Page MenuHomePhabricator

A direct way to submit a security report as a private task
Closed, ResolvedPublic

Description

Is it possible to offer a link with parameters or an email address that could be used by security task reporters to submit private tasks directly? @csteipp asked.

Maybe the simplest scenario is to have an email address i.e. security-bugs@, in the lines of T675?

Related Objects

StatusAssignedTask
ResolvedQgil
ResolvedQgil
ResolvedQgil
Resolved RobLa-WMF
ResolvedQgil
ResolvedDzahn
ResolvedQgil
ResolvedAklapper
Invalidmmodell
Resolvedmmodell
Resolvedmmodell
DeclinedQgil
Resolvedmmodell
ResolvedQgil
ResolvedRobH
ResolvedAklapper
ResolvedAklapper
ResolvedAklapper
ResolvedAklapper
ResolvedAklapper
DeclinedAklapper
ResolvedQgil
Resolvedchasemp
Resolvedchasemp
Resolvedchasemp
Resolvedchasemp
Resolvedchasemp
Resolvedchasemp
ResolvedQgil
Resolvedgpaumier
ResolvedAklapper
ResolvedDzahn
ResolvedDzahn
DeclinedNone
ResolvedRobH
DuplicateRobH
Declinedmmodell
Duplicatemmodell
ResolvedQgil
Resolvedmmodell
ResolvedSpringle
ResolvedNone
Resolvedmmodell

Event Timeline

Qgil created this task.Dec 3 2014, 7:11 AM
Qgil updated the task description. (Show Details)
Qgil raised the priority of this task from to Normal.
Qgil claimed this task.
Qgil added projects: Phabricator, Security.
Qgil changed Security from none to None.
Qgil added subscribers: Qgil, Aklapper, mmodell and 2 others.
Qgil removed Qgil as the assignee of this task.Dec 3 2014, 11:25 AM

I *guess* that's about setting up such a dedicated incoming email address on WMF servers, write some script that takes the input and make somehow sure that the custom checkbox for access restriction can be set (I don't know how) and passing that again to Phab (probably via email again to somehow keep the original reporter intact)? Doesn't sound entirely trivial.

Aklapper lowered the priority of this task from Normal to Low.Dec 3 2014, 2:16 PM

Maybe the simplest scenario is to have an email address i.e. security-bugs@, in the lines of T675?

The more I thought about this, the more I don't think this will work. To be effective, we have to publicize the email address heavily (like we do with security@wikimedia.org currently). And on the current account, we get about 50 spam emails / day. I wouldn't like to have to close those every day in Phab.

Qgil added a comment.Dec 4 2014, 9:16 AM

Quoting https://www.mediawiki.org/wiki/Phabricator/Security#A_direct_way_to_submit_a_security_report_as_a_private_task

  • Currently the intention for a few specific projects related to Operations is to route certain emails as bot created tasks from anonymous senders.
  • The security transform is applied via the existing and known mechanisms outlined above (using the auxiliary field via task creation with Conduit).
  • There is no way to set policy on a task via email.
  • There is no way to set policy on a task via project association.

Question: can the Security dropdown option be defined with a URL parameter?

Qgil moved this task from To Triage to Need discussion on the Phabricator board.Dec 4 2014, 1:25 PM

Nope, I don't see the option. FWIW custom fields are handled via conduit with "auxiliary" and this seems not be supported via URL parameter's at all. In theory it wouldn't matter as to adjust policy you need to part of the relevant groups and I don't know if it would die on initial filing policy adjustment or not. I mean technically all tasks have policy, even new tasks filed now by users who can't adjust policy.

Anyways,

https://github.com/wikimedia/phabricator-tools/blob/master/bugzilla_create.py#L285

Not supported via URL atm.

Chad and I tried to get this working with the task templates, but that didn't really work either.

This isn't quite as important as T518, but it is really important that we can give a link to user to file security issues, and not, "click this link, find this dropdown, make sure you select the right one, and if you mess up the issue is permanently public."

Qgil added a comment.Dec 8 2014, 6:55 AM

Does this mean that we are still stuck with security@ email address?

Also, what about a Phabricator extension to report security issues, consisting of a Create Task form, with the Security configuration predefined as security task, and not visible in the UI?

I don't understand exactly the idea behind the last suggestion there, but the most straightforward thing would be for us to contribute a patch upstream that allows 'auxiliary' to be passed in by URL. That would keep all current abstractions consistent, but allow for embedded links that create appropriate security tasks.

Qgil added a comment.Dec 8 2014, 8:40 PM

the most straightforward thing would be for us to contribute a patch upstream that allows 'auxiliary' to be passed in by URL. That would keep all current abstractions consistent, but allow for embedded links that create appropriate security tasks.

Sounds good to me.

csteipp edited projects, added Security-Team; removed Security.May 6 2015, 12:38 AM

Adding a dep on T823 as Spaces might solve the "Create Security task by sending an emal to a certain address" part, see https://secure.phabricator.com/T8493#119789

Restricted Application added a subscriber: scfc. · View Herald TranscriptJul 2 2015, 1:58 PM
mmodell closed this task as Resolved.Mar 13 2016, 7:40 PM
mmodell claimed this task.

Is this basically resolved by the forms change (@20after4?) at https://phabricator.wikimedia.org/maniphest/task/edit/form/2/ ?

Yes https://phabricator.wikimedia.org/maniphest/task/edit/form/2/ is the proper way to create a security task.

It might also be possible to do via email but I don't think we have that set up correctly currently.

Note also the "Protect as security issue" link in the task menu (Top right of the page) which will convert a regular task into a protected security task.