Application Security Review Request : VueTest extension (proposed for beta cluster deployment only)
Closed, ResolvedPublic

Description

Project Information

Description of the tool/project: Extension that displays a demo of all Codex components. Only used for testing, and only proposed for deployment to the beta cluster, not to production wikis.

Description of how the tool will be used at WMF: Developers, designers, QTE people and others who need to test, do QA on, or demonstrate how Codex components look and work in a MediaWiki environment.

Dependencies
Codex (which has gone through a security review: T302772)

Has this project been reviewed before?
No

Working test environment
https://patchdemo.wmflabs.org/wikis/6dfc3f6619/wiki/Special:VueTest/codex

Post-deployment
Design-System-Team , @Catrope

Details

Risk Rating
Low

Event Timeline

Hey @Catrope - did you have a more specific date in mind for beta deployment? Also, a manager/director (@SCherukuwada?) could likely just own the beta deployment as a medium risk for the time being.

@sbassett We have no specific date in mind. We're pursuing this because it will make it easier for us to do testing and QA, but there's no pressing specific need for it in the near future. (There was one, but that was 1-2 weeks ago and has now passed. We undertook this effort in response.) If a pressing need arises, I'll update this task.

In the meantime, I'll talk to @SCherukuwada about the possibility of him owning it as medium risk.

Just had a conversation with @Catrope . I'm comfortable owning the risk and understand what that entails.

Thanks, @sbassett .

@SCherukuwada -

I've added this exception to our risk register. Is this ever being planned for a production deployment? I think we should still perform a security review of the code, regardless, I'm just less clear after reading this language within the description: "Only used for testing, and only proposed for deployment to the beta cluster, not to production wikis."

Apologies for the late response.

No, this is not currently planned to ever be deployed to production. We did originally propose to deploy this to test.wikipedia.org (which is hosted on production infrastructure), but ran into resistance, see T315621#8563766, so we dropped that idea. It's possible that we could decide to bring back the idea of deploying to testwiki at some point in the future, but right now we're not planning to, and I can confidently say we're not planning to ever deploy this to a "real" (non-test) production wiki.

Ok, thanks for the update. I think this would likely make this security review a bit lower in priority for us since, for now, this extension will only ever live on beta and the risk for that has already been accepted by a WMF manager/director.

That's fine with us. We just wanted to make sure we were doing everything by the book and that we're in the clear, security policy-wise.

Yes, you should be fine for now. We still have @SCherukuwada accepting the medium risk within our Application Security Reviews risk register.

sbassett changed the task status from Open to In Progress. Apr 5 2023, 4:19 PM
sbassett assigned this task to Mstyles.
sbassett raised the priority of this task from Low to Medium.
sbassett moved this task from Back Orders to In Progress on the secscrum board.

Security Review Summary - T328163 - 2023-06-23
Last commit reviewed: 766b92

Summary

Overall, the current code under consideration has a risk rating of: low.

The only vulnerabilities found were in indirect dependencies and were listed for completeness. They're not a critical security concern. The biggest concern for this project is that this project lives in the beta cluster only and there is no plan for it to be deployed to any production environment. It is intended to be a testing tool; however, it hasn't been updated since 2022, and there's a concern that the code could go stale and possibly be more vulnerable to attack, especially in the beta environment, which isn't as well monitored.

Vulnerable Packages - Production
nothing found from snyk or npm audit

Vulnerable Packages - Development
nothing found from snyk or npm audit

Outdated Packages
As reported via npm outdated:
none found

As reported via composer outdated:
none found

Other Vulnerable Code
nothing found from semgrep
nothing found from lockfile-lint
nothing found from git secrets
nothing found from gitleaks

DAST Findings
The DAST tool wapiti was run against the working test environment. It reported only one issue, regarding the content security policy (CSP) not being set, which is most likely due to the cloud environment and not due to the VueTest extension.
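The reviewer's reading of the wapiti finding (missing CSP is a property of the host, not of the extension) is easy to confirm directly, since in MediaWiki the Content-Security-Policy header is emitted by core when $wgCSPHeader is configured, not by an individual extension. The following is an added example of such a check, written for this page and not code from the VueTest extension, the wapiti scan, or the review; the sample header sets at the bottom are constructed, not captured from patchdemo or the beta cluster. It reports whether a CSP (or report-only CSP) header is present and, if so, flags the directives a reviewer would look at first.

```python
"""Check whether an HTTP response carries a Content-Security-Policy header
and, if it does, flag the directives a reviewer would look at first.
Added example for this page; not code from the VueTest extension or wapiti.
"""
from urllib.request import Request, urlopen

CSP = "content-security-policy"
CSP_RO = "content-security-policy-report-only"
# Source expressions that make script-src effectively useless against XSS.
UNSAFE = {"'unsafe-inline'", "'unsafe-eval'"}


def parse_csp(value):
    """Parse "default-src 'self'; script-src 'self' x" into {directive: [sources]}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def check_csp(headers):
    """headers: mapping of header name -> value, in any letter case.

    Returns {'present': bool, 'report_only': bool, 'findings': [str]}.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    findings = []
    if CSP in lowered:
        value, report_only = lowered[CSP], False
    elif CSP_RO in lowered:
        value, report_only = lowered[CSP_RO], True
        findings.append("policy is report-only: violations are logged, not blocked")
    else:
        return {"present": False, "report_only": False,
                "findings": ["no CSP header set"]}

    policy = parse_csp(value)
    if "default-src" not in policy:
        findings.append("no default-src fallback")
    # script-src falls back to default-src when absent, as the spec says.
    script = policy.get("script-src", policy.get("default-src", []))
    for src in script:
        if src in UNSAFE or src == "*":
            findings.append(f"script-src allows {src}")
    return {"present": True, "report_only": report_only, "findings": findings}


def fetch_headers(url):
    """Live check against a real host: HEAD request, headers only.

    Run it once against the beta host and once against the patchdemo host to
    tell an environment difference from an extension one. Not called on import.
    """
    with urlopen(Request(url, method="HEAD")) as resp:
        return dict(resp.headers.items())


# Constructed sample responses (hypothetical; not captured from any real host).
NO_CSP = {"Content-Type": "text/html; charset=UTF-8", "Server": "nginx"}
WEAK_CSP = {"Content-Security-Policy":
            "default-src 'self'; script-src 'self' 'unsafe-inline'"}
REPORT_ONLY = {"Content-Security-Policy-Report-Only":
               "default-src 'self'; report-uri /csp"}

if __name__ == "__main__":
    for name, hdrs in [("no-csp", NO_CSP), ("weak", WEAK_CSP),
                       ("report-only", REPORT_ONLY)]:
        print(name, check_csp(hdrs))
```

The point of the fallback handling is the edge case in the sample set: a policy with only `default-src 'self'` still constrains scripts, so it gets no unsafe-source finding, whereas a policy that spells out `script-src` with `'unsafe-inline'` does. A header that is absent on both hosts points at site configuration; one that is present on beta but absent on patchdemo confirms the reviewer's conclusion.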

sbassett moved this task from In Progress to Our Part Is Done on the secscrum board.

Low risk is automatically accepted by the WMF. Resolving this task for now.