A quick intro to what this app does. SpeedTests (slightly misnamed) is a framework for cross-browser comparisons. It consists of one or more clients that run tests in a variety of browsers, with a web UI for viewing the results. Info on the wiki is at https://wiki.mozilla.org/Auto-tools/Projects/SpeedTests The only public-facing part of this is the results server, that is, the part that accepts results from clients and serves them to users, via a fairly simple web UI. The tests themselves are served internally, since we may not be able to redistribute them (most of them are modified versions of the Internet Explorer Speed Demos) Where is the source code located? hg.mozilla.org/automation/speedtests/ There is a README in there about setting up the framework. Is there a stage server running that we can also test against? If so, please indicate what machine the web server is running on. There is not, at the moment, since the original brasstacks went down. We have a client machine in the MV office along with a test server; however the results are not going anywhere at the moment. Where would you like the bugs filed in bugzilla? Please specify the product, component and if anyone specific should be copied on the bugs. Testing / General, CC firstname.lastname@example.org Will this application be collecting any personally identifiable information from users (email address, physical address, phone number, etc)? No. Please describe if this app will be connecting to any internal or external services or if it is able to interact with the OS. It reads from and writes to a MySQL database. Does this app support logins or multiple roles? If so, we'll need test accounts created for each available role. No. What is the worst case scenario that could happen with this system, data or connected systems? (This is used to help understand the criticality of this server.) Nothing in particular; the app mostly just reads from and writes to a MySQL db. Does this website contain an administration page? If so, have the admin page blockers (listed here) all been addressed? No admin page. This review will be scheduled amongst other requested reviews. What is the urgency or needed completion date of this review? I would love to get this done soon, since it has been down for a month, since brasstacks went down. I would like to redeploy it on the new brasstacks as soon as I can.
Risk/Priority Ranking Exercise https://wiki.mozilla.org/Security/RiskRatings Priority: 1 (P5) - Age Operational: 1 - Minor User: 0 - N/A Privacy: 0 - N/A Engineering: 1 - Minor Reputational: 1 - Minor Priority Score: 4
Am I correctly assuming that this is a review for the code in server/ only and that *all* clients will only *ever* come from mozilla offices?
Correct. This service has never attracted a lot of attention, so at the moment we have only one client, located in Mountain View.
The SQL queries are all safe. Nice work on that.
All done. See depending bugs for more information.