
Security review of Cards extension and fix any bugs that come out of it
Closed, Resolved · Public · 2 Story Points

Description

This is a simple extension, so I imagine it will not have many issues, but we should aim to get sign-off from @csteipp as soon as we possibly can so we are able to deploy it.

I talked to @csteipp Thursday about security reviewing cards.
I explained we want to make it a submodule that simply renders cards.

He said that he could help if we can do the following:

  • sketch out a diagram of how all the pieces fit together
  • explain where data comes from and where/how it is rendered, and which of these you see as the biggest attack vector.
  • setup an hour to talk through the extension with him to get his blessing to deploy.

Event Timeline

Jdlrobson raised the priority of this task from to Needs Triage.
Jdlrobson updated the task description.
Jdlrobson added a subscriber: Jdlrobson.
Restricted Application added a subscriber: Aklapper. Oct 26 2015, 10:21 PM
Jdlrobson renamed this task from "Organise security review of Cards extension" to "Security review of Cards extension and fix any bugs that come out of it". Oct 26 2015, 10:33 PM
Jdlrobson set Security to None.
Jdlrobson edited a custom field.
Jdlrobson triaged this task as Normal priority. Oct 26 2015, 11:50 PM
Jdlrobson updated the task description.
Jdlrobson added a subscriber: csteipp.

Hi @Jdlrobson, since this didn't get on our schedule before the quarter started, we'll try to work it in as soon as we have time. But we have a bunch of reviews that have been scheduled since the start of the quarter, and those will take priority. I'll update this once we're able to schedule it.

@csteipp understood. Sorry I dropped the ball on this one, although the extension was only conceived during the last few weeks.

Fellow devs: I'll push this back to in analysis since it seems we can't commit to this right now. We should continue working on the extension in the meantime and ensure we have a clean path to adding the dependency to it when the time comes.

@Jdlrobson I spoke with @csteipp, and he said he would be okay if either of the following two people ran the security review instead. @Krinkle or @tstarling, would either of you be interested in and able to help us out? I am not sure if we will hit our quarterly goals without this review.

Jdlrobson updated the task description. Nov 6 2015, 11:00 PM
KLans_WMF edited a custom field. Nov 9 2015, 5:29 PM

I talked with @Jdlrobson on Friday about this; he said he would schedule someone for a 1 hour review with me this week. Can someone set that up with the appropriate person?

phuedx raised the priority of this task from Normal to Unbreak Now!. Nov 9 2015, 6:00 PM
phuedx added a subscriber: phuedx. Nov 10 2015, 4:16 PM

I've sent an invite to Chris for the 1 hour review meeting – I've actually sent a couple because my Google Calendar-fu is weak today. I'll add my prepared notes for the meeting to this card for posterity.

phuedx claimed this task. Nov 10 2015, 4:16 PM
phuedx moved this task from To Do to Doing on the Reading Web Sprint 60 - Boom Headshot! board.
phuedx lowered the priority of this task from Unbreak Now! to High. Nov 13 2015, 9:53 AM

I've emailed @csteipp to schedule a full review of MediaWiki-extensions-Cards.

Ping @csteipp. Can we/how do we get this card into the Scheduled column of the Security-Team-Reviews board?

Jdlrobson added a comment (edited). Dec 1 2015, 10:28 PM

@phuedx did you have a meeting? Can I see your notes?

csteipp closed this task as Resolved. Dec 3 2015, 5:12 PM

After the thumbnail update, things look good. Thanks!

phuedx added a comment. Dec 3 2015, 5:39 PM

Thanks for both your patience and attention @csteipp.

Yedeng reopened this task as Open. Mar 16 2016, 6:01 AM
Yedeng closed this task as Resolved.
Yedeng reopened this task as Open.
Yedeng changed the point value for this task from 2 to 0.
Yedeng closed this task as Resolved. Mar 16 2016, 6:04 AM
Yedeng changed the point value for this task from 0 to 2.