In T361956#9736949, @cscott wrote:

For all of these three things, it would be avoided if we were doing full expansion of custom properties and then sanitizing *the result*, but that's not how this patch works (and it's not really how CSS custom properties are designed to work).

@tchin - Has this project been discussed across the WMF/Community? Especially with SRE, who would need to support deployments of services that will use this new template? I'm just trying to understand what kind of consensus exists for this being the de facto replacement for service-runner. I know we don't really have a functioning tech-decision-forum or RFC process at the moment (AIUI) but this seems like something that would be a good candidate for wider review.

In T355161#9715623, @Iniquity wrote:

Do I understand correctly that with the current state of affairs, this request can be processed for several years? And is it easier for me to forget about this request and not plan any work for the coming years?

We could likely still do a quick scan of the repo just to make sure there aren't any vulnerable dependencies, secret leaks or obvious issues from static analysis. The only other concern I might have is that the $wgNetworkSessionProviderUsers config obviously needs to be kept in a private repository or config somewhere (PrivateSettings.php, etc.)

In T355161#9715467, @Iniquity wrote:

Is there any time frame for when this task will be taken on?

In T355161#9708335, @Iniquity wrote:

@sbassett Hello! I see you have already created a pool of extensions for testing? Are we missing this quarter too? How long should we wait? Are there any criteria or something like that?
https://www.mediawiki.org/wiki/Wikimedia_Security_Team/Security_Review_Planning/2024-04-08

Confirmed user has Phab MFA enabled:

In T272297#9700700, @stjn wrote:

This continuously causes issues with user scripts after any rename, I am asking someone from Security-Team to take time to review the patch provided.

This is done and has been reported via an internal Google sheet.

Hey @kostajh - Just wanted to check in and see if ext:IPReputation is ready for review or if you're planning any large, meaningful development cycles soon (and I should wait a bit). Thanks.

In T356764#9701739, @Lucas_Werkmeister_WMDE wrote:

I think we can make this task public now? As far as I understand, the release happened and T353904 only remains open because the CVEs haven’t been assigned yet.

In T359087#9699828, @Aklapper wrote:

Taking a step back, could someone point to docs which functionality this account provides? Is there any custom code involved somewhere, or is this "just" about email notifications into Asana? I see that it is a member of acl*security and acl*security_secteam...

In T349569#9699086, @egardner wrote:

Hey @sbassett – I reached out to the maintainer just before a 2-week stint of travel (which I am now back from). Sounds like he would welcome a PR but doesn't see this as a huge priority since the package in question is a dev dependency instead of a runtime one.

In T349569#9647538, @egardner wrote:

In T349569#9646835, @sbassett wrote:

It'd probably be best to follow their security policy first: https://github.com/floating-ui/floating-ui/security. And hope they are responsive.

Oh, good catch. I can reach out to the developer at the email address provided and let him know about the Vite issue. I can report back here if he responds.

From a mostly AppSec perspective, I'd vote for CycloneDX. It's supported by the org I'm most familiar with (OWASP) and the tooling is far more robust, at least for now. Would it be a big deal for AppSec interests if we went with SPDX? Probably not, so I'd definitely need to qualify this as more of a light preference.

I'd like to add more tests, but the basic cli is done now.

In T361452#9686743, @Samwilson wrote:

Also, why is escapeIdForAttribute() "not guaranteed to be HTML safe"? What other ID attribute is it intended for, that needs to be able to contain angle brackets etc.? Is it because some XML dialects permit more characters in IDs than HTML does? It looks like a bunch of skins are doing similar things to Foreground here, so it does seem a confusingly named function.

New tag: https://gitlab.wikimedia.org/repos/security/wikimedia-code-health-check/-/tags/0.1.4

In T359634#9682494, @Ladsgroup wrote:

Does that sound good to you as the first step?

Since this skin isn't deployed or bundled, the vulnerability (and hopefully merged patch) will be (re)announced via the next supplemental security release: T361321.

Since this skin isn't deployed or bundled, the proposed patch can go through gerrit at any time. It will be (re)announced via the next supplemental security release: T361321.

@elukey @Ladsgroup - Sounds like we can make this public now?

In T361482#9676929, @Dbrant wrote:

@sbassett I'm not sure this requires custom policy or Security tags. It sounds like the user is simply having trouble changing their password and/or logging in, and decided to report to security@.