
Security review for SpeedTests

Security Assurance: Review Request
6 years ago
5 years ago

(Reporter: mcote, Assigned: freddyb)

(Whiteboard: [completed secreview][score:4::Low])

6 years ago
A quick intro to what this app does.

SpeedTests (slightly misnamed) is a framework for cross-browser comparisons.  It consists of one or more clients that run tests in a variety of browsers, with a web UI for viewing the results.

Info on the wiki is at https://wiki.mozilla.org/Auto-tools/Projects/SpeedTests

The only public-facing part of this is the results server, that is, the part that accepts results from clients and serves them to users, via a fairly simple web UI.  The tests themselves are served internally, since we may not be able to redistribute them (most of them are modified versions of the Internet Explorer Speed Demos).

Where is the source code located?

hg.mozilla.org/automation/speedtests/  There is a README in there about setting up the framework.

Is there a stage server running that we can also test against? If so, please indicate what machine the web server is running on.

There is not, at the moment, since the original brasstacks went down.  We have a client machine in the MV office along with a test server; however the results are not going anywhere at the moment.

Where would you like the bugs filed in bugzilla? Please specify the product, component and if anyone specific should be copied on the bugs.

Testing / General, CC mcote@mozilla.com

Will this application be collecting any personally identifiable information from users (email address, physical address, phone number, etc)?


Please describe if this app will be connecting to any internal or external services or if it is able to interact with the OS.

It reads from and writes to a MySQL database.

Does this app support logins or multiple roles? If so, we'll need test accounts created for each available role.


What is the worst case scenario that could happen with this system, data or connected systems? (This is used to help understand the criticality of this server.)

Nothing in particular; the app mostly just reads from and writes to a MySQL db.

Does this website contain an administration page? If so, have the admin page blockers (listed here) all been addressed?

No admin page.

This review will be scheduled amongst other requested reviews. What is the urgency or needed completion date of this review?

I would love to get this done soon, since it has been down for a month, since brasstacks went down.  I would like to redeploy it on the new brasstacks as soon as I can.
Keywords: sec-review-needed
Whiteboard: [pending secreview] → [secr:yvan]
QA Contact: mcoates → jstevensen
Component: Security Assurance: Applications → Security Assurance: Review Needed
Assignee: security-assurance → yboily
Keywords: sec-review-needed
Whiteboard: [secr:yvan] → [pending secreview]
Risk/Priority Ranking Exercise https://wiki.mozilla.org/Security/RiskRatings

Priority: 1 (P5) - Age

Operational: 1 - Minor
User: 0 - N/A
Privacy: 0 - N/A
Engineering: 1 - Minor
Reputational: 1 - Minor

Priority Score: 4
Severity: normal → minor
Priority: -- → P5
Whiteboard: [pending secreview] → [pending secreview][score:4::Low]

Comment 2

5 years ago
Am I correctly assuming that this is a review for the code in server/ only and that *all* clients will only *ever* come from mozilla offices?
Assignee: yboily → fbraun


5 years ago
Depends on: 850757

Comment 3

5 years ago
Correct.  This service has never attracted a lot of attention, so at the moment we have only one client, located in Mountain View.

Comment 4

5 years ago
The SQL queries are all safe. Nice work on that.
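The finding above (the results server only reads from and writes to MySQL, and the reviewer judged its queries safe) comes down to one property: query text is never assembled from untrusted input. The block below is an added illustration, not code from the SpeedTests repository or from the reviewer; it uses Python's sqlite3 module as an offline stand-in for the MySQL backend, a constructed `results` table, and a hypothetical `flag_interpolated_queries` reviewer helper that is mine, not a Mozilla tool.

```python
import re
import sqlite3

# Constructed sample rows standing in for a SpeedTests results table.
SAMPLE_ROWS = [
    ("Firefox", "test-a", 120.5),
    ("Chrome", "test-a", 98.0),
    ("IE", "test-a", 210.2),
]

# Constructed source snippet for the reviewer helper below: line 1 interpolates
# the value into the SQL text, line 2 binds it through a driver placeholder.
SAMPLE_SOURCE = (
    "cur.execute(\"SELECT test FROM results WHERE browser = '%s'\" % browser)\n"
    "cur.execute(\"SELECT test FROM results WHERE browser = %s\", (browser,))\n"
)


def make_db():
    # In-memory sqlite3 database; the MySQL backend in the bug would be reached
    # the same way through a DB-API cursor.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE results (browser TEXT, test TEXT, duration REAL)")
    conn.executemany("INSERT INTO results VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def results_unsafe(conn, browser):
    # The pattern a review is looking for: the caller's value becomes part of the
    # SQL syntax, so a quote in it changes what the query means.
    sql = "SELECT browser, test, duration FROM results WHERE browser = '%s'" % browser
    return conn.execute(sql).fetchall()


def results_safe(conn, browser):
    # Placeholder binding: the value travels separately from the query text and
    # can only ever be compared as a string. (sqlite3 uses '?', MySQLdb uses '%s',
    # but in both cases the value goes in the second argument of execute().)
    sql = "SELECT browser, test, duration FROM results WHERE browser = ?"
    return conn.execute(sql, (browser,)).fetchall()


# Matches a quoted SQL literal followed by '%' (old-style interpolation),
# a .format( call, or an f-string prefix on a single-line execute() call.
_INTERPOLATION = re.compile(r"""["']\s*%[^%]|\.format\(|\bf["']""")


def flag_interpolated_queries(source):
    """Return the 1-based line numbers of execute() calls whose SQL text is
    built with Python string formatting. A crude, single-line reviewer aid:
    a query assembled on one line and executed on the next is not caught."""
    flagged = []
    for lineno, line in enumerate(source.splitlines(), 1):
        if "execute(" in line and _INTERPOLATION.search(line):
            flagged.append(lineno)
    return flagged


if __name__ == "__main__":
    conn = make_db()
    probe = "Firefox' OR '1'='1"   # constructed input containing a quote
    print("unsafe:", results_unsafe(conn, probe))   # every row comes back
    print("safe:  ", results_safe(conn, probe))     # no browser has that name
    print("flagged lines:", flag_interpolated_queries(SAMPLE_SOURCE))
```

The contrast is the whole check: with the same quote-bearing input, the interpolated query returns every row while the bound query returns none, and the helper points a reviewer at the execute() calls worth reading first.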


5 years ago
Depends on: 850779

Comment 5

5 years ago
All done. See depending bugs for more information.
Last Resolved: 5 years ago
Resolution: --- → FIXED
Whiteboard: [pending secreview][score:4::Low] → [completed secreview][score:4::Low]


5 years ago
Blocks: 858437