[Wikidata-bugs] [Maniphest] [Commented On] T204542: Security review for the Wikidata primary sources tool MediaWiki extension

2019-01-15 Thread sbassett
sbassett added a comment. Hello @Hjfocs Some follow-up here - apologies for the stop/go on this one: Did the mirroring issue with gerrit ever get addressed? It still looks to be an empty repo. I was curious if the tool is actually working in production. On wikidata.org, I added the gadget

[Wikidata-bugs] [Maniphest] [Commented On] T204542: Security review for the Wikidata primary sources tool MediaWiki extension

2019-01-23 Thread sbassett
sbassett added a comment. @Hjfocs - But you served as the first reviewer, what am I getting wrong? From T196073#4825203, it looks like @MaxSem found the PrimarySources code as an unmerged gerrit patch set, and offered some initial feedback (thanks!) However, this isn't typical of a standard

[Wikidata-bugs] [Maniphest] [Commented On] T204542: Security review for the Wikidata primary sources tool MediaWiki extension

2018-12-12 Thread sbassett
sbassett added a comment. Not seeing anything in master or REL1_32 for this. Is it somewhere else? If not, is there an estimate for completion? TASK DETAIL https://phabricator.wikimedia.org/T204542 EMAIL PREFERENCES https://phabricator.wikimedia.org/settings/panel/emailpreferences/ To: sbassett Cc

[Wikidata-bugs] [Maniphest] [Commented On] T204542: Security review for the Wikidata primary sources tool MediaWiki extension

2018-12-14 Thread sbassett
sbassett added a comment. Ok, thanks for the update, @Hjfocs. TASK DETAIL https://phabricator.wikimedia.org/T204542

[Wikidata-bugs] [Maniphest] [Triaged] T204542: Security review for the Wikidata primary sources tool MediaWiki extension

2018-12-14 Thread sbassett
sbassett triaged this task as "Low" priority. TASK DETAIL https://phabricator.wikimedia.org/T204542

[Wikidata-bugs] [Maniphest] [Edited] T204542: Security review for the Wikidata primary sources tool MediaWiki extension

2018-12-14 Thread sbassett
sbassett updated the task description. CHANGES TO TASK DESCRIPTION ... * Target date for deployment: N.A. (the related [[https://meta.wikimedia.org/wiki/Grants:IEG/StrepHit:_Wikidata_Statements_Validation_via_References/Renewal/Timeline | project grant]] is over anyway) this code

[Wikidata-bugs] [Maniphest] [Updated] T216692: Security review for WikibaseSchema

2019-02-21 Thread sbassett
sbassett edited projects, added Security-Team-Reviews; removed Security. TASK DETAIL https://phabricator.wikimedia.org/T216692

[Wikidata-bugs] [Maniphest] [Updated] T216692: Security review for WikibaseSchema

2019-04-24 Thread sbassett
sbassett edited projects, added Security-Team-Reviews; removed Security-Team-Review-Active. TASK DETAIL https://phabricator.wikimedia.org/T216692

[Wikidata-bugs] [Maniphest] [Changed Policy] T233213: XSS in Wikidata Query Service UI

2019-11-12 Thread sbassett
sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)". TASK DETAIL https://phabricator.wikimedia.org/T233213

[Wikidata-bugs] [Maniphest] [Updated] T237667: PHP Warning: preg_match(): Unknown modifier 'p' (from MwTimeIsoParser.php, API action=wbparsevalue) [8 story points]

2019-12-10 Thread sbassett
sbassett added a comment. In T237667#5728294 <https://phabricator.wikimedia.org/T237667#5728294>, @Ladsgroup wrote: > Sorry, When I made the patch to gerrit it made sense to open the ticket so the bots can add the patch to this ticket, when the patch is in gerrit, this can

[Wikidata-bugs] [Maniphest] [Commented On] T236500: large number of 504 errors from ulsfo

2019-10-28 Thread sbassett
sbassett added a comment. In T236500#5609046 <https://phabricator.wikimedia.org/T236500#5609046>, @Bugreporter wrote: > @jijiki The Custom Policy does not make sense since #Traffic <https://phabricator.wikimedia.org/tag/traffic/> is currently a public-joinable pro

[Wikidata-bugs] [Maniphest] [Triaged] T197777: potential issues with planned release of query logs (Wikidata Query Server)

2019-10-16 Thread sbassett
sbassett triaged this task as "Normal" priority. TASK DETAIL https://phabricator.wikimedia.org/T19

[Wikidata-bugs] [Maniphest] [Triaged] T150803: Information leak on wikidata-externalid-url

2019-10-16 Thread sbassett
sbassett triaged this task as "Normal" priority. sbassett removed a project: Cloud-Services. TASK DETAIL https://phabricator.wikimedia.org/T150803

[Wikidata-bugs] [Maniphest] [Updated] T130856: query.wikidata.org is making requests to http://themes.googleusercontent.com

2019-10-16 Thread sbassett
sbassett removed a project: Patch-For-Review. TASK DETAIL https://phabricator.wikimedia.org/T130856

[Wikidata-bugs] [Maniphest] [Updated] T124451: Don't make edits if a logged in user gets logged out

2019-10-16 Thread sbassett
sbassett removed a project: Patch-For-Review. TASK DETAIL https://phabricator.wikimedia.org/T124451

[Wikidata-bugs] [Maniphest] [Triaged] T202389: Add phan-taint-check-plugin to Wikibase extension

2019-10-15 Thread sbassett
sbassett triaged this task as "Normal" priority. TASK DETAIL https://phabricator.wikimedia.org/T202389

[Wikidata-bugs] [Maniphest] [Triaged] T202390: Add phan-taint-check-plugin to WikibaseLexeme extension

2019-10-15 Thread sbassett
sbassett triaged this task as "Normal" priority. TASK DETAIL https://phabricator.wikimedia.org/T202390

[Wikidata-bugs] [Maniphest] [Updated] T233213: XSS in Wikidata Query Service UI, DATATYPE_MATHML - CVE-2019-19329

2019-12-02 Thread sbassett
sbassett removed a project: Patch-For-Review. sbassett moved this task from Backlog / Other to Done on the Security board. TASK DETAIL https://phabricator.wikimedia.org/T233213 WORKBOARD https://phabricator.wikimedia.org/project/board/30/

[Wikidata-bugs] [Maniphest] [Changed Status] T208329: Gadget with SPARQL services and the Content Security Policy ?

2019-10-04 Thread sbassett
sbassett changed the task status from "Open" to "Stalled". sbassett triaged this task as "Normal" priority. sbassett moved this task from Backlog to Waiting on the Security-Team board. TASK DETAIL https://phabricator.wikimedia.org/T208329 WORKBOARD https://pha

[Wikidata-bugs] [Maniphest] [Commented On] T214378: Check simple format constraints (no grouping) in PHP instead of SPARQL

2019-10-04 Thread sbassett
sbassett added a comment. @RazShuty @Addshore @Lucas_Werkmeister_WMDE - Sorry for the (very) delayed response here. Due to a healthy amount of organizational shift, the #security-team <https://phabricator.wikimedia.org/tag/security-team/> is just now getting our Phab works boards in

[Wikidata-bugs] [Maniphest] [Changed Policy] T241536: Remove the use of chronology_id in wdqs-updater

2020-02-06 Thread sbassett
sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)". TASK DETAIL https://phabricator.wikimedia.org/T241536

[Wikidata-bugs] [Maniphest] [Commented On] T241536: Remove the use of chronology_id in wdqs-updater

2020-02-06 Thread sbassett
sbassett added a comment. I've made this task public now that T241410 should be completely resolved with all data flushed (and hopefully able to become public soon itself). TASK DETAIL https://phabricator.wikimedia.org/T241536

[Wikidata-bugs] [Maniphest] [Changed Subscribers] T240884: Standalone service to evaluate user-provided regular expressions

2020-01-16 Thread sbassett
sbassett added a subscriber: Daimona. sbassett added a comment. In T240884#5810094 <https://phabricator.wikimedia.org/T240884#5810094>, @Ladsgroup wrote: > One complicating factor here is that AbuseFilter and SpamBlacklist both don't have a clear maintainer. I think

[Wikidata-bugs] [Maniphest] [Updated] T237667: PHP Warning: preg_match(): Unknown modifier 'p' (from MwTimeIsoParser.php, API action=wbparsevalue) [8 story points]

2019-12-26 Thread sbassett
sbassett removed a project: Patch-For-Review. sbassett moved this task from External (Non-WMF) Issues to Done on the Security board. TASK DETAIL https://phabricator.wikimedia.org/T237667 WORKBOARD https://phabricator.wikimedia.org/project/board/30/

[Wikidata-bugs] [Maniphest] [Triaged] T249039: Security Readiness Review For Wikidata Bridge

2020-04-06 Thread sbassett
sbassett moved this task from Incoming to Back Orders on the secscrum board. sbassett triaged this task as "Low" priority. TASK DETAIL https://phabricator.wikimedia.org/T249039 WORKBOARD https://phabricator.wikimedia.org/project/board/4630/

[Wikidata-bugs] [Maniphest] [Commented On] T251834: PrivateSettings: PHP Notice: Undefined offset: 1

2020-05-04 Thread sbassett
sbassett added a comment. This was caused by this security patch to PS.php <https://phabricator.wikimedia.org/T250887#6102375>. Which was reverted and re-synced <https://sal.toolforge.org/log/0F-m4XEBj_Bg1xd3x-G7>. An updated version <https://phabricator.wikimedia.o

[Wikidata-bugs] [Maniphest] [Changed Status] T249039: Security Readiness Review For Wikidata Bridge

2020-05-11 Thread sbassett
sbassett changed the task status from "Open" to "Stalled". TASK DETAIL https://phabricator.wikimedia.org/T249039

[Wikidata-bugs] [Maniphest] [Commented On] T249039: Security Readiness Review For Wikidata Bridge

2020-05-11 Thread sbassett
sbassett added a comment. Hey @darthmon_wmde- In T249039#6125290 <https://phabricator.wikimedia.org/T249039#6125290>, @darthmon_wmde wrote: > We have not frozen the code yet, are finishing the last 2.5 stories. Excuse my ignorance but, do we need to be 100% finish

[Wikidata-bugs] [Maniphest] [Edited] T249039: Security Readiness Review For Wikidata Bridge

2020-05-14 Thread sbassett
sbassett updated the task description. TASK DETAIL https://phabricator.wikimedia.org/T249039

[Wikidata-bugs] [Maniphest] [Commented On] T249039: Security Readiness Review For Wikidata Bridge

2020-05-08 Thread sbassett
sbassett added a comment. @darthmon_wmde - we don't currently have this review assigned/scheduled, though I could probably have a look at it next week. Before we do that, I think we'd need: 1. Confirmed commit shas for the various code bases and files defined within sections one

[Wikidata-bugs] [Maniphest] [Claimed] T249039: Security Readiness Review For Wikidata Bridge

2020-05-08 Thread sbassett
sbassett claimed this task. sbassett moved this task from Back Orders to Waiting on the secscrum board. sbassett added a project: user-sbassett. TASK DETAIL https://phabricator.wikimedia.org/T249039 WORKBOARD https://phabricator.wikimedia.org/project/board/4630/

[Wikidata-bugs] [Maniphest] T249039: Security Readiness Review For Wikidata Bridge

2020-08-20 Thread sbassett
sbassett closed this task as "Resolved". sbassett moved this task from Waiting to Our Part Is Done on the secscrum board. sbassett added a comment. @darthmon_wmde - I assume there are no further questions about my above explanation? I'll plan to resolve this task for now. We can

[Wikidata-bugs] [Maniphest] T249039: Security Readiness Review For Wikidata Bridge

2020-07-21 Thread sbassett
sbassett added a comment. In T249039#6322813 <https://phabricator.wikimedia.org/T249039#6322813>, @Lucas_Werkmeister_WMDE wrote: > I looked at these earlier and thought they all looked like false positives Great, thanks for confirming and for your detailed analysis, wit

[Wikidata-bugs] [Maniphest] T249039: Security Readiness Review For Wikidata Bridge

2020-08-06 Thread sbassett
sbassett added a comment. In T249039#6362819 <https://phabricator.wikimedia.org/T249039#6362819>, @darthmon_wmde wrote: > heads up: I am accepting the risk and we programmed the deploy to production. Great, thanks. > We have already fixed <https://gerrit.wi

[Wikidata-bugs] [Maniphest] [Commented On] T249039: Security Readiness Review For Wikidata Bridge

2020-07-01 Thread sbassett
sbassett added a comment. So https://gerrit.wikimedia.org/g/mediawiki/extensions/Wikibase/+/master/client/resources/Resources.php no longer appears to exist, as it is ref'd in the task description. Does that live somewhere else or is it just gone now? TASK DETAIL https

[Wikidata-bugs] [Maniphest] [Commented On] T249039: Security Readiness Review For Wikidata Bridge

2020-07-02 Thread sbassett
sbassett added a comment. Update: I still hope to have this security review completed by EOBD tomorrow (10:00 PM UTC for me) but note that the review may have to be posted on Monday 2020-07-06 due to some delays. Apologies and thanks for your patience. TASK DETAIL https

[Wikidata-bugs] [Maniphest] [Commented On] T249039: Security Readiness Review For Wikidata Bridge

2020-07-08 Thread sbassett
sbassett added a comment. !!**Security Review Summary - T249039 <https://phabricator.wikimedia.org/T249039> - 2020-07-06**!! **Last commit reviewed:** 1. Wikibase: `cbfd8bbca3bf816ace5bafdfbd112ddaa44274da` For this review, I focused mainly upon the TypeScript app

[Wikidata-bugs] [Maniphest] [Commented On] T249039: Security Readiness Review For Wikidata Bridge

2020-07-03 Thread sbassett
sbassett added a comment. **Update:** Apologies, but this is going to have to wait until Monday 2020-07-06. TASK DETAIL https://phabricator.wikimedia.org/T249039

[Wikidata-bugs] [Maniphest] T249039: Security Readiness Review For Wikidata Bridge

2020-07-15 Thread sbassett
sbassett added a comment. In T249039#6307879 <https://phabricator.wikimedia.org/T249039#6307879>, @darthmon_wmde wrote: > sorry if this is a stupid question but could you please say clearly whether we need to lower the risk on any of the points? I am not sure whether what yo

[Wikidata-bugs] [Maniphest] [Updated] T230451: Class 'Wikibase\DataModel\Entity\ItemId' not found in various CI-related dockers

2020-06-25 Thread sbassett
sbassett added a comment. In T230451#6257384 <https://phabricator.wikimedia.org/T230451#6257384>, @Jdforrester-WMF wrote: > Not sure if these release branches of Wikibase are supported. That'd be something for the Wikidata team to determine. I suppose REL1_32 an

[Wikidata-bugs] [Maniphest] [Commented On] T249039: Security Readiness Review For Wikidata Bridge

2020-06-26 Thread sbassett
sbassett added a comment. @Lydia_Pintscher @darthmon_wmde - I hope to have the aforementioned due-diligence security review completed by the end of next week (Friday, July 3rd). TASK DETAIL https://phabricator.wikimedia.org/T249039

[Wikidata-bugs] [Maniphest] [Updated] T230451: Class 'Wikibase\DataModel\Entity\ItemId' not found in various CI-related dockers

2020-06-26 Thread sbassett
sbassett removed a project: Patch-For-Review. TASK DETAIL https://phabricator.wikimedia.org/T230451

[Wikidata-bugs] [Maniphest] [Commented On] T230451: Class 'Wikibase\DataModel\Entity\ItemId' not found in various CI-related dockers

2020-06-26 Thread sbassett
sbassett added a comment. Hmm, well now I'm getting a phpunit error with `quibble-composer-mysql-php72-noselenium-docker`: PHP Fatal error: Cannot use 'object' as class name as it is reserved in /workspace/src/vendor/phpunit/phpunit-mock-objects/src/Generator.php(264) : eval()'d

[Wikidata-bugs] [Maniphest] [Commented On] T249039: Security Readiness Review For Wikidata Bridge

2020-06-16 Thread sbassett
sbassett added a comment. In T249039#6224698 <https://phabricator.wikimedia.org/T249039#6224698>, @Lydia_Pintscher wrote: > If at all possible it'd be <3 to be ready for deployment at the beginning of July. We can at least have a minimal, due-diligence revi

[Wikidata-bugs] [Maniphest] [Commented On] T249039: Security Readiness Review For Wikidata Bridge

2020-06-08 Thread sbassett
sbassett added a comment. @darthmon_wmde - I can look at this next. Did you have an updated target date for deployment? TASK DETAIL https://phabricator.wikimedia.org/T249039

[Wikidata-bugs] [Maniphest] [Changed Status] T249039: Security Readiness Review For Wikidata Bridge

2020-06-08 Thread sbassett
sbassett changed the task status from "Stalled" to "Open". TASK DETAIL https://phabricator.wikimedia.org/T249039

[Wikidata-bugs] [Maniphest] [Raised Priority] T249039: Security Readiness Review For Wikidata Bridge

2020-06-08 Thread sbassett
sbassett raised the priority of this task from "Low" to "Medium". TASK DETAIL https://phabricator.wikimedia.org/T249039

[Wikidata-bugs] [Maniphest] T258323: Unable to set up move protection in ns:0 on Commons

2020-07-24 Thread sbassett
sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)". TASK DETAIL https://phabricator.wikimedia.org/T258323

[Wikidata-bugs] [Maniphest] T238052: Deleted pages in ns:0 cannot be protected on the Commons

2020-07-24 Thread sbassett
sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)". TASK DETAIL https://phabricator.wikimedia.org/T238052

[Wikidata-bugs] [Maniphest] T258323: Unable to set up move protection in ns:0 on Commons

2020-07-24 Thread sbassett
sbassett added a comment. In T258323#6334121 <https://phabricator.wikimedia.org/T258323#6334121>, @RhinosF1 wrote: > There was a restricted task merged into this. Should it be made public as well? (https://phabricator.wikimedia.org/T258323#6317139) Done. TASK DETAI

[Wikidata-bugs] [Maniphest] T258323: Unable to set up move protection in ns:0 on Commons

2020-07-24 Thread sbassett
sbassett removed a project: Patch-For-Review. sbassett moved this task from Watching to Our Part Is Done on the Security-Team board. TASK DETAIL https://phabricator.wikimedia.org/T258323 WORKBOARD https://phabricator.wikimedia.org/project/board/1179/

[Wikidata-bugs] [Maniphest] T249039: Security Readiness Review For Wikidata Bridge

2020-07-16 Thread sbassett
sbassett added a comment. In T249039#6313032 <https://phabricator.wikimedia.org/T249039#6313032>, @darthmon_wmde wrote: >> (...) our current risk management policy (on officewiki <https://office.wikimedia.org/wiki/Security/Policy/Risk_Management>, which sadly I don't

[Wikidata-bugs] [Maniphest] T249039: Security Readiness Review For Wikidata Bridge

2020-07-29 Thread sbassett
sbassett added a comment. Ping @darthmon_wmde et al - just wanted to check on where we're at here with mediations and/or risk acceptance per my previous comment. Thanks! TASK DETAIL https://phabricator.wikimedia.org/T249039

[Wikidata-bugs] [Maniphest] T260349: Wikibase does not purge cached Special:EntityData URLs when revisions or entities are deleted

2021-01-25 Thread sbassett
sbassett moved this task from Watching to Our Part Is Done on the Security-Team board. sbassett lowered the priority of this task from "High" to "Low". TASK DETAIL https://phabricator.wikimedia.org/T260349 WORKBOARD https://phabricator.wikimedia.org/project/board/1179

[Wikidata-bugs] [Maniphest] T272534: EntityDataSerializationService - Possible SQL Injection

2021-01-25 Thread sbassett
sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)". sbassett changed the edit policy from "Custom Policy" to "All Users". TASK DETAIL https://phabricator.wikimedia.org/T272534

[Wikidata-bugs] [Maniphest] T272130: Consider moving the Wikidata Query Builder repository from github to gerrit

2021-02-01 Thread sbassett
sbassett added a comment. @Ladsgroup @Michael TASK DETAIL https://phabricator.wikimedia.org/T272130

[Wikidata-bugs] [Maniphest] T272130: Consider moving the Wikidata Query Builder repository from github to gerrit

2021-02-04 Thread sbassett
sbassett added a comment. In T272130#6802796 <https://phabricator.wikimedia.org/T272130#6802796>, @Addshore wrote: > So, this will be deployed via a build in jenkins (ideally), so that it uses the same process and the query gui. > This is just about to be created by

[Wikidata-bugs] [Maniphest] T284137: Allow federated queries with the Lingua Libre SPARQL endpoint

2021-06-11 Thread sbassett
sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)". TASK DETAIL https://phabricator.wikimedia.org/T284137

[Wikidata-bugs] [Maniphest] T284137: Allow federated queries with the Lingua Libre SPARQL endpoint

2021-06-11 Thread sbassett
sbassett added a comment. In T284137#7151424 <https://phabricator.wikimedia.org/T284137#7151424>, @Seb35 wrote: > Indeed, this task can become public. @Aklapper: could you remove the protection of this task? Done. TASK DETAIL https://phabricator.wikimedia.org/T2841

[Wikidata-bugs] [Maniphest] T284137: Allow federated queries with the Lingua Libre SPARQL endpoint

2021-06-14 Thread sbassett
sbassett added a project: SecTeam-Processed. TASK DETAIL https://phabricator.wikimedia.org/T284137

[Wikidata-bugs] [Maniphest] T284137: Allow federated queries with the Lingua Libre SPARQL endpoint

2021-06-14 Thread sbassett
sbassett removed a project: Security-Team. TASK DETAIL https://phabricator.wikimedia.org/T284137

[Wikidata-bugs] [Maniphest] T264822: (MS 7) Security Readiness Review For Wikidata Query Builder

2021-06-29 Thread sbassett
sbassett added subscribers: Mstyles, Reedy. sbassett added a comment. !!**Security Review Summary - TT264822 - 2021-06-25**!! **Last commit reviewed: 2d65299a44** **Summary** Overall, the current Query Builder code looks fairly secure with certain issues outlined below. I would

[Wikidata-bugs] [Maniphest] T285761: Add proper security headers to Query Builder

2021-07-12 Thread sbassett
sbassett added a comment. In T285761#7198527 <https://phabricator.wikimedia.org/T285761#7198527>, @Michael wrote: > We discussed that these headers are likely not to be added in the Query Builder code itself, but in the Apache server configuration, which probably does not li

[Wikidata-bugs] [Maniphest] T264822: (MS 7) Security Readiness Review For Wikidata Query Builder

2021-06-30 Thread sbassett
sbassett added a comment. In T264822#7183569 <https://phabricator.wikimedia.org/T264822#7183569>, @Ladsgroup wrote: > Created T285761: Add proper security headers to Query Builder <https://phabricator.wikimedia.org/T285761> for headers. Sounds good. The defau

[Wikidata-bugs] [Maniphest] T272130: Consider moving the Wikidata Query Builder repository from github to gerrit

2021-01-29 Thread sbassett
sbassett added a comment. > Hello security team, it would be great if we can have a comment on this ticket on whether it's okay to have it on github or not. We are planning to deploy this to production as a static site. @Ladsgroup @Michael - we'll chat about this as a team at our cli

[Wikidata-bugs] [Maniphest] T272130: Consider moving the Wikidata Query Builder repository from github to gerrit

2021-02-01 Thread sbassett
sbassett added a project: SecTeam-Processed. TASK DETAIL https://phabricator.wikimedia.org/T272130

[Wikidata-bugs] [Maniphest] T260349: Wikibase does not purge cached Special:EntityData URLs when revisions or entities are deleted

2021-02-01 Thread sbassett
sbassett added a comment. Note: I committed the deletion of the two wmf.28 Wikibase patches under `/srv/patches` on the deployment server (`5578144525`) since wmf.28 was rolled back and as noted by gerritbot above, https://gerrit.wikimedia.org/r/658323 and https://gerrit.wikimedia.org/r

[Wikidata-bugs] [Maniphest] T257002: Special:Contributions fails to load contributions with relatively small limit for high-volume users

2021-03-08 Thread sbassett
sbassett merged a task: Restricted Task. sbassett added subscribers: Urbanecm, sbassett, WMDE-leszek, Addshore, Lydia_Pintscher. TASK DETAIL https://phabricator.wikimedia.org/T257002

[Wikidata-bugs] [Maniphest] T264822: (MS 7) Security Readiness Review For Wikidata Query Builder

2021-04-07 Thread sbassett
sbassett added a comment. @Lydia_Pintscher - We've tentatively scheduled this review for our 4th quarter, which began April 1st and will continue until June 30th, 2021. We should have this review completed by the end of this quarter at the latest. Please feel free to let us know if you

[Wikidata-bugs] [Maniphest] T264822: (MS 7) Security Readiness Review For Wikidata Query Builder

2021-04-14 Thread sbassett
sbassett claimed this task. sbassett added a project: user-sbassett. TASK DETAIL https://phabricator.wikimedia.org/T264822

[Wikidata-bugs] [Maniphest] T280229: Query Builder banner in the examples query dialog

2021-08-13 Thread sbassett
sbassett closed subtask T264822: (MS 7) Security Readiness Review For Wikidata Query Builder as Resolved. TASK DETAIL https://phabricator.wikimedia.org/T280229

[Wikidata-bugs] [Maniphest] T264822: (MS 7) Security Readiness Review For Wikidata Query Builder

2021-08-13 Thread sbassett
sbassett added a comment. In T264822#7270301 <https://phabricator.wikimedia.org/T264822#7270301>, @Michael wrote: > Just to record it, as checked just now, with the current HEAD of the master branch, `npm audit` finds **0** vulnerabilities. I arrived at the same resul

[Wikidata-bugs] [Maniphest] T280230: Query Builder top banner

2021-08-13 Thread sbassett
sbassett closed subtask T264822: (MS 7) Security Readiness Review For Wikidata Query Builder as Resolved. TASK DETAIL https://phabricator.wikimedia.org/T280230

[Wikidata-bugs] [Maniphest] T276210: Add ‘Query Builder’ Button + tooltip to Query Service Interface

2021-08-13 Thread sbassett
sbassett closed subtask T264822: (MS 7) Security Readiness Review For Wikidata Query Builder as Resolved. TASK DETAIL https://phabricator.wikimedia.org/T276210

[Wikidata-bugs] [Maniphest] T266703: Deploy query builder to microsites (on top of the wdqs-ui)

2021-08-13 Thread sbassett
sbassett closed subtask T264822: (MS 7) Security Readiness Review For Wikidata Query Builder as Resolved. TASK DETAIL https://phabricator.wikimedia.org/T266703

[Wikidata-bugs] [Maniphest] T264822: (MS 7) Security Readiness Review For Wikidata Query Builder

2021-08-13 Thread sbassett
sbassett closed this task as "Resolved". sbassett moved this task from Waiting to Our Part Is Done on the secscrum board. TASK DETAIL https://phabricator.wikimedia.org/T264822 WORKBOARD https://phabricator.wikimedia.org/project/board/4630/

[Wikidata-bugs] [Maniphest] T264822: (MS 7) Security Readiness Review For Wikidata Query Builder

2021-08-09 Thread sbassett
sbassett added a comment. In T264822#7269255 <https://phabricator.wikimedia.org/T264822#7269255>, @Ladsgroup wrote: > This is done. And given that we now migrated to vite/rollup, does that improve the security risk? If so, can this be reflated somewhere? :D That is the

[Wikidata-bugs] [Maniphest] T285761: Add proper security headers to Query Builder

2021-09-23 Thread sbassett
sbassett added a comment. @Ladsgroup et al - LGTM for now, +1. TASK DETAIL https://phabricator.wikimedia.org/T285761

[Wikidata-bugs] [Maniphest] T292110: Security Readiness Review For Improved Property Suggester/Recommender for Wikidata

2021-10-15 Thread sbassett
sbassett added a comment. In T292110#7412589 <https://phabricator.wikimedia.org/T292110#7412589>, @Addshore wrote: > Quick follow up in case the intent of this ticket was misunderstood. > This is a security review request for deploying the service to Wikimedia Production,

[Wikidata-bugs] [Maniphest] T292110: Security Readiness Review For Improved Property Suggester/Recommender for Wikidata

2021-10-08 Thread sbassett
sbassett added a comment. In T292110#7405421 <https://phabricator.wikimedia.org/T292110#7405421>, @WMDE-leszek wrote: > @sbassett Opening this request was meant as an indication of WMDE understanding the "fast track" deployment is not an option. Apologies for not

[Wikidata-bugs] [Maniphest] T285098: Production A/B test deployment - Improved Property Suggester/Recommender

2021-10-04 Thread sbassett
sbassett added a comment. Hey all- We've received the security review request (T292110 <https://phabricator.wikimedia.org/T292110>) for this and will plan to include it within our review planning session this week (whether it's accepted for the quarter as-is or not is a separate

[Wikidata-bugs] [Maniphest] T292110: Security Readiness Review For Improved Property Suggester/Recommender for Wikidata

2021-10-05 Thread sbassett
sbassett changed the task status from "Open" to "Stalled". sbassett triaged this task as "Low" priority. sbassett added a comment. Stalling this review for now pending further discussion at T285098 <https://phabricator.wikimedia.org/T285098>. We may st

[Wikidata-bugs] [Maniphest] T294693: XSS on page information Wikibase central description

2021-12-21 Thread sbassett
sbassett closed this task as "Resolved". TASK DETAIL https://phabricator.wikimedia.org/T294693

[Wikidata-bugs] [Maniphest] T297570: XSS in Wikibase using formatter URL

2021-12-21 Thread sbassett
sbassett closed this task as "Resolved". TASK DETAIL https://phabricator.wikimedia.org/T297570

[Wikidata-bugs] [Maniphest] T296578: Globally blocked IPs can edit EntitySchema items

2021-12-23 Thread sbassett
sbassett added a parent task: Restricted Task. TASK DETAIL https://phabricator.wikimedia.org/T296578

[Wikidata-bugs] [Maniphest] T294693: XSS on page information Wikibase central description

2021-12-23 Thread sbassett
sbassett added a parent task: Restricted Task. TASK DETAIL https://phabricator.wikimedia.org/T294693

[Wikidata-bugs] [Maniphest] T297570: XSS in Wikibase using formatter URL

2021-12-23 Thread sbassett
sbassett added a parent task: Restricted Task. TASK DETAIL https://phabricator.wikimedia.org/T297570

[Wikidata-bugs] [Maniphest] T292110: Security Readiness Review For Improved Property Suggester/Recommender for Wikidata

2021-11-16 Thread sbassett
sbassett changed the task status from "In Progress" to "Stalled". sbassett added a comment. Stalling until more security/linting automation has been officially set up in CI. We'll then plan to use the results of some of that tooling, in addition to some manua

[Wikidata-bugs] [Maniphest] T292110: Security Readiness Review For Improved Property Suggester/Recommender for Wikidata

2021-11-04 Thread sbassett
sbassett added a comment. Hey @WMDE-leszek - We're still working through some possibilities for engaging a vendor for this work. Hopefully I can have an answer in another week or so for you and your team. If the vendor path falls through, we'd likely need to schedule this review for early

[Wikidata-bugs] [Maniphest] T292110: Security Readiness Review For Improved Property Suggester/Recommender for Wikidata

2021-11-04 Thread sbassett
sbassett assigned this task to Reedy. sbassett moved this task from Q1: 2021 Planning Queue to In Progress on the secscrum board. TASK DETAIL https://phabricator.wikimedia.org/T292110 WORKBOARD https://phabricator.wikimedia.org/project/board/4630/

[Wikidata-bugs] [Maniphest] T292110: Security Readiness Review For Improved Property Suggester/Recommender for Wikidata

2021-11-04 Thread sbassett
sbassett raised the priority of this task from "Low" to "Medium". TASK DETAIL https://phabricator.wikimedia.org/T292110

[Wikidata-bugs] [Maniphest] T292110: Security Readiness Review For Improved Property Suggester/Recommender for Wikidata

2021-11-04 Thread sbassett
sbassett changed the task status from "Stalled" to "In Progress". TASK DETAIL https://phabricator.wikimedia.org/T292110

[Wikidata-bugs] [Maniphest] T292110: Security Readiness Review For Improved Property Suggester/Recommender for Wikidata

2021-11-08 Thread sbassett
sbassett added a comment. Hey @WMDE-leszek - we're going to have @reedy give this a first look for a security review. Hopefully they can have a report deliverable for you later this quarter or early next. At that point we can reassess any additional needs.

[Wikidata-bugs] [Maniphest] T292110: Security Readiness Review For Improved Property Suggester/Recommender for Wikidata

2021-12-16 Thread sbassett
sbassett added a comment. In T292110#7574265 <https://phabricator.wikimedia.org/T292110#7574265>, @Michaelcochez wrote: > @sbassett Is that something which should be checked now, during the security readiness review, or only later upon deployment? > > I have added

[Wikidata-bugs] [Maniphest] T292110: Security Readiness Review For Improved Property Suggester/Recommender for Wikidata

2021-12-14 Thread sbassett
sbassett added a comment. @Michaelcochez - Thanks for getting gosec set up within the project's GitHub CI. Just reviewing some recent runs <https://github.com/martaannaj/RecommenderServer/actions/workflows/gosec.yml>, it doesn't seem like it's found much, which is good, and we'd

[Wikidata-bugs] [Maniphest] T292110: Security Readiness Review For Improved Property Suggester/Recommender for Wikidata

2021-12-15 Thread sbassett
sbassett added a comment. In T292110#7571382 <https://phabricator.wikimedia.org/T292110#7571382>, @Michaelcochez wrote: > I have now added gokart. The github action was not working out of the box, because of some missing configuration parameters in the example. I opened a pul

[Wikidata-bugs] [Maniphest] T292110: Security Readiness Review For Improved Property Suggester/Recommender for Wikidata

2021-12-15 Thread sbassett
sbassett added a comment. In T292110#7573952 <https://phabricator.wikimedia.org/T292110#7573952>, @Michaelcochez wrote: > 1. should we solve this by also having this internal service use https ? > 2. and if so, where would I get a certificate/key for that? I

[Wikidata-bugs] [Maniphest] T285761: Add proper security headers to Query Builder

2021-07-21 Thread sbassett
sbassett added a comment. In T285761#7227281 <https://phabricator.wikimedia.org/T285761#7227281>, @Michael wrote: > Especially because the Query Builder will //work// without these headers, so we might not even notice it until the security team gives us the evil eye.

[Wikidata-bugs] [Maniphest] T292110: Security Readiness Review For Improved Property Suggester/Recommender for Wikidata

2022-01-12 Thread sbassett
sbassett added a comment. In T292110#7614949 <https://phabricator.wikimedia.org/T292110#7614949>, @Michaelcochez wrote: > @Reedy could you have a look at the current security policy https://github.com/martaannaj/RecommenderServer/security/policy and if this is fine cl

[Wikidata-bugs] [Maniphest] T292110: Security Readiness Review For Improved Property Suggester/Recommender for Wikidata

2022-01-11 Thread sbassett
sbassett closed this task as "Resolved". sbassett added a comment. We're going to resolve this for now as {icon check-circle color=green} **low risk** since none of the new security tooling added to the Github repo has returned any medium+ risk actionable issues. One caveat would
