Page MenuHomePhabricator
Create Task
Maniphest T153087

Security Review of Trending Edits Endpoint
Closed, ResolvedPublic
Actions

Description

Project Information

Description of the tool/project

https://phabricator.wikimedia.org/T140102

Description of how the tool will be used at WMF

The Trending Edits service will be used to provide a list of currently active articles to apps and web sites by analyzing the edit traffic using Kafka

Dependencies

List dependencies, or upstream projects that this project relies on
RESTBase
Kafka

Has this project been reviewed before?

No

Working test environment

https://en.wikipedia.org/api/rest_v1/#!/Feed/trendingEdits

Post-deployment

#reading-infrastructure-team

Related Objects
Search...

Event Timeline

Fjalapeno created this task.Dec 13 2016, 4:39 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptDec 13 2016, 4:39 PM
Fjalapeno added a parent task: T150039: Create a public REST endpoint for Trending Edits API.Dec 13 2016, 4:42 PM
mobrovac removed a parent task: T150039: Create a public REST endpoint for Trending Edits API.Dec 13 2016, 7:21 PM
mobrovac added a subtask: T150043: New Service Request for Trending Edits Service.
Bawolff subscribed.Dec 13 2016, 9:16 PM

Hi. To clarify, is this written yet? Can you fill out the task with the info requested at https://www.mediawiki.org/wiki/Wikimedia_Security_Team/Security_reviews#Requesting_a_review ?

Bawolff edited projects, added deprecated-security-team-reviews; removed acl*security.Dec 13 2016, 9:17 PM
bearND edited projects, added Trending-Service; removed Mobile-Content-Service.Dec 14 2016, 9:41 PM
mobrovac closed subtask T150043: New Service Request for Trending Edits Service as Resolved.Jan 27 2017, 9:40 PM
Jdlrobson added subscribers: mobrovac, Jdlrobson.Feb 1 2017, 9:41 PM

@mobrovac @Fjalapeno is this done or being done (given its in production.. I assume it's done?)?

mobrovac added a comment.Feb 1 2017, 10:24 PM

I haven't requested the review itself. Has any of you done so? If not, please request it.

Fjalapeno added a comment.Feb 2 2017, 6:57 PM

@mobrovac I have it

Fjalapeno added a project: Reading Epics (Trending Edits).Feb 3 2017, 4:31 PM
Fjalapeno updated the task description. (Show Details)

@Bawolff let me know if you need any other information, thanks!

dpatrick mentioned this in E486: Security Review of Trending Edits Endpoint.Feb 7 2017, 5:33 PM
dpatrick moved this task from Incoming to Scheduled on the deprecated-security-team-reviews board.
Bawolff closed this task as Resolved.Feb 12 2017, 1:09 PM
Bawolff claimed this task.
Bawolff moved this task from Scheduled to Waiting on the deprecated-security-team-reviews board.

This looks good. Review passed.

[Not a security issue]: I did find it a little confusing that the totalEdits and editors is not actually the total over all time, but just for some unclear duration of recent time. Perhaps that should be documented.

If that were to be Editors over all time, I would perhaps be worried about maybe leaking if revdel'd edits were by the same author. This would be a very minor leak as far as leaks go, but nonetheless if there's any future plan to make the Editors list extend over all time, please keep that in mind.

At the moment, this doesn't include who the recent editors are (which seems good). If in the future you ever decide to expose that information, please keep revision deletion in mind to avoid exposing revdeleted users.

sbassett moved this task from Waiting to Done on the deprecated-security-team-reviews board.Jul 9 2019, 8:22 PM
chasemp removed a project: deprecated-security-team-reviews.Jan 8 2020, 4:12 PM
chasemp added a project: Application Security Reviews.Jan 8 2020, 4:39 PM
chasemp moved this task from Incoming to Our Part Is Done on the Application Security Reviews board.Jan 8 2020, 4:43 PM
chasemp added a project: secscrum.Mar 10 2020, 8:11 PM
chasemp moved this task from Incoming to Our Part Is Done on the secscrum board.Mar 10 2020, 8:19 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits