A security review was performed. We need to go through the list of items and state for each whether it will be fixed, won't be fixed, or is simply acknowledged. See the guidelines for the response:
When done editing this description, copy the resulting response and paste it in the parent task for the Security-Team to see.
Security review
Checklist
Vulnerable packages and outdated packages
- clean-css, ReDoS (risk: low)
Will track the upstream issue that fixes it: https://github.com/less/less-plugin-clean-css/issues/29
- jquery 1.9.1 (CVE-2015-9251, CVE-2019-11358) (mobileapps, pagelib) (risk: low)
WONTFIX: third-party dev dependency that is never deployed with production code; it is only used by domino's tests, see: https://github.com/fgnass/domino/blob/e19e8bf1570faa761d3145611a23d77dc21247b2/test/domino.js
- jquery 2.2.0 (CVE-2015-9251, CVE-2019-11358) (mobileapps, pagelib) (risk: low)
WONTFIX: third-party dev dependency that is never deployed with production code; it is only used by domino's tests, see: https://github.com/fgnass/domino/blob/e19e8bf1570faa761d3145611a23d77dc21247b2/test/domino.js
- jquery 1.7.1 (CVE-2012-6708, CVE-2015-9251, CVE-2019-11358) (risk: low)
WONTFIX: service-runner has various outdated dependencies, and fixing them does not seem to be on its roadmap any time soon
- ms, ReDoS (risk: low)
WONTFIX: service-runner has various outdated dependencies, and fixing them does not seem to be on its roadmap any time soon
- angularjs 1.4.14 (risk: medium)
WONTFIX: rarely used dev dependency with no fix available; the upstream package is archived and does not appear to intend to fix it, see https://github.com/BrowserSync/UI/issues/58
- Outdated Packages
ACK
Security Headers
- 1. config.dev.yaml [...] (risk: low)
https://gerrit.wikimedia.org/r/c/mediawiki/services/mobileapps/+/553480
- 2. app.js - app.conf.csp [...] (risk: low)
https://gerrit.wikimedia.org/r/c/mediawiki/services/mobileapps/+/553480
- 3. app.js - app.conf.mobile_html_csp [...] (risk: low)
https://gerrit.wikimedia.org/r/c/mediawiki/services/mobileapps/+/553480
- 4. The CSPs for the mobileapps [...]
Yes. This is the intended behavior.
- 5. No Public-Key-Pins or Strict-Transport-Security security headers [...] (risk: low)
ACK. See T227114#5503143
- 6. The default Access-Control-Allow-Origin header [...] (risk: medium)
Yes. This is the intended behavior. I would highlight from T227114#5503143 that "all traffic to and from this service in production is entirely internal to the cluster".
TLS/SSL
- 1. The dev/local environment [...] (risk: medium)
ACK. See T227114#5503143
General Security Issues
- 1. Having code like this on a random test page [...] (risk: low)
Follow-up in T239615: mobile-html: filter potentially harmful style tags
- 2. Just a general note on various JavaScript sinks [...] (risk: low)
Follow-up in T239619: mobile-html: validate innerHTML and appendChild() for potentially dangerous code
Code Cleanliness Issues
- 1. routes/page/mobile-html.js [...] (risk: low)
DONE in https://gerrit.wikimedia.org/r/c/mediawiki/services/mobileapps/+/554150
Other Oddities
- 1. Within my local testing build [...] (risk: none)
ACK