Page MenuHomePhabricator

Security Readiness Review For Wikipedia Preview
Open, LowPublic

Description

Project Information

Description of the tool/project:

It's a javascript library that 3rd parties will use to display Wikipedia articles previews on their own platforms.

Description of how the tool will be used at WMF:

Won't be used at WMF directly but it uses this API: https://<lang>.wikipedia.org/api/rest_v1/page/summary/<article title>

Dependencies

List dependencies, or upstream projects that this project relies on.

Build time: webpack, babel, mocha, etc (see package.json)

Has this project been reviewed before?

Yes: https://phabricator.wikimedia.org/T240010
We are finishing addressing some findings from the previous review. These will be addressed before the end of September before this gets reviewed again.

Please link to tasks or wiki pages of previous reviews.

https://phabricator.wikimedia.org/T240010

Working test environment

Please link or describe setup process for setting up a test environment.

A live demo is available at: https://wikimedia.github.io/wikipedia-preview/demo/
To set it up locally:
git clone git@github.com:wikimedia/wikipedia-preview.git
cd wikipedia-preview
npm install
npm run dev (the local url will be printed in the console)

Post-deployment

Name of team responsible for tool/project after deployment and primary contact.

The Inuka Team and @SBisson

Event Timeline

Restricted Application added a subscriber: Aklapper. · View Herald Transcript
sbassett triaged this task as Medium priority.Aug 20 2020, 4:10 PM
sbassett moved this task from Incoming to Back Orders on the secscrum board.
sbassett changed the task status from Open to Stalled.Aug 27 2020, 7:52 PM
sbassett lowered the priority of this task from Medium to Low.
sbassett added a subscriber: sbassett.

Stalling as a back order until we have some updates regarding:

We are finishing addressing some findings from the previous review. These will be addressed before the end of September before this gets reviewed again.

Also, as this won't be used within wikimedia production (according to the task description), this review may be de-prioritized in relation to code intended to be deployed to wikimedia production.

SBisson changed the task status from Stalled to Open.Dec 16 2020, 4:30 PM

We've addressed the remaining issues (API response sanitization, npm audit) from the previous security assessment.

This is ready for the security team to be prioritized as they see fit. It is not urgent but it would be great to get the results during Q3.

Hey @SBisson - Thanks for the update. Do you have a more specific "release date" for this code? I guess technically it's already "released" on github for anyone to use, but we'd like to get a better sense of how critical this review is to any projects milestones or OKRs, as the Security-Team is adopting a new security review prioritization mechanism (details forthcoming) this quarter (and likely beyond) where we complete a specific number of scheduled reviews based upon certain criteria.

Hey @sbassett, we don't have a specific "release date" for the reasons you mentioned. "Now" seems a good time for a review because we've addressed the previous points, the code has changed significantly and we don't plan any new big changes for the time being.

But it's also not urgent and not linked to any deadline on our end. I think we've established that this component is low-risk by nature. We want to keep you in the loop but we'd prefer not requesting a review for every version. We're open to suggestions about how we should proceed going forward.

@SBisson - Thanks for the update. We're pretty much booked this quarter for reviews (with our new SOP, we're trying to be realistic given current resources and limit the total volume of security reviews to 6 per quarter) so perhaps this could be scheduled for next quarter (cc @Jcross).

@SBisson @sbassett I'll place in planning queue for Q4 (https://phabricator.wikimedia.org/tag/secscrum/) and we'll be in touch if anything changes / is of concern. Thanks!