[Wikidata-bugs] [Maniphest] T356764: Merging lexemes is only partially rate limited and protected by AbuseFilter

2024-04-09 Thread sbassett
sbassett closed this task as "Resolved".
sbassett claimed this task.

TASK DETAIL
  https://phabricator.wikimedia.org/T356764

EMAIL PREFERENCES
  https://phabricator.wikimedia.org/settings/panel/emailpreferences/

To: sbassett
Cc: ArthurTaylor, sbassett, gerritbot, Michael, Aklapper, 
Lucas_Werkmeister_WMDE, Danny_Benjafield_WMDE, S8321414, Astuthiodit_1, 
karapayneWMDE, Invadibot, Dylsss, maantietaja, ItamarWMDE, Akuckartz, 
DannyS712, Nandana, Lahi, Gq86, GoranSMilovanovic, Mahir256, QZanden, 
KimKelting, LawExplorer, JJMC89, _jensen, rosalieper, Scott_WUaS, 
Wikidata-bugs, aude, Bawolff, Mbch331, Legoktm
___
Wikidata-bugs mailing list -- wikidata-bugs@lists.wikimedia.org
To unsubscribe send an email to wikidata-bugs-le...@lists.wikimedia.org


[Wikidata-bugs] [Maniphest] T356764: Merging lexemes is only partially rate limited and protected by AbuseFilter

2024-04-09 Thread sbassett
sbassett reassigned this task from sbassett to Lucas_Werkmeister_WMDE.

TASK DETAIL
  https://phabricator.wikimedia.org/T356764


[Wikidata-bugs] [Maniphest] T356764: Merging lexemes is only partially rate limited and protected by AbuseFilter

2024-04-09 Thread sbassett
sbassett added a comment.


  In T356764#9701739 <https://phabricator.wikimedia.org/T356764#9701739>, 
@Lucas_Werkmeister_WMDE wrote:
  
  > I think we can make this task public now? As far as I understand, the 
release happened and T353904 only remains open because the CVEs haven’t been 
assigned yet.
  
  Done.  Unfortunately, Mitre has a sizable backlog of CVEs FWIU that is 
affecting everyone :/
  
  > Also, suggested adjusted row for the table in that task (I’m not allowed to 
edit it myself):
  >
  >   | T357101 | 
[WikibaseLexeme](https://www.mediawiki.org/wiki/Extension:WikibaseLexeme) | 
[CVE-2024-x](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-x) 
| [Yes](https://gerrit.wikimedia.org/r/1003480) | 
[Yes](https://gerrit.wikimedia.org/r/1003477) | 
[Yes](https://gerrit.wikimedia.org/r/1002959) | 
[Yes](https://gerrit.wikimedia.org/r/1002999)
  
  Thanks, done.

TASK DETAIL
  https://phabricator.wikimedia.org/T356764


[Wikidata-bugs] [Maniphest] T356764: Merging lexemes is only partially rate limited and protected by AbuseFilter

2024-04-09 Thread sbassett
sbassett removed a project: Patch-For-Review.
sbassett changed the visibility from "Custom Policy" to "Public (No Login 
Required)".
sbassett changed the edit policy from "Custom Policy" to "All Users".

TASK DETAIL
  https://phabricator.wikimedia.org/T356764


[Wikidata-bugs] [Maniphest] T362089: connecting-senses tool OAuth credentials were world-readable

2024-04-08 Thread sbassett
sbassett triaged this task as "Low" priority.
sbassett added a project: Tools.
sbassett changed the visibility from "Custom Policy" to "Public (No Login 
Required)".
sbassett changed the edit policy from "Custom Policy" to "All Users".
sbassett changed Risk Rating from N/A to Medium.

TASK DETAIL
  https://phabricator.wikimedia.org/T362089


[Wikidata-bugs] [Maniphest] T357101: Special:MergeLexemes makes edits on GET requests without edit tokens

2024-04-05 Thread sbassett
sbassett changed the visibility from "Custom Policy" to "Public (No Login 
Required)".
sbassett changed the edit policy from "Custom Policy" to "All Users".
sbassett changed Risk Rating from N/A to Low.

TASK DETAIL
  https://phabricator.wikimedia.org/T357101


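The task title names the bug class: a special page that performs a write on a plain GET with no edit token, which is a textbook cross-site request forgery. As an added illustration (not WikibaseLexeme's code, and not the actual fix), the Python below models such a handler beside its hardened form. The Request type, the in-memory lexeme store, the server secret and the HMAC token derivation are assumptions made for the example; only the wpEditToken field name follows MediaWiki's form convention.

```python
"""Illustrative model of the bug class behind T357101: a special page whose
state-changing action fires on a plain GET with no edit (CSRF) token.
Example code, not WikibaseLexeme's implementation: the request type, the
in-memory lexeme store and the token construction are simplifications."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, List

# Per-deployment secret for deriving session-bound tokens (assumed; not MediaWiki's scheme).
SERVER_SECRET = secrets.token_bytes(32)


@dataclass
class Request:
    method: str
    params: Dict[str, str]
    session_id: str  # carried by the victim's login cookie, which the browser sends automatically


def edit_token(session_id: str) -> str:
    """Token bound to the session: HMAC(secret, session_id). A cross-site page can make
    the victim's browser send the cookie but cannot read it, so it cannot forge this."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def _merge(store: Dict[str, List[str]], src: str, dst: str) -> None:
    """Move every form of ``src`` onto ``dst`` and drop ``src``."""
    store[dst] = store[dst] + store.pop(src)


def merge_lexemes_vulnerable(req: Request, store: Dict[str, List[str]]) -> str:
    """Merges as soon as both ids are present, whatever the method and without a token.
    A victim who loads <img src="/Special:MergeLexemes?from=L1&to=L2"> performs the edit."""
    src, dst = req.params.get("from"), req.params.get("to")
    if not (src and dst) or src not in store or dst not in store:
        return "form"
    _merge(store, src, dst)
    return "merged"


def merge_lexemes_fixed(req: Request, store: Dict[str, List[str]]) -> str:
    """Hardened variant: GET only renders the form; the write path needs POST plus a
    session-bound token (field named after MediaWiki's wpEditToken convention),
    compared in constant time before any state is touched."""
    if req.method != "POST":
        return "form"
    token = req.params.get("wpEditToken", "")
    if not hmac.compare_digest(token.encode(), edit_token(req.session_id).encode()):
        return "bad-token"
    src, dst = req.params.get("from"), req.params.get("to")
    if not (src and dst) or src not in store or dst not in store:
        return "form"
    _merge(store, src, dst)
    return "merged"


def demo() -> Dict[str, str]:
    """Constructed scenario: a forged cross-site GET against both handlers, a POST
    carrying a token minted for a different session, then a legitimate tokened POST."""
    victim = "sess-victim-123"
    forged = Request("GET", {"from": "L1", "to": "L2"}, victim)
    vulnerable_store = {"L1": ["form a"], "L2": ["form b"]}
    fixed_store = {"L1": ["form a"], "L2": ["form b"]}
    stolen = Request("POST", {"from": "L1", "to": "L2",
                              "wpEditToken": edit_token("sess-attacker")}, victim)
    legit = Request("POST", {"from": "L1", "to": "L2",
                             "wpEditToken": edit_token(victim)}, victim)
    return {
        "vulnerable_forged_get": merge_lexemes_vulnerable(forged, vulnerable_store),
        "fixed_forged_get": merge_lexemes_fixed(forged, fixed_store),
        "fixed_stolen_token": merge_lexemes_fixed(stolen, fixed_store),
        "fixed_legit_post": merge_lexemes_fixed(legit, fixed_store),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The two checks in the fixed handler are independent: requiring POST alone would still be bypassable by an auto-submitting cross-site form, and a token alone would still let a GET link be replayed if the token ever leaked into a URL, so the write path needs both.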

[Wikidata-bugs] [Maniphest] T357101: Special:MergeLexemes makes edits on GET requests without edit tokens

2024-04-05 Thread sbassett
sbassett removed a project: Patch-For-Review.

TASK DETAIL
  https://phabricator.wikimedia.org/T357101


[Wikidata-bugs] [Maniphest] T356561: Wikidata query service updater script seems to not close connections to wikibase after latest update

2024-02-05 Thread sbassett
sbassett changed the visibility from "Custom Policy" to "Public (No Login 
Required)".
sbassett changed the edit policy from "Custom Policy" to "All Users".
sbassett changed Risk Rating from N/A to Low.

TASK DETAIL
  https://phabricator.wikimedia.org/T356561


[Wikidata-bugs] [Maniphest] T352877: Several efficiency errors in wbsearchentities API compound to long execution time and many database queries

2024-01-18 Thread sbassett
sbassett moved this task from Incoming to Watching on the Security-Team board.
sbassett added a project: SecTeam-Processed.

TASK DETAIL
  https://phabricator.wikimedia.org/T352877

WORKBOARD
  https://phabricator.wikimedia.org/project/board/1179/


[Wikidata-bugs] [Maniphest] T352877: Several efficiency errors in wbsearchentities API compound to long execution time and many database queries

2024-01-18 Thread sbassett
sbassett changed the visibility from "Custom Policy" to "Public (No Login 
Required)".
sbassett changed the edit policy from "Custom Policy" to "All Users".

TASK DETAIL
  https://phabricator.wikimedia.org/T352877


[Wikidata-bugs] [Maniphest] T340200: i18n XSS in Citoid Wikibase module

2023-10-10 Thread sbassett
sbassett added a comment.


  Yes, it can be made public soon.  We've been waiting on Mitre to get us the 
CVEs for the next supplemental security release (T340874) (where this issue is 
included) and we just got those at the end of last week.  So the supplemental 
security release should come out today or tomorrow.

TASK DETAIL
  https://phabricator.wikimedia.org/T340200


[Wikidata-bugs] [Maniphest] T340201: Use custom language code to find i18n XSS issues

2023-10-02 Thread sbassett
sbassett added a comment.


  In T340201#9213154 <https://phabricator.wikimedia.org/T340201#9213154>, 
@Reedy wrote:
  
  > I'm curious how we can track issues found by this...
  >
  > Just xref this task in the description?
  
  We could subtask them under this task.  Or sure, cross-ref this task within 
any new bug, and maybe still subtask them under T2212 
<https://phabricator.wikimedia.org/T2212>?

TASK DETAIL
  https://phabricator.wikimedia.org/T340201


[Wikidata-bugs] [Maniphest] T332953: Migrate PipelineLib repos to GitLab

2023-04-10 Thread sbassett
sbassett added a comment.


  In T332953#8769056 <https://phabricator.wikimedia.org/T332953#8769056>, 
@thcipriani wrote:
  
  > - Tricky part: recreate mediawiki-i18n-check, only run on changes from 
l10nbot/localization (may/likely to require changes to GitLab client code, too)
  
  This could probably just become a CI include within the repo's 
`gitlab-ci.yml` during the test stage?  It's just a pretty simple bash script 
<https://github.com/wikimedia/integration-config/blob/master/jjb/mediawiki-extensions.yaml#L34-L71>.

TASK DETAIL
  https://phabricator.wikimedia.org/T332953


[Wikidata-bugs] [Maniphest] T332953: Migrate PipelineLib repos to GitLab

2023-04-10 Thread sbassett
sbassett updated the task description.

TASK DETAIL
  https://phabricator.wikimedia.org/T332953


[Wikidata-bugs] [Maniphest] T329121: Allow the Wikidata Query Builder to be embedded in an iframe

2023-02-22 Thread sbassett
sbassett added a comment.


  In T329121#8636168 <https://phabricator.wikimedia.org/T329121#8636168>, 
@Michael wrote:
  
  > That being said, the query builder is just static files. It could 
potentially just run on their page natively, maybe needs a few changes and a 
bit of documentation from us. Or am I missing some fundamental consideration?
  
  Static files... which include a hefty amount of client-side JS, no?  That's 
the security concern.  If it can be bundled and deployed from just about 
anywhere, setting up a demo site on wmcs, etc. would likely be fine.  As long 
as there was no confusion for users that it was, indeed, a demo site.

TASK DETAIL
  https://phabricator.wikimedia.org/T329121


[Wikidata-bugs] [Maniphest] T329121: Allow the Wikidata Query Builder to be embedded in an iframe

2023-02-21 Thread sbassett
sbassett moved this task from Incoming to In Progress on the Security-Team 
board.
sbassett added a project: SecTeam-Processed.

TASK DETAIL
  https://phabricator.wikimedia.org/T329121


[Wikidata-bugs] [Maniphest] T329121: Allow the Wikidata Query Builder to be embedded in an iframe

2023-02-21 Thread sbassett
sbassett added a comment.


  In T329121#8620995 <https://phabricator.wikimedia.org/T329121#8620995>, 
@ItamarWMDE wrote:
  
  > Unfortunately, it seems like we cannot do this as these headers were 
requested by the WMF security team it seems. In addition, this might expose us 
to some forms of clickjacking 
<https://owasp.org/www-community/attacks/Clickjacking> attacks, where other 
embedding sites will be able to steal some information from the embedded page.
  
  This is all correct, and why we'd discourage a revert of the status quo or, 
at the very least, likely rate it as at least a {icon exclamation-triangle 
color=yellow} **medium risk**.
  
  > We might be able to try and set a `Content-Security-Policy` header with a 
`frame-ancestors` directive set to the domain of the MOOC. But I would still 
defer to advice from the WMF  Security Team (tagging @sbassett here since they 
are the only contact I have in the team so far)
  
  This is likely feasible, if it doesn't interfere with any potential 
`X-Frame-Options: deny` headers, and if the source list is kept to a minimum of 
//absolutely necessary// URLs that the #security-team 
<https://phabricator.wikimedia.org/tag/security-team/> could review and assign 
any potential risk ratings.

TASK DETAIL
  https://phabricator.wikimedia.org/T329121


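The caveat in the comment above (a frame-ancestors allow list beside an existing X-Frame-Options: deny) hinges on how browsers resolve the two headers: when a CSP with frame-ancestors is present, X-Frame-Options is ignored entirely, so the effective policy is whatever the CSP source list says. The Python below is an added example, not Query Builder code or anything from the task: it models that resolution in simplified form (HTML and CSP3 matching rules without path matching) and lints a header set the way a reviewer would, flagging over-broad sources and an X-Frame-Options value that the CSP silently overrides. The page origin, the MOOC origin and every header value are constructed.

```python
"""Added example for T329121: resolve X-Frame-Options against frame-ancestors the way
current browsers do, and lint header sets a reviewer would question. Not Query Builder
code; simplified HTML/CSP3 matching (no path matching); all values constructed."""
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

Origin = Tuple[str, str, int]  # (scheme, host, port)
DEFAULT_PORTS = {"https": 443, "http": 80}


def norm_origin(url: str) -> Origin:
    """Lower-case scheme and host; fill in the scheme's default port."""
    u = urlsplit(url)
    scheme = u.scheme.lower()
    return scheme, (u.hostname or "").lower(), u.port or DEFAULT_PORTS.get(scheme, 0)


def source_matches(src: str, embedder: Origin, page: Origin) -> bool:
    """CSP source-expression matching for frame-ancestors: keywords, scheme-source,
    host-source with optional leading wildcard and optional explicit port."""
    s = src.strip().strip("'").lower()
    if s == "none":
        return False
    if s == "self":
        return embedder == page
    if s == "*":
        return True
    if s.endswith(":") and "://" not in s:  # scheme-source such as "https:"
        return embedder[0] == s[:-1]
    has_scheme = "://" in s
    u = urlsplit(s if has_scheme else "https://" + s)
    e_scheme, e_host, e_port = embedder
    if has_scheme and u.scheme != e_scheme:
        return False
    if not has_scheme and e_scheme not in (page[0], "https"):
        return False
    host = u.hostname or ""
    if host.startswith("*."):
        if not e_host.endswith(host[1:]):  # "*.example.edu" -> suffix ".example.edu"
            return False
    elif host != e_host:
        return False
    if u.port is not None:
        return e_port == u.port
    return e_port == DEFAULT_PORTS.get(e_scheme)


def frame_ancestors(csp: Optional[str]) -> Optional[List[str]]:
    """Source list of frame-ancestors, or None if the directive is absent.
    An empty source list is equivalent to 'none'."""
    if not csp:
        return None
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            return parts[1:] or ["'none'"]
    return None


def xfo_allows(xfo: Optional[str], embedder: Origin, page: Origin) -> bool:
    """X-Frame-Options as browsers process it: conflicting values deny, DENY denies
    everything, SAMEORIGIN needs a same-origin embedder, anything else is ignored."""
    if xfo is None:
        return True
    values = {v.strip().lower() for v in xfo.split(",") if v.strip()}
    if len(values) > 1 or "deny" in values:
        return False
    if "sameorigin" in values:
        return embedder == page
    return True


def embedding_allowed(headers: Dict[str, str], embedder_url: str, page_url: str) -> bool:
    """May a document at embedder_url frame page_url served with these headers?
    With frame-ancestors present, the browser ignores X-Frame-Options entirely."""
    h = {k.lower(): v for k, v in headers.items()}
    embedder, page = norm_origin(embedder_url), norm_origin(page_url)
    sources = frame_ancestors(h.get("content-security-policy"))
    if sources is not None:
        return any(source_matches(s, embedder, page) for s in sources)
    return xfo_allows(h.get("x-frame-options"), embedder, page)


def lint(headers: Dict[str, str]) -> List[str]:
    """Reviewer findings: no protection, over-broad sources, or an X-Frame-Options
    value that frame-ancestors overrides (the effective policy is the CSP one)."""
    h = {k.lower(): v for k, v in headers.items()}
    sources = frame_ancestors(h.get("content-security-policy"))
    xfo = (h.get("x-frame-options") or "").strip().lower()
    findings: List[str] = []
    if sources is None:
        if not xfo:
            findings.append("no framing protection: neither X-Frame-Options nor frame-ancestors")
        return findings
    plain = [s.strip("'").lower() for s in sources]
    broad = [s for s in plain if s == "*" or s.endswith(":") or s.startswith("*.")]
    if broad:
        findings.append("over-broad frame-ancestors sources: " + ", ".join(broad))
    third_party = [s for s in plain if s not in ("self", "none")]
    if xfo in ("deny", "sameorigin") and third_party:
        findings.append(f"X-Frame-Options: {xfo} is overridden by frame-ancestors; "
                        "effective policy permits " + ", ".join(third_party))
    return findings


if __name__ == "__main__":
    PAGE, MOOC = "https://query-builder.example.org/", "https://mooc.example.edu/lesson/3"
    proposed = {"X-Frame-Options": "DENY",
                "Content-Security-Policy": "frame-ancestors 'self' https://mooc.example.edu"}
    print(embedding_allowed({"X-Frame-Options": "DENY"}, MOOC, PAGE), embedding_allowed(proposed, MOOC, PAGE))
    print(lint(proposed))
```

Run against the two constructed header sets, the status quo denies the MOOC and the proposed set allows it while lint reports that the DENY no longer does anything in CSP-aware browsers. That is the point of keeping the source list to exact https origins: a scheme-source like https: or a wildcard host is flagged as over-broad because it re-opens the clickjacking surface the original header closed.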

[Wikidata-bugs] [Maniphest] T323592: CVE-2023-22910: XSS in Wikibase date formatting

2023-01-12 Thread sbassett
sbassett removed a project: Patch-For-Review.

TASK DETAIL
  https://phabricator.wikimedia.org/T323592


[Wikidata-bugs] [Maniphest] T321318: Wikibase REST API ignores `bot` user right, lets anyone mark edits as bot edits

2022-11-21 Thread sbassett
sbassett changed Risk Rating from N/A to Low.

TASK DETAIL
  https://phabricator.wikimedia.org/T321318


[Wikidata-bugs] [Maniphest] T321318: Wikibase REST API ignores `bot` user right, lets anyone mark edits as bot edits

2022-11-21 Thread sbassett
sbassett added a comment.


  In T321318#8407900 <https://phabricator.wikimedia.org/T321318#8407900>, 
@WMDE-leszek wrote:
  
  > Good point @sbassett. For that reasons it was actually worked upon in the 
open on Gerrit
  
  Ok.  Is there a change set we could reference here?  Searching the Phab task 
ID doesn't seem to get me anything...

TASK DETAIL
  https://phabricator.wikimedia.org/T321318


[Wikidata-bugs] [Maniphest] T308659: Validate lemma length in Special:NewLexeme(Alpha) and label/description/aliases length in Special:NewProperty (CVE-2022-34750)

2022-06-29 Thread sbassett
sbassett moved this task from Watching to Our Part Is Done on the Security-Team 
board.
sbassett added a comment.


  In T308659#8037779 <https://phabricator.wikimedia.org/T308659#8037779>, 
@Lucas_Werkmeister_WMDE wrote:
  
  > I think we’re done here (but please reopen if the task should still be open 
for security release process purposes).
  
  Yes, looks good.  This will be (re-)announced via the upcoming supplemental 
security release, due out tomorrow or early next week.  And thanks for 
shepherding all of those additional backports.

TASK DETAIL
  https://phabricator.wikimedia.org/T308659


[Wikidata-bugs] [Maniphest] T308659: Validate lemma length in Special:NewLexeme(Alpha) and label/description/aliases length in Special:NewProperty (CVE-2022-34750)

2022-06-29 Thread sbassett
sbassett added a comment.


  In T308659#8036319 <https://phabricator.wikimedia.org/T308659#8036319>, 
@MoritzMuehlenhoff wrote:
  
  > This appeared in the CVE feed as 
https://www.cve.org/CVERecord?id=CVE-2022-34750
  
  Yes, I requested that ID a couple of days ago and forgot to update the task 
title here.  Thanks for doing that.

TASK DETAIL
  https://phabricator.wikimedia.org/T308659


[Wikidata-bugs] [Maniphest] T308659: Validate lemma length in Special:NewLexeme(Alpha) and label/description/aliases length in Special:NewProperty

2022-06-27 Thread sbassett
sbassett triaged this task as "Low" priority.
sbassett changed the visibility from "Custom Policy" to "Public (No Login 
Required)".
sbassett changed the edit policy from "Custom Policy" to "All Users".
sbassett changed Risk Rating from N/A to Low.

TASK DETAIL
  https://phabricator.wikimedia.org/T308659


[Wikidata-bugs] [Maniphest] T306031: XSS in Wikidata top page views Grafana board (affects grafana.w.o and grafana-rw.w.o)

2022-04-19 Thread sbassett
sbassett triaged this task as "Low" priority.
sbassett changed the visibility from "Custom Policy" to "Public (No Login 
Required)".
sbassett changed the edit policy from "Custom Policy" to "All Users".
sbassett changed Risk Rating from N/A to Low.

TASK DETAIL
  https://phabricator.wikimedia.org/T306031


[Wikidata-bugs] [Maniphest] T302215: HTML injection / XSS from i18n message in WikibaseClient edit hook (CVE-2022-28208)

2022-03-31 Thread sbassett
sbassett changed the visibility from "Custom Policy" to "Public (No Login 
Required)".
sbassett changed the edit policy from "Custom Policy" to "All Users".

TASK DETAIL
  https://phabricator.wikimedia.org/T302215

To: Lucas_Werkmeister_WMDE, sbassett
Cc: sbassett, Addshore, ItamarWMDE, Aklapper, Lucas_Werkmeister_WMDE, 
Astuthiodit_1, karapayneWMDE, Invadibot, Devnull, maantietaja, Y.ssk, 
Akuckartz, Dsharpe, DannyS712, Nandana, lucamauri, Lahi, Gq86, 
GoranSMilovanovic, QZanden, EBjune, LawExplorer, _jensen, rosalieper, 
Scott_WUaS, Wong128hk, Luke081515, Wikidata-bugs, aude, Bawolff, 
Lydia_Pintscher, Grunny, He7d3r, csteipp, Mbch331, Jay8g, Krenair, Legoktm, 
chasemp, RhinosF1, valerio.bozzolan


[Wikidata-bugs] [Maniphest] T294151: Reports that the ua-parser-js npm package has been "hijacked" into a coinminer (indirect dependency of Wikibase)

2022-02-16 Thread sbassett
sbassett removed a project: Security-Team.

TASK DETAIL
  https://phabricator.wikimedia.org/T294151

To: sbassett
Cc: Dsharpe, Lucas_Werkmeister_WMDE, Silvan_WMDE, Tarrow, sbassett, Aklapper, 
Jdforrester-WMF, Legoktm, Majavah, Urbanecm_WMF, karapayneWMDE, Invadibot, 
Lectrician1, Devnull, maantietaja, Akuckartz, Michael, DannyS712, Nandana, 
Lahi, Gq86, GoranSMilovanovic, QZanden, LawExplorer, _jensen, rosalieper, 
Scott_WUaS, Aschroet, Wikidata-bugs, aude, Bawolff, Lydia_Pintscher, Addshore, 
Mbch331, EBjune, Wong128hk, Luke081515, Grunny, csteipp, Jay8g, Krenair, chasemp


[Wikidata-bugs] [Maniphest] T294151: Reports that the ua-parser-js npm package has been "hijacked" into a coinminer (indirect dependency of Wikibase)

2022-02-16 Thread sbassett
sbassett added a project: SecTeam-Processed.
sbassett changed the visibility from "Custom Policy" to "Public (No Login 
Required)".
sbassett changed the edit policy from "Custom Policy" to "All Users".
sbassett changed Risk Rating from N/A to Low.

TASK DETAIL
  https://phabricator.wikimedia.org/T294151

To: sbassett
Cc: Dsharpe, Lucas_Werkmeister_WMDE, Silvan_WMDE, Tarrow, sbassett, Aklapper, 
Jdforrester-WMF, Legoktm, Majavah, Urbanecm_WMF, karapayneWMDE, Invadibot, 
Lectrician1, Devnull, maantietaja, Akuckartz, Michael, DannyS712, Nandana, 
Lahi, Gq86, GoranSMilovanovic, QZanden, EBjune, LawExplorer, _jensen, 
rosalieper, Scott_WUaS, Wong128hk, Luke081515, Aschroet, Wikidata-bugs, aude, 
Bawolff, Lydia_Pintscher, Grunny, Addshore, csteipp, Mbch331, Jay8g, Krenair, 
chasemp, RhinosF1


[Wikidata-bugs] [Maniphest] T301273: Wikibase submodule is linked to github, causing scap prep to fail

2022-02-14 Thread sbassett
sbassett edited projects, added SecTeam-Processed; removed Security-Team.
sbassett added a comment.


  @ItamarWMDE - re: security reviews, please see the current SOP at 
https://www.mediawiki.org/wiki/Security/SOP/Application_Security_Reviews.
  
  From what I'm seeing in the change set @Lucas_Werkmeister_WMDE mentions 
above, this doesn't appear to be a large volume of new or security-sensitive 
code, so it can likely just go through CR within gerrit.  The #security-team 
<https://phabricator.wikimedia.org/tag/security-team/> absolutely cannot review 
every new line of code added to Wikimedia projects and so we typically reserve 
the application security review process to major new codebases bound for 
production or major changes to core or other deployed extensions and skins.  We 
also encourage folks to run various automated tools (SCA, SAST, etc.) against 
their own codebases, as tests or manually, for which we can help advise.  The 
initial security concern here was the submodule update from github, which we 
don't allow in wikimedia production.

TASK DETAIL
  https://phabricator.wikimedia.org/T301273

To: ItamarWMDE, sbassett
Cc: sbassett, karapayneWMDE, Addshore, Michael, Lucas_Werkmeister_WMDE, 
ItamarWMDE, Reedy, Zabe, Ladsgroup, Majavah, Umherirrender, thcipriani, jeena, 
Aklapper, Invadibot, maantietaja, Akuckartz, Nandana, Lahi, Gq86, 
GoranSMilovanovic, Mahir256, QZanden, LawExplorer, _jensen, rosalieper, 
Bodhisattwa, Scott_WUaS, Wikidata-bugs, aude, Mbch331, Devnull, Dsharpe, 
EBjune, Wong128hk, Luke081515, Bawolff, Grunny, csteipp, Jay8g, Krenair, chasemp


[Wikidata-bugs] [Maniphest] T292110: Security Readiness Review For Improved Property Suggester/Recommender for Wikidata

2022-01-12 Thread sbassett
sbassett added a comment.


  In T292110#7614949 <https://phabricator.wikimedia.org/T292110#7614949>, 
@Michaelcochez wrote:
  
  > @Reedy could you have a look at the current security policy 
https://github.com/martaannaj/RecommenderServer/security/policy and if this is 
fine close https://github.com/martaannaj/RecommenderServer/issues/2 ?
  
  The new Github security policy LGTM, +1.

TASK DETAIL
  https://phabricator.wikimedia.org/T292110

To: Reedy, sbassett
Cc: Lucas_Werkmeister_WMDE, sbassett, Michaelcochez, Martaannaj, 
Lydia_Pintscher, Addshore, WMDE-leszek, karapayneWMDE, Aklapper, Invadibot, 
Devnull, maantietaja, Akuckartz, Jcross, Dsharpe, DannyS712, Nandana, Lahi, 
Gq86, GoranSMilovanovic, QZanden, LawExplorer, _jensen, rosalieper, Scott_WUaS, 
Wikidata-bugs, aude, Bawolff, Mbch331, Legoktm


[Wikidata-bugs] [Maniphest] T292110: Security Readiness Review For Improved Property Suggester/Recommender for Wikidata

2022-01-11 Thread sbassett
sbassett closed this task as "Resolved".
sbassett added a comment.


  We're going to resolve this for now as **low risk** since none of the new 
security tooling added to the Github repo has returned any medium+ risk 
actionable issues.  One caveat would be noting (in the README or wherever) as a 
kinda-false-positive (and possibly suppressing 
<https://semgrep.dev/docs/ignoring-findings/>) the TLS issue found by semgrep 
so as not to cause any future concern.  Otherwise, consider this unblocked from 
an #application_security_reviews 
<https://phabricator.wikimedia.org/tag/application_security_reviews/> 
perspective.

TASK DETAIL
  https://phabricator.wikimedia.org/T292110

To: Reedy, sbassett
Cc: Lucas_Werkmeister_WMDE, sbassett, Michaelcochez, Martaannaj, 
Lydia_Pintscher, Addshore, WMDE-leszek, karapayneWMDE, Aklapper, Invadibot, 
Devnull, maantietaja, Akuckartz, Jcross, Dsharpe, DannyS712, Nandana, Lahi, 
Gq86, GoranSMilovanovic, QZanden, LawExplorer, _jensen, rosalieper, Scott_WUaS, 
Wikidata-bugs, aude, Bawolff, Mbch331, Legoktm


[Wikidata-bugs] [Maniphest] T294693: XSS on page information Wikibase central description

2021-12-23 Thread sbassett
sbassett added a parent task: Restricted Task.

TASK DETAIL
  https://phabricator.wikimedia.org/T294693

To: Urbanecm, sbassett
Cc: Zabe, gerritbot, Reedy, Mohammed_Sadat_WMDE, Rosalie_WMDE, Lea_WMDE, dang, 
Deniz_WMDE, rosalieper, Samantha_Alipio_WMDE, toan, sbassett, Tarrow, Tgr, 
Jakob_WMDE, WMDE-leszek, Michael, noarave, Mstyles, ItamarWMDE, 
Lucas_Werkmeister_WMDE, Addshore, Urbanecm, Aklapper, Dylsss, Invadibot, 
Devnull, maantietaja, Y.ssk, Akuckartz, Dsharpe, DannyS712, Nandana, lucamauri, 
Lahi, Gq86, GoranSMilovanovic, QZanden, EBjune, LawExplorer, _jensen, 
Scott_WUaS, Wong128hk, Luke081515, Wikidata-bugs, aude, Bawolff, 
Lydia_Pintscher, Grunny, He7d3r, csteipp, Mbch331, Jay8g, Krenair, Legoktm, 
chasemp


[Wikidata-bugs] [Maniphest] T296578: Globally blocked IPs can edit EntitySchema items

2021-12-23 Thread sbassett
sbassett added a parent task: Restricted Task.

TASK DETAIL
  https://phabricator.wikimedia.org/T296578

To: sbassett
Cc: Zabe, Rosalie_WMDE, Addshore, toan, sbassett, karapayneWMDE, Manuel, 
Lydia_Pintscher, Urbanecm, Lucas_Werkmeister_WMDE, Michael, Aklapper, Dylsss, 
Invadibot, Devnull, maantietaja, SCIdude, Akuckartz, pdehaye, Dsharpe, 
FriedrickMILBarbarossa, DannyS712, Nandana, Tks4Fish, Jony, Lahi, Gq86, 
Andrawaag, GoranSMilovanovic, SPoore, QZanden, EBjune, YULdigitalpreservation, 
LawExplorer, Salgo60, JJMC89, _jensen, rosalieper, Tegel, RuyP, JEumerus, 
Scott_WUaS, Taketa, Matiia, Einsbor, Wong128hk, Luke081515, MisterSynergy, 
Bsadowski1, Mardetanha, abian, Barras, Wikidata-bugs, Snowolf, Savh, aude, 
Pmlineditor, Bawolff, NahidSultan, DerHexer, Shanmugamp7, Trijnstel, Melos, 
Grunny, Stryn, csteipp, Mbch331, Jay8g, Glaisher, Krenair, Legoktm, chasemp


[Wikidata-bugs] [Maniphest] T297570: XSS in Wikibase using formatter URL

2021-12-23 Thread sbassett
sbassett added a parent task: Restricted Task.

TASK DETAIL
  https://phabricator.wikimedia.org/T297570

To: Lucas_Werkmeister_WMDE, sbassett
Cc: Zabe, Bugreporter, hashar, Jakob_WMDE, noarave, toan, Rosalie_WMDE, 
karapayneWMDE, Silvan_WMDE, sbassett, WMDE-leszek, Michael, 
Lucas_Werkmeister_WMDE, Addshore, Aklapper, Dylsss, Invadibot, Devnull, 
maantietaja, Y.ssk, Akuckartz, DannyS712, Nandana, lucamauri, Lahi, Gq86, 
GoranSMilovanovic, QZanden, LawExplorer, _jensen, rosalieper, Scott_WUaS, 
Wikidata-bugs, aude, Bawolff, Lydia_Pintscher, He7d3r, Mbch331, Legoktm


[Wikidata-bugs] [Maniphest] T297570: XSS in Wikibase using formatter URL

2021-12-21 Thread sbassett
sbassett closed this task as "Resolved".

TASK DETAIL
  https://phabricator.wikimedia.org/T297570

To: Lucas_Werkmeister_WMDE, sbassett
Cc: Zabe, Bugreporter, hashar, Jakob_WMDE, noarave, toan, Rosalie_WMDE, 
karapayneWMDE, Silvan_WMDE, sbassett, WMDE-leszek, Michael, 
Lucas_Werkmeister_WMDE, Addshore, Aklapper, Dylsss, Invadibot, Devnull, 
maantietaja, Y.ssk, Akuckartz, DannyS712, Nandana, lucamauri, Lahi, Gq86, 
GoranSMilovanovic, QZanden, LawExplorer, _jensen, rosalieper, Scott_WUaS, 
Wikidata-bugs, aude, Bawolff, Lydia_Pintscher, He7d3r, Mbch331, Legoktm


[Wikidata-bugs] [Maniphest] T294693: XSS on page information Wikibase central description

2021-12-21 Thread sbassett
sbassett closed this task as "Resolved".

TASK DETAIL
  https://phabricator.wikimedia.org/T294693

To: Urbanecm, sbassett
Cc: Zabe, gerritbot, Reedy, Mohammed_Sadat_WMDE, Rosalie_WMDE, Lea_WMDE, dang, 
Deniz_WMDE, rosalieper, Samantha_Alipio_WMDE, toan, sbassett, Tarrow, Tgr, 
Jakob_WMDE, WMDE-leszek, Michael, noarave, Mstyles, ItamarWMDE, 
Lucas_Werkmeister_WMDE, Addshore, Urbanecm, Aklapper, Dylsss, Invadibot, 
Devnull, maantietaja, Y.ssk, Akuckartz, Dsharpe, DannyS712, Nandana, lucamauri, 
Lahi, Gq86, GoranSMilovanovic, QZanden, EBjune, LawExplorer, _jensen, 
Scott_WUaS, Wong128hk, Luke081515, Wikidata-bugs, aude, Bawolff, 
Lydia_Pintscher, Grunny, He7d3r, csteipp, Mbch331, Jay8g, Krenair, Legoktm, 
chasemp


[Wikidata-bugs] [Maniphest] T292110: Security Readiness Review For Improved Property Suggester/Recommender for Wikidata

2021-12-16 Thread sbassett
sbassett added a comment.


  In T292110#7574265 <https://phabricator.wikimedia.org/T292110#7574265>, 
@Michaelcochez wrote:
  
  > @sbassett Is that something which should be checked now, during the 
security readiness review, or only later upon deployment?
  >
  > I have added the TLS option to the implementation, but the fact that we 
still allow starting a http version remains flagged.
  
  I believe that in the context of a Wikimedia production service deploy, this 
rule would likely be a false positive result, but again, something to confirm 
with #SRE <https://phabricator.wikimedia.org/tag/sre/>.  For a local dev 
environment, it also seems unnecessary.  The only time it would be a true 
positive, in my opinion, would be if the service did not have any kind of 
reverse proxy for TLS termination, i.e. it was directly exposed to the internet.

TASK DETAIL
  https://phabricator.wikimedia.org/T292110

To: Reedy, sbassett
Cc: Lucas_Werkmeister_WMDE, sbassett, Michaelcochez, Martaannaj, 
Lydia_Pintscher, Addshore, WMDE-leszek, karapayneWMDE, Aklapper, Invadibot, 
Devnull, maantietaja, Akuckartz, Jcross, Dsharpe, DannyS712, Nandana, Lahi, 
Gq86, GoranSMilovanovic, QZanden, LawExplorer, _jensen, rosalieper, Scott_WUaS, 
Wikidata-bugs, aude, Bawolff, Mbch331, Legoktm


[Wikidata-bugs] [Maniphest] T292110: Security Readiness Review For Improved Property Suggester/Recommender for Wikidata

2021-12-15 Thread sbassett
sbassett added a comment.


  In T292110#7573952 <https://phabricator.wikimedia.org/T292110#7573952>, 
@Michaelcochez wrote:
  
  > 1. should we solve this by also having this internal service use https?
  > 2. and if so, where would I get a certificate/key for that?
  
  I believe it'd be a similar setup to wmcloud, i.e. a reverse proxy to the 
app, if this service-related doc is correct 
<https://wikitech.wikimedia.org/wiki/Kubernetes/Enabling_TLS>.  This would be a 
good thing to confirm with #sre <https://phabricator.wikimedia.org/tag/sre/>, 
likely within the context of a new service request 
<https://phabricator.wikimedia.org/project/profile/1305/>.

TASK DETAIL
  https://phabricator.wikimedia.org/T292110

To: Reedy, sbassett
Cc: Lucas_Werkmeister_WMDE, sbassett, Michaelcochez, Martaannaj, 
Lydia_Pintscher, Addshore, WMDE-leszek, karapayneWMDE, Aklapper, Invadibot, 
Devnull, maantietaja, Akuckartz, Jcross, Dsharpe, DannyS712, Nandana, Lahi, 
Gq86, GoranSMilovanovic, QZanden, LawExplorer, _jensen, rosalieper, Scott_WUaS, 
Wikidata-bugs, aude, Bawolff, Mbch331, Legoktm


[Wikidata-bugs] [Maniphest] T292110: Security Readiness Review For Improved Property Suggester/Recommender for Wikidata

2021-12-15 Thread sbassett
sbassett added a comment.


  In T292110#7571382 <https://phabricator.wikimedia.org/T292110#7571382>, 
@Michaelcochez wrote:
  
  > I have now added gokart. The github action was not working out of the box, 
because of some missing configuration parameters in the example. I opened a 
pull request for that.
  
  Great.
  
  > Then, I also added nancy to scan packages and enabled Dependabot alerts.
  
  Great.
  
  > It seems I cannot configure semgrep as a github action, and I am 
uncomfortable giving the website access to my github account.
  
  Yes, I wouldn't set up any version of semgrep that depended upon semgrep.dev 
(or untrusted images) except for maybe talking to their registry.  I think the 
worst case would be manually setting up a github action that uses a python 
image, installing semgrep via pip (or whatever) and then running the cli like: 
`semgrep --config=p/golang --metrics=off`.  I believe this //should// just pull 
the golang policy from their registry and not report any pseudonymous feedback 
back to semgrep.dev.  Anyhow, this is more a suggestion with both gosec and 
gokart running for SAST.
  
  And if any of these tools become too noisy, they can likely be disabled or 
further tweaked, especially if there are noisy rules.

TASK DETAIL
  https://phabricator.wikimedia.org/T292110

To: Reedy, sbassett
Cc: Lucas_Werkmeister_WMDE, sbassett, Michaelcochez, Martaannaj, 
Lydia_Pintscher, Addshore, WMDE-leszek, karapayneWMDE, Aklapper, Invadibot, 
Devnull, maantietaja, Akuckartz, Jcross, Dsharpe, DannyS712, Nandana, Lahi, 
Gq86, GoranSMilovanovic, QZanden, LawExplorer, _jensen, rosalieper, Scott_WUaS, 
Wikidata-bugs, aude, Bawolff, Mbch331, Legoktm
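The setup sbassett sketches in the comment above (a Python-based GitHub Actions job that installs semgrep via pip and runs the CLI with the golang policy and metrics off, alongside gosec and nancy) written out as an added example workflow; it is not from the RecommenderServer repository or the task, and the job names, action versions, the `go-version` value and the `--error` flag are assumptions not taken from the thread. The comment on suppressing findings relates to the later note on marking the semgrep TLS result as a false positive.

```yaml
# Added example (not from the RecommenderServer repo or the task): SAST and
# dependency scanning for a Go project, wired as three GitHub Actions jobs.
name: security-scans

on:
  push:
    branches: [main]
  pull_request:

jobs:
  semgrep:
    # Plain Python runner, no semgrep.dev app login or untrusted image:
    # only the public "p/golang" policy is fetched from the rule registry.
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: "3.x"
      - name: Install semgrep from PyPI
        run: python -m pip install --upgrade pip semgrep
      - name: Run semgrep with the golang policy, metrics off
        # --metrics=off keeps the CLI from sending pseudonymous usage data
        # to semgrep.dev; --error fails the job when findings are reported.
        # A known false positive (e.g. a plain-HTTP listener that only ever
        # sits behind a TLS-terminating reverse proxy) can be suppressed with
        # a .semgrepignore file or a "nosemgrep" comment on the flagged line.
        run: semgrep --config=p/golang --metrics=off --error

  gosec:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Run gosec over every package in the module
        uses: securego/gosec@master
        with:
          args: ./...

  nancy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@v5
        with:
          go-version: "1.21"   # assumed; match the project's go.mod
      - name: Install nancy
        run: go install github.com/sonatype-nexus-community/nancy@latest
      - name: Check the dependency graph against the Sonatype OSS Index
        run: go list -json -deps ./... | nancy sleuth
```

If a rule in `p/golang` proves noisy, the lead-in's suggestion of disabling or tweaking it applies here too: pass `--exclude-rule` for that rule id rather than dropping the whole policy.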


[Wikidata-bugs] [Maniphest] T292110: Security Readiness Review For Improved Property Suggester/Recommender for Wikidata

2021-12-14 Thread sbassett
sbassett added a comment.


  @Michaelcochez - Thanks for getting gosec set up within the project's Github 
CI.  Just reviewing some recent runs 
<https://github.com/martaannaj/RecommenderServer/actions/workflows/gosec.yml>, 
it doesn't seem like it's found much, which is good, and we'd likely rate that 
as **low risk** for now, but I'll let @reedy make that call as this is his 
review.
  
  Another tool that might be helpful is go-kart 
<https://www.praetorian.com/blog/introducing-gokart/>, which is somewhat of a 
complement/alternative to gosec FWIU, and it looks like there's a convenient 
way to set it up as a Github action here 
<https://github.com/kitabisa/gokart-action>.  semgrep <https://semgrep.dev/> 
also has a golang policy ("p/golang") consisting of about 24 rules right now.  
I'd also recommend using at least some tool to scan for vulnerable packages in 
addition to Github's recent Advisories support for golang 
<https://github.blog/2021-07-22-github-supply-chain-security-features-go-community/>.
  Nancy <https://github.com/sonatype-nexus-community/nancy> or even the 
free/foss tier of snyk <https://snyk.io/plans/> should work, though the latter 
obviously has some limits re: tests per month, etc.  Talking with some snyk 
sales reps recently, they are allegedly coming out with a pure non-profit 
license, which I'm hopeful might work well and be less limited for the entire 
Wikimedia developer community/ecosystem.

TASK DETAIL
  https://phabricator.wikimedia.org/T292110

To: Reedy, sbassett
Cc: Lucas_Werkmeister_WMDE, sbassett, Michaelcochez, Martaannaj, 
Lydia_Pintscher, Addshore, WMDE-leszek, karapayneWMDE, Aklapper, Invadibot, 
Devnull, maantietaja, Akuckartz, Jcross, Dsharpe, DannyS712, Nandana, Lahi, 
Gq86, GoranSMilovanovic, QZanden, LawExplorer, _jensen, rosalieper, Scott_WUaS, 
Wikidata-bugs, aude, Bawolff, Mbch331, Legoktm


[Wikidata-bugs] [Maniphest] T292110: Security Readiness Review For Improved Property Suggester/Recommender for Wikidata

2021-11-16 Thread sbassett
sbassett changed the task status from "In Progress" to "Stalled".
sbassett added a comment.


  Stalling until more security/linting automation has been officially set up in 
CI.  We'll then plan to use the results of some of that tooling, in addition to 
some manual review/pen-testing, to formulate a final application security 
review deliverable on this task.

TASK DETAIL
  https://phabricator.wikimedia.org/T292110

To: Reedy, sbassett
Cc: sbassett, Michaelcochez, Martaannaj, Lydia_Pintscher, Addshore, 
WMDE-leszek, karapayneWMDE, Aklapper, Invadibot, Devnull, maantietaja, 
Akuckartz, Jcross, Dsharpe, DannyS712, Nandana, Lahi, Gq86, GoranSMilovanovic, 
QZanden, LawExplorer, _jensen, rosalieper, Scott_WUaS, Wikidata-bugs, aude, 
Bawolff, Mbch331, Legoktm


[Wikidata-bugs] [Maniphest] T292110: Security Readiness Review For Improved Property Suggester/Recommender for Wikidata

2021-11-08 Thread sbassett
sbassett added a comment.


  Hey @WMDE-leszek - we're going to have @reedy give this a first look for a 
security review.  Hopefully they can have a report deliverable for you later 
this quarter or early next.  At that point we can reassess any additional needs.

TASK DETAIL
  https://phabricator.wikimedia.org/T292110

To: Reedy, sbassett
Cc: sbassett, Michaelcochez, Martaannaj, Lydia_Pintscher, Addshore, 
WMDE-leszek, karapayneWMDE, Aklapper, Invadibot, Devnull, maantietaja, 
Akuckartz, Jcross, Dsharpe, DannyS712, Nandana, Lahi, Gq86, GoranSMilovanovic, 
QZanden, LawExplorer, _jensen, rosalieper, Scott_WUaS, Wikidata-bugs, aude, 
Bawolff, Mbch331, Legoktm


[Wikidata-bugs] [Maniphest] T292110: Security Readiness Review For Improved Property Suggester/Recommender for Wikidata

2021-11-04 Thread sbassett
sbassett raised the priority of this task from "Low" to "Medium".

TASK DETAIL
  https://phabricator.wikimedia.org/T292110

To: Reedy, sbassett
Cc: sbassett, Michaelcochez, Martaannaj, Lydia_Pintscher, Addshore, 
WMDE-leszek, karapayneWMDE, Aklapper, Invadibot, Devnull, maantietaja, 
Akuckartz, Jcross, Dsharpe, DannyS712, Nandana, Lahi, Gq86, GoranSMilovanovic, 
QZanden, LawExplorer, _jensen, rosalieper, Scott_WUaS, Wikidata-bugs, aude, 
Bawolff, Mbch331, Legoktm


[Wikidata-bugs] [Maniphest] T292110: Security Readiness Review For Improved Property Suggester/Recommender for Wikidata

2021-11-04 Thread sbassett
sbassett changed the task status from "Stalled" to "In Progress".

TASK DETAIL
  https://phabricator.wikimedia.org/T292110

To: Reedy, sbassett
Cc: sbassett, Michaelcochez, Martaannaj, Lydia_Pintscher, Addshore, 
WMDE-leszek, karapayneWMDE, Aklapper, Invadibot, Devnull, maantietaja, 
Akuckartz, Jcross, Dsharpe, DannyS712, Nandana, Lahi, Gq86, GoranSMilovanovic, 
QZanden, LawExplorer, _jensen, rosalieper, Scott_WUaS, Wikidata-bugs, aude, 
Bawolff, Mbch331, Legoktm
___
Wikidata-bugs mailing list -- wikidata-bugs@lists.wikimedia.org
To unsubscribe send an email to wikidata-bugs-le...@lists.wikimedia.org


[Wikidata-bugs] [Maniphest] T292110: Security Readiness Review For Improved Property Suggester/Recommender for Wikidata

2021-11-04 Thread sbassett
sbassett assigned this task to Reedy.
sbassett moved this task from Q1: 2021 Planning Queue to In Progress on the 
secscrum board.

TASK DETAIL
  https://phabricator.wikimedia.org/T292110

WORKBOARD
  https://phabricator.wikimedia.org/project/board/4630/

To: Reedy, sbassett
Cc: sbassett, Michaelcochez, Martaannaj, Lydia_Pintscher, Addshore, 
WMDE-leszek, karapayneWMDE, Aklapper, Invadibot, Devnull, maantietaja, 
Akuckartz, Jcross, Dsharpe, DannyS712, Nandana, Lahi, Gq86, GoranSMilovanovic, 
QZanden, LawExplorer, _jensen, rosalieper, Scott_WUaS, Wikidata-bugs, aude, 
Bawolff, Mbch331, Legoktm


[Wikidata-bugs] [Maniphest] T292110: Security Readiness Review For Improved Property Suggester/Recommender for Wikidata

2021-11-04 Thread sbassett
sbassett added a comment.


  Hey @WMDE-leszek - We're still working through some possibilities for 
engaging a vendor for this work.  Hopefully I can have an answer in another 
week or so for you and your team.  If the vendor path falls through, we'd 
likely need to schedule this review for early next quarter (January 2022 - 
March 2022), but there are options for risk acceptance/ownership if that 
scheduling estimate does not align with your desired production deployment date.

TASK DETAIL
  https://phabricator.wikimedia.org/T292110

To: sbassett
Cc: sbassett, Michaelcochez, Martaannaj, Lydia_Pintscher, Addshore, 
WMDE-leszek, karapayneWMDE, Aklapper, Invadibot, Devnull, maantietaja, 
Akuckartz, Jcross, Dsharpe, DannyS712, Nandana, Lahi, Gq86, GoranSMilovanovic, 
QZanden, LawExplorer, _jensen, rosalieper, Scott_WUaS, Wikidata-bugs, aude, 
Bawolff, Mbch331, Legoktm


[Wikidata-bugs] [Maniphest] T292110: Security Readiness Review For Improved Property Suggester/Recommender for Wikidata

2021-10-15 Thread sbassett
sbassett added a comment.


  In T292110#7412589 <https://phabricator.wikimedia.org/T292110#7412589>, 
@Addshore wrote:
  
  > Quick follow up in case the intent of this ticket was misunderstood.
  > This is a security review request for deploying the service to Wikimedia 
Production, not to WMCS, as that was ruled out as an option in T285098 
<https://phabricator.wikimedia.org/T285098> (at least as far as we can tell).
  
  Fair enough, we'll be sure to characterize the review via that lens.  For 
now, the #security-team <https://phabricator.wikimedia.org/tag/security-team/> 
is attempting to determine the best path forward, be it a vendor proposal and 
review or attempting to schedule this review with existing Foundation 
resources.  We should have an answer for everyone soon.

TASK DETAIL
  https://phabricator.wikimedia.org/T292110

To: sbassett
Cc: sbassett, Michaelcochez, Martaannaj, Lydia_Pintscher, Addshore, 
WMDE-leszek, karapayneWMDE, Aklapper, Invadibot, Devnull, maantietaja, 
Akuckartz, Jcross, Dsharpe, DannyS712, Nandana, Lahi, Gq86, GoranSMilovanovic, 
QZanden, LawExplorer, _jensen, rosalieper, Scott_WUaS, Wikidata-bugs, aude, 
Bawolff, Mbch331, Legoktm


[Wikidata-bugs] [Maniphest] T292110: Security Readiness Review For Improved Property Suggester/Recommender for Wikidata

2021-10-08 Thread sbassett
sbassett added a comment.


  In T292110#7405421 <https://phabricator.wikimedia.org/T292110#7405421>, 
@WMDE-leszek wrote:
  
  > @sbassett Opening this request was meant as an indication of WMDE 
understanding the "fast track" deployment is not an option. Apologies for not 
being clear about it. I've said it explicitly on T285098 
<https://phabricator.wikimedia.org/T285098> now.
  
  Ok, just to set expectations, as this system is currently architected with 
the service living on wmcs and wanting to communicate directly with Wikimedia 
production, the security review will very likely come back with a **high** or 
**critical** overall risk, **requiring WMF c-level acceptance of any residual 
risk**.

TASK DETAIL
  https://phabricator.wikimedia.org/T292110

To: sbassett
Cc: sbassett, Michaelcochez, Martaannaj, Lydia_Pintscher, Addshore, 
WMDE-leszek, karapayneWMDE, Aklapper, Invadibot, Devnull, maantietaja, 
Akuckartz, Jcross, Dsharpe, DannyS712, Nandana, Lahi, Gq86, GoranSMilovanovic, 
QZanden, LawExplorer, _jensen, rosalieper, Scott_WUaS, Wikidata-bugs, aude, 
Bawolff, Mbch331, Legoktm


[Wikidata-bugs] [Maniphest] T292110: Security Readiness Review For Improved Property Suggester/Recommender for Wikidata

2021-10-05 Thread sbassett
sbassett changed the task status from "Open" to "Stalled".
sbassett triaged this task as "Low" priority.
sbassett added a comment.


  Stalling this review for now pending further discussion at T285098 
<https://phabricator.wikimedia.org/T285098>.  We may still be able to complete 
this review this quarter (October to December 2021) if a clear path to 
production, stewardship, etc are determined soon.

TASK DETAIL
  https://phabricator.wikimedia.org/T292110

To: sbassett
Cc: sbassett, Michaelcochez, Martaannaj, Lydia_Pintscher, Addshore, 
WMDE-leszek, karapayneWMDE, Aklapper, Invadibot, Devnull, maantietaja, 
Akuckartz, Jcross, Dsharpe, DannyS712, Nandana, Lahi, Gq86, GoranSMilovanovic, 
QZanden, LawExplorer, _jensen, rosalieper, Scott_WUaS, Wikidata-bugs, aude, 
Bawolff, Mbch331, Legoktm


[Wikidata-bugs] [Maniphest] T285098: Production A/B test deployment - Improved Property Suggester/Recommender

2021-10-04 Thread sbassett
sbassett added a comment.


  Hey all-
  
  We've received the security review request (T292110 
<https://phabricator.wikimedia.org/T292110>) for this and will plan to include 
it within our review planning session this week (whether it's accepted for the 
quarter as-is or not is a separate matter to be determined).  Responding to a 
few issues:
  
  In T285098#7262291 <https://phabricator.wikimedia.org/T285098#7262291>, @Joe 
wrote:
  
  > First of all, I want to say that IMHO things would have gone smoother if 
you asked SRE for an opinion about the plan before it was put in motion. Keep 
this in mind for the future.
  
  Same for the #security-team 
<https://phabricator.wikimedia.org/tag/security-team/>.  The earlier we have 
some general idea of an architecture and code base, the better we can offer 
guidance on how to successfully get something through a security review.  Even 
a simple RFS form submission or email to security-help@ 
<https://www.mediawiki.org/wiki/Wikimedia_Security_Team#Contacting_Us> with a 
sketch of the project very early in the process can be helpful and hopefully 
avoid unpleasantness at a much later date, which is painful for everyone 
involved.  And unfortunately, this has to be a proactive process for 
engineering teams, as our team literally cannot monitor every conversation that 
happens on Phab, gerrit, wikitech, meta or mediawiki.org.
  
  > Having said that, we don't usually allow any request to flow from 
production services to services running in WMCS for a few good reasons, 
regarding reliability, privacy, and security. I don't think we've ever made an 
exception to this rule, and I don't think we should make one in this case - but 
this is my own personal opinion.
  
  The #security-team <https://phabricator.wikimedia.org/tag/security-team/> 
would likely rate something like this {icon exclamation-triangle color=orange} 
**high risk** by default (requires c-level/leadership risk acceptance), without 
additional assurances and some type of mitigation plan.
  
  > I would say that **a security review cannot be skipped **...
  
  Confirmed.
  
  In T285098#7262893 <https://phabricator.wikimedia.org/T285098#7262893>, 
@Addshore wrote:
  
  > However tying this into the precedent mentioned above, I highly doubt that 
external services that we call get a security review of their code etc, but 
indeed perhaps for the requests & responses and general risk.
  
  The most they'd likely get in terms of a direct review is a supplier review 
<https://office.wikimedia.org/wiki/Security/Policy/Supplier_and_Partner_Security_Addendum>
 (apologies as I know most folks can't see that) and/or a third party review 
<https://www.mediawiki.org/wiki/Wikimedia_Security_Team/Third_Party_Code_Review_Checklist>.
  But we would certainly look heavily into the contexts in which they were 
being used by Wikimedia production services, MediaWiki extensions, etc. e.g. a 
small amount of public, read-only data vs. read/write of sensitive data.
  
  > Services running on WMCS (the Service we want to use in A/B testing) and 
routine Gerrit changes (which were made to the property suggestor extension) 
are also listed as things unlikely to get a review 
https://www.mediawiki.org/wiki/Security/SOP/Security_Readiness_Reviews
  
  Correct, which is why we'd echo the advice of pursuing this as a proper 
Wikimedia production service.
  
  > To then run a 1 month A/B test and then turn the service off / undeploy it, 
evaluate the A/B result and potentially not deploy the service again.
  > Then I feel that we would have unnecessarily spent a whole lot of resources 
for the year and probably extended the timeline of this A/B test by 6 months or 
so (I could be wrong).
  
  The other side of this reasoning is that performing end-runs around processes 
put in place to get something into Wikimedia production exposes the Foundation, 
WMDE and the community to a much larger potential attack surface and greater 
risk profile.  Our current risk management framework doesn't really want to be 
in the business of being a hard blocker for anything but rather pushes for 
there to be a proper understanding of risk and a thoughtful acceptance of risk 
at various levels across organizations and the community.
  
  > In T285098#7262378 <https://phabricator.wikimedia.org/T285098#7262378>, 
@Ladsgroup wrote:
  >
  >> (Not speaking on behalf of the team, completely personal):
  >> I see three way out that we could talk about and decide:
  >>
  >> - Get SRE/Security/Legal approval for a temporary deployment of reading 
for wmcs. One idea I have to ease and compromise is to have a fixed deadline. 
e.g. "This will stay in production no more than 30 days" This would reduce the 
risk. The actual number should be decided by PM and the rest.
  >
  > To me this seems quite reasonable, and probably a much sma

[Wikidata-bugs] [Maniphest] T285761: Add proper security headers to Query Builder

2021-09-23 Thread sbassett
sbassett added a comment.


  @Ladsgroup et al - LGTM for now, +1.

TASK DETAIL
  https://phabricator.wikimedia.org/T285761

To: toan, sbassett
Cc: RhinosF1, Manuel, valerio.bozzolan, Lucas_Werkmeister_WMDE, Aklapper, 
conny-kawohl_WMDE, guergana.tzatchkova, Jakob_WMDE, Lydia_Pintscher, Michael, 
sbassett, Addshore, karapayneWMDE, Mstyles, Reedy, Ladsgroup, Invadibot, 
Devnull, maantietaja, Akuckartz, Iflorez, alaa_wmde, DannyS712, Nandana, Lahi, 
Gq86, GoranSMilovanovic, QZanden, LawExplorer, _jensen, rosalieper, Scott_WUaS, 
Wikidata-bugs, aude, Bawolff, Mbch331, Legoktm


[Wikidata-bugs] [Maniphest] T264822: (MS 7) Security Readiness Review For Wikidata Query Builder

2021-08-13 Thread sbassett
sbassett closed this task as "Resolved".
sbassett moved this task from Waiting to Our Part Is Done on the secscrum board.

TASK DETAIL
  https://phabricator.wikimedia.org/T264822

WORKBOARD
  https://phabricator.wikimedia.org/project/board/4630/

To: sbassett
Cc: Reedy, Mstyles, karapayneWMDE, Addshore, sbassett, Michael, Ladsgroup, 
Lydia_Pintscher, Jakob_WMDE, guergana.tzatchkova, conny-kawohl_WMDE, bete, 
Aklapper, Invadibot, Devnull, maantietaja, Akuckartz, Jcross, Dsharpe, 
DannyS712, Nandana, Lahi, Gq86, GoranSMilovanovic, QZanden, LawExplorer, 
_jensen, rosalieper, Scott_WUaS, Wikidata-bugs, aude, Bawolff, Mbch331, Legoktm


[Wikidata-bugs] [Maniphest] T266703: Deploy query builder to microsites (on top of the wdqs-ui)

2021-08-13 Thread sbassett
sbassett closed subtask T264822: (MS 7) Security Readiness Review For Wikidata 
Query Builder as Resolved.

TASK DETAIL
  https://phabricator.wikimedia.org/T266703

To: Ladsgroup, sbassett
Cc: Manuel, Ladsgroup, Michael, guergana.tzatchkova, Lydia_Pintscher, Aklapper, 
Dzahn, Addshore, Biggs657, joanna_borun, Invadibot, Lalamarie69, Devnull, 
maantietaja, lmata, Juan90264, Muchiri124, Alter-paule, Hazizibinmahdi, 
Beast1978, Un1tY, Akuckartz, Hook696, Iflorez, Kent7301, alaa_wmde, RhinosF1, 
joker88john, Legado_Shulgin, ReaperDawn, CucyNoiD, Nandana, Gaboe420, 
Giuliamocci, Davinaclare77, Cpaulf30, Techguru.pc, Lahi, Gq86, Af420, 
Bsandipan, GoranSMilovanovic, Hfbn0, QZanden, LawExplorer, Lewizho99, Zppix, 
Maathavan, _jensen, rosalieper, Scott_WUaS, Wong128hk, Wikidata-bugs, aude, 
faidon, Mbch331, Jay8g, fgiunchedi


[Wikidata-bugs] [Maniphest] T276210: Add ‘Query Builder’ Button + tooltip to Query Service Interface

2021-08-13 Thread sbassett
sbassett closed subtask T264822: (MS 7) Security Readiness Review For Wikidata 
Query Builder as Resolved.

TASK DETAIL
  https://phabricator.wikimedia.org/T276210

To: Botoxparty, sbassett
Cc: Lucas_Werkmeister_WMDE, Lydia_Pintscher, Erdinc_Ciftci_WMDE, Aklapper, 
Charlie_WMDE, Biggs657, Invadibot, Lalamarie69, maantietaja, Juan90264, 
Alter-paule, Beast1978, Un1tY, Akuckartz, Hook696, Kent7301, joker88john, 
CucyNoiD, Nandana, Gaboe420, Giuliamocci, Cpaulf30, Lahi, Gq86, Af420, 
Bsandipan, GoranSMilovanovic, QZanden, LawExplorer, Lewizho99, Maathavan, 
_jensen, rosalieper, Scott_WUaS, Wikidata-bugs, aude, Mbch331


[Wikidata-bugs] [Maniphest] T280229: Query Builder banner in the examples query dialog

2021-08-13 Thread sbassett
sbassett closed subtask T264822: (MS 7) Security Readiness Review For Wikidata 
Query Builder as Resolved.

TASK DETAIL
  https://phabricator.wikimedia.org/T280229

To: Botoxparty, sbassett
Cc: Aklapper, Lydia_Pintscher, Biggs657, Invadibot, Lalamarie69, maantietaja, 
Juan90264, Alter-paule, Beast1978, Un1tY, Akuckartz, Hook696, Kent7301, 
joker88john, CucyNoiD, Nandana, Gaboe420, Giuliamocci, Cpaulf30, Lahi, Gq86, 
Af420, Bsandipan, GoranSMilovanovic, QZanden, LawExplorer, Lewizho99, 
Maathavan, _jensen, rosalieper, Scott_WUaS, Wikidata-bugs, aude, Mbch331


[Wikidata-bugs] [Maniphest] T280230: Query Builder top banner

2021-08-13 Thread sbassett
sbassett closed subtask T264822: (MS 7) Security Readiness Review For Wikidata 
Query Builder as Resolved.

TASK DETAIL
  https://phabricator.wikimedia.org/T280230

To: Botoxparty, sbassett
Cc: Lucas_Werkmeister_WMDE, Aklapper, Lydia_Pintscher, Biggs657, Invadibot, 
Lalamarie69, maantietaja, Juan90264, Alter-paule, Beast1978, Un1tY, Akuckartz, 
Hook696, Kent7301, joker88john, CucyNoiD, Nandana, Gaboe420, Giuliamocci, 
Cpaulf30, Lahi, Gq86, Af420, Bsandipan, GoranSMilovanovic, QZanden, 
LawExplorer, Lewizho99, Maathavan, _jensen, rosalieper, Scott_WUaS, 
Wikidata-bugs, aude, Mbch331


[Wikidata-bugs] [Maniphest] T264822: (MS 7) Security Readiness Review For Wikidata Query Builder

2021-08-13 Thread sbassett
sbassett added a comment.


  In T264822#7270301 <https://phabricator.wikimedia.org/T264822#7270301>, 
@Michael wrote:
  
  > Just to record it, as checked just now, with the current HEAD of the master 
branch, `npm audit` finds **0** vulnerabilities.
  
  I arrived at the same result.  Given that webpack/dev npm dependencies were 
the most substantial risks found during my security audit, I am now fine 
assigning an overall {icon check-circle color=green} **low risk** for Wikidata 
Query Builder, which is automatically accepted.

TASK DETAIL
  https://phabricator.wikimedia.org/T264822

To: sbassett
Cc: Reedy, Mstyles, karapayneWMDE, Addshore, sbassett, Michael, Ladsgroup, 
Lydia_Pintscher, Jakob_WMDE, guergana.tzatchkova, conny-kawohl_WMDE, bete, 
Aklapper, Invadibot, Devnull, maantietaja, Akuckartz, Jcross, Dsharpe, 
DannyS712, Nandana, Lahi, Gq86, GoranSMilovanovic, QZanden, LawExplorer, 
_jensen, rosalieper, Scott_WUaS, Wikidata-bugs, aude, Bawolff, Mbch331, Legoktm


[Wikidata-bugs] [Maniphest] T264822: (MS 7) Security Readiness Review For Wikidata Query Builder

2021-08-09 Thread sbassett
sbassett added a comment.


  In T264822#7269255 <https://phabricator.wikimedia.org/T264822#7269255>, 
@Ladsgroup wrote:
  
  > This is done. And given that we now migrated to vite/rollup, does that 
improve the security risk? If so, can this be reflected somewhere? :D
  
  That is the hope, yes, though both of those are still technically in security 
review this quarter (T284341 <https://phabricator.wikimedia.org/T284341>, 
T284338 <https://phabricator.wikimedia.org/T284338>)

TASK DETAIL
  https://phabricator.wikimedia.org/T264822

To: sbassett
Cc: Reedy, Mstyles, karapayneWMDE, Addshore, sbassett, Michael, Ladsgroup, 
Lydia_Pintscher, Jakob_WMDE, guergana.tzatchkova, conny-kawohl_WMDE, bete, 
Aklapper, Invadibot, Devnull, maantietaja, Akuckartz, Jcross, Dsharpe, 
DannyS712, Nandana, Lahi, Gq86, GoranSMilovanovic, QZanden, LawExplorer, 
_jensen, rosalieper, Scott_WUaS, Wikidata-bugs, aude, Bawolff, Mbch331, Legoktm


[Wikidata-bugs] [Maniphest] T285761: Add proper security headers to Query Builder

2021-07-21 Thread sbassett
sbassett added a comment.


  In T285761#7227281 <https://phabricator.wikimedia.org/T285761#7227281>, 
@Michael wrote:
  
  > Especially because the Query Builder will //work// without these headers, 
so we might not even notice it until the security team gives us the evil eye.
  
  

TASK DETAIL
  https://phabricator.wikimedia.org/T285761

To: sbassett
Cc: valerio.bozzolan, Lucas_Werkmeister_WMDE, Aklapper, bete, 
conny-kawohl_WMDE, guergana.tzatchkova, Jakob_WMDE, Lydia_Pintscher, Michael, 
sbassett, Addshore, karapayneWMDE, Mstyles, Reedy, Ladsgroup, Invadibot, 
Devnull, maantietaja, Akuckartz, DannyS712, Nandana, Lahi, Gq86, 
GoranSMilovanovic, QZanden, LawExplorer, _jensen, rosalieper, Scott_WUaS, 
Wikidata-bugs, aude, Bawolff, Mbch331, Legoktm


[Wikidata-bugs] [Maniphest] T285761: Add proper security headers to Query Builder

2021-07-12 Thread sbassett
sbassett added a comment.


  In T285761#7198527 <https://phabricator.wikimedia.org/T285761#7198527>, 
@Michael wrote:
  
  > We discussed that these headers are likely not to be added in the Query 
Builder code itself, but in the Apache server configuration, which probably 
does not live inside the Query Builder Repo.
  
  +1 from the #security-team 
<https://phabricator.wikimedia.org/tag/security-team/> for this approach, as 
there can be issues when attempting to serve CSP at the app layer (see T238367).

TASK DETAIL
  https://phabricator.wikimedia.org/T285761

To: sbassett
Cc: Lucas_Werkmeister_WMDE, Aklapper, bete, conny-kawohl_WMDE, 
guergana.tzatchkova, Jakob_WMDE, Lydia_Pintscher, Michael, sbassett, Addshore, 
karapayneWMDE, Mstyles, Reedy, Ladsgroup, Invadibot, maantietaja, Akuckartz, 
Nandana, Lahi, Gq86, GoranSMilovanovic, QZanden, LawExplorer, _jensen, 
rosalieper, Scott_WUaS, Wikidata-bugs, aude, Mbch331


[Wikidata-bugs] [Maniphest] T264822: (MS 7) Security Readiness Review For Wikidata Query Builder

2021-06-30 Thread sbassett
sbassett added a comment.


  In T264822#7183569 <https://phabricator.wikimedia.org/T264822#7183569>, 
@Ladsgroup wrote:
  
  > Created T285761: Add proper security headers to Query Builder 
<https://phabricator.wikimedia.org/T285761> for headers.
  
  Sounds good.  The defaults for service-template-node 
<https://github.com/wikimedia/service-template-node/blob/master/app.js#L99-L113>
 would likely be a good baseline to model.
  
  > Does T276366: Replace vue-cli with vite and webpack with rollup 
<https://phabricator.wikimedia.org/T276366> mitigate the medium security risk 
in packaging? If so, we can prioritize it.
  
  Yes!  I believe rollup has become somewhat agreed-upon as a less risky 
alternative to webpack.
  
  > Regarding performance review, I want to mention this will be on 
wikidata.org but a separate, statically served site (basically something like 
https://security.wikimedia.org/) and won't have any interaction with mediawiki 
(beside being in the same high level DNS domain). Do we still need to get 
performance review for it?
  
  Ok, I just meant that it's something that would be hosted under a production 
TLD, as stated: "We intend to deploy it as a subpage of the existing Wikidata 
Query Service at query.wikidata.org".  A perf review is never //required// for 
any production deployment, AIUI, but is strongly recommended in many cases.  
Again, I'd recommend asking the #performance-team 
<https://phabricator.wikimedia.org/tag/performance-team/> if they feel it would 
be a good idea to perform such a review for this codebase, largely as a way to 
surface any potential DoS-related issues.

TASK DETAIL
  https://phabricator.wikimedia.org/T264822

To: sbassett
Cc: Reedy, Mstyles, karapayneWMDE, Addshore, sbassett, Michael, Ladsgroup, 
Lydia_Pintscher, Jakob_WMDE, guergana.tzatchkova, conny-kawohl_WMDE, bete, 
Aklapper, Invadibot, Devnull, maantietaja, Akuckartz, Jcross, Dsharpe, 
DannyS712, Nandana, Lahi, Gq86, GoranSMilovanovic, QZanden, LawExplorer, 
_jensen, rosalieper, Scott_WUaS, Wikidata-bugs, aude, Bawolff, Mbch331, Legoktm
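The two comments above agree on serving the Query Builder's security headers from the web server layer, with service-template-node's defaults as a baseline. Whether those headers actually reach the client is something worth checking mechanically, since (as noted elsewhere in this thread) the application works fine without them. The following is an added example written for this page, not code from the Query Builder project, from service-template-node or from any Wikimedia Apache configuration: it audits one HTTP response's security headers and parses its Content-Security-Policy value. The header set it expects, the finding strings and the two sample responses are constructed assumptions; the CSP parsing follows the standard grammar of semicolon-separated directives, each a name followed by whitespace-separated sources.

```javascript
// Added example, not code from the Query Builder project, service-template-node
// or any Wikimedia Apache configuration. Audits one HTTP response's security
// headers and parses its CSP; expected header set and samples are constructed.

// HTTP header names are case-insensitive, so normalise before lookup. A
// multi-valued header (an array, as from Node's res.getHeaders()) is joined
// the way a client would see it.
function normalizeHeaders(rawHeaders) {
  const headers = {};
  for (const [name, value] of Object.entries(rawHeaders)) {
    const text = Array.isArray(value) ? value.join(', ') : String(value);
    headers[name.trim().toLowerCase()] = text.trim();
  }
  return headers;
}

// Parse a CSP value into { directive: [sources...] }. Directives are separated
// by ';', each a name followed by whitespace-separated sources. CSP ignores a
// repeated directive after its first occurrence, and the parser mirrors that.
function parseCsp(value) {
  const policy = {};
  for (const part of value.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    const key = name.toLowerCase();
    if (!(key in policy)) policy[key] = sources.map((s) => s.toLowerCase());
  }
  return policy;
}

// Findings for the CSP alone. script-src falls back to default-src when it is
// absent, so the audit applies the same fallback.
function auditCsp(value) {
  const findings = [];
  const policy = parseCsp(value);
  if (!('default-src' in policy)) findings.push('csp: missing default-src');
  const scriptSources = policy['script-src'] || policy['default-src'] || [];
  if (scriptSources.includes("'unsafe-inline'")) findings.push("csp: script-src allows 'unsafe-inline'");
  if (scriptSources.includes("'unsafe-eval'")) findings.push("csp: script-src allows 'unsafe-eval'");
  if (scriptSources.includes('*')) findings.push('csp: script-src allows any origin');
  if (!('frame-ancestors' in policy)) findings.push('csp: missing frame-ancestors');
  return findings;
}

// Audit the whole header set. Returns human-readable findings; an empty list
// means every expected header is present with a safe value.
function auditSecurityHeaders(rawHeaders) {
  const headers = normalizeHeaders(rawHeaders);
  const findings = [];
  if (!headers['content-security-policy']) {
    findings.push('missing content-security-policy');
  } else {
    findings.push(...auditCsp(headers['content-security-policy']));
  }
  if ((headers['x-content-type-options'] || '').toLowerCase() !== 'nosniff') {
    findings.push('x-content-type-options is not nosniff');
  }
  const frameOptions = (headers['x-frame-options'] || '').toLowerCase();
  if (frameOptions !== 'deny' && frameOptions !== 'sameorigin') {
    findings.push('x-frame-options missing or not DENY/SAMEORIGIN');
  }
  if (!headers['referrer-policy']) findings.push('missing referrer-policy');
  const hsts = headers['strict-transport-security'];
  if (!hsts) {
    findings.push('missing strict-transport-security');
  } else {
    // One year (31536000 s) is the usual minimum recommended max-age.
    const match = /max-age=(\d+)/i.exec(hsts);
    if (!match || Number(match[1]) < 31536000) {
      findings.push('strict-transport-security max-age below one year');
    }
  }
  return findings;
}

// Constructed sample responses (not captured from any real service).
const WEAK_RESPONSE = {
  'Content-Type': 'text/html; charset=utf-8',
  'X-Frame-Options': 'ALLOWALL',
  'Content-Security-Policy': "script-src 'self' 'unsafe-inline'; img-src *",
};
const HARDENED_RESPONSE = {
  'Content-Type': 'text/html; charset=utf-8',
  'Content-Security-Policy':
    "default-src 'self'; script-src 'self'; object-src 'none'; frame-ancestors 'none'",
  'X-Content-Type-Options': 'nosniff',
  'X-Frame-Options': 'DENY',
  'Referrer-Policy': 'strict-origin-when-cross-origin',
  'Strict-Transport-Security': 'max-age=31536000; includeSubDomains',
};

for (const [label, response] of [['weak', WEAK_RESPONSE], ['hardened', HARDENED_RESPONSE]]) {
  const findings = auditSecurityHeaders(response);
  console.log(`${label}: ${findings.length ? findings.join('; ') : 'no findings'}`);
}
```

Run it with `node`; the loop at the bottom prints the findings for both constructed responses (seven for the weak one, none for the hardened one). A check of this shape fits naturally in a deployment pipeline or a monitoring probe against the served site, which is where a missing header would otherwise go unnoticed when the headers live in the Apache configuration rather than the application repository.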


[Wikidata-bugs] [Maniphest] T264822: (MS 7) Security Readiness Review For Wikidata Query Builder

2021-06-29 Thread sbassett
sbassett added subscribers: Mstyles, Reedy.
sbassett added a comment.


  !!**Security Review Summary - T264822 - 2021-06-25**!!
  **Last commit reviewed: 2d65299a44**
  
  **Summary**
  
  Overall, the current Query Builder code looks fairly secure with certain 
issues outlined below. I would currently rate the overall risk as: {icon 
exclamation-triangle color=yellow} **Medium**.  See a public-facing summary of 
the WMF's risk management policy here: T249039#6309061 
<https://phabricator.wikimedia.org/T249039#6309061> (sadly, the full version is 
still protected under officewiki.)
  
  **Vulnerable Packages - Production**
  
  **None**: as verified with `auditjs`, `snyk` and `npm audit`. Still, I'd note 
that these dependencies add an additional **584,927** lines of code to Query 
Builder's codebase, thus dramatically increasing complexity and potential 
future risk. And with dev dependencies, that figure becomes **9,678,194** lines 
of code.  Risk: {icon check-circle color=green} **Low**.
  
  **Vulnerable Packages - Development**
  
  `npm audit` (though curiously //not// `snyk` or `auditjs`) found a 
//massive// number of development dependency vulnerabilities: **5,551** to be 
exact.  They break down as 1 low, 303 moderate and 5,247 high from 2,875 
scanned packages.  Allegedly, `npm audit fix` can be used to automatically 
upgrade the vast majority to secure versions, while 35 require manual review.  
While development dependency vulnerabilities typically pose a //substantially 
smaller// risk than those found within production dependencies, the risk is not 
zero, especially for development tools used to build production artifacts like 
`vue-cli-service`.  Just scanning the results, I'd note that a large volume of 
these appear to be for the `@vue/cli-service`, `@vue/cli-plugin-unit-jest` and 
`netlify-cli` dependencies, so bumping those to more recent versions (if 
feasible) would likely substantially reduce this risk.  For now, given the 
sheer volume of vulnerabilities, and the fact these are for somewhat-critical 
development tools, particularly `vue-cli-service`, this will be rated as a 
{icon exclamation-triangle color=orange} **High Risk**.
  
  **Outdated Packages**
  As reported via `npm outdated`:
  (no explicit vulnerabilities reported, simply noting for completeness' sake.)
  Risk: {icon smile-o color=sky} **None**.
  
  | Package | Current | Wanted | Latest |
  | --- | --- | --- | --- |
  | @types/jest <https://www.npmjs.com/package/@types/jest> | 24.9.1 | 24.9.1 | 26.0.23 |
  | @types/lodash <https://www.npmjs.com/package/@types/lodash> | 4.14.168 | 4.14.170 | 4.14.170 |
  | @types/node <https://www.npmjs.com/package/@types/node> | 14.14.28 | 14.17.4 | 15.12.4 |
  | @typescript-eslint/eslint-plugin <https://www.npmjs.com/package/@typescript-eslint/eslint-plugin> | 2.34.0 | 2.34.0 | 4.28.0 |
  | @typescript-eslint/parser <https://www.npmjs.com/package/@typescript-eslint/parser> | 2.34.0 | 2.34.0 | 4.28.0 |
  | @vue/cli-plugin-babel <https://www.npmjs.com/package/@vue/cli-plugin-babel> | 4.5.11 | 4.5.13 | 4.5.13 |
  | @vue/cli-plugin-eslint <https://www.npmjs.com/package/@vue/cli-plugin-eslint> | 4.5.11 | 4.5.13 | 4.5.13 |
  | @vue/cli-plugin-typescript <https://www.npmjs.com/package/@vue/cli-plugin-typescript> | 4.5.11 | 4.5.13 | 4.5.13 |
  | @vue/cli-plugin-unit-jest <https://www.npmjs.com/package/@vue/cli-plugin-unit-jest> | 4.5.11 | 4.5.13 | 4.5.13 |
  | @vue/cli-plugin-vuex <https://www.npmjs.com/package/@vue/cli-plugin-vuex> | 4.5.11 | 4.5.13 | 4.5.13 |
  | @vue/cli-service <https://www.npmjs.com/package/@vue/cli-service> | 4.5.11 | 4.5.13 | 4.5.13 |
  | @vue/eslint-config-typescript <https://www.npmjs.com/package/@vue/eslint-config-typescript> | 5.1.0 | 5.1.0 | 7.0.0 |
  | @vue/test-utils <https://www.npmjs.com/package/@vue/test-utils> | 1.1.3 | 1.2.1 | 1.2.1 |
  | @wmde/wikit-tokens <https://www.npmjs.com/package/@wmde/wikit-tokens> | 2.0

[Wikidata-bugs] [Maniphest] T284137: Allow federated queries with the Lingua Libre SPARQL endpoint

2021-06-14 Thread sbassett
sbassett added a project: SecTeam-Processed.

TASK DETAIL
  https://phabricator.wikimedia.org/T284137

To: dcausse, sbassett
Cc: dev.kadirselcuk, sbassett, Aklapper, mickeybarber, Xenophon, Seb35, 
VIGNERON, dcausse, MPhamWMF, WikiLucas00, Salgo60, Nikki, Invadibot, 
Lalamarie69, GFontenelle_WMF, Devnull, maantietaja, FRomeo_WMF, Muchiri124, 
Alter-paule, Beast1978, CBogen, Un1tY, Nintendofan885, Akuckartz, Hook696, 
Eihel, Kent7301, joker88john, DannyS712, CucyNoiD, Nandana, JKSTNK, 
Namenlos314, Gaboe420, Poslovitch, Giuliamocci, Cpaulf30, Lahi, Gq86, Af420, 
E1presidente, Ramsey-WMF, Cparle, Anooprao, SandraF_WMF, Bsandipan, 
Lucas_Werkmeister_WMDE, GoranSMilovanovic, QZanden, EBjune, Tramullas, Acer, 
merbst, LawExplorer, Lewizho99, Maathavan, Silverfish, Poyekhali, _jensen, 
rosalieper, Pamputt, Taiwania_Justo, Scott_WUaS, Jonas, Xmlizer, Susannaanas, 
Ixocactus, Wong128hk, Jane023, jkroll, Wikidata-bugs, Jdouglas, Base, 
matthiasmullie, aude, Tobias1984, Bawolff, El_Grafo, Dinoguy1000, Manybubbles, 
Ricordisamoa, Wesalius, Lydia_Pintscher, Raymond, Steinsplitter, Mbch331, 
Ltrlg, Keegan, Legoktm


[Wikidata-bugs] [Maniphest] T284137: Allow federated queries with the Lingua Libre SPARQL endpoint

2021-06-14 Thread sbassett
sbassett removed a project: Security-Team.

TASK DETAIL
  https://phabricator.wikimedia.org/T284137

To: dcausse, sbassett
Cc: dev.kadirselcuk, sbassett, Aklapper, mickeybarber, Xenophon, Seb35, 
VIGNERON, dcausse, MPhamWMF, WikiLucas00, Salgo60, Nikki, Invadibot, 
Lalamarie69, GFontenelle_WMF, Devnull, maantietaja, FRomeo_WMF, Muchiri124, 
Alter-paule, Beast1978, CBogen, Un1tY, Nintendofan885, Akuckartz, Hook696, 
Eihel, Kent7301, joker88john, DannyS712, CucyNoiD, Nandana, JKSTNK, 
Namenlos314, Gaboe420, Poslovitch, Giuliamocci, Cpaulf30, Lahi, Gq86, Af420, 
E1presidente, Ramsey-WMF, Cparle, Anooprao, SandraF_WMF, Bsandipan, 
Lucas_Werkmeister_WMDE, GoranSMilovanovic, QZanden, EBjune, Tramullas, Acer, 
merbst, LawExplorer, Lewizho99, Maathavan, Silverfish, Poyekhali, _jensen, 
rosalieper, Pamputt, Taiwania_Justo, Scott_WUaS, Jonas, Xmlizer, Susannaanas, 
Ixocactus, Wong128hk, Jane023, jkroll, Wikidata-bugs, Jdouglas, Base, 
matthiasmullie, aude, Tobias1984, Bawolff, El_Grafo, Dinoguy1000, Manybubbles, 
Ricordisamoa, Wesalius, Lydia_Pintscher, Raymond, Steinsplitter, Mbch331, 
Ltrlg, Keegan, Legoktm, Dsharpe, Luke081515, Grunny, csteipp, Jay8g, Krenair, 
chasemp


[Wikidata-bugs] [Maniphest] T284137: Allow federated queries with the Lingua Libre SPARQL endpoint

2021-06-11 Thread sbassett
sbassett added a comment.


  In T284137#7151424 <https://phabricator.wikimedia.org/T284137#7151424>, 
@Seb35 wrote:
  
  > Indeed, this task can become public. @Aklapper: could you remove the 
protection of this task?
  
  Done.

TASK DETAIL
  https://phabricator.wikimedia.org/T284137

To: dcausse, sbassett
Cc: sbassett, Aklapper, mickeybarber, Xenophon, Seb35, VIGNERON, dcausse, 
MPhamWMF, WikiLucas00, Salgo60, Nikki, Invadibot, GFontenelle_WMF, Devnull, 
maantietaja, FRomeo_WMF, Muchiri124, CBogen, Nintendofan885, Akuckartz, Eihel, 
Dsharpe, DannyS712, Nandana, JKSTNK, Namenlos314, Poslovitch, Lahi, Gq86, 
E1presidente, Ramsey-WMF, Cparle, Anooprao, SandraF_WMF, 
Lucas_Werkmeister_WMDE, GoranSMilovanovic, QZanden, EBjune, Tramullas, Acer, 
merbst, LawExplorer, Silverfish, Poyekhali, _jensen, rosalieper, Pamputt, 
Taiwania_Justo, Scott_WUaS, Jonas, Xmlizer, Susannaanas, Ixocactus, Wong128hk, 
Luke081515, Jane023, jkroll, Wikidata-bugs, Jdouglas, Base, matthiasmullie, 
aude, Tobias1984, Bawolff, El_Grafo, Dinoguy1000, Manybubbles, Ricordisamoa, 
Wesalius, Lydia_Pintscher, Raymond, Grunny, csteipp, Steinsplitter, Mbch331, 
Jay8g, Ltrlg, Krenair, Keegan, Legoktm, chasemp


[Wikidata-bugs] [Maniphest] T284137: Allow federated queries with the Lingua Libre SPARQL endpoint

2021-06-11 Thread sbassett
sbassett changed the visibility from "Custom Policy" to "Public (No Login 
Required)".

TASK DETAIL
  https://phabricator.wikimedia.org/T284137

To: dcausse, sbassett
Cc: Aklapper, mickeybarber, Xenophon, Seb35, VIGNERON, dcausse, MPhamWMF, 
WikiLucas00, Salgo60, Nikki, Invadibot, GFontenelle_WMF, Devnull, maantietaja, 
FRomeo_WMF, Muchiri124, CBogen, Nintendofan885, Akuckartz, Eihel, Dsharpe, 
DannyS712, Nandana, JKSTNK, sbassett, Namenlos314, Poslovitch, Lahi, Gq86, 
E1presidente, Ramsey-WMF, Cparle, Anooprao, SandraF_WMF, 
Lucas_Werkmeister_WMDE, GoranSMilovanovic, QZanden, EBjune, Tramullas, Acer, 
merbst, LawExplorer, Silverfish, Poyekhali, _jensen, rosalieper, Pamputt, 
Taiwania_Justo, Scott_WUaS, Jonas, Xmlizer, Susannaanas, Ixocactus, Wong128hk, 
Luke081515, Jane023, jkroll, Wikidata-bugs, Jdouglas, Base, matthiasmullie, 
aude, Tobias1984, Bawolff, El_Grafo, Dinoguy1000, Manybubbles, Ricordisamoa, 
Wesalius, Lydia_Pintscher, Raymond, Grunny, csteipp, Steinsplitter, Mbch331, 
Jay8g, Ltrlg, Krenair, Keegan, Legoktm, chasemp, RhinosF1, valerio.bozzolan


[Wikidata-bugs] [Maniphest] T264822: (MS 7) Security Readiness Review For Wikidata Query Builder

2021-04-14 Thread sbassett
sbassett claimed this task.
sbassett added a project: user-sbassett.

TASK DETAIL
  https://phabricator.wikimedia.org/T264822

To: sbassett
Cc: Addshore, sbassett, Michael, Ladsgroup, Lydia_Pintscher, Jakob_WMDE, 
guergana.tzatchkova, conny-kawohl_WMDE, bete, Aklapper, Invadibot, Devnull, 
maantietaja, Akuckartz, Jcross, Dsharpe, DannyS712, Nandana, Lahi, Gq86, 
GoranSMilovanovic, QZanden, LawExplorer, _jensen, rosalieper, Scott_WUaS, 
Wikidata-bugs, aude, Bawolff, Mbch331, Legoktm


[Wikidata-bugs] [Maniphest] T264822: (MS 7) Security Readiness Review For Wikidata Query Builder

2021-04-07 Thread sbassett
sbassett added a comment.


  @Lydia_Pintscher - We've tentatively scheduled this review for our 4th 
quarter, which began April 1st and will continue until June 30th, 2021.  We 
should have this review completed by the end of this quarter at the latest.  
Please feel free to let us know if you have any additional questions or feel 
free to review our current security readiness reviews SOP 
<https://www.mediawiki.org/wiki/Security/SOP/Security_Readiness_Reviews>.

TASK DETAIL
  https://phabricator.wikimedia.org/T264822

To: sbassett
Cc: sbassett, Michael, Ladsgroup, Lydia_Pintscher, Jakob_WMDE, 
guergana.tzatchkova, conny-kawohl_WMDE, bete, Aklapper, Invadibot, Devnull, 
maantietaja, Akuckartz, Jcross, Dsharpe, DannyS712, Nandana, Lahi, Gq86, 
GoranSMilovanovic, QZanden, LawExplorer, _jensen, rosalieper, Scott_WUaS, 
Wikidata-bugs, aude, Bawolff, Mbch331, Legoktm


[Wikidata-bugs] [Maniphest] T257002: Special:Contributions fails to load contributions with relatively small limit for high-volume users

2021-03-08 Thread sbassett
sbassett merged a task: Restricted Task.
sbassett added subscribers: Urbanecm, sbassett, WMDE-leszek, Addshore, 
Lydia_Pintscher.

TASK DETAIL
  https://phabricator.wikimedia.org/T257002

To: sbassett
Cc: Lydia_Pintscher, Addshore, WMDE-leszek, sbassett, Urbanecm, Ladsgroup, 
Cyberpower678, CDanis, daniel, Bugreporter, jhsoby, Aklapper, maantietaja, 
Naike, Akuckartz, eprodromou, darthmon_wmde, Nandana, Amorymeltzer, Lahi, Gq86, 
Lsherwinforone, GoranSMilovanovic, Jayprakash12345, QZanden, LawExplorer, 
Sethakill, _jensen, rosalieper, Agabi10, Scott_WUaS, Pchelolo, Wong128hk, 
Verdy_p, abian, Wikidata-bugs, aude, Jdforrester-WMF, Mbch331, Jay8g


[Wikidata-bugs] [Maniphest] T272130: Consider moving the Wikidata Query Builder repository from github to gerrit

2021-02-04 Thread sbassett
sbassett added a comment.


  In T272130#6802796 <https://phabricator.wikimedia.org/T272130#6802796>, 
@Addshore wrote:
  
  > So, this will be deployed via a build in jenkins (ideally), so that it uses 
the same process and the query gui.
  > This is just about to be created by the campsite as a push button trigger 
in https://phabricator.wikimedia.org/T210286
  > I guess it's only for a similar job to exist fetching code from github to 
create the build that would then be deployed?
  >
  > Another alternative would be github actions to make the build and push a 
change to gerrit?
  > I don't see a big difference between the two as either way the build is 
triggered by a human, and the change is still 2ed by a human.
  > The one difference would be that npm install is running in a different 
place for each.
  
  While not ideal, I think either of these approaches would be fairly low risk 
given the current realities of how code with build steps has to be managed and 
deployed to Wikimedia production, especially if said code's canonical repo 
exists outside of gerrit.  And obviously any QA and/or security-minded review 
which can happen post-build (automated or otherwise) is strongly encouraged, 
prior to deployment.

TASK DETAIL
  https://phabricator.wikimedia.org/T272130

To: sbassett
Cc: Addshore, sbassett, Michael, Ladsgroup, Jakob_WMDE, DannyS712, Aklapper, 
Lydia_Pintscher, Devnull, Akuckartz, Dsharpe, Nandana, Lahi, Gq86, 
GoranSMilovanovic, QZanden, EBjune, LawExplorer, _jensen, rosalieper, 
Scott_WUaS, Wong128hk, Luke081515, Wikidata-bugs, aude, Bawolff, csteipp, 
Mbch331, Rxy, Jay8g, Krenair, chasemp
___
Wikidata-bugs mailing list
Wikidata-bugs@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikidata-bugs


[Wikidata-bugs] [Maniphest] T260349: Wikibase does not purge cached Special:EntityData URLs when revisions or entities are deleted

2021-02-01 Thread sbassett
sbassett added a comment.


  Note: I committed the deletion of the two wmf.28 Wikibase patches under 
`/srv/patches` on the deployment server (`5578144525`) since wmf.28 was rolled 
back and as noted by gerritbot above, https://gerrit.wikimedia.org/r/658323 and 
https://gerrit.wikimedia.org/r/658324 were merged.

TASK DETAIL
  https://phabricator.wikimedia.org/T260349

EMAIL PREFERENCES
  https://phabricator.wikimedia.org/settings/panel/emailpreferences/

To: Lucas_Werkmeister_WMDE, sbassett
Cc: sbassett, brennen, Silvan_WMDE, mmodell, thcipriani, hoo, bete, rosalieper, 
noarave, toan, Rosalie_WMDE, Jakob_WMDE, Pablo-WMDE, Ladsgroup, Addshore, 
ItamarWMDE, Michael, Tarrow, darthmon_wmde, WMDE-leszek, conny-kawohl_WMDE, 
Samantha_Alipio_WMDE, Lydia_Pintscher, Aklapper, Lucas_Werkmeister_WMDE, 
Devnull, Akuckartz, Iflorez, alaa_wmde, Dsharpe, DannyS712, Nandana, lucamauri, 
Lahi, Gq86, GoranSMilovanovic, QZanden, EBjune, LawExplorer, _jensen, 
Scott_WUaS, Jonas, Wong128hk, Luke081515, Wikidata-bugs, aude, Bawolff, 
csteipp, Mbch331, Rxy, Jay8g, Krenair, Legoktm, chasemp
___
Wikidata-bugs mailing list
Wikidata-bugs@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikidata-bugs


[Wikidata-bugs] [Maniphest] T272130: Consider moving the Wikidata Query Builder repository from github to gerrit

2021-02-01 Thread sbassett
sbassett added a project: SecTeam-Processed.

TASK DETAIL
  https://phabricator.wikimedia.org/T272130

EMAIL PREFERENCES
  https://phabricator.wikimedia.org/settings/panel/emailpreferences/

To: sbassett
Cc: sbassett, Michael, Ladsgroup, Jakob_WMDE, DannyS712, Aklapper, 
Lydia_Pintscher, Devnull, Akuckartz, Dsharpe, Nandana, Lahi, Gq86, 
GoranSMilovanovic, QZanden, EBjune, LawExplorer, _jensen, rosalieper, 
Scott_WUaS, Wong128hk, Luke081515, Wikidata-bugs, aude, Bawolff, csteipp, 
Mbch331, Rxy, Jay8g, Krenair, chasemp, RhinosF1
___
Wikidata-bugs mailing list
Wikidata-bugs@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikidata-bugs


[Wikidata-bugs] [Maniphest] T272130: Consider moving the Wikidata Query Builder repository from github to gerrit

2021-02-01 Thread sbassett
sbassett added a comment.


  @Ladsgroup @Michael

TASK DETAIL
  https://phabricator.wikimedia.org/T272130

EMAIL PREFERENCES
  https://phabricator.wikimedia.org/settings/panel/emailpreferences/

To: sbassett
Cc: sbassett, Michael, Ladsgroup, Jakob_WMDE, DannyS712, Aklapper, 
Lydia_Pintscher, Devnull, Akuckartz, Dsharpe, Nandana, Lahi, Gq86, 
GoranSMilovanovic, QZanden, EBjune, LawExplorer, _jensen, rosalieper, 
Scott_WUaS, Wong128hk, Luke081515, Wikidata-bugs, aude, Bawolff, csteipp, 
Mbch331, Rxy, Jay8g, Krenair, chasemp
___
Wikidata-bugs mailing list
Wikidata-bugs@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikidata-bugs


[Wikidata-bugs] [Maniphest] T272130: Consider moving the Wikidata Query Builder repository from github to gerrit

2021-01-29 Thread sbassett
sbassett added a comment.


  > Hello security team, it would be great if we can have a comment on this 
ticket on whether it's okay to have it on github or not. We are planning to 
deploy this to production as a static site.
  
  @Ladsgroup @Michael - we'll chat about this as a team at our clinic meeting 
this Monday, but I don't think we'd have too many security concerns (at least I 
don't) about canonically hosting Wikimedia-related repos at github, since we 
already do that for a handful of repos anyways (service-template-node et al).  
I believe there is a preference to use gerrit for canonical Wikimedia-related 
repos, but there's no official policy governing this AFAIK, and as long as best 
practices around development, CI and security issues are being followed, that 
should be fine.  Finally - this will all change once projects begin migrating 
to Gitlab over the next year or so.

TASK DETAIL
  https://phabricator.wikimedia.org/T272130

EMAIL PREFERENCES
  https://phabricator.wikimedia.org/settings/panel/emailpreferences/

To: sbassett
Cc: sbassett, Michael, Ladsgroup, Jakob_WMDE, DannyS712, Aklapper, 
Lydia_Pintscher, Devnull, Akuckartz, Dsharpe, Nandana, Lahi, Gq86, 
GoranSMilovanovic, QZanden, EBjune, LawExplorer, _jensen, rosalieper, 
Scott_WUaS, Wong128hk, Luke081515, Wikidata-bugs, aude, Bawolff, csteipp, 
Mbch331, Rxy, Jay8g, Krenair, chasemp
___
Wikidata-bugs mailing list
Wikidata-bugs@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikidata-bugs


[Wikidata-bugs] [Maniphest] T260349: Wikibase does not purge cached Special:EntityData URLs when revisions or entities are deleted

2021-01-25 Thread sbassett
sbassett moved this task from Watching to Our Part Is Done on the Security-Team 
board.
sbassett lowered the priority of this task from "High" to "Low".

TASK DETAIL
  https://phabricator.wikimedia.org/T260349

WORKBOARD
  https://phabricator.wikimedia.org/project/board/1179/

EMAIL PREFERENCES
  https://phabricator.wikimedia.org/settings/panel/emailpreferences/

To: Lucas_Werkmeister_WMDE, sbassett
Cc: brennen, Silvan_WMDE, mmodell, thcipriani, hoo, bete, rosalieper, noarave, 
toan, Rosalie_WMDE, Jakob_WMDE, Pablo-WMDE, Ladsgroup, Addshore, ItamarWMDE, 
Michael, Tarrow, darthmon_wmde, WMDE-leszek, conny-kawohl_WMDE, 
Samantha_Alipio_WMDE, Lydia_Pintscher, Aklapper, Lucas_Werkmeister_WMDE, 
Devnull, Akuckartz, Iflorez, alaa_wmde, Dsharpe, DannyS712, Nandana, sbassett, 
lucamauri, Lahi, Gq86, GoranSMilovanovic, QZanden, EBjune, LawExplorer, 
_jensen, Scott_WUaS, Jonas, Wong128hk, Luke081515, Wikidata-bugs, aude, 
Bawolff, csteipp, Mbch331, Rxy, Jay8g, Krenair, Legoktm, chasemp
___
Wikidata-bugs mailing list
Wikidata-bugs@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikidata-bugs


[Wikidata-bugs] [Maniphest] T272534: EntityDataSerializationService - Possible SQL Injection

2021-01-25 Thread sbassett
sbassett changed the visibility from "Custom Policy" to "Public (No Login 
Required)".
sbassett changed the edit policy from "Custom Policy" to "All Users".

TASK DETAIL
  https://phabricator.wikimedia.org/T272534

EMAIL PREFERENCES
  https://phabricator.wikimedia.org/settings/panel/emailpreferences/

To: sbassett
Cc: sbassett, Aklapper, brennen, Mstyles, Devnull, Akuckartz, Dsharpe, 
DannyS712, Nandana, Lahi, Gq86, GoranSMilovanovic, QZanden, EBjune, 
LawExplorer, _jensen, rosalieper, Scott_WUaS, Wong128hk, Luke081515, 
Wikidata-bugs, aude, Bawolff, csteipp, Mbch331, Rxy, Jay8g, Krenair, Legoktm, 
chasemp, RhinosF1
___
Wikidata-bugs mailing list
Wikidata-bugs@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikidata-bugs


[Wikidata-bugs] [Maniphest] T249039: Security Readiness Review For Wikidata Bridge

2020-08-20 Thread sbassett
sbassett closed this task as "Resolved".
sbassett moved this task from Waiting to Our Part Is Done on the secscrum board.
sbassett added a comment.


  @darthmon_wmde - I assume there are no further questions about my above 
explanation?  I'll plan to resolve this task for now.  We can create new tasks 
for any additional, more focused follow-ups.

TASK DETAIL
  https://phabricator.wikimedia.org/T249039

WORKBOARD
  https://phabricator.wikimedia.org/project/board/4630/

EMAIL PREFERENCES
  https://phabricator.wikimedia.org/settings/panel/emailpreferences/

To: sbassett
Cc: WMDE-leszek, sbassett, Addshore, Michael, Lucas_Werkmeister_WMDE, 
Tonina_Zhelyazkova_WMDE, Pablo-WMDE, Lydia_Pintscher, Aklapper, darthmon_wmde, 
Akuckartz, Dsharpe, DannyS712, Nandana, Lahi, Gq86, GoranSMilovanovic, QZanden, 
LawExplorer, _jensen, rosalieper, Scott_WUaS, abian, Wikidata-bugs, aude, 
Bawolff, Mbch331, Legoktm
___
Wikidata-bugs mailing list
Wikidata-bugs@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikidata-bugs


[Wikidata-bugs] [Maniphest] T249039: Security Readiness Review For Wikidata Bridge

2020-08-06 Thread sbassett
sbassett added a comment.


  In T249039#6362819 <https://phabricator.wikimedia.org/T249039#6362819>, 
@darthmon_wmde wrote:
  
  > heads up: I am accepting the risk and we programmed the deploy to 
production.
  
  Great, thanks.
  
  > We have already fixed 
<https://gerrit.wikimedia.org/r/c/mediawiki/extensions/Wikibase/+/618319> some 
of the dev dependencies - by yesterday there were no high vulnerabilities, only 
low ones.
  
  Ok, great.
  
  > You mentioned that we need to commit to a risk plan to review the 
vulnerable dependencies e.g. in the next 30 days. From talking to the team the 
issue here is rather a continuous than a milestone, meaning that this is a 
moving target and we need a process to periodically check and fix the 
dependencies of our projects (To this aim we could really benefit from 
https://phabricator.wikimedia.org/T228527)
  >
  > With all this in mind, could you please specify the kind of commitment that 
you expect from me?
  
  The expectations the #security-team 
<https://phabricator.wikimedia.org/tag/security-team/> would have would be:
  
  1. Accepting the risk resulting from this review would mean accepting 
accountability for any potential issue which might arise from this code being 
deployed upon Wikimedia hardware.  e.g. being fully accountable if, say, a 
vulnerability from a deployed npm package resulted in a security incident.
  2. Regarding the risk plan, what you've described seems reasonable.  Given 
the vast amount of upstream code used for wikidata-bridge and other projects, 
it's likely infeasible to get to a point any time soon where every 
vulnerability has been addressed and resolved.  Committing to constant 
vigilance of dependency vulnerabilities and working to remediate those via 
patches to upstream, upgrading to secure versions or using alternative packages 
are all acceptable solutions.  To help with this, it might make sense to set up 
automated jobs (outside of publicly-viewable jenkins CI jobs) to run tools like 
`npm audit`, `retirejs`, `outdated` and `snyk` against the code base, which 
would then inform developers of current statuses.

TASK DETAIL
  https://phabricator.wikimedia.org/T249039

EMAIL PREFERENCES
  https://phabricator.wikimedia.org/settings/panel/emailpreferences/

To: sbassett
Cc: WMDE-leszek, sbassett, Addshore, Michael, Lucas_Werkmeister_WMDE, 
Tonina_Zhelyazkova_WMDE, Pablo-WMDE, Lydia_Pintscher, Aklapper, darthmon_wmde, 
Akuckartz, Dsharpe, DannyS712, Nandana, Lahi, Gq86, GoranSMilovanovic, QZanden, 
LawExplorer, _jensen, rosalieper, Scott_WUaS, Wikidata-bugs, aude, Bawolff, 
Mbch331, Legoktm
___
Wikidata-bugs mailing list
Wikidata-bugs@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikidata-bugs
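
The automated dependency-audit job suggested in the comment above, and the `npm audit --production` versus plain `npm audit` split that the 2020-07-06 review summary later in this archive relies on, as an added example (this is not code from the Wikibase repository or from the Security-Team). It assumes the npm 7+ JSON report shape (`auditReportVersion` 2 with a `vulnerabilities` map keyed by package name) and a policy of my own choosing: production findings at moderate or above block the build, dev-only findings are counted and the high/critical ones are listed as needing a remediation plan, which is what a "medium, review within 30 days" outcome asks of the team. The two sample reports are constructed and the package names are made up.

```javascript
'use strict';

// Severity order used by npm audit; anything not in this map is treated as unknown.
const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Policy assumed for this example (not the Security-Team's actual thresholds).
const DEFAULT_POLICY = { blockProdAtOrAbove: 'moderate', planDevAtOrAbove: 'high' };

function atOrAbove(severity, threshold) {
  const known = Object.prototype.hasOwnProperty.call(SEVERITY_RANK, severity);
  const rank = known ? SEVERITY_RANK[severity] : -1;
  return rank >= SEVERITY_RANK[threshold];
}

// The v2 JSON report has no per-finding dev/prod flag, so run the audit twice
// (`npm audit --json` and `npm audit --json --production`) and treat any package
// that appears only in the full report as dev-only.
function classify(fullReport, prodReport) {
  const prodNames = new Set(Object.keys(prodReport.vulnerabilities || {}));
  const prod = [];
  const devOnly = [];
  for (const [name, v] of Object.entries(fullReport.vulnerabilities || {})) {
    const finding = {
      name,
      severity: v.severity,
      isDirect: Boolean(v.isDirect),
      fixAvailable: Boolean(v.fixAvailable),
    };
    (prodNames.has(name) ? prod : devOnly).push(finding);
  }
  return { prod, devOnly };
}

// Apply the policy and return a structured verdict for the CI job to act on.
function evaluate(fullReport, prodReport, policy = DEFAULT_POLICY) {
  const { prod, devOnly } = classify(fullReport, prodReport);
  const blocking = prod.filter((f) => atOrAbove(f.severity, policy.blockProdAtOrAbove));
  const needsPlan = devOnly.filter((f) => atOrAbove(f.severity, policy.planDevAtOrAbove));
  return {
    ok: blocking.length === 0,
    blocking: blocking.map((f) => f.name).sort(),
    needsPlan: needsPlan.map((f) => f.name).sort(),
    counts: { prod: prod.length, devOnly: devOnly.length },
  };
}

// Human-readable summary for a CI log; returned as text rather than printed so
// the caller decides where it goes.
function formatSummary(result) {
  const lines = [
    `production findings: ${result.counts.prod}, dev-only findings: ${result.counts.devOnly}`,
    result.ok ? 'gate: PASS' : `gate: FAIL (blocking: ${result.blocking.join(', ')})`,
  ];
  if (result.needsPlan.length > 0) {
    lines.push(`dev-only findings needing a remediation plan: ${result.needsPlan.join(', ')}`);
  }
  return lines.join('\n');
}

// Constructed sample reports in the npm 7+ shape. The package names are made up
// for this example; they do not correspond to real advisories.
const SAMPLE_FULL = {
  auditReportVersion: 2,
  vulnerabilities: {
    'demo-test-runner': { name: 'demo-test-runner', severity: 'critical', isDirect: true, fixAvailable: true },
    'demo-dev-tool': { name: 'demo-dev-tool', severity: 'high', isDirect: false, fixAvailable: false },
    'demo-shared-util': { name: 'demo-shared-util', severity: 'moderate', isDirect: false, fixAvailable: true },
    'demo-runtime-lib': { name: 'demo-runtime-lib', severity: 'low', isDirect: true, fixAvailable: true },
  },
};
// What `npm audit --json --production` would report for the same tree: only the
// two packages reachable from production dependencies.
const SAMPLE_PROD = {
  auditReportVersion: 2,
  vulnerabilities: {
    'demo-shared-util': SAMPLE_FULL.vulnerabilities['demo-shared-util'],
    'demo-runtime-lib': SAMPLE_FULL.vulnerabilities['demo-runtime-lib'],
  },
};

console.log(formatSummary(evaluate(SAMPLE_FULL, SAMPLE_PROD)));
```

In a real job the two inputs come from `npm audit --json > full.json` and `npm audit --json --production > prod.json` (newer npm spells the second flag `--omit=dev`), and the job fails when `evaluate(...).ok` is false. Keeping the thresholds in one policy object makes the risk-acceptance decision explicit and reviewable instead of buried in a shell one-liner.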


[Wikidata-bugs] [Maniphest] T249039: Security Readiness Review For Wikidata Bridge

2020-07-29 Thread sbassett
sbassett added a comment.


  Ping @darthmon_wmde et al - just wanted to check on where we're at here with 
mediations and/or risk acceptance per my previous comment.  Thanks!

TASK DETAIL
  https://phabricator.wikimedia.org/T249039

EMAIL PREFERENCES
  https://phabricator.wikimedia.org/settings/panel/emailpreferences/

To: sbassett
Cc: WMDE-leszek, sbassett, Addshore, Michael, Lucas_Werkmeister_WMDE, 
Tonina_Zhelyazkova_WMDE, Pablo-WMDE, Lydia_Pintscher, Aklapper, darthmon_wmde, 
Akuckartz, Dsharpe, DannyS712, Nandana, Lahi, Gq86, GoranSMilovanovic, QZanden, 
LawExplorer, _jensen, rosalieper, Scott_WUaS, Wikidata-bugs, aude, Bawolff, 
Mbch331, Legoktm
___
Wikidata-bugs mailing list
Wikidata-bugs@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikidata-bugs


[Wikidata-bugs] [Maniphest] T258323: Unable to set up move protection in ns:0 on Commons

2020-07-24 Thread sbassett
sbassett added a comment.


  In T258323#6334121 <https://phabricator.wikimedia.org/T258323#6334121>, 
@RhinosF1 wrote:
  
  > There was a restricted task merged into this. Should it be made public as 
well? (https://phabricator.wikimedia.org/T258323#6317139)
  
  Done.

TASK DETAIL
  https://phabricator.wikimedia.org/T258323

EMAIL PREFERENCES
  https://phabricator.wikimedia.org/settings/panel/emailpreferences/

To: sbassett
Cc: RhinosF1, sbassett, greg, Lucas_Werkmeister_WMDE, Michael, 
guergana.tzatchkova, toan, ItamarWMDE, Tonina_Zhelyazkova_WMDE, Addshore, 
Ramsey-WMF, Lydia_Pintscher, Ladsgroup, Masumrezarock100, Umherirrender, 
4nn1l2, Achim55, Urbanecm, Majavah, Aklapper, Didym, CBogen, Akuckartz, 
Iflorez, darthmon_wmde, DutchTina, alaa_wmde, Dsharpe, Viztor, Nandana, JKSTNK, 
Jony, lucamauri, Amorymeltzer, Lahi, Gq86, GoranSMilovanovic, QZanden, EBjune, 
LawExplorer, JJMC89, Poyekhali, _jensen, rosalieper, Taiwania_Justo, 
Scott_WUaS, Jonas, Johan, Ixocactus, Wong128hk, Luke081515, Wikidata-bugs, 
aude, Bawolff, El_Grafo, Dinoguy1000, TheDJ, csteipp, Steinsplitter, Mbch331, 
Rxy, Jay8g, Krenair, Keegan, Legoktm, chasemp
___
Wikidata-bugs mailing list
Wikidata-bugs@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikidata-bugs


[Wikidata-bugs] [Maniphest] T238052: Deleted pages in ns:0 cannot be protected on the Commons

2020-07-24 Thread sbassett
sbassett changed the visibility from "Custom Policy" to "Public (No Login 
Required)".

TASK DETAIL
  https://phabricator.wikimedia.org/T238052

EMAIL PREFERENCES
  https://phabricator.wikimedia.org/settings/panel/emailpreferences/

To: sbassett
Cc: 4nn1l2, Urbanecm, Umherirrender, Masumrezarock100, Aklapper, Achim55, 
CBogen, Akuckartz, darthmon_wmde, Dsharpe, Nandana, sbassett, Lahi, Gq86, 
Ramsey-WMF, GoranSMilovanovic, Jayprakash12345, QZanden, EBjune, LawExplorer, 
Poyekhali, _jensen, rosalieper, Taiwania_Justo, Scott_WUaS, Ixocactus, 
Wong128hk, Luke081515, Wikidata-bugs, aude, Bawolff, El_Grafo, Dinoguy1000, 
csteipp, Steinsplitter, Mbch331, Rxy, Jay8g, Krenair, Keegan, Legoktm, chasemp
___
Wikidata-bugs mailing list
Wikidata-bugs@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikidata-bugs


[Wikidata-bugs] [Maniphest] T258323: Unable to set up move protection in ns:0 on Commons

2020-07-24 Thread sbassett
sbassett removed a project: Patch-For-Review.
sbassett moved this task from Watching to Our Part Is Done on the Security-Team 
board.

TASK DETAIL
  https://phabricator.wikimedia.org/T258323

WORKBOARD
  https://phabricator.wikimedia.org/project/board/1179/

EMAIL PREFERENCES
  https://phabricator.wikimedia.org/settings/panel/emailpreferences/

To: sbassett
Cc: sbassett, greg, Lucas_Werkmeister_WMDE, Michael, guergana.tzatchkova, toan, 
ItamarWMDE, Tonina_Zhelyazkova_WMDE, Addshore, Ramsey-WMF, Lydia_Pintscher, 
Ladsgroup, Masumrezarock100, Umherirrender, 4nn1l2, Achim55, Urbanecm, Majavah, 
Aklapper, Didym, CBogen, Akuckartz, Iflorez, darthmon_wmde, DutchTina, 
alaa_wmde, Dsharpe, Viztor, Nandana, JKSTNK, Jony, lucamauri, Amorymeltzer, 
Lahi, Gq86, GoranSMilovanovic, QZanden, EBjune, LawExplorer, JJMC89, Poyekhali, 
_jensen, rosalieper, Taiwania_Justo, Scott_WUaS, Jonas, Johan, Ixocactus, 
Wong128hk, Luke081515, Wikidata-bugs, aude, Bawolff, El_Grafo, Dinoguy1000, 
TheDJ, csteipp, Steinsplitter, Mbch331, Rxy, Jay8g, Krenair, Keegan, Legoktm, 
chasemp, Alter-paule, Beast1978, Un1tY, Hook696, Kent7301, joker88john, 
CucyNoiD, Gaboe420, Giuliamocci, Cpaulf30, Af420, Bsandipan, Lewizho99, 
Maathavan
___
Wikidata-bugs mailing list
Wikidata-bugs@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikidata-bugs


[Wikidata-bugs] [Maniphest] T258323: Unable to set up move protection in ns:0 on Commons

2020-07-24 Thread sbassett
sbassett changed the visibility from "Custom Policy" to "Public (No Login 
Required)".

TASK DETAIL
  https://phabricator.wikimedia.org/T258323

EMAIL PREFERENCES
  https://phabricator.wikimedia.org/settings/panel/emailpreferences/

To: sbassett
Cc: sbassett, greg, Lucas_Werkmeister_WMDE, Michael, guergana.tzatchkova, toan, 
ItamarWMDE, Tonina_Zhelyazkova_WMDE, Addshore, Ramsey-WMF, Lydia_Pintscher, 
Ladsgroup, Masumrezarock100, Umherirrender, 4nn1l2, Achim55, Urbanecm, Majavah, 
Aklapper, Didym, Alter-paule, Beast1978, CBogen, Un1tY, Akuckartz, Hook696, 
Iflorez, darthmon_wmde, DutchTina, Kent7301, alaa_wmde, Dsharpe, joker88john, 
Viztor, CucyNoiD, Nandana, JKSTNK, Gaboe420, Jony, lucamauri, Amorymeltzer, 
Giuliamocci, Cpaulf30, Lahi, Gq86, Af420, Bsandipan, GoranSMilovanovic, 
QZanden, EBjune, LawExplorer, Lewizho99, JJMC89, Maathavan, Poyekhali, _jensen, 
rosalieper, Taiwania_Justo, Scott_WUaS, Jonas, Johan, Ixocactus, Wong128hk, 
Luke081515, Wikidata-bugs, aude, Bawolff, El_Grafo, Dinoguy1000, TheDJ, 
csteipp, Steinsplitter, Mbch331, Rxy, Jay8g, Krenair, Keegan, Legoktm, chasemp, 
RhinosF1
___
Wikidata-bugs mailing list
Wikidata-bugs@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikidata-bugs


[Wikidata-bugs] [Maniphest] T249039: Security Readiness Review For Wikidata Bridge

2020-07-21 Thread sbassett
sbassett added a comment.


  In T249039#6322813 <https://phabricator.wikimedia.org/T249039#6322813>, 
@Lucas_Werkmeister_WMDE wrote:
  
  > I looked at these earlier and thought they all looked like false positives
  
  Great, thanks for confirming and for your detailed analysis, with which I 
concur.  I'll change this to a risk rating of: {icon smile-o color=sky} 
**none**.
  
  > but I seem to have lost access to the paste now for some reason, so I can’t 
say for sure.
  
  This was due to some mitigations for a non-issue (T258239 
<https://phabricator.wikimedia.org/T258239>), the referenced pastes should now 
be viewable to you.
  
  In T249039#6323388 <https://phabricator.wikimedia.org/T249039#6323388>, 
@Pablo-WMDE wrote:
  
  > There recurringly are and recently were efforts to get those numbers down, 
maybe a recheck (e.g. after sha 5f1d7d106f47dbe7738efb788144d7f2fe391f39 
<https://phabricator.wikimedia.org/rEWBA5f1d7d106f47dbe7738efb788144d7f2fe391f39>)
 is all it takes to find more acceptable counts (is 0 the success criterion?).
  > This is a moving target, however. At WMDE we are in the process of finding 
a structured workflow (for the products' and the developers' sake) which 
prevents those counts climbing again. A push on T228527: Support nested 
package.json files <https://phabricator.wikimedia.org/T228527> from people with 
an official security hat would be of great help to make this happen in (ever 
more popular) monorepos.
  
  0 is of course ideal, though likely not realistic.  As noted within the 
review, outdated packages by themselves, without any additional mention of 
specific security vulnerabilities, would have a risk of: {icon check-circle 
color=green} **low**.  Per the risk acceptance chart within T249039#6309061 
<https://phabricator.wikimedia.org/T249039#6309061>, these issues can be 
addressed outside of any timeline and the risk is automatically accepted 
without managerial+ approval.  I'm also hopeful that we'll have better 
automated security monitoring in place both as stand-alone solutions and within 
CI in the near future.  Though that work is likely not to be completed for a 
while and so we try to call out such issues during manual security readiness 
reviews when prudent.
  
  > I believe this is a false positive. TinyColor (which we depend on via 
@storybook/addon-knobs@5.3.19 > react-color@2.18.1 > tinycolor 1.4.1) does 
contain a copy of jquery 1.9.1 for its own demo 
<https://github.com/bgrins/TinyColor/tree/ab58ca0/demo> page, but it is not 
part of its package, and consequently not loaded in the bridge product.
  
  Ok, I'd barely call that a dev dependency then, so the risk would be: {icon 
check-circle color=green} **low**.
  
  Given the volume of issues returned by `npm audit` and `snyk test`, and that 
while such packages might not be directly deployed to wikimedia production 
hardware, they are still likely used during critical doc, test and build stages 
and I would still rate the overall risk at {icon exclamation-triangle 
color=yellow} **medium**.  This risk can be accepted by a manager (I assume 
@darthmon_wmde) and a risk plan could be as simple as committing to review 
vulnerable dependencies for security updates within 30 days (for which there 
obviously //may// or //may not// be updates.)

TASK DETAIL
  https://phabricator.wikimedia.org/T249039

EMAIL PREFERENCES
  https://phabricator.wikimedia.org/settings/panel/emailpreferences/

To: sbassett
Cc: WMDE-leszek, sbassett, Addshore, Michael, Lucas_Werkmeister_WMDE, 
Tonina_Zhelyazkova_WMDE, Pablo-WMDE, Lydia_Pintscher, Aklapper, darthmon_wmde, 
Akuckartz, Dsharpe, DannyS712, Nandana, Lahi, Gq86, GoranSMilovanovic, QZanden, 
LawExplorer, _jensen, rosalieper, Scott_WUaS, Wikidata-bugs, aude, Bawolff, 
Mbch331, Legoktm
___
Wikidata-bugs mailing list
Wikidata-bugs@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikidata-bugs


[Wikidata-bugs] [Maniphest] T249039: Security Readiness Review For Wikidata Bridge

2020-07-16 Thread sbassett
sbassett added a comment.


  In T249039#6313032 <https://phabricator.wikimedia.org/T249039#6313032>, 
@darthmon_wmde wrote:
  
  >> (...) our current risk management policy (on officewiki 
<https://office.wikimedia.org/wiki/Security/Policy/Risk_Management>, which 
sadly I don't believe wmde folks can view) ...
  >
  > You are probably right. Are the credentials for this page shared with 
another system within the wikimedia world? I have tried a couple without 
success.
  
  Sadly, I do not believe so.  officewiki accounts are local (not SUL or shared 
in any way) and are granted upon being employed by the WMF.  There are 
definitely various policies that live there which should probably have some 
public version on mw.org or wherever.

TASK DETAIL
  https://phabricator.wikimedia.org/T249039

EMAIL PREFERENCES
  https://phabricator.wikimedia.org/settings/panel/emailpreferences/

To: sbassett
Cc: WMDE-leszek, sbassett, Addshore, Michael, Lucas_Werkmeister_WMDE, 
Tonina_Zhelyazkova_WMDE, Pablo-WMDE, Lydia_Pintscher, Aklapper, darthmon_wmde, 
Akuckartz, Dsharpe, DannyS712, Nandana, Lahi, Gq86, GoranSMilovanovic, QZanden, 
LawExplorer, _jensen, rosalieper, Scott_WUaS, Wikidata-bugs, aude, Bawolff, 
Mbch331, Legoktm
___
Wikidata-bugs mailing list
Wikidata-bugs@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikidata-bugs


[Wikidata-bugs] [Maniphest] T249039: Security Readiness Review For Wikidata Bridge

2020-07-15 Thread sbassett
sbassett added a comment.


  In T249039#6307879 <https://phabricator.wikimedia.org/T249039#6307879>, 
@darthmon_wmde wrote:
  
  > sorry if this is a stupid question but could you please say clearly whether 
we need to lower the risk on any of the points? I am not sure whether what you 
define as medium or low risk are acceptable to go to production or not.
  
  Hey @darthmon_wmde -
  
  Apologies if our current risk management policy (on officewiki 
<https://office.wikimedia.org/wiki/Security/Policy/Risk_Management>, which 
sadly I don't believe wmde folks can view) hasn't been as well-socialized as I 
would like, but whenever the #security-team 
<https://phabricator.wikimedia.org/tag/security-team/> performs any kind of 
security or risk review, including application security reviews, we assign an 
overall risk which then needs to be mitigated or accepted.  We obviously prefer 
mitigation, as it //actually// reduces risk for a given code base or system, 
but we also allow for individuals to fully accept and own any risk established 
by a review.  Here is a simple table from the aforementioned risk management 
policy detailing levels of risks and the required steps for approval:
  
  | Rating | Description |
  | --- | --- |
  | {icon exclamation-triangle color=red} Critical | Requires C level oversight and an immediate evaluation of all possible mitigations to reduce exposure. Risk treatment not to exceed 3 days. Risk acceptance only by Exec. Director. |
  | {icon exclamation-triangle color=orange} High | Requires C level oversight and risk treatment plan creation in 7 days. Risk treatment must be applied within 7 days of creation of that plan. Risk acceptance by C-Level. |
  | {icon exclamation-triangle color=yellow} Medium | Requires Manager level oversight and risk treatment plan creation within 30 days. Risk treatment must be applied within 30 days of plan creation. Risk acceptance by Management level. |
  | {icon check-circle color=green} Low | Risk treatment applied when resources are available. Risk is automatically accepted. |

TASK DETAIL
  https://phabricator.wikimedia.org/T249039

EMAIL PREFERENCES
  https://phabricator.wikimedia.org/settings/panel/emailpreferences/

To: sbassett
Cc: WMDE-leszek, sbassett, Addshore, Michael, Lucas_Werkmeister_WMDE, 
Tonina_Zhelyazkova_WMDE, Pablo-WMDE, Lydia_Pintscher, Aklapper, darthmon_wmde, 
Akuckartz, Dsharpe, DannyS712, Nandana, Lahi, Gq86, GoranSMilovanovic, QZanden, 
LawExplorer, _jensen, rosalieper, Scott_WUaS, Wikidata-bugs, aude, Bawolff, 
Mbch331, Legoktm
___
Wikidata-bugs mailing list
Wikidata-bugs@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikidata-bugs


[Wikidata-bugs] [Maniphest] [Commented On] T249039: Security Readiness Review For Wikidata Bridge

2020-07-08 Thread sbassett
sbassett added a comment.


  !!**Security Review Summary - T249039 
<https://phabricator.wikimedia.org/T249039> - 2020-07-06**!!
  **Last commit reviewed:**
  
  1. Wikibase: `cbfd8bbca3bf816ace5bafdfbd112ddaa44274da`
  
  For this review, I focused mainly upon the TypeScript app within Wikibase's 
`client/data-bridge` directory, with a cursory glance at the config files 
within `client/includes/DataBridge/` and the generic wikidata item regex 
component of the IS.php config changes (`((Q[1-9][0-9]*)).*#(P[1-9][0-9]*)`), 
which all seem fine.  I didn't find anything significantly disturbing with the 
TypeScript app other than it being a substantial amount of complex code with 
myriad dependencies.  Overall, I would currently assign a risk rating of {icon 
exclamation-triangle color=yellow} **medium** given the dependency issues below.
  
  **Vulnerable Packages**
  
  1. No production vulnerabilities found with `npm audit --production`, though 
a significant number (4,343!) were found within dev dependencies.  Please run 
an `npm audit` to confirm and address as needed.  **Risk: {icon 
exclamation-triangle color=yellow} medium**
  2. No production vulnerabilities found with `snyk test`, though a significant 
number (26 issues, 4,391 vulnerable paths) were found within dev dependencies.  
See attached file (F31919092 <https://phabricator.wikimedia.org/F31919092>) for 
the output of the snyk report.  **Risk: {icon exclamation-triangle color=yellow} 
medium**
  
  **Outdated Packages**
  As reported via `npm outdated`:
  (no explicit vulnerabilities reported, simply noting for completeness' sake.  
**Risk: {icon check-circle color=green} low**)
  
  | Package | Current | Wanted | Latest |
  | --- | --- | --- | --- |
  | @babel/core | 7.8.4 | 7.10.4 | 7.10.4 |
  | @storybook/addon-a11y | 5.3.14 | 5.3.19 | 5.3.19 |
  | @storybook/addon-actions | 5.3.14 | 5.3.19 | 5.3.19 |
  | @storybook/addon-docs | 5.3.14 | 5.3.19 | 5.3.19 |
  | @storybook/addon-knobs | 5.3.14 | 5.3.19 | 5.3.19 |
  | @storybook/addon-links | 5.3.14 | 5.3.19 | 5.3.19 |
  | @storybook/addons | 5.3.14 | 5.3.19 | 5.3.19 |
  | @storybook/vue | 5.3.14 | 5.3.19 | 5.3.19 |
  | @types/jest | 24.9.1 | 24.9.1 | 26.0.3 |
  | @types/jquery | 3.3.32 | 3.5.0 | 3.5.0 |
  | @types/node | 12.12.27 | 12.12.48 | 14.0.18 |
  | @types/uuid | 3.4.7 | 3.4.9 | 8.0.0 |
  | @typescript-eslint/eslint-plugin | 2.19.2 | 2.34.0 | 3.6.0 |
  | @typescript-eslint/parser | 2.19.2 | 2.34.0 | 3.6.0 |
  | @vue/cli-plugin-babel | 4.2.2 | 4.4.6 | 4.4.6 |
  | @vue/cli-plugin-eslint | 4.2.2 | 4.4.6 | 4.4.6 |
  | @vue/cli-plugin-typescript | 4.4.4 | 4.4.6 | 4.4.6 |
  | @vue/cli-plugin-unit-jest | 4.2.2 | 4.4.6 | 4.4.6 |
  | @vue/cli-service | 4.2.2 | 4.4.6 | 4.4.6 |
  | @vue/eslint-config-typescript | 5.0.1 | 5.0.2 | 5.0.2 |
  | @vue/test-utils | 1.0.0-beta.29 | 1.0.0-beta.29 | 1.0.3 |
  | @wdio/cli | 5.22.4 | 5.23.0 | 6.1.24 |
  | @wdio/local-runner | 5.22.4 | 5.23.0 | 6.1.24 |
  | @wdio/mocha-framework | 5.18.7 | 5.23.0 | 6.1.19 |
  | @wdio/spec-reporter | 5.22.4 | 5.23.0 | 6.1.23 |
  | @wdio/sync | 5.20.1 | 5.23.0 | 6.1.14 |
  | @wmde/eslint-config-wikimedia-typescript | 0.1.1 | 0.1.1 | 0.2.0 |
  | @wmde/wikibase-datamodel-types | 0.1.0 | 0.1.0 | 0.2.0 |
  | babel-core | 7.0.0-bridge.0 | 7.0.0-bridge.0 | 6.26.3 |
  | babel-eslint | 10.0.3 | 10.1.0 | 10.1.0 |
  | bootstrap | 4.4.1 | 4.5.0 | 4.5.0 |
  | core-js | 3.6.4 | 3.6.5 | 3.6.5 |
  | deep-equal | 2.0.1 | 2.0.3 | 2.0.3 |
  | eslint | 6.8.0 | 6.8.0 | 7.4.0 |
  | e

[Wikidata-bugs] [Maniphest] [Commented On] T249039: Security Readiness Review For Wikidata Bridge

2020-07-03 Thread sbassett
sbassett added a comment.


  **Update:** Apologies, but this is going to have to wait until Monday 
2020-07-06.

TASK DETAIL
  https://phabricator.wikimedia.org/T249039

EMAIL PREFERENCES
  https://phabricator.wikimedia.org/settings/panel/emailpreferences/

To: sbassett
Cc: WMDE-leszek, sbassett, Addshore, Michael, Lucas_Werkmeister_WMDE, 
Tonina_Zhelyazkova_WMDE, Pablo-WMDE, Lydia_Pintscher, Aklapper, darthmon_wmde, 
Dsharpe, DannyS712, Nandana, Lahi, Gq86, GoranSMilovanovic, QZanden, 
LawExplorer, _jensen, rosalieper, Scott_WUaS, Wikidata-bugs, aude, Bawolff, 
Mbch331, Legoktm
___
Wikidata-bugs mailing list
Wikidata-bugs@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikidata-bugs


[Wikidata-bugs] [Maniphest] [Commented On] T249039: Security Readiness Review For Wikidata Bridge

2020-07-02 Thread sbassett
sbassett added a comment.


  Update: I still hope to have this security review completed by EOBD tomorrow 
(10:00 PM UTC for me) but note that the review may have to be posted on Monday 
2020-07-06 due to some delays.  Apologies and thanks for your patience.

TASK DETAIL
  https://phabricator.wikimedia.org/T249039

EMAIL PREFERENCES
  https://phabricator.wikimedia.org/settings/panel/emailpreferences/

To: sbassett
Cc: WMDE-leszek, sbassett, Addshore, Michael, Lucas_Werkmeister_WMDE, 
Tonina_Zhelyazkova_WMDE, Pablo-WMDE, Lydia_Pintscher, Aklapper, darthmon_wmde, 
Dsharpe, DannyS712, Nandana, Lahi, Gq86, GoranSMilovanovic, QZanden, 
LawExplorer, _jensen, rosalieper, Scott_WUaS, Wikidata-bugs, aude, Bawolff, 
Mbch331, Legoktm
___
Wikidata-bugs mailing list
Wikidata-bugs@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikidata-bugs


[Wikidata-bugs] [Maniphest] [Commented On] T249039: Security Readiness Review For Wikidata Bridge

2020-07-01 Thread sbassett
sbassett added a comment.


  So 
https://gerrit.wikimedia.org/g/mediawiki/extensions/Wikibase/+/master/client/resources/Resources.php
 no longer appears to exist, as it is ref'd in the task description.  Does that 
live somewhere else or is it just gone now?

TASK DETAIL
  https://phabricator.wikimedia.org/T249039

EMAIL PREFERENCES
  https://phabricator.wikimedia.org/settings/panel/emailpreferences/

To: sbassett
Cc: WMDE-leszek, sbassett, Addshore, Michael, Lucas_Werkmeister_WMDE, 
Tonina_Zhelyazkova_WMDE, Pablo-WMDE, Lydia_Pintscher, Aklapper, darthmon_wmde, 
Dsharpe, DannyS712, Nandana, Lahi, Gq86, GoranSMilovanovic, QZanden, 
LawExplorer, _jensen, rosalieper, Scott_WUaS, Wikidata-bugs, aude, Bawolff, 
Mbch331, Legoktm
___
Wikidata-bugs mailing list
Wikidata-bugs@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikidata-bugs


[Wikidata-bugs] [Maniphest] [Commented On] T249039: Security Readiness Review For Wikidata Bridge

2020-06-26 Thread sbassett
sbassett added a comment.


  @Lydia_Pintscher @darthmon_wmde - I hope to have the aforementioned 
due-diligence security review completed by the end of next week (Friday, July 
3rd).

TASK DETAIL
  https://phabricator.wikimedia.org/T249039

To: sbassett
Cc: WMDE-leszek, sbassett, Addshore, Michael, Lucas_Werkmeister_WMDE, 
Tonina_Zhelyazkova_WMDE, Pablo-WMDE, Lydia_Pintscher, Aklapper, darthmon_wmde, 
Dsharpe, DannyS712, Nandana, Lahi, Gq86, GoranSMilovanovic, QZanden, 
LawExplorer, _jensen, rosalieper, Scott_WUaS, Wikidata-bugs, aude, Bawolff, 
Mbch331, Legoktm


[Wikidata-bugs] [Maniphest] [Commented On] T230451: Class 'Wikibase\DataModel\Entity\ItemId' not found in various CI-related dockers

2020-06-26 Thread sbassett
sbassett added a comment.


  Hmm, well now I'm getting a phpunit error with 
`quibble-composer-mysql-php72-noselenium-docker`:
  
PHP Fatal error:  Cannot use 'object' as class name as it is reserved in 
/workspace/src/vendor/phpunit/phpunit-mock-objects/src/Generator.php(264) : 
eval()'d code on line 1
12:26:53 
12:26:53 Fatal error: Cannot use 'object' as class name as it is reserved 
in /workspace/src/vendor/phpunit/phpunit-mock-objects/src/Generator.php(264) : 
eval()'d code on line 1
  
  And the two dockers within the task description do not seem to be running 
against my test patch, guess they went away for REL1_31?

TASK DETAIL
  https://phabricator.wikimedia.org/T230451

To: sbassett
Cc: Jdforrester-WMF, Aklapper, sbassett, darthmon_wmde, Michael, Nandana, Lahi, 
Gq86, GoranSMilovanovic, QZanden, LawExplorer, _jensen, rosalieper, Scott_WUaS, 
Wikidata-bugs, aude, Lydia_Pintscher, Mbch331


[Wikidata-bugs] [Maniphest] [Updated] T230451: Class 'Wikibase\DataModel\Entity\ItemId' not found in various CI-related dockers

2020-06-26 Thread sbassett
sbassett removed a project: Patch-For-Review.

TASK DETAIL
  https://phabricator.wikimedia.org/T230451

To: sbassett
Cc: Jdforrester-WMF, Aklapper, sbassett, darthmon_wmde, Michael, Nandana, Lahi, 
Gq86, GoranSMilovanovic, QZanden, LawExplorer, _jensen, rosalieper, Scott_WUaS, 
Wikidata-bugs, aude, Lydia_Pintscher, Mbch331, Alter-paule, Beast1978, Un1tY, 
Hook696, Kent7301, joker88john, CucyNoiD, Gaboe420, Giuliamocci, Cpaulf30, 
Af420, Bsandipan, Lewizho99, Maathavan


[Wikidata-bugs] [Maniphest] [Updated] T230451: Class 'Wikibase\DataModel\Entity\ItemId' not found in various CI-related dockers

2020-06-25 Thread sbassett
sbassett added a comment.


  In T230451#6257384 <https://phabricator.wikimedia.org/T230451#6257384>, 
@Jdforrester-WMF wrote:
  
  > Not sure if these release branches of Wikibase are supported. That'd be 
something for the Wikidata team to determine.
  
  I suppose REL1_32 and REL1_33 are not of much concern anymore 
<https://www.mediawiki.org/wiki/Version_lifecycle?#Versions_and_their_end-of-life>.
  This also might have been resolved elsewhere: T189560#5460674 
<https://phabricator.wikimedia.org/T189560#5460674>.  So maybe this can be 
marked invalid or merged into that task?

TASK DETAIL
  https://phabricator.wikimedia.org/T230451

To: sbassett
Cc: Jdforrester-WMF, Aklapper, sbassett, darthmon_wmde, Michael, Nandana, Lahi, 
Gq86, GoranSMilovanovic, QZanden, LawExplorer, _jensen, rosalieper, Scott_WUaS, 
Wikidata-bugs, aude, Lydia_Pintscher, Mbch331


[Wikidata-bugs] [Maniphest] [Commented On] T249039: Security Readiness Review For Wikidata Bridge

2020-06-16 Thread sbassett
sbassett added a comment.


  In T249039#6224698 <https://phabricator.wikimedia.org/T249039#6224698>, 
@Lydia_Pintscher wrote:
  
  > If at all possible it'd be <3 to be ready for deployment at the beginning 
of July.
  
  We can at least have a minimal, due-diligence review performed by then.  
Which will likely be the deliverable here given #security-team 
<https://phabricator.wikimedia.org/tag/security-team/> resourcing and the 
continued Covid19-related disruptions.

TASK DETAIL
  https://phabricator.wikimedia.org/T249039

To: sbassett
Cc: WMDE-leszek, sbassett, Addshore, Michael, Lucas_Werkmeister_WMDE, 
Tonina_Zhelyazkova_WMDE, Pablo-WMDE, Lydia_Pintscher, Aklapper, darthmon_wmde, 
Dsharpe, DannyS712, Nandana, Lahi, Gq86, GoranSMilovanovic, QZanden, 
LawExplorer, _jensen, rosalieper, Scott_WUaS, Wikidata-bugs, aude, Bawolff, 
Mbch331, Legoktm


[Wikidata-bugs] [Maniphest] [Raised Priority] T249039: Security Readiness Review For Wikidata Bridge

2020-06-08 Thread sbassett
sbassett raised the priority of this task from "Low" to "Medium".

TASK DETAIL
  https://phabricator.wikimedia.org/T249039

To: sbassett
Cc: WMDE-leszek, sbassett, Addshore, Michael, Lucas_Werkmeister_WMDE, 
Tonina_Zhelyazkova_WMDE, Pablo-WMDE, Lydia_Pintscher, Aklapper, darthmon_wmde, 
Dsharpe, DannyS712, Nandana, Lahi, Gq86, GoranSMilovanovic, QZanden, 
LawExplorer, _jensen, rosalieper, Scott_WUaS, Wikidata-bugs, aude, Bawolff, 
Mbch331, Legoktm


[Wikidata-bugs] [Maniphest] [Changed Status] T249039: Security Readiness Review For Wikidata Bridge

2020-06-08 Thread sbassett
sbassett changed the task status from "Stalled" to "Open".

TASK DETAIL
  https://phabricator.wikimedia.org/T249039

To: sbassett
Cc: WMDE-leszek, sbassett, Addshore, Michael, Lucas_Werkmeister_WMDE, 
Tonina_Zhelyazkova_WMDE, Pablo-WMDE, Lydia_Pintscher, Aklapper, darthmon_wmde, 
Dsharpe, DannyS712, Nandana, Lahi, Gq86, GoranSMilovanovic, QZanden, 
LawExplorer, _jensen, rosalieper, Scott_WUaS, Wikidata-bugs, aude, Bawolff, 
Mbch331, Legoktm


[Wikidata-bugs] [Maniphest] [Commented On] T249039: Security Readiness Review For Wikidata Bridge

2020-06-08 Thread sbassett
sbassett added a comment.


  @darthmon_wmde - I can look at this next.  Did you have an updated target 
date for deployment?

TASK DETAIL
  https://phabricator.wikimedia.org/T249039

To: sbassett
Cc: WMDE-leszek, sbassett, Addshore, Michael, Lucas_Werkmeister_WMDE, 
Tonina_Zhelyazkova_WMDE, Pablo-WMDE, Lydia_Pintscher, Aklapper, darthmon_wmde, 
Dsharpe, DannyS712, Nandana, Lahi, Gq86, GoranSMilovanovic, QZanden, 
LawExplorer, _jensen, rosalieper, Scott_WUaS, Wikidata-bugs, aude, Bawolff, 
Mbch331, Legoktm


[Wikidata-bugs] [Maniphest] [Edited] T249039: Security Readiness Review For Wikidata Bridge

2020-05-14 Thread sbassett
sbassett updated the task description.

TASK DETAIL
  https://phabricator.wikimedia.org/T249039

To: sbassett
Cc: WMDE-leszek, sbassett, Addshore, Michael, Lucas_Werkmeister_WMDE, 
Tonina_Zhelyazkova_WMDE, Pablo-WMDE, Lydia_Pintscher, Aklapper, darthmon_wmde, 
Sarai-WMDE, Dsharpe, DannyS712, Nandana, Lahi, Gq86, GoranSMilovanovic, 
QZanden, LawExplorer, _jensen, rosalieper, Scott_WUaS, Wikidata-bugs, aude, 
Bawolff, Mbch331, Legoktm


[Wikidata-bugs] [Maniphest] [Changed Status] T249039: Security Readiness Review For Wikidata Bridge

2020-05-11 Thread sbassett
sbassett changed the task status from "Open" to "Stalled".

TASK DETAIL
  https://phabricator.wikimedia.org/T249039

To: sbassett
Cc: WMDE-leszek, sbassett, Addshore, Michael, Lucas_Werkmeister_WMDE, 
Tonina_Zhelyazkova_WMDE, Pablo-WMDE, Lydia_Pintscher, Aklapper, darthmon_wmde, 
Sarai-WMDE, Dsharpe, DannyS712, Nandana, Lahi, Gq86, GoranSMilovanovic, 
QZanden, LawExplorer, _jensen, rosalieper, Scott_WUaS, Wikidata-bugs, aude, 
Bawolff, Mbch331, Legoktm


[Wikidata-bugs] [Maniphest] [Commented On] T249039: Security Readiness Review For Wikidata Bridge

2020-05-11 Thread sbassett
sbassett added a comment.


  Hey @darthmon_wmde-
  
  In T249039#6125290 <https://phabricator.wikimedia.org/T249039#6125290>, 
@darthmon_wmde wrote:
  
  > We have not frozen the code yet, are finishing the last 2.5 stories. Excuse 
my ignorance but, do we need to be 100% finished before the security review can 
happen?
  
  Although it has not been officially documented within our Security 
Readiness Review SOP 
<https://www.mediawiki.org/wiki/Security/SOP/Security_Readiness_Reviews>, we 
typically ask code owners to select a "stopping point" for a review.  This is 
ideally (a) commit sha(s) where the code is as close to production-ready as it 
can be so that we do not have to review a volatile codebase which may change 
substantially within a few days.   Our team simply does not have the resources 
and sanity to conduct numerous reviews of volatile code.  We understand this 
may not be possible in certain situations and that small changes (i18n, doc, 
etc.) can occur with little overall impact, but we strive to have the code in a 
stable, finished state prior to our reviews.  So if there is more work to be 
completed (which seems to be the case with your mention of outstanding 
stories), we should likely wait until that work is completed before agreeing 
upon commit sha(s) for the review.
  
  > Other than that, please find here the documentation for the RegExp: 
https://www.mediawiki.org/wiki/Wikidata_Bridge/Development/DocDrafts/How_to_Enable_Wikidata_Bridge_for_your_Infobox
  
  Thanks.
  
  > I sent you a google doc today with the documentation on how to reproduce 
the DataBridge locally. Please, do no hesitate to ask if needed.
  
  Thanks, I'll review that and let you know.

TASK DETAIL
  https://phabricator.wikimedia.org/T249039

To: sbassett
Cc: WMDE-leszek, sbassett, Addshore, Michael, Lucas_Werkmeister_WMDE, 
Tonina_Zhelyazkova_WMDE, Pablo-WMDE, Lydia_Pintscher, Aklapper, darthmon_wmde, 
Sarai-WMDE, Dsharpe, DannyS712, Nandana, Lahi, Gq86, GoranSMilovanovic, 
QZanden, LawExplorer, _jensen, rosalieper, Scott_WUaS, Wikidata-bugs, aude, 
Bawolff, Mbch331, Legoktm
