SecReview: want to upload and use JavaScript in WordPress, to display GitHub metrics for our projects, on quality.mozilla.org (QMO)

Status: RESOLVED FIXED
Product: mozilla.org
Component: Security Assurance: Review Request
Priority: P2
Severity: normal
Reported: 6 years ago
Modified: 5 years ago

People: Reporter: stephend, Assigned: adamm

Whiteboard: [secreview completed][start 2012-12-10][target 2012-12-10[score:35:Medium]

Who is/are the point of contact(s) for this review?

* Myself (Stephen Donner), Bob Silverberg (bsilverberg on #mozwebqa), and Zac Campbell (zac on #mozwebqa)

Please provide a short description of the feature / application (e.g. problem solved, use cases, etc.):

* We'd like the ability to use JavaScript in our WordPress instance of QMO (quality.mozilla.org) to display GitHub stats for our automation projects, dynamically

Please provide links to additional information (e.g. feature page, wiki) if available and not yet included in feature description:

* It would potentially use: http://codex.wordpress.org/Using_Javascript, and look like http://bobsilverberg.github.com/jquery-github-widget/example/

Does this request block another bug? If so, please indicate the bug number

* No

This review will be scheduled amongst other requested reviews. What is the urgency or needed completion date of this review?

* We'd love to get this soon, but understand that real security reviews are higher priority

To help prioritize this work request, does this project support a goal specifically listed on this quarter's goal list? If so, which goal?

* There's no quarterly goal yet tied to this

Please answer the following few questions: (Note: If you are asked to describe anything, 1-2 sentences shall suffice.)

Does this feature or code change affect Firefox, Thunderbird or any product or service the Mozilla ships to end users?

* No

Are there any portions of the project that interact with 3rd party services?

* Yes, pulls in via JSON, like so:

[11:36:09.337] GET https://api.github.com/repos/mozilla/qmo-tests?callback=jQuery172011219896164879795_1348598169260&_=1348598169283 [HTTP/1.1 200 OK 853ms]

Will your application/service collect user data? If so, please describe

* No, I don't believe so, at least not on our end

If you feel something is missing here or you would like to provide other kind of feedback, feel free to do so here (no limits on size):
Desired Date of review (if known from https://mail.mozilla.com/home/ckoenig@mozilla.com/Security%20Review.html) and whom to invite.
Whiteboard: [pending secreview] → [pending secreview][triage needed]
Assignee: nobody → amuntner
Whiteboard: [pending secreview][triage needed] → [pending secreview][start yyyy-mm-dd][target yyyy-mm-dd]
Comment 1 (Assignee, 6 years ago)
Is there documentation for the JSON request/response? One thing we're interested in making sure of is security around what gets returned and rendered in the user's browser; the API call docs would help a lot.

Also, I did some searching and I'm still not certain what api.github.com is, who hosts it, and who controls it to what extent. Could someone explain?

Thank you!
Comment 2 (Assignee, 6 years ago)
Once I understand those things better I'll be able to complete the triage.

Comment 3

Thanks for the review, Adam.

The main page for the GitHub API can be found at http://developer.github.com/v3/. The documentation for the JSON request/responses used in the code can be found at http://developer.github.com/v3/orgs/#get-an-organization and http://developer.github.com/v3/repos/#get.

Regarding api.github.com, it is hosted by GitHub and is described at http://developer.github.com/v3/ as:

"All API access is over HTTPS, and accessed from the api.github.com domain (or through yourdomain.com/api/v3/ for enterprise). All data is sent and received as JSON."

Please let me know if you have any other questions.
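The API documentation linked above describes the repository JSON; the request captured in the bug description, on the other hand, carries jQuery's JSONP `callback=` parameter, which makes the browser execute GitHub's reply as script rather than read it as data. The following is an added example (mine, not code from the bug, from QMO, or from the jquery-github-widget project) of the defensive shape the reviewer's question points at: fetch the same endpoint as plain JSON, then whitelist, type-check and HTML-escape every field before it is rendered. Assumptions: api.github.com answers cross-origin requests with CORS headers; the element id `gh-widget`, all function names, and the sample response object are constructed for this example.

```javascript
// Added example (not from the bug or the jquery-github-widget project): consuming
// the GitHub "get a repository" JSON in a page widget without trusting its contents.
// The request captured in the bug carries a JSONP "callback=" parameter, so the
// browser executes GitHub's reply as script; here the reply is fetched as plain
// JSON data instead (assumes api.github.com allows cross-origin requests via CORS),
// then every field is type-checked and HTML-escaped before it reaches the DOM.

// Fields the widget is allowed to show, with the JSON type each must have.
const ALLOWED_FIELDS = {
  name: 'string',
  html_url: 'string',
  description: 'string',
  stargazers_count: 'number',
  forks_count: 'number',
  open_issues_count: 'number',
};

// Escape the five characters that can change meaning inside HTML text or attributes.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Only link to https://github.com/... pages; anything else is dropped rather than rendered.
function isGitHubHttpsUrl(value) {
  try {
    const u = new URL(value);
    return u.protocol === 'https:' && u.hostname === 'github.com';
  } catch {
    return false;
  }
}

// Reduce the raw API object to the allowed fields with the expected types.
// GitHub returns "description": null for repositories without one, so null
// is normalised to '' instead of being rendered as the text "null".
function sanitizeRepo(raw) {
  const repo = {};
  for (const [field, type] of Object.entries(ALLOWED_FIELDS)) {
    const v = raw == null ? undefined : raw[field];
    if (type === 'number') {
      repo[field] = Number.isInteger(v) && v >= 0 ? v : 0;
    } else {
      repo[field] = typeof v === 'string' ? v : '';
    }
  }
  if (!isGitHubHttpsUrl(repo.html_url)) repo.html_url = '';
  return repo;
}

// Build the widget markup. Every string goes through escapeHtml; numbers have
// already been validated as non-negative integers, so they are safe to interpolate.
function renderRepoHtml(raw) {
  const r = sanitizeRepo(raw);
  const title = r.html_url
    ? `<a href="${escapeHtml(r.html_url)}" rel="noopener">${escapeHtml(r.name)}</a>`
    : escapeHtml(r.name);
  return (
    `<div class="gh-repo"><h3>${title}</h3>` +
    `<p>${escapeHtml(r.description)}</p>` +
    `<ul><li>Stars: ${r.stargazers_count}</li>` +
    `<li>Forks: ${r.forks_count}</li>` +
    `<li>Open issues: ${r.open_issues_count}</li></ul></div>`
  );
}

// Fetch one repository as JSON (no callback= parameter) and return the sanitized object.
// fetchImpl is injectable so the function can be exercised without network access.
async function loadRepo(owner, repoName, fetchImpl = globalThis.fetch) {
  const url = `https://api.github.com/repos/${encodeURIComponent(owner)}/${encodeURIComponent(repoName)}`;
  const res = await fetchImpl(url, { headers: { Accept: 'application/vnd.github.v3+json' } });
  if (!res.ok) throw new Error(`GitHub API returned HTTP ${res.status}`);
  return sanitizeRepo(await res.json());
}

// Constructed sample response, shaped like the "get a repository" payload; the
// description deliberately contains markup characters to show the escaping.
const SAMPLE_REPO = {
  name: 'qmo-tests',
  html_url: 'https://github.com/mozilla/qmo-tests',
  description: '<b>not bold</b> & "quoted"',
  stargazers_count: 12,
  forks_count: 3,
  open_issues_count: 1,
  private: false, // not in ALLOWED_FIELDS, so it is dropped
};

if (typeof document !== 'undefined') {
  // In a page: write the escaped markup into the widget container (hypothetical id).
  const el = document.getElementById('gh-widget');
  if (el) el.innerHTML = renderRepoHtml(SAMPLE_REPO);
} else {
  console.log(renderRepoHtml(SAMPLE_REPO));
}
```

The design point is that the API response is treated as untrusted input even though it comes over HTTPS from GitHub: the whitelist keeps unexpected fields out of the page, the type checks turn a malformed count into `0` rather than into interpolated text, and the link is rendered only when it points at `https://github.com`. In a real deployment `loadRepo('mozilla', 'qmo-tests')` would replace `SAMPLE_REPO`.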
Comment 4 (Assignee, 6 years ago)
Risk/Priority Ranking Exercise https://wiki.mozilla.org/Security/RiskRatings

Priority: 4 (P2) - Mozilla Initiative

Operational: 2 - Normal
User: 3 - Major
Privacy: 4 - Critical
Engineering: 1 - Minor
Reputational: 1 - Minor

Priority Score: 35
Updated (Assignee, 6 years ago)
Whiteboard: [pending secreview][start yyyy-mm-dd][target yyyy-mm-dd] → [pending secreview][start yyyy-mm-dd][target yyyy-mm-dd][score:35:Medium]
Updated (Assignee, 6 years ago)
Priority: -- → P2
Updated (Assignee, 6 years ago)
Whiteboard: [pending secreview][start yyyy-mm-dd][target yyyy-mm-dd][score:35:Medium] → [pending secreview][start 2012-12-10][target 2012-12-10[score:35:Medium]
Comment 5 (Assignee, 6 years ago)
It looks safe to me. Can you loop us back in to take another look once you have it up on the site?
Status: NEW → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → FIXED
Updated (Assignee, 6 years ago)
Whiteboard: [pending secreview][start 2012-12-10][target 2012-12-10[score:35:Medium] → [secreview completed][start 2012-12-10][target 2012-12-10[score:35:Medium]
(In reply to Adam Muntner :adamm from comment #5)
> It looks safe to me. Can you loop us back in to take another look once you
> have it up on the site?

Bob, can you look into this, with an authenticated call?
Flags: needinfo?(bob.silverberg)
Sorry for the late reply, Stephen. I have looked into this and there is apparently a way to do this via JavaScript, but I haven't had a chance to try it out yet. I will try to get to it this week.
Flags: needinfo?(bob.silverberg)