
sbassett (Scott Bassett)
Application Security Engineer

User Details

User Since
Sep 12 2018, 3:52 PM (128 w, 1 d)
Availability
Available
IRC Nick
sbassett
LDAP User
SBassett
MediaWiki User
SBassett (WMF)

Member of the Security-Team. My user-sbassett board should be fairly up-to-date, though we also track some other work within Asana these days.

Recent Activity

Yesterday

sbassett removed a project from T275669: Checkuser stores users to cu_log with trailing spaces, allowing all CUs to turn off Special:CheckuserLog at will: Patch-For-Review.
Thu, Feb 25, 10:35 PM · MW-1.36-notes (1.36.0-wmf.33; 2021-03-02), User-Urbanecm, CheckUser, Security, Security-Team
sbassett moved T275669: Checkuser stores users to cu_log with trailing spaces, allowing all CUs to turn off Special:CheckuserLog at will from Incoming to Watching on the Security-Team board.
Thu, Feb 25, 10:35 PM · MW-1.36-notes (1.36.0-wmf.33; 2021-03-02), User-Urbanecm, CheckUser, Security, Security-Team
sbassett added a comment to T275669: Checkuser stores users to cu_log with trailing spaces, allowing all CUs to turn off Special:CheckuserLog at will.

Merged them.

Thu, Feb 25, 10:31 PM · MW-1.36-notes (1.36.0-wmf.33; 2021-03-02), User-Urbanecm, CheckUser, Security, Security-Team
sbassett added a comment to T275669: Checkuser stores users to cu_log with trailing spaces, allowing all CUs to turn off Special:CheckuserLog at will.

I kept these as separate patches for the backports so as to (hopefully) make reverting the first patch easier, if and when that's needed. These don't cleanly apply to REL1_35 and REL1_31, mainly due to directory/file name refactoring, but I can work on new patches for those, post them here and then push them up to gerrit for review/merge.

Thu, Feb 25, 5:30 PM · MW-1.36-notes (1.36.0-wmf.33; 2021-03-02), User-Urbanecm, CheckUser, Security, Security-Team
sbassett lowered the priority of T275669: Checkuser stores users to cu_log with trailing spaces, allowing all CUs to turn off Special:CheckuserLog at will from High to Low.
Thu, Feb 25, 5:17 PM · MW-1.36-notes (1.36.0-wmf.33; 2021-03-02), User-Urbanecm, CheckUser, Security, Security-Team
sbassett changed the visibility for T275669: Checkuser stores users to cu_log with trailing spaces, allowing all CUs to turn off Special:CheckuserLog at will.
Thu, Feb 25, 5:17 PM · MW-1.36-notes (1.36.0-wmf.33; 2021-03-02), User-Urbanecm, CheckUser, Security, Security-Team
sbassett added a comment to T275704: Fix data inconsistency in cu_log: Remove trailing spaces.

I can add a query to detect whether there are any broken entries, to avoid going through everything.

Thu, Feb 25, 4:44 PM · User-Urbanecm, CheckUser, Security, Security-Team
sbassett added a comment to T275704: Fix data inconsistency in cu_log: Remove trailing spaces.

+1 to the updated patch above, I assume that'll go through gerrit once T275669 is public (which I plan to do today, along with the backports). Do we have any idea what other projects this might need to be run on besides loginwiki, testwiki and enwiki?

Thu, Feb 25, 3:44 PM · User-Urbanecm, CheckUser, Security, Security-Team

Wed, Feb 24

sbassett moved T275669: Checkuser stores users to cu_log with trailing spaces, allowing all CUs to turn off Special:CheckuserLog at will from Incoming to Watching on the Security-Team board.
Wed, Feb 24, 7:04 PM · MW-1.36-notes (1.36.0-wmf.33; 2021-03-02), User-Urbanecm, CheckUser, Security, Security-Team
sbassett updated subscribers of T275669: Checkuser stores users to cu_log with trailing spaces, allowing all CUs to turn off Special:CheckuserLog at will.

+1 to the patches above. I assume Linker::userLink( $row->cul_target_id, $row->cul_target_text ) in LogPager doesn't need a trim because of https://gerrit.wikimedia.org/g/mediawiki/core/+/21ab535b83b97866cb9b79dcede95e8b7c32858f/includes/Linker.php#914. I guess feel free to deploy these unless you want @Reedy or I to do so instead.

Wed, Feb 24, 7:04 PM · MW-1.36-notes (1.36.0-wmf.33; 2021-03-02), User-Urbanecm, CheckUser, Security, Security-Team
sbassett moved T274107: Horizon shows me buttons to do dangerous things on the `tools` project from Watching to Our Part Is Done on the Security-Team board.
Wed, Feb 24, 3:22 PM · SecTeam-Processed, Horizon, cloud-services-team (Kanban), Security, Security-Team
sbassett moved T274107: Horizon shows me buttons to do dangerous things on the `tools` project from Backlog to Upstream on the Horizon board.
Wed, Feb 24, 3:22 PM · SecTeam-Processed, Horizon, cloud-services-team (Kanban), Security, Security-Team
sbassett lowered the priority of T274107: Horizon shows me buttons to do dangerous things on the `tools` project from Unbreak Now! to Low.
Wed, Feb 24, 3:22 PM · SecTeam-Processed, Horizon, cloud-services-team (Kanban), Security, Security-Team
sbassett added a comment to T274107: Horizon shows me buttons to do dangerous things on the `tools` project.

Upstream does not treat this as a security issue, can this task be made public?

Wed, Feb 24, 3:22 PM · SecTeam-Processed, Horizon, cloud-services-team (Kanban), Security, Security-Team

Tue, Feb 23

sbassett added a comment to T275402: Security Readiness Review For UseResource.

@Aklapper - a number of items from the Security-Team's perspective. For starters: there's no estimated deployment date which is a hard requirement for us to schedule reviews. It also doesn't satisfy a number of requirements for higher priority or status as described within the "What type of project or code triggers this review process?" and "How are these requests prioritized?" sections of the current security readiness review SOP. There are also questions above as to whether this extension would be the best approach for the current indicated problem. Given all of that, this review will have to be very low-priority for the Security-Team. If you'd like to change the task to "Open", I guess that's fine, though it won't really change how the Security-Team currently views this task.

Tue, Feb 23, 7:03 PM · MediaWiki-extensions-UseResource, Security, secscrum, Security Readiness Reviews
sbassett changed the status of T275402: Security Readiness Review For UseResource from Open to Stalled.
Tue, Feb 23, 5:48 PM · MediaWiki-extensions-UseResource, Security, secscrum, Security Readiness Reviews
sbassett changed the status of T275402: Security Readiness Review For UseResource, a subtask of T275403: Deploy 'UseResource' extension on MediaWiki wikis, from Open to Stalled.
Tue, Feb 23, 5:48 PM · MediaWiki-extensions-UseResource, Wikimedia-extension-review-queue, Wikimedia-Extension-setup

Mon, Feb 22

sbassett updated the task description for T254201: Compile, organize and schedule various Wikimedia security-related user audits.
Mon, Feb 22, 10:09 PM · Security-Team, Wikimedia-GitHub, user-sbassett
sbassett updated the task description for T271991: Add StopForumSpam to patchdemo tool.
Mon, Feb 22, 10:04 PM · Patch-For-Review, user-sbassett, MediaWiki-extensions-StopForumSpam
sbassett moved T271991: Add StopForumSpam to patchdemo tool from Backlog to In Progress on the user-sbassett board.
Mon, Feb 22, 10:03 PM · Patch-For-Review, user-sbassett, MediaWiki-extensions-StopForumSpam
sbassett moved T271991: Add StopForumSpam to patchdemo tool from Backlog to In Progress on the MediaWiki-extensions-StopForumSpam board.

Pull request created: https://github.com/MatmaRex/patchdemo/pull/241

Mon, Feb 22, 10:03 PM · Patch-For-Review, user-sbassett, MediaWiki-extensions-StopForumSpam
sbassett removed a project from T274883: Parse warnings shown in plain wikitext with live preview: Patch-For-Review.
Mon, Feb 22, 9:14 PM · MW-1.36-notes (1.36.0-wmf.33; 2021-03-02), Patch-For-Review, SecTeam-Processed, Security-Team, Security, MediaWiki-Page-editing
sbassett moved T274883: Parse warnings shown in plain wikitext with live preview from Security Patch To Deploy to Our Part Is Done on the Security-Team board.
Mon, Feb 22, 9:13 PM · MW-1.36-notes (1.36.0-wmf.33; 2021-03-02), Patch-For-Review, SecTeam-Processed, Security-Team, Security, MediaWiki-Page-editing
sbassett triaged T274883: Parse warnings shown in plain wikitext with live preview as Low priority.

The first patch (0001-SECURITY-Escape-the-wikitext-of-parse-warning-messag.patch) has been deployed to wmf.31. Logstash seems fine and the issue seems resolved testing the formerly problematic previews on enwiki Wikipedia:Sandbox. I'm going to track this issue on the next security release tracking task, just so we don't forget about it, in case it causes any issues later. @matmarex - it should be fine to push the second patch up to gerrit now, I'll make this task public shortly.

Mon, Feb 22, 9:11 PM · MW-1.36-notes (1.36.0-wmf.33; 2021-03-02), Patch-For-Review, SecTeam-Processed, Security-Team, Security, MediaWiki-Page-editing
sbassett added a parent task for T274883: Parse warnings shown in plain wikitext with live preview: Unknown Object (Task).
Mon, Feb 22, 9:07 PM · MW-1.36-notes (1.36.0-wmf.33; 2021-03-02), Patch-For-Review, SecTeam-Processed, Security-Team, Security, MediaWiki-Page-editing
sbassett updated the task description for T274682: Security Readiness Review For Wikifunctions.
Mon, Feb 22, 6:48 PM · Abstract Wikipedia (Phase δ), user-sbassett, Security, secscrum, Security Readiness Reviews
sbassett updated the task description for T275047: Create webpack security standard for MediaWiki development.
Mon, Feb 22, 5:55 PM · JavaScript, SecTeam-Processed, Documentation, Security-Team
sbassett moved T275047: Create webpack security standard for MediaWiki development from Incoming to Back Orders on the Security-Team board.
Mon, Feb 22, 4:27 PM · JavaScript, SecTeam-Processed, Documentation, Security-Team
sbassett added a project to T125289: Auth tokens should expire: SecTeam-Processed.
Mon, Feb 22, 4:17 PM · SecTeam-Processed, Security, MediaWiki-Authentication-and-authorization, MediaWiki-extensions-CentralAuth
sbassett changed the visibility for T125289: Auth tokens should expire.
Mon, Feb 22, 4:16 PM · SecTeam-Processed, Security, MediaWiki-Authentication-and-authorization, MediaWiki-extensions-CentralAuth
sbassett removed a project from T125289: Auth tokens should expire: Security-Team.

Seeking input from Security-Team hence adding tag

Mon, Feb 22, 4:15 PM · SecTeam-Processed, Security, MediaWiki-Authentication-and-authorization, MediaWiki-extensions-CentralAuth

Fri, Feb 19

sbassett added a comment to T242821: Separate access to tools and test features from ability to view private filters.

Not saying anything is broken now, or even with this patch.

Fri, Feb 19, 7:28 PM · MW-1.36-notes (1.36.0-wmf.32; 2021-02-23), AbuseFilter (Overhaul-2020), Security, MediaWiki-User-management, User-DannyS712, Security-Team
sbassett added a comment to T242821: Separate access to tools and test features from ability to view private filters.

As a reminder, Special:AbuseFilter/test still allows you to view private filters with a URL like https://en.wikipedia.org/wiki/Special:AbuseFilter/test/2.

Fri, Feb 19, 7:18 PM · MW-1.36-notes (1.36.0-wmf.32; 2021-02-23), AbuseFilter (Overhaul-2020), Security, MediaWiki-User-management, User-DannyS712, Security-Team
sbassett added a comment to T257066: Extension:Score / Lilypond is disabled on all wikis.

So… we're currently waiting for a suitable volunteer to materialize out of thin air to address an issue whose details are not public for security reasons? And in the meantime we have many thousand broken pages across multiple projects and all we can do is bleed contributors in those areas?

Fri, Feb 19, 3:55 PM · MW-1.36-notes (1.36.0-wmf.26; 2021-01-12), User-notice, Security-Team, Security, Wikimedia-General-or-Unknown, MediaWiki-extensions-Score, SRE

Thu, Feb 18

sbassett moved T275142: Security Access Request - Phabricator - Tobias Klausmann from Incoming to Our Part Is Done on the Security-Team board.
Thu, Feb 18, 6:12 PM · SecTeam-Processed, Security-Team, Security
sbassett updated subscribers of T271463: Refactor PermissionManager into Authority.
Thu, Feb 18, 5:21 PM · Platform Team Workboards (MW Expedition)
sbassett updated the task description for T274682: Security Readiness Review For Wikifunctions.
Thu, Feb 18, 4:37 PM · Abstract Wikipedia (Phase δ), user-sbassett, Security, secscrum, Security Readiness Reviews
sbassett updated the task description for T274682: Security Readiness Review For Wikifunctions.
Thu, Feb 18, 4:36 PM · Abstract Wikipedia (Phase δ), user-sbassett, Security, secscrum, Security Readiness Reviews
sbassett moved T274736: Grafana may allow access to API unauthenticated from Backlog to Patch merged upstream on the Upstream board.
Thu, Feb 18, 4:23 PM · Upstream, Security-Team, User-RhinosF1, Vuln-DoS, observability, Security
sbassett changed the visibility for T274736: Grafana may allow access to API unauthenticated.
Thu, Feb 18, 4:23 PM · Upstream, Security-Team, User-RhinosF1, Vuln-DoS, observability, Security
sbassett moved T274736: Grafana may allow access to API unauthenticated from Incoming to Our Part Is Done on the Security-Team board.

I reviewed this task for completeness and PII. Making public now per request from @RhinosF1.

Thu, Feb 18, 4:22 PM · Upstream, Security-Team, User-RhinosF1, Vuln-DoS, observability, Security
sbassett updated the task description for T275142: Security Access Request - Phabricator - Tobias Klausmann.
Thu, Feb 18, 4:17 PM · SecTeam-Processed, Security-Team, Security
sbassett created T275142: Security Access Request - Phabricator - Tobias Klausmann.
Thu, Feb 18, 4:11 PM · SecTeam-Processed, Security-Team, Security

Wed, Feb 17

sbassett added a comment to T275047: Create webpack security standard for MediaWiki development.

Some initial thoughts:

  1. I think the initial standard is: don't. Given the outcomes of the VueJS task force and commitments of various teams at this point, Rollup is likely to be the low-risk, paved-road approach for any JS-related build steps, e.g. T272879 and also a part of SX's current risk mitigation plan at T260236#6825798.
  2. I'm not saying this is a perfect approach, but requiring human-readable (kinda) webpack artifacts with any relevant gerrit cs with the steps I performed and outlined here should be mostly feasible for now. A couple of questions remain as to 1) how long we plan to support this kind of stuff until we... mandate? migration to Rollup and 2) how similar a manual review process Rollup artifacts might require.
Wed, Feb 17, 5:26 PM · JavaScript, SecTeam-Processed, Documentation, Security-Team
sbassett moved T274682: Security Readiness Review For Wikifunctions from Backlog to In Progress on the user-sbassett board.
Wed, Feb 17, 4:11 PM · Abstract Wikipedia (Phase δ), user-sbassett, Security, secscrum, Security Readiness Reviews
sbassett claimed T274682: Security Readiness Review For Wikifunctions.

Hey all - thanks for submitting this review request. As discussed a bit with @Jdforrester-WMF, the security readiness review of the WikiLambda extension will be my primary focus/deliverable for Q3 for the Abstract Wikipedia project. The code currently seems to be in a reasonable state of completion for such a review, though as a lot of code for this project is likely to be quite volatile, I imagine this and the related services might undergo a few different reviews depending upon various deltas. Of course I'd like to keep those to a minimum as much as possible. For the forthcoming node services (orchestrator, executor), I'd imagine those to be ready for review sometime in Q4. Since they are based upon the existing (and what we believe to be reasonably-mature) service-template-node code, I'll likely be most concerned with the various measures to best protect against potential vulnerabilities specifically related to the execution of user-submitted code - though it is important to note that any system which allows for such a feature will always be inherently vulnerable, at least from a conceptual standpoint.

Wed, Feb 17, 4:11 PM · Abstract Wikipedia (Phase δ), user-sbassett, Security, secscrum, Security Readiness Reviews
sbassett changed the status of T274356: Security Readiness Review For maplibre-gl-js from Open to Stalled.

Added to Q4 planning column for Q4 review.

Wed, Feb 17, 3:58 PM · Product-Infrastructure-Team-Backlog, secscrum, Security, Security Readiness Reviews
sbassett triaged T274875: Security Readiness Review For mapbox-gl-leaflet as Low priority.
Wed, Feb 17, 3:57 PM · secscrum, Security Readiness Reviews, Security, Product-Infrastructure-Team-Backlog
sbassett changed the status of T274875: Security Readiness Review For mapbox-gl-leaflet from Open to Stalled.

Added to Q4 planning column for Q4 review.

Wed, Feb 17, 3:57 PM · secscrum, Security Readiness Reviews, Security, Product-Infrastructure-Team-Backlog
sbassett moved T274875: Security Readiness Review For mapbox-gl-leaflet from Incoming to Q4: 2021 Planning Queue on the secscrum board.
Wed, Feb 17, 3:51 PM · secscrum, Security Readiness Reviews, Security, Product-Infrastructure-Team-Backlog
sbassett moved T274883: Parse warnings shown in plain wikitext with live preview from Incoming to Security Patch To Deploy on the Security-Team board.

The bug was introduced in https://gerrit.wikimedia.org/r/c/mediawiki/core/+/597262, which was not in a MediaWiki release yet, so we can probably just deploy the first patch to Wikimedia wikis, and then make this task public again and submit the patches to Gerrit?

Wed, Feb 17, 3:50 PM · MW-1.36-notes (1.36.0-wmf.33; 2021-03-02), Patch-For-Review, SecTeam-Processed, Security-Team, Security, MediaWiki-Page-editing

Tue, Feb 16

sbassett added a project to T272770: Error while usurping an account: SecTeam-Processed.
Tue, Feb 16, 5:14 PM · SecTeam-Processed, MW-1.36-notes (1.36.0-wmf.31; 2021-02-16), User-Urbanecm, Security-Team, Security, User-Ladsgroup, MediaWiki-extensions-CentralAuth, GlobalRename
sbassett moved T272770: Error while usurping an account from In Progress to Our Part Is Done on the Security-Team board.
Tue, Feb 16, 5:14 PM · SecTeam-Processed, MW-1.36-notes (1.36.0-wmf.31; 2021-02-16), User-Urbanecm, Security-Team, Security, User-Ladsgroup, MediaWiki-extensions-CentralAuth, GlobalRename

Fri, Feb 12

sbassett moved T260236: Security Readiness Review For Section Translation from Waiting to Done on the user-sbassett board.
Fri, Feb 12, 8:10 PM · user-sbassett, SectionTranslation, Security, Security Readiness Reviews, secscrum
sbassett updated subscribers of T260236: Security Readiness Review For Section Translation.

@Arrbee et al - Great! I'll link the mitigation plan document within the relevant risk registry entry. Hopefully said registry will become a bit cleaner and feature better automation once it is migrated to our new GRC platform (Archer). But for now this is still a very manual process for the Security-Team. The mitigation plan the Language Team has put together looks good (thanks!) though I did want to provide feedback for a few items:

  1. It would be great if @Reedy and myself could be added to any gerrit change sets which include unminified webpack artifacts and any other relevant JS code as was recently done for WVUI, pre-merge/pre-deployment.
  2. For any vuln-checking/SAST/etc that may occur in CI/CD for SX and its dependencies, it would be great if those results could be 1) protected somewhere and/or 2) relevant change sets were not merged until any resultant risk was either mitigated (by bumping dependencies to known secure versions) or by formal risk acceptance. I understand the first suggestion is, at best, extremely inconvenient given gerrit and its current configuration.
  3. I would imagine that SX could leverage T272879, once completed, though I'm not sure what the timeline estimate is for that task.
Fri, Feb 12, 8:10 PM · user-sbassett, SectionTranslation, Security, Security Readiness Reviews, secscrum
sbassett moved T260236: Security Readiness Review For Section Translation from Waiting to Our Part Is Done on the secscrum board.
Fri, Feb 12, 8:10 PM · user-sbassett, SectionTranslation, Security, Security Readiness Reviews, secscrum
sbassett added a comment to T269517: Security Readiness Review For WatchSubpages.

For a bit more clarification on the comment above and per our security readiness review SOP, the Security-Team would be happy to re-triage this if a few more details can be provided regarding:

  1. A more specific target deployment date.
  2. An intended production support plan, including any potential Foundation team sponsorship.
  3. A working test environment, be that in Mediawiki-Docker, a standalone docker, a cloud installation, patchdemo, perhaps even a beta deployment, etc. While we can in theory just manually install the extension against a local copy of mediawiki, it helps us quite a bit to have an existing development environment with potentially real data to test against.

Thanks.

Fri, Feb 12, 7:57 PM · secscrum, Security Readiness Reviews, MediaWiki-extensions-WatchSubpages
sbassett moved T274356: Security Readiness Review For maplibre-gl-js from Back Orders to Q4: 2021 Planning Queue on the secscrum board.
Fri, Feb 12, 7:48 PM · Product-Infrastructure-Team-Backlog, secscrum, Security, Security Readiness Reviews

Thu, Feb 11

sbassett triaged T274356: Security Readiness Review For maplibre-gl-js as Medium priority.
Thu, Feb 11, 4:39 PM · Product-Infrastructure-Team-Backlog, secscrum, Security, Security Readiness Reviews

Wed, Feb 10

sbassett moved T274107: Horizon shows me buttons to do dangerous things on the `tools` project from Incoming to Watching on the Security-Team board.
Wed, Feb 10, 4:35 PM · SecTeam-Processed, Horizon, cloud-services-team (Kanban), Security, Security-Team

Tue, Feb 9

sbassett added a comment to T272770: Error while usurping an account.

This isn't an issue on any release branch.

...

Yeah the issue has not been released to 3rd parties at all.

Tue, Feb 9, 7:32 PM · SecTeam-Processed, MW-1.36-notes (1.36.0-wmf.31; 2021-02-16), User-Urbanecm, Security-Team, Security, User-Ladsgroup, MediaWiki-extensions-CentralAuth, GlobalRename
sbassett added a comment to T257579: Security Readiness Review For WVUI and Vector dependencies needed for Vue.js search.

All - I believe there are some fairly significant misunderstandings around items related to:

  1. How the Security-Team performs various security reviews
  2. What is included within Security-Team review deliverables
  3. What the Security-Team will and will not review based upon current resources and priorities
  4. The concepts of risk assessment and risk ownership as they relate to various Security-Team reviews
  5. How to best communicate with the Security-Team through our official, documented processes

and likely a few others. We're going to have a few team discussions on some of the comments here with the hope of providing some clarifications to reset certain incorrect expectations and assumptions.

Tue, Feb 9, 7:16 PM · Security Readiness Reviews, WVUI, Readers-Web-Backlog (Kanbanana-FY-2020-21), user-sbassett, secscrum, Security, Vue.js (Vue.js-Search)
sbassett moved T244076: Security Readiness Review For ChessBrowser extension from Watching to Back Orders on the secscrum board.
Tue, Feb 9, 4:37 PM · secscrum, Security Readiness Reviews, Community-Tech, ChessBrowser
sbassett moved T241451: Security Review For SpamRegex extension from Watching to Back Orders on the secscrum board.
Tue, Feb 9, 4:37 PM · SpamRegex, User-DannyS712

Mon, Feb 8

sbassett added a comment to T272770: Error while usurping an account.

This is deployed now.

Mon, Feb 8, 10:37 PM · SecTeam-Processed, MW-1.36-notes (1.36.0-wmf.31; 2021-02-16), User-Urbanecm, Security-Team, Security, User-Ladsgroup, MediaWiki-extensions-CentralAuth, GlobalRename
sbassett added a comment to T273842: Notifications were updated even though session had expired.

Could there be a cache-related security issue here?

Mon, Feb 8, 10:11 PM · Security-Team, MediaWiki-Authentication-and-authorization, Growth-Team, Notifications
sbassett added a comment to T6845: CAPTCHA doesn't work for people with visual impairments.
In T6845#6811866, @MJL wrote:

I'm talking about the line included in challenges:

  • "Audio captchas present a language barrier problem (next to the language script barrier of normal captchas)"

It seems to imply audio captchas are an option but have been dismissed for this reason. If that's the case, could we not just implement them as a stop-gap measure?

Mon, Feb 8, 5:46 PM · Security, ConfirmEdit (CAPTCHA extension), Accessibility, Design, WCAG-Level-A
sbassett moved T272059: Update wgSFSIPListLocation and wgSFSIPListLocationMD5 defaults within StopForumSpam's extension.json from In Progress to Done on the user-sbassett board.
Mon, Feb 8, 5:32 PM · MW-1.36-notes (1.36.0-wmf.30; 2021-02-09), user-sbassett, MediaWiki-extensions-StopForumSpam
sbassett closed T272059: Update wgSFSIPListLocation and wgSFSIPListLocationMD5 defaults within StopForumSpam's extension.json as Resolved.

Resolving for now. The current fix (tx @Reedy) will likely need some adjustment if/when this repo migrates to Gitlab.

Mon, Feb 8, 5:31 PM · MW-1.36-notes (1.36.0-wmf.30; 2021-02-09), user-sbassett, MediaWiki-extensions-StopForumSpam
sbassett moved T272770: Error while usurping an account from Incoming to In Progress on the Security-Team board.
Mon, Feb 8, 4:30 PM · SecTeam-Processed, MW-1.36-notes (1.36.0-wmf.31; 2021-02-16), User-Urbanecm, Security-Team, Security, User-Ladsgroup, MediaWiki-extensions-CentralAuth, GlobalRename
sbassett moved T273842: Notifications were updated even though session had expired from Incoming to Watching on the Security-Team board.
Mon, Feb 8, 4:09 PM · Security-Team, MediaWiki-Authentication-and-authorization, Growth-Team, Notifications
sbassett moved T266513: Security Readiness Review For the MediaSearch extension from Backlog to In Progress on the user-sbassett board.
Mon, Feb 8, 3:20 PM · user-sbassett, Security, secscrum, Security Readiness Reviews
sbassett added a project to T266513: Security Readiness Review For the MediaSearch extension: user-sbassett.
Mon, Feb 8, 3:20 PM · user-sbassett, Security, secscrum, Security Readiness Reviews
sbassett moved T266513: Security Readiness Review For the MediaSearch extension from Q3:2021 Review Queue to In Progress on the secscrum board.
Mon, Feb 8, 3:19 PM · user-sbassett, Security, secscrum, Security Readiness Reviews

Fri, Feb 5

sbassett moved T257579: Security Readiness Review For WVUI and Vector dependencies needed for Vue.js search from In Progress to Done on the user-sbassett board.
Fri, Feb 5, 10:30 PM · Security Readiness Reviews, WVUI, Readers-Web-Backlog (Kanbanana-FY-2020-21), user-sbassett, secscrum, Security, Vue.js (Vue.js-Search)
sbassett moved T257579: Security Readiness Review For WVUI and Vector dependencies needed for Vue.js search from In Progress to Waiting on the secscrum board.
Fri, Feb 5, 10:29 PM · Security Readiness Reviews, WVUI, Readers-Web-Backlog (Kanbanana-FY-2020-21), user-sbassett, secscrum, Security, Vue.js (Vue.js-Search)
sbassett added a comment to T257579: Security Readiness Review For WVUI and Vector dependencies needed for Vue.js search.

Security Review Summary - T257579 - 2020-02-05
Last commit reviewed: 7fd111ad5ed3165683a76f68c3d3504f24cc179f

Fri, Feb 5, 10:29 PM · Security Readiness Reviews, WVUI, Readers-Web-Backlog (Kanbanana-FY-2020-21), user-sbassett, secscrum, Security, Vue.js (Vue.js-Search)

Thu, Feb 4

Krinkle awarded T254201: Compile, organize and schedule various Wikimedia security-related user audits a Love token.
Thu, Feb 4, 4:30 PM · Security-Team, Wikimedia-GitHub, user-sbassett
sbassett added a comment to T272130: Consider moving the Wikidata Query Builder repository from github to gerrit.

So, this will be deployed via a build in jenkins (ideally), so that it uses the same process and the query gui.
This is just about to be created by the campsite as a push button trigger in https://phabricator.wikimedia.org/T210286
I guess it's only for a similar job to exist fetching code from github to create the build that would then be deployed?

Another alternative would be github actions to make the build and push a change to gerrit?
I don't see a big difference between the two as either way the build is triggered by a human, and the change is still 2ed by a human.
The one difference would be that npm install is running in a different place for each.

Thu, Feb 4, 4:27 PM · SecTeam-Processed, Security-Team, Wikidata Query Builder, Wikidata
sbassett updated the task description for T254201: Compile, organize and schedule various Wikimedia security-related user audits.
Thu, Feb 4, 3:32 PM · Security-Team, Wikimedia-GitHub, user-sbassett

Wed, Feb 3

sbassett updated subscribers of T260914: Security Readiness Review For Wikipedia Preview.

@SBisson - Thanks for the update. We're pretty much booked this quarter for reviews (with our new SOP, we're trying to be realistic given current resources and limit the total volume of security reviews to 6 per quarter) so perhaps this could be scheduled for next quarter (cc @Jcross).

Wed, Feb 3, 4:07 PM · Wikipedia-Preview, secscrum, Inuka-Team, Security, Security Readiness Reviews

Tue, Feb 2

sbassett updated the task description for T266904: Performance review of ext:StopForumSpam.
Tue, Feb 2, 5:53 PM · user-sbassett, Performance-Team
sbassett updated the task description for T273220: Deploy StopForumSpam extension to production.
Tue, Feb 2, 5:18 PM · user-sbassett, User-notice, Wikimedia-Extension-setup, MediaWiki-extensions-StopForumSpam
sbassett added a comment to T257579: Security Readiness Review For WVUI and Vector dependencies needed for Vue.js search.

Update: I'm still hopeful to have this review completed by the end of this week (2021-02-05). @Volker_E - thanks for the version bumps, I'll pull those down for the review if they haven't been merged yet. Also - with the webpack build step still being in place, I'm going to rate the overall risk of wvui in its current state as at least medium, which will require managerial/directory acceptance of the risk, per our risk management policy, as publicly summarized here: T249039#6309061.

Tue, Feb 2, 4:05 PM · Security Readiness Reviews, WVUI, Readers-Web-Backlog (Kanbanana-FY-2020-21), user-sbassett, secscrum, Security, Vue.js (Vue.js-Search)
sbassett added a comment to T101017: Early security release access for Lcawte (ShoutWiki).

Just for clarification, that means Oct-Dec 2021?

Tue, Feb 2, 3:50 PM · user-sbassett, Security-Team, ShoutWiki, WMF-Legal

Mon, Feb 1

sbassett added a comment to T260349: Wikibase does not purge cached Special:EntityData URLs when revisions or entities are deleted.

Note: I committed the deletion of the two wmf.28 Wikibase patches under /srv/patches on the deployment server (5578144525) since wmf.28 was rolled back and as noted by gerritbot above, https://gerrit.wikimedia.org/r/658323 and https://gerrit.wikimedia.org/r/658324 were merged.

Mon, Feb 1, 10:25 PM · MW-1.36-notes (1.36.0-wmf.28; 2021-01-26), Wikidata-Campsite (Wikidata-Campsite-Iteration-∞), Vuln-CachePollution, MediaWiki-extensions-WikibaseRepository, Wikidata, Security, Security-Team
sbassett added a project to T272297: User script on user subpage doesn't work after user rename: SecTeam-Processed.
Mon, Feb 1, 5:39 PM · SecTeam-Processed, MediaWiki-General, MediaWiki-extensions-Renameuser, Security-Team, JavaScript, MediaWiki-extensions-CentralAuth, GlobalRename
sbassett triaged T273401: peek does a deprecated API call as Low priority.
Mon, Feb 1, 5:37 PM · SecTeam-Processed, Security-Team
sbassett added a project to T272130: Consider moving the Wikidata Query Builder repository from github to gerrit: SecTeam-Processed.
Mon, Feb 1, 5:32 PM · SecTeam-Processed, Security-Team, Wikidata Query Builder, Wikidata
sbassett added a project to T273401: peek does a deprecated API call: SecTeam-Processed.
Mon, Feb 1, 5:32 PM · SecTeam-Processed, Security-Team
sbassett updated subscribers of T260236: Security Readiness Review For Section Translation.

I believe that it is still unclear what the future of our UI lib is. I believe that it will eventually be merged into Wikimedia Vue UI. After all, the reason that we built our own UI library was the fact that we were moving too fast relative to the Wikimedia Vue UI lib and we would have been blocked if we had not created our own.

Mon, Feb 1, 5:29 PM · user-sbassett, SectionTranslation, Security, secscrum, Security Readiness Reviews
sbassett added a comment to T101017: Early security release access for Lcawte (ShoutWiki).

Update: unfortunately, it looks like the pilot program mentioned above likely will not happen until Q4 2021.

Mon, Feb 1, 4:49 PM · user-sbassett, Security-Team, ShoutWiki, WMF-Legal
sbassett added a project to T180896: Allow functionaries to reset second factor on low-risk accounts: SecTeam-Processed.
Mon, Feb 1, 4:35 PM · SecTeam-Processed, Security-Team, Security, MediaWiki-extensions-OATHAuth, Trust-and-Safety, WMF-Legal, MW-1.34-notes (1.34.0-wmf.1; 2019-04-16)
sbassett moved T273401: peek does a deprecated API call from Incoming to Back Orders on the Security-Team board.

Placing into back orders for now. The Security-Team needs to discuss how useful the continued maintenance of peek is for our project management function.

Mon, Feb 1, 4:25 PM · SecTeam-Processed, Security-Team
sbassett moved T272130: Consider moving the Wikidata Query Builder repository from github to gerrit from Incoming to In Progress on the Security-Team board.
Mon, Feb 1, 4:17 PM · SecTeam-Processed, Security-Team, Wikidata Query Builder, Wikidata
sbassett added a comment to T272130: Consider moving the Wikidata Query Builder repository from github to gerrit.

@Ladsgroup @Michael

Mon, Feb 1, 4:15 PM · SecTeam-Processed, Security-Team, Wikidata Query Builder, Wikidata
sbassett moved T180896: Allow functionaries to reset second factor on low-risk accounts from Incoming to In Progress on the Security-Team board.
Mon, Feb 1, 4:08 PM · SecTeam-Processed, Security-Team, Security, MediaWiki-extensions-OATHAuth, Trust-and-Safety, WMF-Legal, MW-1.34-notes (1.34.0-wmf.1; 2019-04-16)
sbassett added a comment to T271729: Create security-related project tags secteam-reviewed and wikimedia-project-event.

@sbassett: Hmm, why were Edit Policy and Join Policy of SecTeam-Processed and SecTeam-wikimedia-project-event changed to acl*security ? Which problem does that solve, apart from blocking interested people to join/follow that project?

Mon, Feb 1, 4:05 PM · Project-Admins, user-sbassett, Security

Fri, Jan 29

sbassett updated the task description for T271991: Add StopForumSpam to patchdemo tool.
Fri, Jan 29, 9:48 PM · Patch-For-Review, user-sbassett, MediaWiki-extensions-StopForumSpam
sbassett updated the task description for T273238: Write a script to parse StopForumSpam logs and make some stats.
Fri, Jan 29, 9:23 PM · MediaWiki-extensions-StopForumSpam