
Security review of wikiba.se
Closed, Resolved (Public)

Description

We are planning to move this to WMF infra and as @faidon pointed out, a security review would be needed. Since it's a static website, it'll be a piece of cake (I guess)

Event Timeline

Is the site in a git repo somewhere?

https://github.com/wikimedia/wikiba.se/blob/master/composer.json#L6 - Why are you including dflydev/embedded-composer yourself? https://packagist.org/packages/sculpin/sculpin adds the same version. I was trying to work out what it was used for; and the answer seems to be nothing directly

What's the deployment strategy going to be? Commit the generated files (from vendor/bin/sculpin generate --env=prod) into another repo (wikiba.se-deploy or similar?)... As we're presumably not going to be running composer and then sculpin on the misc servers and then serving those files?

Package operations: 79 installs, 0 updates, 0 removals

Yeah... That's definitely not being run in prod. lol

Reedy claimed this task.

There's nothing really scary here other than the dependency tree of vendor/composer libs. But that's not a production issue.

The 3rd party loading of fonts was fixed recently, so that's good.

TBH, I don't think this really needed a security review; the resultant files are mostly static html, with a bit of (standard 3rd party) js

reedy@ubuntu64-web-esxi:~/wikiba.se/output_prod$ tree
.
├── applications
│   └── index.html
├── components
│   ├── bootstrap
│   │   ├── bootstrap-built.css
│   │   ├── bootstrap-built.js
│   │   └── dist
│   │       ├── css
│   │       │   ├── bootstrap.css
│   │       │   ├── bootstrap.min.css
│   │       │   ├── bootstrap-theme.css
│   │       │   └── bootstrap-theme.min.css
│   │       ├── fonts
│   │       │   ├── glyphicons-halflings-regular.eot
│   │       │   ├── glyphicons-halflings-regular.svg
│   │       │   ├── glyphicons-halflings-regular.ttf
│   │       │   ├── glyphicons-halflings-regular.woff
│   │       │   └── glyphicons-halflings-regular.woff2
│   │       └── js
│   │           ├── bootstrap.js
│   │           └── bootstrap.min.js
│   ├── font-awesome
│   │   ├── css
│   │   │   ├── font-awesome.css
│   │   │   ├── font-awesome.css.map
│   │   │   └── font-awesome.min.css
│   │   ├── font-awesome-built.css
│   │   └── fonts
│   │       ├── FontAwesome.otf
│   │       ├── fontawesome-webfont.eot
│   │       ├── fontawesome-webfont.svg
│   │       ├── fontawesome-webfont.ttf
│   │       ├── fontawesome-webfont.woff
│   │       └── fontawesome-webfont.woff2
│   ├── index.html
│   ├── jquery
│   │   ├── jquery-built.js
│   │   ├── jquery.js
│   │   ├── jquery-migrate.js
│   │   ├── jquery-migrate.min.js
│   │   ├── jquery.min.js
│   │   └── jquery.min.map
│   ├── require-built.js
│   ├── require.config.js
│   ├── require.css
│   └── require.js
├── css
│   └── style.css
├── images
│   ├── droidwiki.png
│   ├── eagle-project.png
│   ├── favicon.ico
│   ├── logo.png
│   └── wikidata.png
├── index.html
├── ontology-1.0.owl
├── projects
│   └── index.html
└── resources
    └── index.html