
Security Readiness Review for one skin and five plugins to be used in Tech Blog based on Wordpress
Closed, ResolvedPublicSecurity

Description

Event Timeline

Reedy triaged this task as Medium priority. Jan 22 2020, 5:13 PM
chasemp assigned this task to Reedy. Jan 22 2020, 5:14 PM
chasemp removed a project: Security-Team.
chasemp moved this task from Incoming to In Progress on the Security Readiness Reviews board.
chasemp added a subscriber: chasemp.

Security Readiness Reviews have their own workflow, so we aren't double tagging with Security-Team for now.

Jcross added a subscriber: Jcross. Jan 22 2020, 5:19 PM

This task has been resourced, but reviewing by the planned deployment date (month) cannot be guaranteed as we are out for All Hands next week, leaving less than 30 days. We will do our best to meet the requested timeline and will be in contact as work progresses.

Reedy updated the task description. (Show Details) Jan 25 2020, 3:03 PM

Does this task itself need to be private?

> Does this task itself need to be private?

I myself do not think so, but others I talked to were not sure, hence my action. If Sec Team sees no issues it would be great to make this task public.

sbassett reassigned this task from Reedy to chasemp. Feb 3 2020, 4:50 PM
sbassett added subscribers: Reedy, sbassett.

Assigning to @chasemp for a quick review of our intake process to make sure our various Phab forms are set up correctly :)

@Aklapper @Legoktm - I think the Security-Team is fine with Security Readiness Reviews and Security Preview requests being public with the discretion to protect if certain vulnerabilities are found during a review within production/live code and possibly even within certain public gerrit/github/etc repos.

chasemp added a comment. Edited Feb 3 2020, 6:28 PM

The form at https://phabricator.wikimedia.org/maniphest/task/edit/form/79/ sets things to be viewable by all users and has an indicator at the top so that folks filing requests know that upfront. In concert with @sbassett's notes above, I think things are cool. I believe this task itself was filed as a security issue task type, which security readiness reviews are not.

(small edit: concept reviews are private when filing due to the nature of the requests.)

chasemp reassigned this task from chasemp to sbassett. Feb 3 2020, 6:28 PM
chasemp removed a project: acl*security.
chasemp changed the visibility from "Custom Policy" to "All Users".
chasemp changed the edit policy from "Custom Policy" to "All Users".
Aklapper changed the visibility from "All Users" to "Public (No Login Required)". Feb 3 2020, 6:38 PM
sbassett reassigned this task from sbassett to Reedy. Feb 3 2020, 6:44 PM
Reedy closed this task as Resolved. Feb 10 2020, 6:43 PM

This seems fine to go ahead. I've documented this on officewiki (along with other WordPress-based sites) to keep track of what's going on across them. Looking into WordPress things is hard, as looking into CVE lists for WordPress finds a lot of results...

https://wordpress.org/plugins/gutenberg/ (@srodlund is not sure if this is available for our installation -- it has to do with the WP Editor redesign)

When we know about this, updating the document on officewiki would be appreciated :)

chasemp moved this task from Incoming to Our Part Is Done on the secscrum board. Mar 10 2020, 8:19 PM
bd808 added a subscriber: bd808. Edited Fri, Mar 13, 3:16 PM

> This seems fine to go ahead. I've documented this on officewiki (along with other WordPress-based sites) to keep track of what's going on across them. Looking into WordPress things is hard, as looking into CVE lists for WordPress finds a lot of results...
>
> https://wordpress.org/plugins/gutenberg/ (@srodlund is not sure if this is available for our installation -- it has to do with the WP Editor redesign)
>
> When we know about this, updating the document on officewiki would be appreciated :)

Gutenberg is available as part of the default https://github.com/automattic/vip-go-mu-plugins bundle on wpvip. We enabled it with this config change -- https://github.com/wpcomvip/wikimedia-techblog/commit/d3e509a77ad045749e10853b7e87e3e3cfc04a61. I will update the table at [[officewiki:WordPress]] to reflect this.