Page MenuHomePhabricator
Create Task
Maniphest T257100

Set up automated/regular end-to-end testing of potential and past security issues
Open, Needs TriagePublicSecurity
Actions

Description

Suggested to me by @Bawolff, though I've expanded the scope.

We should have a script/bot that regularly tries to exploit potential security issues (e.g. anything related to media files, shelling out, etc.) and probably past ones for regression testing. I'd imagine this script lives in toolforge/wmcloud somewhere, runs regularly, firing off emails if something fails. Ideally it would not actually edit the wiki, instead using preview or other methods to avoid making public write actions.

E.g. for T257062 we could try to action=parse a malicious <score> block and see if it errors out. I'm sure there's a bunch of other things we could find going through past security issues or looking at places we've added preventative hardening measures.

Related Objects

Event Timeline

Legoktm created this task.Jul 4 2020, 8:13 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJul 4 2020, 8:13 AM
sbassett removed a project: Security-Team.Jul 6 2020, 3:31 PM
sbassett subscribed.
Aklapper added a project: Technical-Tool-Request.Jul 25 2020, 4:55 PM

This task is not on any team's workboard and is access restricted (author, subscribers, and members of acl*security), so the chances that someone will find this task and work on this are low. Does this need to be access restricted?

Legoktm added a comment.Jul 28 2021, 12:23 AM

Another case: T287542: API action=parse&prop=headhtml leaking user tokens and other private info in cross-origin requests (again)

In T257100#6335437, @Aklapper wrote:

This task is not on any team's workboard and is access restricted (author, subscribers, and members of acl*security), so the chances that someone will find this task and work on this are low. Does this need to be access restricted?

Not anymore, it's no longer a secret that Score has security issues.

Legoktm changed the visibility from "Custom Policy" to "Public (No Login Required)".Jul 28 2021, 12:23 AM
Legoktm changed the edit policy from "Custom Policy" to "All Users".
Legoktm added a comment.Aug 16 2022, 7:27 PM

Another: {T315366}.

Zabe subscribed.Aug 16 2022, 7:28 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL