
mmartorana (manfredi martorana)
Application Security Engineer

User Details

User Since
Nov 5 2021, 2:54 PM (128 w, 4 d)
Availability
Available
LDAP User
Unknown
MediaWiki User
MMartorana (WMF) [ Global Accounts ]

Recent Activity

Today

mmartorana changed the status of T272297: User script on user subpage doesn't work after user rename from Open to In Progress.
Tue, Apr 23, 2:34 PM · SecTeam-Processed, Security-Team, Patch-For-Review, MediaWiki-extensions-CentralAuth, JavaScript, MediaWiki-User-rename, MediaWiki-General, Vuln-DoS

Tue, Apr 9

mmartorana added a comment to T361943: Decide on a Software Bill of Materials (SBOM) format for MediaWiki.

I lean towards CycloneDX because of its broader approach, it prioritizes the management of software components and dependencies rather than license/legal compliance, which is the primary focus of SPDX.

Tue, Apr 9, 3:44 PM · SecTeam-Processed, Security-Team, Security

Tue, Apr 2

mmartorana added a comment to T354136: Application Security Review Request: MathJax.

@Physikerwelt - I have now made the pastes public.

Tue, Apr 2, 1:56 PM · MW-1.42-release, RESTBase Sunsetting, Patch-For-Review, secscrum, Security, Application Security Reviews, Math, User-Physikerwelt
mmartorana changed the visibility for P59010 T354136 - horusec results .
Tue, Apr 2, 1:54 PM · WMF-NDA
mmartorana changed the visibility for P59005 T354136 - semgrep sast results.
Tue, Apr 2, 1:53 PM · WMF-NDA
mmartorana changed the visibility for P59005 T354136 - semgrep sast results.
Tue, Apr 2, 1:53 PM · WMF-NDA
mmartorana changed the visibility for P59010 T354136 - horusec results .
Tue, Apr 2, 1:52 PM · WMF-NDA
mmartorana changed the visibility for P59008 T354136 - bearer sast results.
Tue, Apr 2, 1:52 PM · WMF-NDA
mmartorana changed the visibility for P59004 T354136 - scorecard results.
Tue, Apr 2, 1:51 PM · WMF-NDA

Fri, Mar 29

mmartorana moved T354136: Application Security Review Request: MathJax from In Progress to Our Part Is Done on the secscrum board.

Security Review Summary - T354136- 2024-03-29
Last tag reviewed: v3.2.2

Fri, Mar 29, 5:44 PM · MW-1.42-release, RESTBase Sunsetting, Patch-For-Review, secscrum, Security, Application Security Reviews, Math, User-Physikerwelt
mmartorana created P59010 T354136 - horusec results .
Fri, Mar 29, 11:16 AM · WMF-NDA

Thu, Mar 28

mmartorana created P59008 T354136 - bearer sast results.
Thu, Mar 28, 9:02 PM · WMF-NDA
mmartorana created P59005 T354136 - semgrep sast results.
Thu, Mar 28, 7:22 PM · WMF-NDA
mmartorana created P59004 T354136 - scorecard results.
Thu, Mar 28, 7:14 PM · WMF-NDA

Mar 22 2024

mmartorana closed T349568: Application Security Review Request : Community Configuration as Resolved.

Hi @Urbanecm_WMF and @KStoller-WMF - Apologies for any confusion caused. As mentioned in the summary of my review, the overall risk score is classified as low risk.
Although the SAST findings were labeled as medium by the tools, upon further consideration of the context, I concluded that these vulnerabilities did not pose a significant risk. Therefore, I maintained the low risk rating for the overall review. I just wanted to double-check and receive confirmation from you, which I now have.

Mar 22 2024, 7:59 PM · Growth-Team (Sprint 10 (Growth Team)), CommunityConfiguration, secscrum, Security, Application Security Reviews
mmartorana closed T349568: Application Security Review Request : Community Configuration, a subtask of T357766: Deploy Community configuration to beta wiki, as Resolved.
Mar 22 2024, 7:58 PM · Wikimedia-Extension-setup, Growth-Team (Sprint 10 (Growth Team)), CommunityConfiguration
mmartorana moved T349568: Application Security Review Request : Community Configuration from In Progress to Our Part Is Done on the secscrum board.

Security Review Summary - T349568 - 2024-03-22
Last commit reviewed: cb8c5d5

Mar 22 2024, 4:55 PM · Growth-Team (Sprint 10 (Growth Team)), CommunityConfiguration, secscrum, Security, Application Security Reviews

Mar 18 2024

mmartorana added a comment to T354136: Application Security Review Request: MathJax.

Hi @MSantos and @Physikerwelt - I'm in the process of conducting the review, and it will be completed by the end of March.

Mar 18 2024, 4:19 PM · MW-1.42-release, RESTBase Sunsetting, Patch-For-Review, secscrum, Security, Application Security Reviews, Math, User-Physikerwelt
mmartorana added a comment to T349568: Application Security Review Request : Community Configuration.

Hi @mmartorana!

My name is Martin Urbanec and I work as a Software Engineer within the Growth team. Unfortunately, we're somehow behind the originally anticipated schedule. However, we now have CommunityConfiguration working in some way within mediawiki/extensions/CommunityConfiguration on Gerrit (since it is meant as a platform for other developers, it is not directly usable, but we have an example available in GitLab). Documentation of the extension is available at https://www.mediawiki.org/wiki/Extension:CommunityConfiguration and https://www.mediawiki.org/wiki/Extension:CommunityConfiguration/Developer_setup.

So far, not everything that we want to be a part of CommunityConfiguration is fully ready yet, but it would make testing and reviewing much easier if we could have the extension available at the beta cluster. Unfortunately, I'm not fully sure what exactly we need to have "checked off" by the Security team for that to happen. As far as I understand it, Writing an extension for deployment indicates an Application Security Review needs to be completed for a beta deployment to happen. Is that understanding correct? If so, what is needed from the Growth-Team to make an Application Security Review possible? Is there something else we need to run by the Security team before moving ahead to Beta?

Looking forward to hearing from you,
Martin Urbanec, Growth team

Mar 18 2024, 4:14 PM · Growth-Team (Sprint 10 (Growth Team)), CommunityConfiguration, secscrum, Security, Application Security Reviews

Mar 12 2024

mmartorana added a comment to T354136: Application Security Review Request: MathJax.

@mmartorana do you need https://gerrit.wikimedia.org/r/c/987131 to do the security review? If not, I would abandon the change and start over with the method suggested by @Jdforrester-WMF which I was not aware of when I created the patch.

Mar 12 2024, 4:21 PM · MW-1.42-release, RESTBase Sunsetting, Patch-For-Review, secscrum, Security, Application Security Reviews, Math, User-Physikerwelt

Mar 11 2024

mmartorana claimed T337949: Add security.txt to Wikimedia sites? (2023 edition).
Mar 11 2024, 4:53 PM · Patch-For-Review, SecTeam-Processed, Documentation, WMF-General-or-Unknown, Security-Team, Security, Wikimedia-Apache-configuration

Mar 6 2024

mmartorana changed the status of T358728: Solve OSV Double-Pipeline Problem without Requiring Many Default Rules from Open to In Progress.
Mar 6 2024, 4:49 PM · SecTeam-Processed, Security-Team, Release Pipeline, Release-Engineering-Team
mmartorana added a comment to T358728: Solve OSV Double-Pipeline Problem without Requiring Many Default Rules.

Hey @cmassaro - we recommend implementing Dan's suggestions and providing us with feedback on the outcomes. This will help us gather more metrics regarding the usage of this template.

Mar 6 2024, 4:49 PM · SecTeam-Processed, Security-Team, Release Pipeline, Release-Engineering-Team

Mar 5 2024

mmartorana closed T352743: Test CVSS against SSVC theory as Resolved.
Mar 5 2024, 3:27 PM · risk-rating-toolkit

Feb 28 2024

mmartorana added a project to T358133: Security Issue Access Request for cdobbins: SecTeam-Processed.
Feb 28 2024, 6:38 PM · SecTeam-Processed, Security-Team, Security
mmartorana closed T358133: Security Issue Access Request for cdobbins as Resolved.

Thanks @KOfori - I have granted access to acl*security_sre.

Feb 28 2024, 6:38 PM · SecTeam-Processed, Security-Team, Security
mmartorana added a member for acl*security_sre: CDobbins.
Feb 28 2024, 6:36 PM
mmartorana moved T357760: CVE-2024-: Denial of service vector via GET request to Special:MovePage on pages with thousands of subpages from Incoming to Security Patch To Deploy on the Security-Team board.

From a security perspective, there doesn't seem to be any concern with this patch.

Feb 28 2024, 5:51 PM · MW-1.42-notes (1.42.0-wmf.26; 2024-04-09), MW-1.41-notes, MW-1.40-notes, MW-1.39-notes, SecTeam-Processed, Patch-For-Review, MediaWiki-Page-rename, Vuln-DoS, Security, Security-Team
mmartorana claimed T358133: Security Issue Access Request for cdobbins.

Hi @ssingh - Could you kindly request approval from your team's manager here on this task? This will enable me to promptly grant access to acl*security_sre.

Feb 28 2024, 5:44 PM · SecTeam-Processed, Security-Team, Security

Feb 26 2024

mmartorana changed the status of T357760: CVE-2024-: Denial of service vector via GET request to Special:MovePage on pages with thousands of subpages from Open to In Progress.
Feb 26 2024, 1:14 PM · MW-1.42-notes (1.42.0-wmf.26; 2024-04-09), MW-1.41-notes, MW-1.40-notes, MW-1.39-notes, SecTeam-Processed, Patch-For-Review, MediaWiki-Page-rename, Vuln-DoS, Security, Security-Team

Feb 20 2024

mmartorana closed T344509: Security Issue Access Request for (Kappakayala) as Resolved.
Feb 20 2024, 5:27 PM · SecTeam-Processed, Security-Team, Security
mmartorana added a comment to T344509: Security Issue Access Request for (Kappakayala).

Hey @Kappakayala - I've just added you to acl*security_sre. Let us know if you need anything else.

Feb 20 2024, 5:25 PM · SecTeam-Processed, Security-Team, Security
mmartorana added a member for acl*security_sre: Kappakayala.
Feb 20 2024, 5:22 PM

Feb 19 2024

mmartorana placed T337949: Add security.txt to Wikimedia sites? (2023 edition) up for grabs.

As the original task was declined without comment, it would be helpful to understand what the input we're looking for in this task is (from SRE but also in general). And who would be the decision maker, Security-Team?

If we want to go that path (which I think makes sense, but is low prio), the decision (and filling in the data) would be for the security team. Who then eventually takes care of making sure we serve the file is TBD. We can also just drop SRE for now and then add it back when there is progress to the state that it needs SRE involvement.

Feb 19 2024, 6:28 PM · Patch-For-Review, SecTeam-Processed, Documentation, WMF-General-or-Unknown, Security-Team, Security, Wikimedia-Apache-configuration

Feb 12 2024

mmartorana added a comment to T357101: Special:MergeLexemes makes edits on GET requests without edit tokens.

Hey @sbassett thanks for the triaging. Upon reviewing the provided code, there don't seem to be any apparent security concerns.

Feb 12 2024, 6:53 PM · MW-1.42-notes (1.42.0-wmf.23; 2024-03-19), Vuln-CSRF, SecTeam-Processed, Wikidata Dev Team (Wikidata.org Slice), Wikidata Lexicographical data, Wikidata, Security, Security-Team

Jan 19 2024

mmartorana changed the status of T349568: Application Security Review Request : Community Configuration from Open to In Progress.
Jan 19 2024, 6:12 PM · Growth-Team (Sprint 10 (Growth Team)), CommunityConfiguration, secscrum, Security, Application Security Reviews
mmartorana added a comment to T349568: Application Security Review Request : Community Configuration.

Hello @KStoller-WMF - As I prepare for this review, could you kindly provide your project timeline? In particular, I'm interested in whether you have any imminent plans to release a substantial amount of code or introduce new features. This information will help me decide whether to wait for those updates and include them in my review.

Jan 19 2024, 6:12 PM · Growth-Team (Sprint 10 (Growth Team)), CommunityConfiguration, secscrum, Security, Application Security Reviews
mmartorana changed the point value for T352743: Test CVSS against SSVC theory from 8 to 4.

Hi @Cleo_Lemoisson - Following our discussion with @acooper yesterday, @Mstyles and I plan to collaborate on developing our custom theoretical implementation of the SSVC framework. This effort aims to assess and compare the risk rating results with the CVSS score already calculated.

Jan 19 2024, 10:58 AM · risk-rating-toolkit

Jan 18 2024

mmartorana added a comment to T335004: Check existing and planned plugins for WikimediaFoundation.org.

Hi @SCampos-WMF - Thanks for letting us know. The security posture is improved, and I see that you have a plan to address the remaining issues. I can now assign a low risk score.

Jan 18 2024, 4:36 PM · secscrum, Application Security Reviews, wikimediafoundation.org, Security, Security-Team
mmartorana updated the task description for T347659: Write and send supplementary release announcement for extensions and skins with security patches (1.35.14/1.39.6/1.40.2/1.41.0).
Jan 18 2024, 10:17 AM · user-sbassett, SecTeam-Processed, MediaWiki-Releasing, Security

Jan 17 2024

mmartorana changed the visibility for T347659: Write and send supplementary release announcement for extensions and skins with security patches (1.35.14/1.39.6/1.40.2/1.41.0).
Jan 17 2024, 5:35 PM · user-sbassett, SecTeam-Processed, MediaWiki-Releasing, Security
mmartorana changed the visibility for T347742: CVE-2024-23176: MassMessage i18n key massmessage-form-page-help allows i18n-xss.
Jan 17 2024, 5:34 PM · MW-1.39-notes, MW-1.41-notes, MW-1.40-notes, MW-1.42-notes (1.42.0-wmf.15; 2024-01-23), Security-Team, user-sbassett, Patch-For-Review, Vuln-XSS, SecTeam-Processed, MassMessage, Security
mmartorana changed the visibility for T353138: CVE-2024-23175: FlexDiagrams XSS bug.
Jan 17 2024, 5:34 PM · SecTeam-Processed, Vuln-XSS, security-bug, Security, MediaWiki-extensions-FlexDiagrams
mmartorana closed T347659: Write and send supplementary release announcement for extensions and skins with security patches (1.35.14/1.39.6/1.40.2/1.41.0) as Resolved.

Supplemental announcement is out!

Jan 17 2024, 5:33 PM · user-sbassett, SecTeam-Processed, MediaWiki-Releasing, Security
mmartorana closed T347659: Write and send supplementary release announcement for extensions and skins with security patches (1.35.14/1.39.6/1.40.2/1.41.0), a subtask of T347649: Release MediaWiki 1.35.14/1.39.6/1.40.2/1.41.0, as Resolved.
Jan 17 2024, 5:33 PM · MediaWiki-Releasing, Security
mmartorana closed T347742: CVE-2024-23176: MassMessage i18n key massmessage-form-page-help allows i18n-xss as Resolved.
Jan 17 2024, 5:22 PM · MW-1.39-notes, MW-1.41-notes, MW-1.40-notes, MW-1.42-notes (1.42.0-wmf.15; 2024-01-23), Security-Team, user-sbassett, Patch-For-Review, Vuln-XSS, SecTeam-Processed, MassMessage, Security
mmartorana updated the task description for T347659: Write and send supplementary release announcement for extensions and skins with security patches (1.35.14/1.39.6/1.40.2/1.41.0).
Jan 17 2024, 5:20 PM · user-sbassett, SecTeam-Processed, MediaWiki-Releasing, Security
mmartorana committed rEWAN60007b9a4e0d: [SECURITY] Escape the 'page' URL parameter value before outputting it (authored by ashley).
[SECURITY] Escape the 'page' URL parameter value before outputting it
Jan 17 2024, 4:25 PM
mmartorana committed rEPHNb3085aa58a78: PhonosButton: use text() instead of append() (authored by MusikAnimal).
PhonosButton: use text() instead of append()
Jan 17 2024, 4:19 PM
mmartorana renamed T353138: CVE-2024-23175: FlexDiagrams XSS bug from FlexDiagrams XSS bug to CVE-2024-23175: FlexDiagrams XSS bug.
Jan 17 2024, 4:19 PM · SecTeam-Processed, Vuln-XSS, security-bug, Security, MediaWiki-extensions-FlexDiagrams
mmartorana renamed T349312: CVE-2024-23178: XSS in Phonos via the phonos-purge-needed-error message from XSS in Phonos via the phonos-purge-needed-error message to CVE-2024-23178: XSS in Phonos via the phonos-purge-needed-error message.
Jan 17 2024, 4:17 PM · MW-1.41-notes, MW-1.42-notes (1.42.0-wmf.1; 2023-10-17), Community-Tech (CommTech-Kanban), MediaWiki-extensions-Phonos, Vuln-XSS, Security, Security-Team
mmartorana renamed T348979: CVE-2024-23177: WatchAnalytics: classic XSS on Special:PageStatistics with the 'page' URL parameter from WatchAnalytics: classic XSS on Special:PageStatistics with the 'page' URL parameter to CVE-2024-23177: WatchAnalytics: classic XSS on Special:PageStatistics with the 'page' URL parameter.
Jan 17 2024, 4:17 PM · SecTeam-Processed, Vuln-XSS, MediaWiki-extensions-WatchAnalytics, Security
mmartorana renamed T347746: CVE-2024-23179: GlobalBlocking subtitle links have i18n-xss via the parentheses message from GlobalBlocking subtitle links have i18n-xss via the parentheses message to CVE-2024-23179: GlobalBlocking subtitle links have i18n-xss via the parentheses message.
Jan 17 2024, 4:16 PM · Security-Team, Vuln-XSS, SecTeam-Processed, GlobalBlocking, Security
mmartorana renamed T347742: CVE-2024-23176: MassMessage i18n key massmessage-form-page-help allows i18n-xss from MassMessage i18n key massmessage-form-page-help allows i18n-xss to CVE-2024-23176: MassMessage i18n key massmessage-form-page-help allows i18n-xss.
Jan 17 2024, 4:16 PM · MW-1.39-notes, MW-1.41-notes, MW-1.40-notes, MW-1.42-notes (1.42.0-wmf.15; 2024-01-23), Security-Team, user-sbassett, Patch-For-Review, Vuln-XSS, SecTeam-Processed, MassMessage, Security
mmartorana updated the task description for T347659: Write and send supplementary release announcement for extensions and skins with security patches (1.35.14/1.39.6/1.40.2/1.41.0).
Jan 17 2024, 4:11 PM · user-sbassett, SecTeam-Processed, MediaWiki-Releasing, Security
mmartorana claimed T347659: Write and send supplementary release announcement for extensions and skins with security patches (1.35.14/1.39.6/1.40.2/1.41.0).

Subject: MediaWiki Extensions and Skins Security Release Supplement (1.35.14/1.39.6/1.40.2/1.41.0)

Jan 17 2024, 4:09 PM · user-sbassett, SecTeam-Processed, MediaWiki-Releasing, Security
mmartorana committed rEFLD7d40f00ef55c: Add more escaping of text (authored by Yaron_Koren).
Add more escaping of text
Jan 17 2024, 3:52 PM
mmartorana updated the task description for T347659: Write and send supplementary release announcement for extensions and skins with security patches (1.35.14/1.39.6/1.40.2/1.41.0).
Jan 17 2024, 3:43 PM · user-sbassett, SecTeam-Processed, MediaWiki-Releasing, Security
mmartorana updated the task description for T347659: Write and send supplementary release announcement for extensions and skins with security patches (1.35.14/1.39.6/1.40.2/1.41.0).
Jan 17 2024, 3:40 PM · user-sbassett, SecTeam-Processed, MediaWiki-Releasing, Security
mmartorana committed rEFLD6b95a3edb491: Add more escaping of text (authored by Yaron_Koren).
Add more escaping of text
Jan 17 2024, 3:38 PM
mmartorana updated the task description for T347659: Write and send supplementary release announcement for extensions and skins with security patches (1.35.14/1.39.6/1.40.2/1.41.0).
Jan 17 2024, 3:35 PM · user-sbassett, SecTeam-Processed, MediaWiki-Releasing, Security
mmartorana updated the task description for T347659: Write and send supplementary release announcement for extensions and skins with security patches (1.35.14/1.39.6/1.40.2/1.41.0).
Jan 17 2024, 3:22 PM · user-sbassett, SecTeam-Processed, MediaWiki-Releasing, Security
mmartorana updated the task description for T347659: Write and send supplementary release announcement for extensions and skins with security patches (1.35.14/1.39.6/1.40.2/1.41.0).
Jan 17 2024, 3:21 PM · user-sbassett, SecTeam-Processed, MediaWiki-Releasing, Security

Jan 10 2024

mmartorana added a comment to T335004: Check existing and planned plugins for WikimediaFoundation.org.

Hi @SCampos-WMF - What's the progress on the remediation plan? Kindly provide an update so that we can prevent adding it to our risk registry. Thank you.

Jan 10 2024, 10:11 AM · secscrum, Application Security Reviews, wikimediafoundation.org, Security, Security-Team
mmartorana closed T350900: Application Security Review Request : Extension:WikimediaCampaignEvents as Resolved.

Hi @VPuffetMichel - I submitted the review on December 22, Friday. The risk was assessed as low risk, so there's no further action needed from your end. Appreciate it.

Jan 10 2024, 10:07 AM · Campaign-Tools, WikimediaCampaignEvents, secscrum, Security, Application Security Reviews
mmartorana closed T350900: Application Security Review Request : Extension:WikimediaCampaignEvents, a subtask of T347896: Prepare the WikimediaCampaignEvents extension for deployment, as Resolved.
Jan 10 2024, 10:07 AM · Campaign-Tools (Campaign-Tools-Current-Sprint), WikimediaCampaignEvents, Campaign-Registration

Jan 8 2024

mmartorana added a comment to T347659: Write and send supplementary release announcement for extensions and skins with security patches (1.35.14/1.39.6/1.40.2/1.41.0).

Assigned CVE and backport duties for this report:

Jan 8 2024, 5:47 PM · user-sbassett, SecTeam-Processed, MediaWiki-Releasing, Security

Dec 22 2023

mmartorana added a comment to T350900: Application Security Review Request : Extension:WikimediaCampaignEvents.

Thanks for the review!

The codebase is generally clean; however, it does involve some usage, although discouraged, of the service locator pattern. Although this approach might not be optimal for testing and maintaining code, there are situations where it can be beneficial. I'm curious to understand the reasoning behind its choice.

Where did you see those? I'm unable to find any static service access in the code base.

Dec 22 2023, 6:32 PM · Campaign-Tools, WikimediaCampaignEvents, secscrum, Security, Application Security Reviews
mmartorana moved T350900: Application Security Review Request : Extension:WikimediaCampaignEvents from In Progress to Our Part Is Done on the secscrum board.

Security Review Summary - T350900 - 2023-11-22
Last commit reviewed: be04cea

Dec 22 2023, 5:01 PM · Campaign-Tools, WikimediaCampaignEvents, secscrum, Security, Application Security Reviews

Dec 21 2023

mmartorana closed T241451: Security Review For SpamRegex extension as Resolved.

Hey @Aklapper - Since there are no plans to deploy that in production, I am now resolving this task.

Dec 21 2023, 5:43 PM · secscrum, Application Security Reviews, SpamRegex, User-DannyS712
mmartorana closed T241451: Security Review For SpamRegex extension, a subtask of T241450: Deploy 'SpamRegex' extension on beta cluster, as Resolved.
Dec 21 2023, 5:43 PM · SpamRegex, Wikimedia-extension-review-queue, User-DannyS712, Wikimedia-Extension-setup

Dec 20 2023

mmartorana changed the point value for T348548: Provide use case about specific workflow in documentation from 1 to 4.
Dec 20 2023, 6:12 PM · SecTeam-Processed, Security, GitLab-Application-Security-Pipeline
mmartorana closed T348548: Provide use case about specific workflow in documentation as Resolved.

The Risk acceptance section has been created and added to the documentation.

Dec 20 2023, 6:12 PM · SecTeam-Processed, Security, GitLab-Application-Security-Pipeline
mmartorana closed T348548: Provide use case about specific workflow in documentation, a subtask of T342177: [EPIC] Application Security Pipeline Components for Gitlab - Phase 2 Work, as Resolved.
Dec 20 2023, 6:12 PM · user-sbassett, SecTeam-Processed, Security-Team, Security, GitLab-Application-Security-Pipeline
mmartorana changed the status of T353819: Allow Gitlab CI OSV template to fail from Open to In Progress.
Dec 20 2023, 4:27 PM · SecTeam-Processed, Security-Team, Security, GitLab-Application-Security-Pipeline
mmartorana changed the status of T353819: Allow Gitlab CI OSV template to fail, a subtask of T342177: [EPIC] Application Security Pipeline Components for Gitlab - Phase 2 Work, from Open to In Progress.
Dec 20 2023, 4:27 PM · user-sbassett, SecTeam-Processed, Security-Team, Security, GitLab-Application-Security-Pipeline
mmartorana created T353819: Allow Gitlab CI OSV template to fail.
Dec 20 2023, 4:26 PM · SecTeam-Processed, Security-Team, Security, GitLab-Application-Security-Pipeline

Dec 19 2023

mmartorana closed T346802: Update on-wiki documentation for the AppSec Pipeline for phase 2 work, a subtask of T342177: [EPIC] Application Security Pipeline Components for Gitlab - Phase 2 Work, as Resolved.
Dec 19 2023, 4:09 PM · user-sbassett, SecTeam-Processed, Security-Team, Security, GitLab-Application-Security-Pipeline
mmartorana closed T346802: Update on-wiki documentation for the AppSec Pipeline for phase 2 work as Resolved.
Dec 19 2023, 4:09 PM · Documentation, SecTeam-Processed, Security-Team, Security, GitLab-Application-Security-Pipeline
mmartorana updated the task description for T346802: Update on-wiki documentation for the AppSec Pipeline for phase 2 work.
Dec 19 2023, 4:09 PM · Documentation, SecTeam-Processed, Security-Team, Security, GitLab-Application-Security-Pipeline
mmartorana updated the task description for T346802: Update on-wiki documentation for the AppSec Pipeline for phase 2 work.
Dec 19 2023, 4:07 PM · Documentation, SecTeam-Processed, Security-Team, Security, GitLab-Application-Security-Pipeline
mmartorana updated the task description for T346802: Update on-wiki documentation for the AppSec Pipeline for phase 2 work.
Dec 19 2023, 4:03 PM · Documentation, SecTeam-Processed, Security-Team, Security, GitLab-Application-Security-Pipeline

Dec 14 2023

mmartorana updated the task description for T346802: Update on-wiki documentation for the AppSec Pipeline for phase 2 work.
Dec 14 2023, 3:51 PM · Documentation, SecTeam-Processed, Security-Team, Security, GitLab-Application-Security-Pipeline
mmartorana updated the task description for T338034: Address issues within certain Gitlab CI security templates.
Dec 14 2023, 3:49 PM · Patch-For-Review, SecTeam-Processed, Security-Team, GitLab-Application-Security-Pipeline, Security Team AppSec, Security
mmartorana changed the status of T352877: Several efficiency errors in wbsearchentities API compound to long execution time and many database queries from Open to In Progress.
Dec 14 2023, 2:56 PM · SecTeam-Processed, security-bug, Vuln-DoS, MediaWiki-extensions-WikibaseRepository, wmde-wikidata-tech, Wikidata, Security, Security-Team

Dec 13 2023

mmartorana added a comment to T338238: Use Gitlab Security Pipeline for ipoid.

Hi @kostajh - I have created this merge request, please review it and let me know your thoughts.

Dec 13 2023, 3:52 PM · Patch-For-Review, Release-Engineering-Team (Radar), Security-Team, Anti-Harassment, iPoid-Service

Dec 8 2023

mmartorana updated the task description for T346802: Update on-wiki documentation for the AppSec Pipeline for phase 2 work.
Dec 8 2023, 4:54 PM · Documentation, SecTeam-Processed, Security-Team, Security, GitLab-Application-Security-Pipeline
mmartorana updated the task description for T346802: Update on-wiki documentation for the AppSec Pipeline for phase 2 work.
Dec 8 2023, 4:53 PM · Documentation, SecTeam-Processed, Security-Team, Security, GitLab-Application-Security-Pipeline
mmartorana updated the task description for T346802: Update on-wiki documentation for the AppSec Pipeline for phase 2 work.
Dec 8 2023, 4:43 PM · Documentation, SecTeam-Processed, Security-Team, Security, GitLab-Application-Security-Pipeline

Dec 7 2023

mmartorana set the point value for T350900: Application Security Review Request : Extension:WikimediaCampaignEvents to 16.
Dec 7 2023, 3:47 PM · Campaign-Tools, WikimediaCampaignEvents, secscrum, Security, Application Security Reviews
mmartorana set the point value for T348548: Provide use case about specific workflow in documentation to 1.
Dec 7 2023, 3:45 PM · SecTeam-Processed, Security, GitLab-Application-Security-Pipeline
mmartorana set the point value for T338034: Address issues within certain Gitlab CI security templates to 2.
Dec 7 2023, 3:45 PM · Patch-For-Review, SecTeam-Processed, Security-Team, GitLab-Application-Security-Pipeline, Security Team AppSec, Security
mmartorana set the point value for T346802: Update on-wiki documentation for the AppSec Pipeline for phase 2 work to 4.
Dec 7 2023, 3:44 PM · Documentation, SecTeam-Processed, Security-Team, Security, GitLab-Application-Security-Pipeline
mmartorana set the point value for T338238: Use Gitlab Security Pipeline for ipoid to 8.
Dec 7 2023, 3:43 PM · Patch-For-Review, Release-Engineering-Team (Radar), Security-Team, Anti-Harassment, iPoid-Service
mmartorana changed the status of T352743: Test CVSS against SSVC theory from Open to In Progress.
Dec 7 2023, 11:44 AM · risk-rating-toolkit

Nov 27 2023

mmartorana closed T309997: Implement an outdated modules check for golang , a subtask of T342177: [EPIC] Application Security Pipeline Components for Gitlab - Phase 2 Work, as Resolved.
Nov 27 2023, 10:34 AM · user-sbassett, SecTeam-Processed, Security-Team, Security, GitLab-Application-Security-Pipeline
mmartorana closed T309997: Implement an outdated modules check for golang as Resolved.
Nov 27 2023, 10:34 AM · GitLab-Application-Security-Pipeline, Security, Security Team AppSec, Security-Team

Nov 21 2023

mmartorana updated the task description for T346802: Update on-wiki documentation for the AppSec Pipeline for phase 2 work.
Nov 21 2023, 3:12 PM · Documentation, SecTeam-Processed, Security-Team, Security, GitLab-Application-Security-Pipeline

Oct 11 2023

mmartorana added a comment to T335004: Check existing and planned plugins for WikimediaFoundation.org.

Hi @Varnent - Do you have any plan to mitigate these issues?

Oct 11 2023, 5:22 PM · secscrum, Application Security Reviews, wikimediafoundation.org, Security, Security-Team

Oct 10 2023

mmartorana renamed T344923: CVE-2023-45367: User can store arbitrary number of rows in cu_useragent_clienthints from User can store arbitrary number of rows in cu_useragent_clienthints to CVE-2023-45367: User can store arbitrary number of rows in cu_useragent_clienthints.
Oct 10 2023, 5:29 PM · http-client-hints (Release 0 (Pilot wikis)), MW-1.41-notes (1.41.0-wmf.25; 2023-09-05), Anti-Harassment (AHaT Sprint 32 - Baseball Cap), SecTeam-Processed, Vuln-DoS, CheckUser, Security, Security-Team