Page MenuHomePhabricator
Create Task
Maniphest T86677

Quick/short security review of Extension:Sentry
Closed, ResolvedPublic
Actions

Description

The extension's code will change a lot before deployment to production, so it might not be worth a full on review now, but given that Sentry is to deal with stack traces, I figured a quick look is warranted.

Related Objects
Search...

StatusAssignedTask
 OpenTgrT382 RfC: Server-side Javascript error logging
 ResolvedTgrT524 Interface to display JS error logs
 ResolvedGillesT525 Review existing JS error logging solutions
 OpenNoneT106913 Use Sentry on non-production Wikimedia wikis, Tool Labs and other sites/tools
 OpenNoneT106915 Use Sentry in production
 OpenTgrT91649 Deploy Sentry (JavaScript error logging) to production, configured to log only a limited subset of users/pages
 OpenTgrT1345 Set up and test Sentry on Labs for JS error logging
 ResolvedTgrT78807 Deploy Sentry extension on beta cluster
 ResolvedcsteippT86677 Quick/short security review of Extension:Sentry
 ResolvedTgrT105374 Investigate if the XSS vulnerability addressed in Sentry 7.6.1 affects us
 OpenNoneT88399 Improve Sentry coverage
 ResolvedTgrT78809 Implement module wrapping for Sentry
 DeclinedTgrT85262 Add startup script to automatically wrap asynchronous functions in try..catch
 DeclinedTgrT86058 Find out whether any browser supported by MediaWiki needs TraceKit's "rethrow to window.onerror" logic for stack traces
 StalledTgrT92247 Wrap jQuery AJAX callbacks in try..catch via mw.errorLogging
 ResolvedTgrT92701 Test the impact of Javascript error logging on performance
 StalledTgrT93392 Make sure async wrapping for Javascript error logging only happens when the call is truly async
 ResolvedTgrT85263 Track module initialization errors in ResourceLoader
 OpenTgrT88874 Catch uncaught exceptions with Sentry
 ResolvedKrinkleT93986 mw.track subscribers cannot unsubscribe
 DeclinedNoneT90524 Use source urls in mw.loader.store
 OpenTgrT508 Use CORS-enabled fetch of scripts to avoid same-domain limitations in JS error logging
 ResolvedTgrT507 Measure how many users have CORS-hostile proxies
 OpenTgrT88078 Automated tests for Sentry error logging
 OpenNoneT526 Add sampling and throttling support to JS error logging
 InvalidNoneT89732 Investigate production and/or beta requirements for Sentry
 StalledTgrT93138 Procure hardware for Sentry
 ResolvedTgrT84956 Create basic puppet role for Sentry
 OpenNoneT96054 Puppet resource for creating a postgresql database
 ResolvedjcrespoT112228 Need to run postgresql::user twice to set the password
 ResolvedTgrT94428 Log Javascript errors in UploadWizard funnel flow

Event Timeline

greg created this task.Jan 13 2015, 4:19 PM
greg updated the task description. (Show Details)
greg raised the priority of this task from to Normal.
greg assigned this task to csteipp.
greg added projects: Patch-For-Review, Sentry, Multimedia.
greg added subscribers: Aklapper, Tgr, He7d3r and 7 others.
csteipp added a comment.Feb 6 2015, 12:03 AM

I talked through the privacy aspects with Tgr, and as long as access to the collection server is restricted to start, we should be ok on that.

raven.js doesn't look likely to harm us. @Tgr, who on multimedia is responsible for making sure that any security fixes in upstream will get deployed into our environment?

Tgr added a comment.Feb 6 2015, 12:55 AM
In T86677#1019781, @csteipp wrote:

@Tgr, who on multimedia is responsible for making sure that any security fixes in upstream will get deployed into our environment?

I'll assume responsibility for that.

csteipp closed this task as Resolved.Feb 6 2015, 12:57 AM
csteipp set Security to None.
Content licensed under Creative Commons Attribution-ShareAlike 3.0 (CC-BY-SA) unless otherwise noted; code licensed under GNU General Public License (GPL) or other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL