Security review of Citoid
Closed, ResolvedPublic0 Estimated Story Points
Actions

Assigned To

Authored By

	• csteipp
	May 4 2015, 11:21 PM

Description

I gave some input to the team prior to deployment, but we never did a full review.

https://gerrit.wikimedia.org/r/p/mediawiki/extensions/Citoid.git

https://gerrit.wikimedia.org/r/p/mediawiki/services/citoid

"dependencies": {
  "async": "0.9.0",
  "bluebird": "2.9.24",
  "body-parser": "1.12.3",
  "bunyan": "1.3.5",
  "cheerio": "0.18.0",
  "compression": "1.4.3",
  "content-type": "1.0.1",
  "express": "4.12.3",
  "html-metadata": "0.1.1",
  "iconv-lite": "0.4.8",
  "js-yaml": "3.2.7",
  "node-uuid": "1.4.3",
  "preq": "0.3.13",
  "request": "2.49.0",
  "service-runner": "0.1.8"
}

$wgCitoidServiceUrl = '//citoid.wikimedia.org/api';

Related Objects
Search...

Status	Assigned	Task
Resolved	• csteipp	T98096 Security review of Citoid
		Restricted Task
		Restricted Task
		Restricted Task
		Restricted Task
Resolved	BBlack	T108632 http://citoid.wikimedia.org/ should force HTTPS

Event Timeline

• csteipp created this task.May 4 2015, 11:21 PM

• csteipp claimed this task.

• csteipp raised the priority of this task from to High.

• csteipp updated the task description. (Show Details)

• csteipp added projects: Security-Team, deprecated-security-team-reviews, Citoid.

Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMay 4 2015, 11:21 PM

• csteipp moved this task from Incoming to In Progress on the Security-Team board.May 4 2015, 11:22 PM

FYI, the codebase is going to change substantially following T75993 (and to some extent T95295) so it will need to be redone following that, I suspect.

In T98096#1259928, @Mvolz wrote:

FYI, the codebase is going to change substantially following T75993 (and to some extent T95295) so it will need to be redone following that, I suspect.

I think we should be fine actually. The code-base will change to some extent, but security-wise, not much will change - the dependencies will stay the same, just as the functional part of Citoid wrt inter-service communication patterns.

@Mvolz, is there a version of citoid running in labs that I can try some things on?

@csteipp have at'er : http://citoid.wmflabs.org/

• csteipp moved this task from In Progress to Waiting on the Security-Team board.May 11 2015, 9:27 PM

• csteipp closed subtask Restricted Task as Declined.May 21 2015, 9:42 PM

• mobrovac closed subtask Restricted Task as Resolved.Jun 1 2015, 7:31 AM

MoritzMuehlenhoff closed subtask Restricted Task as Resolved.Jul 27 2015, 7:18 PM

• mobrovac closed subtask Restricted Task as Resolved.Aug 20 2015, 12:54 PM

• csteipp moved this task from Incoming to Waiting/Blocked on the deprecated-security-team-reviews board.Aug 24 2015, 6:57 PM

BBlack closed subtask T108632: http://citoid.wikimedia.org/ should force HTTPS as Resolved.Apr 6 2016, 1:40 PM

Restricted Application added a project: VisualEditor. · View Herald TranscriptApr 6 2016, 1:40 PM

I assume this can be marked Resolved now, right? :-)

Looks like all of the issues have been followed up.

Jdforrester-WMF set the point value for this task to 0.May 10 2016, 1:16 AM

Jdforrester-WMF set Security to None.

sbassett moved this task from Waiting to Our Part Is Done on the Security-Team board.Jun 11 2019, 6:04 PM

Restricted Application added a project: User-Ryasmeen. · View Herald TranscriptJun 11 2019, 6:04 PM

sbassett moved this task from Waiting/Blocked to Done on the deprecated-security-team-reviews board.Jul 9 2019, 8:25 PM

• chasemp removed a project: deprecated-security-team-reviews.Jan 8 2020, 4:15 PM

Security review of CitoidClosed, ResolvedPublic0 Estimated Story PointsActions

Description

Related ObjectsSearch...

Event Timeline

Security review of Citoid
Closed, ResolvedPublic0 Estimated Story Points
Actions

Related Objects
Search...