In T361956#9736949, @cscott wrote:For all of these three things, it would be avoided if we were doing full expansion of custom properties and then sanitizing *the result*, but that's not how this patch works (and it's not really how CSS custom properties are designed to work).
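To make the distinction in the quoted comment concrete, here is an added toy model (not css-sanitizer's code, and not the patch under review) of the two strategies: sanitizing each declaration on its own, including the custom property definitions, versus substituting `var()` references first and sanitizing the expanded value. The denylist, the `var()` expander and the split payload are all constructed for this illustration; a real sanitizer works on a token stream rather than substrings, so the point of the example is only the ordering of expansion and sanitization, not any specific bypass of css-sanitizer.

```python
import re

# Constructed toy denylist; a real sanitizer validates tokens and functions,
# not substrings, but the ordering argument is the same.
DANGEROUS = re.compile(r"(expression\s*\(|javascript\s*:)", re.I)

# Toy var() matcher: var(--name) or var(--name, fallback). Assumption: no nested
# parentheses inside the fallback (enough for this illustration).
VAR_RE = re.compile(r"var\(\s*(--[\w-]+)\s*(?:,\s*([^)]*))?\)")


def sanitize_value(value: str) -> bool:
    """Toy sanitizer: accept a value unless it contains a denylisted substring."""
    return DANGEROUS.search(value) is None


def expand(value: str, custom: dict, seen: tuple = ()) -> str:
    """Substitute var() references using the given custom properties.

    Raises ValueError on a reference cycle (--x -> --y -> --x), mirroring how a
    browser treats cyclic custom properties as invalid at computed-value time.
    """
    def repl(m: "re.Match") -> str:
        name, fallback = m.group(1), m.group(2)
        if name in seen:
            raise ValueError(f"cyclic custom property {name}")
        if name in custom:
            return expand(custom[name], custom, seen + (name,))
        # Unknown property: use the fallback if present, else the empty string.
        return expand(fallback, custom, seen) if fallback is not None else ""

    return VAR_RE.sub(repl, value)


def sanitize_piecewise(decls: dict) -> dict:
    """Strategy A: sanitize every declaration by itself, custom properties included.

    Each fragment of a split payload looks harmless on its own, so all of them
    survive; the browser later joins them when it substitutes var().
    """
    return {prop: val for prop, val in decls.items() if sanitize_value(val)}


def sanitize_expanded(decls: dict) -> dict:
    """Strategy B: expand var() in normal properties, then sanitize the result.

    Custom property definitions are consumed by the expansion and not emitted.
    Declarations that fail to expand (cycles) or fail sanitization are dropped.
    """
    custom = {p: v for p, v in decls.items() if p.startswith("--")}
    out = {}
    for prop, val in decls.items():
        if prop.startswith("--"):
            continue
        try:
            full = expand(val, custom)
        except ValueError:
            continue
        if sanitize_value(full):
            out[prop] = full
    return out


# Constructed split payload: each fragment passes the toy denylist, but the
# expanded value is the denylisted string "javascript:alert(1)".
SPLIT_PAYLOAD = {
    "--a": "javasc",
    "--b": "ript:alert(1)",
    "background": "var(--a)var(--b)",
}

# Constructed benign stylesheet, to show strategy B still lets normal use through.
BENIGN = {
    "--brand": "red",
    "color": "var(--brand)",
    "border-color": "var(--missing, blue)",
}

# Constructed cycle: strategy B drops the declaration instead of looping forever.
CYCLIC = {
    "--x": "var(--y)",
    "--y": "var(--x)",
    "color": "var(--x)",
}

if __name__ == "__main__":
    print("piecewise:", sanitize_piecewise(SPLIT_PAYLOAD))
    print("expanded: ", sanitize_expanded(SPLIT_PAYLOAD))
    print("benign:   ", sanitize_expanded(BENIGN))
    print("cyclic:   ", sanitize_expanded(CYCLIC))
```

Strategy B catches the split payload only because the toy expander can see every custom property at once. That is the caveat the comment makes: in a browser, substitution happens at computed-value time after the cascade, with values possibly coming from other stylesheets or inherited from ancestors, so a server-side sanitizer of one style fragment cannot in general know what `var(--a)` will resolve to, and a sanitizer of custom properties has to decide what to allow in the definitions themselves.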
sbassett updated the task description for T363182: Create a proof-of-concept rapid risk assessment tool.
Tue, Apr 23
sbassett added a comment to T361956: Application Security Review Request : css-sanitizer custom property support.
sbassett added a project to T363068: Please remove 2FA from Vito Genovese Wikimedia SUL account: SecTeam-Processed.
Thu, Apr 18
sbassett moved T337305: Audit members of acl*security for more than 12 months of no activity (May 2024) from Back Orders to Watching on the Security-Team board.
Wed, Apr 17
sbassett added a comment to T362774: Application Security Review Request : service-runner replacement: @tchin/service-utils.
@tchin - Has this project been discussed across the WMF/Community? Especially with SRE, who would need to support deployments of services that will use this new template? I'm just trying to understand what kind of consensus exists for this being the de facto replacement for service-runner. I know we don't really have a functioning tech-decision-forum or RFC process at the moment (AIUI) but this seems like something that would be a good candidate for wider review.
Tue, Apr 16
sbassett added a comment to T355161: Application Security Review Request : PlaceNewSection extension.
In T355161#9715623, @Iniquity wrote:Do I understand correctly that with the current state of affairs, this request can be processed for several years? And is it easier for me to forget about this request and not plan any work for the coming years?
sbassett added a comment to T357353: Application Security Review Request : NetworkSession MediaWiki extension.
We could likely still do a quick scan of the repo just to make sure there aren't any vulnerable dependencies, secret leaks or obvious issues from static analysis. The only other concern I might have is that the $wgNetworkSessionProviderUsers config obviously needs to be kept in a private repository or config somewhere (PrivateSettings.php, etc.)
sbassett changed Due Date from Dec 29 2023, 6:00 AM to Jun 30 2024, 5:00 AM on T342468: Craft more mediawiki-specific and php semgrep rule sets.
Mon, Apr 15
sbassett added a comment to T355161: Application Security Review Request : PlaceNewSection extension.
In T355161#9715467, @Iniquity wrote:Is there any time frame for when this task will be taken on?
sbassett added a comment to T355161: Application Security Review Request : PlaceNewSection extension.
In T355161#9708335, @Iniquity wrote:@sbassett Hello! I see you have already created a pool of extensions for testing? Are we missing this quarter too? How long should we wait? Are there any criteria or something like that?
https://www.mediawiki.org/wiki/Wikimedia_Security_Team/Security_Review_Planning/2024-04-08
sbassett moved T362348: Add -c flag to cli_runner and reorganize data_management columns from In Progress to Done on the user-sbassett board.
sbassett closed T362348: Add -c flag to cli_runner and reorganize data_management columns as Resolved.
sbassett moved T362348: Add -c flag to cli_runner and reorganize data_management columns from In Progress to Completed on the production-risk-assessment board.
sbassett closed T362348: Add -c flag to cli_runner and reorganize data_management columns, a subtask of T343366: [EPIC] Production Risk Assessment Work - Phase 2, as Resolved.
sbassett moved T362199: Security Issue Access Request for jrbranaa from Incoming to In Progress on the Security-Team board.
sbassett moved T272297: User script on user subpage doesn't work after user rename from Incoming to In Progress on the Security-Team board.
In T272297#9700700, @stjn wrote:This continuously causes issues with user scripts after any rename, I am asking someone from Security-Team to take time to review the patch provided.
Fri, Apr 12
sbassett added a project to T239730: Improper Access Control on timeless.wmflabs.org: SecTeam-Processed.
sbassett moved T272297: User script on user subpage doesn't work after user rename from Watching to Incoming on the Security-Team board.
Thu, Apr 11
sbassett moved T357570: Run prod risk assessment cli to generate updated results from In Progress to Done on the user-sbassett board.
This is done and has been reported via an internal Google sheet.
sbassett moved T357570: Run prod risk assessment cli to generate updated results from In Progress to Completed on the production-risk-assessment board.
sbassett moved T357570: Run prod risk assessment cli to generate updated results from In Progress to Our Part Is Done on the Security-Team board.
sbassett closed T357570: Run prod risk assessment cli to generate updated results, a subtask of T343366: [EPIC] Production Risk Assessment Work - Phase 2, as Resolved.
sbassett moved T362348: Add -c flag to cli_runner and reorganize data_management columns from Backlog to In Progress on the user-sbassett board.
sbassett moved T362348: Add -c flag to cli_runner and reorganize data_management columns from Backlog to In Progress on the production-risk-assessment board.
sbassett changed the status of T362348: Add -c flag to cli_runner and reorganize data_management columns from Open to In Progress.
sbassett changed the status of T362348: Add -c flag to cli_runner and reorganize data_management columns, a subtask of T343366: [EPIC] Production Risk Assessment Work - Phase 2, from Open to In Progress.
Hey @kostajh - Just wanted to check in and see if ext:IPReputation is ready for review or if you're planning any large, meaningful development cycles soon (and I should wait a bit). Thanks.
Wed, Apr 10
sbassett moved T360070: Application Security Review Request : Extension:IPReputation from Backlog to In Progress on the user-sbassett board.
sbassett added a project to T360070: Application Security Review Request : Extension:IPReputation: user-sbassett.
sbassett moved T349569: Application Security Review Request : Floating UI from Waiting to Our Part Is Done on the secscrum board.
sbassett moved T349569: Application Security Review Request : Floating UI from In Progress to Watching on the Security-Team board.
sbassett removed a project from T326867: CheckUser API can expose suppressed information for log events: Patch-For-Review.
Tue, Apr 9
sbassett added a comment to T356764: Merging lexemes is only partially rate limited and protected by AbuseFilter.
In T356764#9701739, @Lucas_Werkmeister_WMDE wrote:I think we can make this task public now? As far as I understand, the release happened and T353904 only remains open because the CVEs haven’t been assigned yet.
sbassett removed a project from T356764: Merging lexemes is only partially rate limited and protected by AbuseFilter: Patch-For-Review.
sbassett added a comment to T359087: Redirecting @priv_eng_sync Phab account (Asana sync) to new email address.
In T359087#9699828, @Aklapper wrote:Taking a step back, could someone point to docs which functionality this account provides? Is there any custom code involved somewhere, or is this "just" about email notifications into Asana? I see that it is a member of acl*security and acl*security_secteam...
In T349569#9699086, @egardner wrote:Hey @sbassett – I reached out to the maintainer just before a 2-week stint of travel (which I am now back from). Sounds like he would welcome a PR but doesn't see this as a huge priority since the package in question is a dev dependency instead of a runtime one.
Mon, Apr 8
sbassett moved T361956: Application Security Review Request : css-sanitizer custom property support from Backlog to In Progress on the user-sbassett board.
sbassett changed the visibility for T335004: Check existing and planned plugins for WikimediaFoundation.org.
In T349569#9647538, @egardner wrote:In T349569#9646835, @sbassett wrote:It'd probably be best to follow their security policy first: https://github.com/floating-ui/floating-ui/security. And hope they are responsive.
Oh, good catch. I can reach out to the developer at the email address provided and let him know about the Vite issue. I can report back here if he responds.
sbassett closed T354136: Application Security Review Request: MathJax, a subtask of T310211: Deliver visible MathML to the browser, as Resolved.
sbassett closed T354136: Application Security Review Request: MathJax, a subtask of T338429: Prepare Mathoid for RESTbase sunsetting, as Resolved.
sbassett moved T361943: Decide on a Software Bill of Materials (SBOM) format for MediaWiki from Incoming to Watching on the Security-Team board.
sbassett moved T361690: Application Security Review Request : AutoModerator from Back Orders to Upcoming Quarter Planning Queue on the secscrum board.
sbassett moved T361690: Application Security Review Request : AutoModerator from Incoming to Back Orders on the secscrum board.
sbassett moved T361956: Application Security Review Request : css-sanitizer custom property support from Incoming to Back Orders on the secscrum board.
sbassett moved T361961: Security Review For reefjs (potentially used by Wikipedia Preview) from Incoming to Back Orders on the secscrum board.
sbassett triaged T362089: connecting-senses tool OAuth credentials were world-readable as Low priority.
sbassett edited projects for T362089: connecting-senses tool OAuth credentials were world-readable, added: SecTeam-Processed; removed Security-Team.
Fri, Apr 5
sbassett changed the visibility for T357101: Special:MergeLexemes makes edits on GET requests without edit tokens.
sbassett removed a project from T357101: Special:MergeLexemes makes edits on GET requests without edit tokens: Patch-For-Review.
sbassett added a comment to T361943: Decide on a Software Bill of Materials (SBOM) format for MediaWiki.
From a mostly AppSec perspective, I'd vote for CycloneDX. It's supported by the org I'm most familiar with (OWASP) and the tooling is far more robust, at least for now. Would it be a big deal for AppSec interests if we went with SPDX? Probably not, so I'd definitely need to qualify this as more of a light preference.
Thu, Apr 4
sbassett moved T342467: Design AppSec Pipeline metrics approach from In Progress to Done on the user-sbassett board.
I'd like to add more tests, but the basic cli is done now.
sbassett closed T342467: Design AppSec Pipeline metrics approach, a subtask of T342177: [EPIC] Application Security Pipeline Components for Gitlab - Phase 2 Work, as Resolved.
In T361452#9686743, @Samwilson wrote:Also, why is escapeIdForAttribute() "not guaranteed to be HTML safe"? What other ID attribute is it intended for, that needs to be able to contain angle brackets etc.? Is it because some XML dialects permit more characters in IDs than HTML does? It looks like a bunch of skins are doing similar things to Foreground here, so it does seem a confusingly named function.
Wed, Apr 3
sbassett set Author Affiliation to community on T361449: Metrolook skin: stored XSS via MediaWiki:Sidebar.
sbassett moved T361449: Metrolook skin: stored XSS via MediaWiki:Sidebar from Incoming to Our Part Is Done on the Security-Team board.
sbassett moved T342468: Craft more mediawiki-specific and php semgrep rule sets from Backlog to In Progress on the GitLab-Application-Security-Pipeline board.
sbassett added a project to T342468: Craft more mediawiki-specific and php semgrep rule sets: user-sbassett.
In T359634#9682494, @Ladsgroup wrote:Does that sound good to you as the first step?
Tue, Apr 2
sbassett closed T347744: i18n-xss vectors on Special:SecurePoll, a subtask of T2212: Some MediaWiki: messages not safe in HTML (tracking), as Resolved.
sbassett added a project to T361452: Foreground skin: stored XSS via MediaWiki:Sidebar: security-bug.
sbassett edited projects for T361452: Foreground skin: stored XSS via MediaWiki:Sidebar, added: SecTeam-Processed; removed Security-Team.
Since this skin isn't deployed or bundled, the vulnerability (and hopefully merged patch) will be (re)announced via the next supplemental security release: T361321.
sbassett edited projects for T361448: GuMaxDD skin: stored XSS via MediaWiki:Sidebar, added: SecTeam-Processed; removed Security-Team.
Since this skin isn't deployed or bundled, the proposed patch can go through gerrit at any time. It will be (re)announced via the next supplemental security release: T361321.
@elukey @Ladsgroup - Sounds like we can make this public now?
sbassett edited projects for T361328: Password to keystore of java certificates needs changing, added: SecTeam-Processed; removed Security-Team.
sbassett changed the visibility for T361482: Issues changing password & logging in (primarily with Android Wikipedia mobile app).
sbassett added a comment to T361482: Issues changing password & logging in (primarily with Android Wikipedia mobile app).
In T361482#9676929, @Dbrant wrote: