Closed Bug 813182 Opened 12 years ago Closed 12 years ago

SecReview: Perform Security Review for gameon.mozilla.org (planned URL)

Categories

(mozilla.org :: Security Assurance: Review Request, task)

task
Not set
normal

Tracking

(Not tracked)

VERIFIED FIXED

People

(Reporter: boozeniges, Assigned: avarma)

References

Details

(Whiteboard: [champion reviewer=avarma@mozilla.com])

Who is/are the point of contact(s) for this review?
Ross Bruniges - ross@mozillafoundation.org (based in UK)
David Ascher - dascher@mozilla.com (for when Ross isn't around)

Please provide a short description of the feature / application (e.g. problem solved, use cases, etc.):
An app similar to mozillaignite.org (in both code and idea) where users can submit their HTML5 games (just a URL to external sites like github, vimeo) for the chance to be featured in the Mozilla Marketplace and other prizes. The challenge is to support the work that Mozilla Foundation will be doing in 2013 around hackable games.

Please provide links to additional information (e.g. feature page, wiki) if available and not yet included in feature description:
mozilla.org/gameon/

Does this request block another bug? If so, please indicate the bug number
https://bugzilla.mozilla.org/show_bug.cgi?id=803541

This review will be scheduled amongst other requested reviews. What is the urgency or needed completion date of this review?
Planned launch is December 3rd

To help prioritize this work request, does this project support a goal specifically listed on this quarter's goal list? If so, which goal?
N/A

Please answer the following few questions: (Note: If you are asked to describe anything, 1-2 sentences shall suffice.)

Does this feature or code change affect Firefox, Thunderbird or any product or service Mozilla ships to end users?
No

Are there any portions of the project that interact with 3rd party services?
gravatar, persona for login (not sure if that counts as third party or not)

Will your application/service collect user data? If so, please describe
email and profile data supported by personaID
data surrounding their application - title, github repo, description, external URLs, additional team members (name/email/bio)

Desired Date of review (if known from https://mail.mozilla.com/home/ckoenig@mozilla.com/Security%20Review.html) and whom to invite.
Soon - would be nice to have Mark Goodwin
Forgot to mention - the code is available here (https://github.com/mozilla/gameon). Due to the time constraints we're using as much core Playdoh stuff as possible and attempting to base things on the Mozilla Ignite codebase (https://github.com/mozilla/mozilla-ignite) which has already passed a sec-review.
Adding Atul - who Mark says can be our go-to security guy on this project.
(In reply to Ross Bruniges from comment #2)
> Adding Atul - who Mark says can be our go-to security guy on this project.

Mainly because this is an excellent Security Champions bug...
This looks good to me, although I'm not super familiar with Django's forms-handling library. I've left some comments in the commits for the project on github, and the only one that I have minor concerns for is this: https://github.com/mozilla/gameon/commit/cf8d97f468d5b87ee53b0d584a43a29b82102b9b#commitcomment-2176482
Whiteboard: [pending secreview] → [pending secreview][triage needed]
Assignee: nobody → avarma
We now have things up on a mozilla labs VM - https://gameon-dev.mozillalabs.com dev is still on-going but at least you can all see what's happening now!
:psiinon can you take a look at the concerns atul mentions above? we just want a final sanity check before resolving this one.
Flags: needinfo?(sbennetts)
Thanks for all the effort on this guys :)
:atul I'm not familiar with the code either, but I agree it looks very dodgy. Can we get confirmation from the dev that this is really safe? Some comments wouldn't go amiss either, so we can tell what this function is actually supposed to be doing ;)
Flags: needinfo?(sbennetts)
I've seen that code in nearly every mozilla product I've worked on but yeah, I'll add in a bit of background info.
Ok, I've finished reviewing the code for this site and I think everything looks good (to the best of my knowledge). The full dialogue of our discussion about the security issues is available at https://github.com/mozilla/gameon/issues/24. Let me know if you need anything else!
This review is complete. The only outstanding concern is the need to perform a review on gravatar as a service, which we will do separately and come back to the team if it is a concern.
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Whiteboard: [pending secreview][triage needed] → [champion reviewer=avarma@mozilla.com]
Blocks: 814463
Status: RESOLVED → VERIFIED
Blocks: 814466