyyy][score:13::Low])

A quick intro to what this app does.

The War on Orange, also known as OrangeFactor, is a web application that tracks intermittent orange failures in buildbot tests.  Included with it is a mailer application that generates reports and emails them and/or posts them to USENET groups.  While the web app was reviewed in bug 679072, I don't think the mailer itself was reviewed.  Given that I wish to deploy this on the new brasstacks (brasstacks1.dmz.sjc1.mozilla.com), I figure I should ensure that it has been reviewed.

Where is the source code located?

The mailer is located specifically at hg.mozilla.org/automation/orangefactor/woo_mailer.py.  It also uses the sendemail.py file in the same directory.

Is there a stage server running that we can also test against? If so, please indicate what machine the web server is running on.

It can be tested on any machine, since it is a standalone script and not a daemon (it is normally run through cron).  Since it needs to access a WOO server for its data, you can use http://brasstacks.mozilla.com/orangefactor/ once it is deployed (should be within a day or two).

Where would you like the bugs filed in bugzilla? Please specify the product, component and if anyone specific should be copied on the bugs.

Testing/Orange Factor

Will this application be collecting any personally identifiable information from users (email address, physical address, phone number, etc)?

No.

Please describe if this app will be connecting to any internal or external services or if it is able to interact with the OS.

As mentioned above, it connects to the WOO server, pulling data only (all of the War on Orange app is read only).  It doesn't interact with the OS aside from reading the config file and using sockets to send/post the report.

Does this app support logins or multiple roles? If so, we'll need test accounts created for each available role.

No.

What is the worst case scenario that could happen with this system, data or connected systems? (This is used to help understand the criticality of this server.)

Nothing much could really happen, aside from generating large db queries.

Does this website contain an administration page? If so, have the admin page blockers (listed here) all been addressed?

N/A

This review will be scheduled amongst other requested reviews. What is the urgency or needed completion date of this review?

It would be nice to have this done quickly, since the War on Orange has been down for a couple of weeks.  Given that it is only two files, it should be easy.

-----

This is the config file that would be used in production, which should be called woo_mailer.conf and located in the same directory as woo_mailer.py.  You will probably want to change some options for testing.


[report]
from = Mozilla A-Team <automation@mozilla.com>

[email]
dest = mcote@mozilla.com, ctalbert@mozilla.com, jmaher@mozilla.com, jhammel@mozilla.com, jgriffin@mozilla.com
# since this script normally runs on the MPT network, it can access the mail server without ssl.
server = mail.mozilla.org
port = 25
ssl = off

[woo]
# local_server_url would normally refer to localhost, as this script would normally be run on the same server as the War on Orange web app.
local_server_url = http://brasstacks.mozilla.com/orangefactor/api
# external_server_url is just used to populate the email and is not loaded by the mailer script.
external_server_url = http://brasstacks.mozilla.com/orangefactor

[nntp]
# can use mozilla.test for testing
newsgroups = mozilla.dev.tree-management
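The config above is what a reviewer would want to load and sanity-check before testing against it. The following is an added example, not the project's own woo_mailer.py loader: it parses a woo_mailer.conf with the section/key layout quoted in the bug and returns review findings for the two transport choices the config comments themselves call out (plaintext SMTP because the script is expected to run on the MPT network, and an API URL that would normally point at localhost). The sample config is constructed here with a shortened dest list, and the LOCAL_HOSTS policy and port allow-list are the editor's assumptions, not anything the project enforces.

```python
"""Added example: load and review a woo_mailer.conf.

Not the project's loader. It assumes the [report]/[email]/[woo]/[nntp]
layout quoted in the bug; the review checks are hypothetical policy.
"""
import configparser
from urllib.parse import urlparse

# Constructed sample mirroring the production config in the bug comment
# (dest list shortened).
SAMPLE_CONF = """\
[report]
from = Mozilla A-Team <automation@mozilla.com>

[email]
dest = mcote@mozilla.com, ctalbert@mozilla.com
server = mail.mozilla.org
port = 25
ssl = off

[woo]
local_server_url = http://brasstacks.mozilla.com/orangefactor/api
external_server_url = http://brasstacks.mozilla.com/orangefactor

[nntp]
newsgroups = mozilla.dev.tree-management
"""

# Assumption: these are the only hosts that count as "local" for the API URL.
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}


def split_list(value):
    """Split a comma-separated config value into stripped, non-empty items."""
    return [item.strip() for item in value.split(",") if item.strip()]


def load_config(text):
    """Parse the INI text into a dict with typed values.

    getboolean() understands on/off, so 'ssl = off' becomes False; getint()
    raises ValueError on a non-numeric port instead of passing it through.
    """
    cp = configparser.ConfigParser()
    cp.read_string(text)
    return {
        "from": cp.get("report", "from"),
        "dest": split_list(cp.get("email", "dest")),
        "server": cp.get("email", "server"),
        "port": cp.getint("email", "port"),
        "ssl": cp.getboolean("email", "ssl"),
        "local_server_url": cp.get("woo", "local_server_url"),
        "external_server_url": cp.get("woo", "external_server_url"),
        "newsgroups": split_list(cp.get("nntp", "newsgroups")),
    }


def review_config(cfg):
    """Return a list of findings a reviewer would want to see (hypothetical checks)."""
    findings = []
    api_host = urlparse(cfg["local_server_url"]).hostname
    # The config comment says local_server_url "would normally refer to localhost".
    if api_host not in LOCAL_HOSTS:
        findings.append("local_server_url is not local: %s" % api_host)
    # The config comment justifies ssl=off by the MPT network; flag it regardless
    # so the reviewer decides whether the deployment network still justifies it.
    if not cfg["ssl"]:
        findings.append("smtp to %s:%d without ssl" % (cfg["server"], cfg["port"]))
    if cfg["port"] not in (25, 465, 587):
        findings.append("unusual smtp port %d" % cfg["port"])
    return findings


if __name__ == "__main__":
    loaded = load_config(SAMPLE_CONF)
    for finding in review_config(loaded):
        print("finding:", finding)
```

Run as-is it reports two findings for the production values (non-local API host and plaintext SMTP); pointing local_server_url at localhost leaves only the SMTP finding, which is the decision the reviewer actually has to make for the brasstacks deployment.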
Whiteboard: [pending secreview] → [secr:yvan]
QA Contact: mcoates → jstevensen
Component: Security Assurance: Applications → Security Assurance: Review Needed
Assignee: security-assurance → yboily
Status: NEW → ASSIGNED
Whiteboard: [pending secreview][start mm/dd/yyyy][target mm/dd/yyyy]
Risk/Priority Ranking Exercise https://wiki.mozilla.org/Security/RiskRatings

Priority: 2 (P4) - Team Quarterly Goal

Operational: 3 - Major
User: 0 - N/A
Privacy: 0 - N/A
Engineering: 1 - Minor
Reputational: 1 - Minor

Priority Score: 13
Severity: normal → major
Priority: -- → P4
Whiteboard: [pending secreview][start mm/dd/yyyy][target mm/dd/yyyy] → [pending secreview][start mm/dd/yyyy][target mm/dd/yyyy][score:13::Low]
stale bug ping
Flags: needinfo?(yboily)
Status: ASSIGNED → RESOLVED
Closed: 2 years ago
Flags: needinfo?(yvanboily+mozbugmail)
Resolution: --- → INACTIVE