+++ This bug was initially created as a clone of Bug #957082 +++ Bugzfeed is the WebSockets application that serves data from the Bugzilla Change Notification System. ---------------- //////////////// ---------------- (In reply to Mark Goodwin [:mgoodwin] from comment #1) > Mark, please help us out by answering the following questions: Thanks for filing this--I neglected to because I was hoping this would be run on stackato, but that turned out to be problematic, and then I forgot about sec review... > 1) Who is/are the point of contact(s) for this review? Me! :) Note that I am out from Jan 13-24 inclusive, however. > 2) Please provide a short description of the feature / application (e.g. > problem solved, use cases, etc.): This is a WebSocket server that allows clients to subscribe to one or more bugs and get updates when they change. The data is produced by a Bugzilla extension, pushed to pulse (a RabbitMQ server), and then picked up by bugzfeed. Since any user can subscribe to *any* bug, regardless of visibility settings of that bug, *only* bug ID and time of change are included in the messages, for security reasons. It is expected that a client application would then do a normal, authenticated request through the Bugzilla API to obtain the specifics of the change. > 3) Please provide links to additional information (e.g. feature page, > wiki) if available and not yet included in feature description: https://wiki.mozilla.org/BMO/ChangeNotificationSystem > 4) Does this request block another bug? If so, please indicate the bug > number Already set on this bug. > 5) This review will be scheduled amongst other requested reviews. What is > the urgency or needed completion date of this review? No specific date, but we would like to get this deployed this quarter, and the system as a whole has been sec reviewed, so the sooner this is done the sooner we can get users! > 6) To help prioritize this work request, does this project support a goal > specifically listed on this quarter's goal list? If so, which goal? It follows the 2013Q4 Automation & Tools goal of implementing a prototype of this system. > 7) Please answer the following few questions: (Note: If you are asked to > describe anything, 1-2 sentences shall suffice.) > a) Does this feature or code change affect Firefox, Thunderbird or > any product or service the Mozilla ships to end users? No. > b) Are there any portions of the project that interact with 3rd party > services? Nothing outside of Mozilla; as mentioned, this hooks into pulse.mozilla.org and indirectly to bugzilla.mozilla.org. > c) Will your application/service collect user data? If so, please > describe No. The only information that it will have is which clients are subscribed to which bugs, but even this is not persistent. > 8) If you feel something is missing here or you would like to provide > other kind of feedback, feel free to do so here (no limits on size): Just to reiterate, the idea behind the change notification system has already been approved by security (bug 915406), so I would expect this review to focus on the bugzfeed code and not the security implications of broadcasting bug-change data. > 9) Desired Date of review (if known from > https://email@example.com/Security%20Review.html) > and whom to invite. If this will be done in a public meeting (as opposed to asynchronously within this bug), then please schedule for sometime on or after January 27 so that I can attend.
4 years ago
Reviewed this with :mocte on vidyo today. Bugzfeed consumes data from the already public Pulse infrastructure, and serves it over websocket. The service is non-critical (data or availability). The only area that might interest OpSec is how this is hosted. Since ZLBs don't support websocket at the moment, the Bugzfeed server will need to either receive traffic directly, or use another load balancing technology. Depending on what the project come up with, we may want to look at it.