
Security Issue Access Request for SecurityPatchBot
Closed, ResolvedPublic

Description

Phabricator Username: SecurityPatchBot

Reasons For Request: Motivated by T350065. In order to be able to ping security patch tasks, they need to be visible to the SecurityPatchBot. The bot will not log/expose any information from the tasks.

Event Timeline

sbassett changed the task status from Open to In Progress. Feb 12 2024, 5:26 PM
sbassett assigned this task to Mstyles.
sbassett triaged this task as Medium priority.
sbassett moved this task from Incoming to In Progress on the Security-Team board.
sbassett added a project: SecTeam-Processed.

@thcipriani do you approve this as the manager of Release Engineering?

Hi @Mstyles yes, approved. We'd protect any credentials for this bot in the same way we're protecting access to the security patches themselves in our automated testing (since this bot will be used to update security tasks with the results of automated testing).

@thcipriani do you know if it's possible to add MFA to a bot account? I understand the team will be protecting credentials, which is great. I looked around in the Phabricator documentation and I didn't see anything, but I wanted to be thorough.

@Mstyles As you mentioned, there don't seem to be any references in the docs. Also, the settings section in the UI for bots doesn't offer MFA options, unlike the settings for a regular user.

I'm not sure how an MFA workflow for a bot would work, but intuitively (maybe I'm wrong) any extra authentication factor would need to be co-located with the current credentials (a conduit token) so the bot could access both securely. In that case, an attacker getting access to one of the factors would probably get access to both.

@jnuche I completely agree, I just wanted to make sure we were thorough in the approach. I'm creating a subproject for security bots in T357487 and after that's done, I'll go ahead and add security issue access.

Mstyles moved this task from In Progress to Our Part Is Done on the Security-Team board.

Security issue access has been granted to the SecurityPatchBot.