
Remove `sync` scripts from mediawiki docker image used for wbstack/wikibase.cloud
Closed, Resolved | Public | Security

Description

Currently, the scripts used for updating the MediaWiki code end up also being built into the Docker image.

See: https://github.com/wbstack/mediawiki/tree/main/wbstack/sync

At the least, this probably exposes a DDoS, but perhaps also a more critical one, since these scripts are able to modify files on disc.

Details

Risk Rating: Low
Author Affiliation: Wikimedia Deutschland

Event Timeline

This doesn't directly contribute to our sprint goal, but should be picked up if there is nothing else to be done.

This adds a .dockerignore file which excludes wbstack/sync from the build process.

sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".
sbassett changed the edit policy from "Custom Policy" to "All Users".
sbassett changed Risk Rating from N/A to Low.
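
A regression check for the fix described in this task, as an added example that is not part of the task or of the wbstack repository: it exports an image's flattened filesystem and fails if anything at or below `wbstack/sync` is still present. The function names and the use of `docker create` / `docker export` are assumptions of this example; the image name is supplied by the caller.

```shell
#!/bin/sh
# Added example (not project code): fail a build if the update scripts
# named in the task (wbstack/sync) are present in the image filesystem.
FORBIDDEN='wbstack/sync'   # path from the task; treated as a regex literal

# list_forbidden TAR [PATH]
# Print tar entries at or below PATH, at any depth in the archive.
# Anchored on path separators, so "wbstack/synced" does not match.
list_forbidden() {
    tar -tf "$1" | sed 's|^\./||' | grep -E "(^|/)${2:-$FORBIDDEN}(/|\$)"
}

# check_tar TAR
# Return 0 when the archive is clean, 1 when the forbidden path is present.
check_tar() {
    if hits=$(list_forbidden "$1"); then
        printf 'FAIL: %s present in image:\n%s\n' "$FORBIDDEN" "$hits" >&2
        return 1
    fi
    return 0
}

# check_image IMAGE
# Export the image's filesystem via a stopped container and check it.
# Needs a Docker CLI. Returns 0 clean, 1 forbidden path found, 2 on error.
check_image() {
    tmp=$(mktemp) || return 2
    cid=$(docker create "$1") || { rm -f "$tmp"; return 2; }
    if docker export "$cid" > "$tmp"; then
        rc=0
        check_tar "$tmp" || rc=1
    else
        rc=2
    fi
    docker rm "$cid" >/dev/null
    rm -f "$tmp"
    return "$rc"
}
```

Calling `check_image` with the built image's name after the build step turns the `.dockerignore` fix into a check that fails if the directory is ever copied into the image again.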