Closed Bug 957082 Opened 10 years ago Closed 10 years ago

SecReview: bugzfeed

Categories

(mozilla.org :: Security Assurance: Review Request, task)

x86_64
Linux
task
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: mgoodwin, Assigned: ygjb)

References

Details

Bugzfeed is the WebSockets application that serves data from the Bugzilla Change Notification System.
Mark, please help us out by answering the following questions:

1)    Who is/are the point of contact(s) for this review?
2)    Please provide a short description of the feature / application (e.g. problem solved, use cases, etc.):
3)    Please provide links to additional information (e.g. feature page, wiki) if available and not yet included in feature description:
4)    Does this request block another bug? If so, please indicate the bug number
5)    This review will be scheduled amongst other requested reviews. What is the urgency or needed completion date of this review?
6)    To help prioritize this work request, does this project support a goal specifically listed on this quarter's goal list? If so, which goal?
7)    Please answer the following few questions: (Note: If you are asked to describe anything, 1-2 sentences shall suffice.)
  a)      Does this feature or code change affect Firefox, Thunderbird or any product or service that Mozilla ships to end users?
  b)      Are there any portions of the project that interact with 3rd party services?
  c)      Will your application/service collect user data? If so, please describe
8)    If you feel something is missing here or you would like to provide other kind of feedback, feel free to do so here (no limits on size):
9)    Desired Date of review (if known from https://mail.mozilla.com/home/ckoenig@mozilla.com/Security%20Review.html) and whom to invite.
Flags: needinfo?(mcote)
(In reply to Mark Goodwin [:mgoodwin] from comment #1)
> Mark, please help us out by answering the following questions:

Thanks for filing this--I neglected to because I was hoping this would be run on stackato, but that turned out to be problematic, and then I forgot about sec review...

> 1)    Who is/are the point of contact(s) for this review?

Me! :) Note that I am out from Jan 13-24 inclusive, however.

> 2)    Please provide a short description of the feature / application (e.g.
> problem solved, use cases, etc.):

This is a WebSocket server that allows clients to subscribe to one or more bugs and get updates when they change.  The data is produced by a Bugzilla extension, pushed to pulse (a RabbitMQ server), and then picked up by bugzfeed.  Since any user can subscribe to *any* bug, regardless of visibility settings of that bug, *only* bug ID and time of change are included in the messages, for security reasons.  It is expected that a client application would then do a normal, authenticated request through the Bugzilla API to obtain the specifics of the change.

> 3)    Please provide links to additional information (e.g. feature page,
> wiki) if available and not yet included in feature description:

https://wiki.mozilla.org/BMO/ChangeNotificationSystem

> 4)    Does this request block another bug? If so, please indicate the bug
> number

Already set on this bug.

> 5)    This review will be scheduled amongst other requested reviews. What is
> the urgency or needed completion date of this review?

No specific date, but we would like to get this deployed this quarter, and the system as a whole has been sec reviewed, so the sooner this is done the sooner we can get users!

> 6)    To help prioritize this work request, does this project support a goal
> specifically listed on this quarter's goal list? If so, which goal?

It follows the 2013Q4 Automation & Tools goal of implementing a prototype of this system.

> 7)    Please answer the following few questions: (Note: If you are asked to
> describe anything, 1-2 sentences shall suffice.)
>   a)      Does this feature or code change affect Firefox, Thunderbird or
> any product or service that Mozilla ships to end users?

No.

>   b)      Are there any portions of the project that interact with 3rd party
> services?

Nothing outside of Mozilla; as mentioned, this hooks into pulse.mozilla.org and indirectly to bugzilla.mozilla.org.

>   c)      Will your application/service collect user data? If so, please
> describe

No.  The only information that it will have is which clients are subscribed to which bugs, but even this is not persistent.

> 8)    If you feel something is missing here or you would like to provide
> other kind of feedback, feel free to do so here (no limits on size):

Just to reiterate, the idea behind the change notification system has already been approved by security (bug 915406), so I would expect this review to focus on the bugzfeed code and not the security implications of broadcasting bug-change data.

> 9)    Desired Date of review (if known from
> https://mail.mozilla.com/home/ckoenig@mozilla.com/Security%20Review.html)
> and whom to invite.

If this will be done in a public meeting (as opposed to asynchronously within this bug), then please schedule for sometime on or after January 27 so that I can attend.
Flags: needinfo?(mcote)
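As an added illustration of the design described in the reply above (example code, not bugzfeed's own): an allowlist reduces every change event to bug id and time of change before it is fanned out over the subscriptions, and the subscription table lives only in memory. The field names `id` and `when`, the client ids and the sample event are assumptions; the bug does not give the real message shape.

```python
from typing import Dict, Set

# Allowlist of fields a broadcast may carry (names assumed for this example).
# Everything else the Bugzilla extension might emit (summary, comment text,
# product, ...) is dropped, because any client may subscribe to any bug id,
# whether or not that bug is visible to it.
ALLOWED_FIELDS = ("id", "when")

def sanitize_event(raw_event: dict) -> dict:
    """Reduce a raw change event to the minimal notification: bug id + time."""
    out = {}
    for key in ALLOWED_FIELDS:
        if key not in raw_event:
            raise ValueError(f"change event missing required field {key!r}")
        out[key] = raw_event[key]
    return out

class Feed:
    """In-memory subscription table: bug id -> set of client ids.
    Nothing is written to disk, matching the 'not persistent' property."""

    def __init__(self) -> None:
        self._subs: Dict[int, Set[str]] = {}

    def subscribe(self, client_id: str, bug_id: int) -> None:
        self._subs.setdefault(bug_id, set()).add(client_id)

    def disconnect(self, client_id: str) -> None:
        # Drop every subscription held by a client whose socket went away.
        for bug_id in list(self._subs):
            self._subs[bug_id].discard(client_id)
            if not self._subs[bug_id]:
                del self._subs[bug_id]

    def fan_out(self, raw_event: dict) -> Dict[str, dict]:
        """Return {client_id: message} for subscribers of the changed bug.
        Everyone gets the same sanitized message, so a subscriber to a
        restricted bug learns only that it changed, and when."""
        message = sanitize_event(raw_event)
        return {c: message for c in self._subs.get(message["id"], ())}

# Constructed sample event, modelled on what an extension might push to pulse.
SAMPLE_EVENT = {
    "id": 957082,
    "when": "2014-01-07T12:00:00Z",
    "summary": "SecReview: bugzfeed",       # must never reach clients
    "comment": "internal discussion text",  # must never reach clients
}
```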
Whiteboard: [triage needed]
Assignee: nobody → yboily
Whiteboard: [triage needed]
Ping?  I'm back from PTO. :)
This was supposed to have been commented on earlier.  Since the app is not storing data about the bugs, and we determined in a security triage meeting that we are not concerned with update notifications on private bugs (the update contains the bug id and time of change), there is virtually no risk here.
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED