Page MenuHomePhabricator
Create Task
Maniphest T86677

Quick/short security review of Extension:Sentry
Closed, ResolvedPublic
Actions

Description

The extension's code will change a lot before deployment to production, so it might not be worth a full on review now, but given that Sentry is to deal with stack traces, I figured a quick look is warranted.

Related Objects
Search...

StatusSubtypeAssignedTask
 DeclinedNoneT382 RfC: Server-side Javascript error logging
 ResolvedTgrT524 Interface to display JS error logs
 ResolvedGillesT525 Review existing JS error logging solutions
 OpenNoneT106913 Use Sentry on non-production Wikimedia wikis, Toolforge and other sites/tools
 DeclinedNoneT106915 Use Sentry in production
 DeclinedTgrT91649 Deploy Sentry (JavaScript error logging) to production, configured to log only a limited subset of users/pages
 ResolvedTgrT1345 Set up and test Sentry on Labs for JS error logging
 ResolvedTgrT78807 Deploy Sentry extension on beta cluster
 ResolvedcsteippT86677 Quick/short security review of Extension:Sentry
 ResolvedTgrT105374 Investigate if the XSS vulnerability addressed in Sentry 7.6.1 affects us
 ResolvedjlinehanT88399 Improve Javascript error logging coverage
 ResolvedTgrT78809 Implement module wrapping for Sentry
 DeclinedTgrT85262 Add startup script to automatically wrap asynchronous functions in try..catch
 DeclinedTgrT86058 Find out whether any browser supported by MediaWiki needs TraceKit's "rethrow to window.onerror" logic for stack traces
 DeclinedTgrT92247 Wrap jQuery AJAX callbacks in try..catch via mw.errorLogging
 ResolvedTgrT92701 Test the impact of Javascript error logging on performance
 DeclinedTgrT93392 Make sure async wrapping for Javascript error logging only happens when the call is truly async
 ResolvedTgrT85263 Track module initialization errors in ResourceLoader
 ResolvedTgrT88874 Catch uncaught exceptions with Sentry
 ResolvedKrinkleT93986 mw.track subscribers cannot unsubscribe
 DeclinedNoneT90524 Use source urls in mw.loader.store
 OpenNoneT508 Use CORS-enabled fetch of scripts to avoid same-domain limitations in JS error logging
 ResolvedTgrT507 Measure how many users have CORS-hostile proxies
 DeclinedNoneT88078 Automated tests for Javascript error logging
 OpenNoneT526 Add sampling and throttling support to JS error logging
 InvalidNoneT89732 Investigate production and/or beta requirements for Sentry
 DeclinedTgrT93138 Procure hardware for Sentry
 ResolvedTgrT84956 Create basic puppet role for Sentry
 ResolvedjcrespoT112228 Need to run postgresql::user twice to set the password
 ResolvedTgrT94428 Log Javascript errors in UploadWizard funnel flow

Event Timeline

greg created this task.Jan 13 2015, 4:19 PM
greg assigned this task to csteipp.
greg raised the priority of this task from to Medium.
greg updated the task description. (Show Details)
greg added projects: Patch-For-Review, Sentry, Multimedia.
greg added subscribers: Aklapper, Tgr, He7d3r and 7 others.
Aklapper added a project: deprecated-security-team-reviews.Jan 14 2015, 6:12 PM
Tgr added a comment.Jan 16 2015, 8:31 PM

Super lame data flow diagram for Sentry: https://docs.google.com/a/wikimedia.org/presentation/d/1kdSdtLFev6r9rirI35n9QUrU9-3J5XgYk00vDJrqISI/edit#slide=id.p

csteipp added a comment.Feb 6 2015, 12:03 AM

I talked through the privacy aspects with Tgr, and as long as access to the collection server is restricted to start, we should be ok on that.

raven.js doesn't look likely to harm us. @Tgr, who on multimedia is responsible for making sure that any security fixes in upstream will get deployed into our environment?

Tgr added a comment.Feb 6 2015, 12:55 AM
In T86677#1019781, @csteipp wrote:

@Tgr, who on multimedia is responsible for making sure that any security fixes in upstream will get deployed into our environment?

I'll assume responsibility for that.

csteipp closed this task as Resolved.Feb 6 2015, 12:57 AM
csteipp set Security to None.
Liuxinyu970226 removed a subscriber: Liuxinyu970226.Feb 6 2015, 1:56 AM
Tgr mentioned this in T89732: Investigate production and/or beta requirements for Sentry.Apr 9 2015, 7:29 AM
sbassett moved this task from Incoming to Done on the deprecated-security-team-reviews board.Apr 24 2019, 6:40 PM
chasemp removed a project: deprecated-security-team-reviews.Jan 8 2020, 4:18 PM
Content licensed under Creative Commons Attribution-ShareAlike 3.0 (CC-BY-SA) unless otherwise noted; code licensed under GNU General Public License (GPL) or other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL