Aphlict security review
Closed, ResolvedPublic
Actions

Assigned To

Authored By

	• csteipp
	Nov 14 2014, 11:53 PM

Revisions and Commits

Unknown Object (Diffusion Commit)

Related Objects
Search...

Status	Assigned	Task
Resolved	• chasemp	T1047 Phabricator lacks a "notification" feed similar other project management software: Enable "Flame"
Resolved	• mmodell	T75791 Following Notification from "bell" menu does not clear notification
Resolved	• mmodell	T103444 Desktop notifications
Resolved	• mmodell	T97650 Conpherence wont refresh chat messages automatically, needs manual reload
Resolved	• mmodell	T765 Enable notification server (real-time pop-up notifications) in Phabricator
Resolved	BBlack	T112765 Phabricator needs to expose notification daemon (websocket)
Resolved	• csteipp	T1286 Aphlict security review

Event Timeline

• csteipp created this task.Nov 14 2014, 11:53 PM

• csteipp claimed this task.

• csteipp raised the priority of this task from to Medium.

• csteipp updated the task description. (Show Details)

• csteipp added a project: MediaWiki-Core-Team.

• csteipp changed Security from none to None.

• csteipp subscribed.

Qgil added a project: Phabricator.Nov 15 2014, 12:28 AM

Qgil moved this task from To Triage to Ready to Go on the Phabricator board.Nov 27 2014, 11:55 AM

Qgil mentioned this in T765: Enable notification server (real-time pop-up notifications) in Phabricator.Dec 8 2014, 9:54 AM

Jdforrester-WMF subscribed.Dec 8 2014, 4:14 PM

• RobLa-WMF added a project: deprecated-security-team-reviews.Dec 13 2014, 11:29 PM

Krenair subscribed.Dec 14 2014, 12:08 AM

jeremyb-phone subscribed.Dec 25 2014, 4:08 AM

There is ongoing work to get rid of Flash and use WebSockets. Should we resolve this task as Stalled in the meantime?

See https://secure.phabricator.com/T6559

In T1286#957936, @Qgil wrote:

There is ongoing work to get rid of Flash and use WebSockets. Should we resolve this task as Stalled in the meantime?

See https://secure.phabricator.com/T6559

I think so.

https://secure.phabricator.com/T6559 has been resolved as Fixed. In principle, Aphlict has no dependency on Flash anymore.

Being Aphlict and dependencies fully open source now, does it still require a security review?

In T1286#964251, @Qgil wrote:

https://secure.phabricator.com/T6559 has been resolved as Fixed. In principle, Aphlict has no dependency on Flash anymore.

Being Aphlict and dependencies fully open source now, does it still require a security review?

I would still like to take a look at it. I'll start back in on it after CX.

In T1286#964692, @csteipp wrote:

I would still like to take a look at it. I'll start back in on it after CX.

@csteipp: What is CX, and more important: When is that? :)

In T1286#1043325, @Aklapper wrote:

In T1286#964692, @csteipp wrote:

I would still like to take a look at it. I'll start back in on it after CX.

@csteipp: What is CX, and more important: When is that? :)

Sorry, that was ContentTranslation, which is done. I'm working on a couple things, should get back to this next week.

epriestley closed this task as Resolved by committing Unknown Object (Diffusion Commit).Mar 4 2015, 8:24 AM

epriestley added a commit: Unknown Object (Diffusion Commit).

Accidental clash. Known issue. Reverting status.

bd808 edited projects, added Security-Team; removed MediaWiki-Core-Team.Apr 8 2015, 9:46 PM

• csteipp moved this task from Incoming to Ready on the Security-Team board.May 4 2015, 10:28 PM

@csteipp: the only challenge with the new incarnation of notifications, is that we need to proxy the websocket connection through our varnish and nginx reverse proxies (phab has two layers of proxies in front of it for horribly bad reasons I don't wanna talk about)

but the aplict server it's self is a fairly straightforward nodejs-based websocket thing.
https://secure.phabricator.com/book/phabricator/article/notifications/

Negative24 subscribed.Jun 12 2015, 9:03 PM

Restricted Application added a subscriber: scfc. · View Herald TranscriptJun 12 2015, 9:03 PM

Is this still being blocked by upstream?

Upsteam did a nice refactor of everything, so no longer blocked on their use of flash. I found one potentially blocking bug in the new service, I need to get that verified and reported to them, then we should be ok to deploy. Sorry for the delay.

@Negative24: besides security review this is also blocked by ops: need to tunnel the websocket through two layers of reverse-proxy servers.

• mmodell removed a subtask: T100519: Phabricator needs to expose ssh.Jun 15 2015, 9:22 PM

In T1286#1367000, @csteipp wrote:

I found one potentially blocking bug in the new service, I need to get that verified and reported to them

@csteipp: Has that step happened? If yes: upstream task ID welcome.

• csteipp moved this task from Incoming to Scheduled on the deprecated-security-team-reviews board.Aug 24 2015, 7:00 PM

• mmodell added a parent task: T112765: Phabricator needs to expose notification daemon (websocket).Oct 6 2015, 9:18 AM

Any vague timeframe for when this is scheduled?

As I said on email, it was scheduled for last week, then stuff happened.
Should be next week.

Ok, things look mostly ok as long as we take a couple of precautions running this in production:

Don't configure a logging file-- too much opportunity for DoS (arbitrary length messages from users are written into the log), and there might be some privacy impact since it logs remote ip + user ids.
Make sure the admin host remains 127.0.0.1 (default setting). Anyone with access to that port can be a very painful nuisance to other users.