sbassett (Scott Bassett)
Application Security Engineer

User Details

User Since
Sep 12 2018, 3:52 PM (22 w, 5 d)
Availability
Available
IRC Nick
sbassett
LDAP User
SBassett
MediaWiki User
SBassett (WMF)

Recent Activity

Thu, Feb 14

sbassett added a comment to T214152: Security review for Extension:ExternalGuidance.

@Arrbee - that's good to know, thanks. Again, I think this code is looking pretty good overall with @santhosh's recent patch set. I was merely planning to perform some additional (kind of optional) analysis and pen-testing of the code for good measure. It shouldn't really be anything that prevents a full production deployment.

Thu, Feb 14, 4:15 PM · Security-Team-Review-Active, Patch-For-Review, Security, ExternalGuidance

Wed, Feb 13

sbassett added a comment to T214152: Security review for Extension:ExternalGuidance.

Update: I did have a more in-depth look at the JavaScript under modules/ yesterday - again, I didn't find anything particularly concerning. I still wanted to pen-test it a bit further (was having some vagrant issues yesterday) so if I find anything from that, I'll post it here. Additionally, I see that the extension was deployed to simple.wikipedia.org and id.wikipedia.org earlier today, per T213076.

Wed, Feb 13, 4:50 PM · Security-Team-Review-Active, Patch-For-Review, Security, ExternalGuidance

Tue, Feb 12

sbassett reassigned T207990: Security review for TheWikipediaLibrary extension from sbassett to mmarble.
Tue, Feb 12, 6:34 PM · Security-Team-Review-Active, The-Wikipedia-Library
sbassett edited projects for T214152: Security review for Extension:ExternalGuidance, added: Security-Team-Review-Active; removed Security-Team-Reviews.
Tue, Feb 12, 6:01 PM · Security-Team-Review-Active, Patch-For-Review, Security, ExternalGuidance
sbassett added a comment to T209109: Security model for session storage service.

@Eevans, @Clarakosi - just booked a quick hangout for this Friday (2/15) to discuss potential security concerns for this service.

Tue, Feb 12, 4:35 PM · Patch-For-Review, Security-Team, User-Clarakosi, Core Platform Team Backlog (Next), Core Platform Team (Session Management Service (CDP2)), User-Eevans
sbassett claimed T214152: Security review for Extension:ExternalGuidance.
Tue, Feb 12, 3:42 PM · Security-Team-Review-Active, Patch-For-Review, Security, ExternalGuidance
sbassett updated subscribers of T215366: Security Issue Access Request for @brennen.

Security-Team approved at weekly this morning. Tagging @JBennett and @chasemp in case there are any further questions.

Tue, Feb 12, 3:31 PM · Security-Team, Security

Mon, Feb 11

sbassett added a comment to T214152: Security review for Extension:ExternalGuidance.

These changes look good and phan-taint-check likes them now. I still want to review the aforementioned JS a bit more in depth, but I personally don't think that should stop your deployment timeline of 2/12.

Mon, Feb 11, 3:32 PM · Security-Team-Review-Active, Patch-For-Review, Security, ExternalGuidance

Fri, Feb 8

sbassett added a comment to T208251: Modern Event Platform: Stream Intake Service: AJV usage security review.

Some additional follow-up:

Fri, Feb 8, 10:24 PM · Security-Team-Review-Active, Security-Team, Core Platform Team Backlog (Watching / External), Services (watching), Analytics-EventLogging, EventBus, Analytics
sbassett added a comment to T208251: Modern Event Platform: Stream Intake Service: AJV usage security review.

lodash <= 4.17.5

EventGate uses ^4.17.11

Fri, Feb 8, 9:56 PM · Security-Team-Review-Active, Security-Team, Core Platform Team Backlog (Watching / External), Services (watching), Analytics-EventLogging, EventBus, Analytics
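As an added illustration (not EventGate's or lodash's code), the check behind the exchange above: whether a caret range declared in package.json can still resolve to a version inside the advisory's `<= 4.17.5` range, and whether the version pinned in a lockfile does. It assumes npm's caret semantics (`^X.Y.Z` admits `>=X.Y.Z <(X+1).0.0` for major versions 1 and up) and relies on PHP's built-in `version_compare()`; the function names and the sample ranges are hypothetical.

```php
<?php
// Added illustration: does a package.json caret range admit a version that an
// advisory marks vulnerable ("lodash <= 4.17.5")? Only "^X.Y.Z" ranges and
// "<=" advisory ceilings are handled. Function names are hypothetical.

// Expand "^X.Y.Z" into [min, max) the way npm does.
function caretBounds( string $range ): array {
    if ( !preg_match( '/^\^(\d+)\.(\d+)\.(\d+)$/', $range, $m ) ) {
        throw new InvalidArgumentException( "unsupported range: $range" );
    }
    $major = (int)$m[1];
    $minor = (int)$m[2];
    $patch = (int)$m[3];
    $min = "$major.$minor.$patch";
    if ( $major > 0 ) {
        $max = ( $major + 1 ) . '.0.0';          // ^4.17.11 -> <5.0.0
    } elseif ( $minor > 0 ) {
        $max = '0.' . ( $minor + 1 ) . '.0';     // ^0.3.2   -> <0.4.0
    } else {
        $max = '0.0.' . ( $patch + 1 );          // ^0.0.7   -> <0.0.8
    }
    return [ $min, $max ];
}

// True when the lowest version the range admits is still <= the advisory
// ceiling, i.e. an install could pick an affected release.
function rangeAdmitsVulnerable( string $caret, string $vulnerableUpTo ): bool {
    [ $min ] = caretBounds( $caret );
    return version_compare( $min, $vulnerableUpTo, '<=' );
}

// A lockfile pins one version; that is what actually ships, so check it too.
function lockedVersionVulnerable( string $locked, string $vulnerableUpTo ): bool {
    return version_compare( $locked, $vulnerableUpTo, '<=' );
}

// Constructed inputs: the advisory ceiling from the review and three
// hypothetical declared ranges.
$advisoryCeiling = '4.17.5';
foreach ( [ '^4.17.11', '^4.17.4', '^4.16.0' ] as $declared ) {
    printf(
        "%-9s admits a vulnerable lodash: %s\n",
        $declared,
        rangeAdmitsVulnerable( $declared, $advisoryCeiling ) ? 'yes' : 'no'
    );
}
printf(
    "locked 4.17.11 vulnerable: %s\n",
    lockedVersionVulnerable( '4.17.11', $advisoryCeiling ) ? 'yes' : 'no'
);
```

`^4.17.11` has a floor above the advisory ceiling, so nothing it admits is affected; a range such as `^4.17.4` or `^4.16.0` would still admit affected releases until the lockfile pinned something newer, which is why both the declared range and the locked version are worth checking in a review.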
sbassett added a comment to T214152: Security review for Extension:ExternalGuidance.

@santhosh - I think we'd like to (or at least I'd like to) review this code a bit more. We didn't have our weekly security review scrum during All-hands or the week after, so this is still kind of in limbo at the moment though we wanted to get you some initial feedback. We should be able to schedule a full review by next Tuesday (2/12) when we have our next scrum. Is there a more specific launch date other than "February 2019" you had in mind that would make this more pressing?

Fri, Feb 8, 5:33 PM · Security-Team-Review-Active, Patch-For-Review, Security, ExternalGuidance
sbassett added a comment to T163827: Security review of Ex:JsonConfig/Ex:Kartographer interaction.

*Update:* Sorry for the crazy delays on all of this. I'm officially starting in on this today (2/8).

Fri, Feb 8, 5:02 PM · Security-Team-Review-Active, Reading-Infrastructure-Team-Backlog, Maps (Kartographer), MediaWiki-extensions-JsonConfig
sbassett moved T208251: Modern Event Platform: Stream Intake Service: AJV usage security review from In Progress (Min Weekly Updates) to Waiting On Response/Mitigation on the Security-Team-Review-Active board.
Fri, Feb 8, 2:57 PM · Security-Team-Review-Active, Security-Team, Core Platform Team Backlog (Watching / External), Services (watching), Analytics-EventLogging, EventBus, Analytics

Thu, Feb 7

sbassett added a comment to T208251: Modern Event Platform: Stream Intake Service: AJV usage security review.

Security Review Summary - February 2019
Overall, this looks pretty good to me. Issues detailed below:

Thu, Feb 7, 10:59 PM · Security-Team-Review-Active, Security-Team, Core Platform Team Backlog (Watching / External), Services (watching), Analytics-EventLogging, EventBus, Analytics

Wed, Feb 6

sbassett added a project to T215366: Security Issue Access Request for @brennen: Security-Team.
Wed, Feb 6, 4:13 PM · Security-Team, Security

Mon, Feb 4

sbassett added a comment to T214152: Security review for Extension:ExternalGuidance.

This is still technically unassigned, but I had a cursory look at it. Some initial findings:

  1. package.lock looks fine from a quick run of security-checker.
  2. I assume any potential privacy (and related) issues w/ the Google MT service are already addressed by WMF's agreement with Google for cxserver.
  3. In SiteMapper::getPageURL, it looks like $title isn't being validated/sanitized and is just replacing $2 within //$1.wikipedia.org/wiki/$2. Given that Html::rawElement is used within specials/SpecialExternalGuidance.php and it's populating $sourcePage from the request via getVal(), I'm thinking there could be a potential for injection here, unless I'm just missing where this is being sent to the parser or sanitized, etc.
  4. I'm not seeing anything egregious within the JS modules under modules/, but I (or whomever officially gets assigned this review) should definitely spend more time reviewing those.
Mon, Feb 4, 8:46 PM · Security-Team-Review-Active, Patch-For-Review, Security, ExternalGuidance
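To make finding 3 above concrete, here is an added PHP illustration (not ExternalGuidance's code) of the pattern it describes beside a hardened counterpart: an unvalidated title dropped into a URL template and emitted as raw markup, versus a title checked against the characters MediaWiki disallows in titles, percent-encoded into the path, and HTML-escaped on output. In MediaWiki itself the validation step would be `Title::newFromText()` and the escaping `Html::element()`; the function and parameter names here are hypothetical and the payload is constructed.

```php
<?php
// Added illustration: building a wiki page link from a request parameter,
// first in the pattern the finding describes, then hardened. Function and
// parameter names are hypothetical, not ExternalGuidance's.

// Mirrors the concern: $title replaces $2 in the template unchecked and the
// result is emitted as raw HTML (the equivalent of Html::rawElement()).
function unsafePageLink( string $language, string $title ): string {
    $url = str_replace( [ '$1', '$2' ], [ $language, $title ], '//$1.wikipedia.org/wiki/$2' );
    return '<a href="' . $url . '">' . $title . '</a>';
}

// Hardened: validate both inputs, percent-encode the path segment, and
// HTML-escape everything placed into markup (the equivalent of Html::element()).
function safePageLink( string $language, string $title ): ?string {
    // Language subdomain: lowercase letters only, bounded length.
    if ( !preg_match( '/^[a-z]{2,12}$/', $language ) ) {
        return null;
    }
    $title = trim( $title );
    // Reject empty or oversized titles and the characters MediaWiki never
    // allows in a title (# < > [ ] | { } and control characters).
    if ( $title === '' || strlen( $title ) > 255
        || preg_match( '/[#<>\[\]|{}\x00-\x1f\x7f]/', $title )
    ) {
        return null;
    }
    $path = str_replace( ' ', '_', $title );
    $url = '//' . $language . '.wikipedia.org/wiki/' . rawurlencode( $path );
    return '<a href="' . htmlspecialchars( $url, ENT_QUOTES ) . '">'
        . htmlspecialchars( $title, ENT_QUOTES ) . '</a>';
}

// Constructed payload: closes the href attribute and adds an event handler.
$payload = 'Foo" onmouseover="alert(1)';

// The unsafe variant lets the quote terminate the attribute, so the handler
// lands in the anchor element; the safe variant percent-encodes it in the
// path and entity-encodes it in the link text, and rejects titles that
// carry markup-significant characters outright.
echo unsafePageLink( 'en', $payload ), "\n";
var_dump( safePageLink( 'en', $payload ) );
var_dump( safePageLink( 'en', '<script>alert(1)</script>' ) );
echo safePageLink( 'en', 'Main Page' ), "\n";
```

Run it with `php` and compare the two anchors: the difference between the two is exactly whether untrusted input reaches the attribute context unescaped, which is the question the finding raises about `Html::rawElement` and `getVal()`.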
sbassett added a watcher for Privacy: sbassett.
Mon, Feb 4, 5:09 PM
sbassett added a comment to T208251: Modern Event Platform: Stream Intake Service: AJV usage security review.

Update: review will be posted here by Friday (2/8/2019) at the latest.

Mon, Feb 4, 4:50 PM · Security-Team-Review-Active, Security-Team, Core Platform Team Backlog (Watching / External), Services (watching), Analytics-EventLogging, EventBus, Analytics
sbassett triaged T214152: Security review for Extension:ExternalGuidance as Normal priority.
Mon, Feb 4, 3:09 PM · Security-Team-Review-Active, Patch-For-Review, Security, ExternalGuidance
sbassett triaged T215048: Security review for the (WIP) WikimediaEditorTasks extension as Normal priority.
Mon, Feb 4, 3:09 PM · Reading-Infrastructure-Team-Backlog, Security-Team-Reviews

Wed, Jan 23

sbassett triaged T211489: Security review of bjeavons/zxcvbn-php as Normal priority.

Thanks, @Tgr. Unless @Reedy has strong objections, we'll go with the bjeavons repo and get this scheduled for a security review.

Wed, Jan 23, 4:51 PM · Security-Team-Review-Active, MediaWiki-Vendor, MediaWiki-User-login-and-signup
sbassett added a comment to T204542: Security review for the Wikidata primary sources tool MediaWiki extension.

But you served as the first reviewer; what am I getting wrong?

Wed, Jan 23, 3:16 PM · Wikidata, Wikidata-primary-sources, Security-Team-Reviews

Tue, Jan 22

sbassett added a comment to T211489: Security review of bjeavons/zxcvbn-php.

Pinging @Reedy and @Tgr per @charlotteportero comment above.

Tue, Jan 22, 10:56 PM · Security-Team-Review-Active, MediaWiki-Vendor, MediaWiki-User-login-and-signup

Jan 18 2019

sbassett added a comment to T208251: Modern Event Platform: Stream Intake Service: AJV usage security review.

@Ottomata et al - just fyi, this is officially in-progress and I hope to have a review completed either just before or just after all-hands.

Jan 18 2019, 4:46 PM · Security-Team-Review-Active, Security-Team, Core Platform Team Backlog (Watching / External), Services (watching), Analytics-EventLogging, EventBus, Analytics
sbassett updated subscribers of T214130: Requesting access to production for dsharpe.

I'd imagine you'd probably need deployment and analytics-privatedata-users access for now - this is what @Bawolff and I have. Here's the patch for when I was added to these groups.

Jan 18 2019, 2:35 AM · SRE-Access-Requests, Operations

Jan 15 2019

sbassett added a comment to T204542: Security review for the Wikidata primary sources tool MediaWiki extension.

Some follow-up here - apologies for the stop/go on this one:

  1. Did the mirroring issue with gerrit ever get addressed? It still looks to be an empty repo.
  2. I was curious if the tool is actually working in production. On wikidata.org, I added the gadget and selected "All Sources" within the config and the interstitial just kind of hangs indefinitely for me. (Chrome 71.0.3578.98 on Mac Mojave.) Is this expected for now?
  3. Is the current version (gadget/backend at pst.wmflabs.org) the indefinite production version for now? Looking at wikidata.org/wiki/Special:Version, I'm not seeing a deployed extension, so I assume that might be part of a forthcoming development cycle?
Jan 15 2019, 10:31 PM · Wikidata, Wikidata-primary-sources, Security-Team-Reviews
sbassett added a comment to T66548: Security review indigo-depict.

@Niharika - I believe I tagged Community-Tech as it was thought that they might be a viable champion/owner of this project, when the Security-Team recently discussed this task. If that's not the case, then we can remove the tag.

Jan 15 2019, 4:12 PM · Multimedia, MediaWiki-extensions-MolHandler, Security-Team-Reviews

Jan 14 2019

sbassett added a comment to T208251: Modern Event Platform: Stream Intake Service: AJV usage security review.

I think it should be a larger effort between RelEng and the SRE/Service Operations team.

Jan 14 2019, 5:57 PM · Security-Team-Review-Active, Security-Team, Core Platform Team Backlog (Watching / External), Services (watching), Analytics-EventLogging, EventBus, Analytics
sbassett added a comment to T208251: Modern Event Platform: Stream Intake Service: AJV usage security review.

The Security-Team should be able to get a review scheduled for this soon. Just a few initial questions/observations, in addition to some of the concerns already being brought up within other comments:

  1. We'd want to have a look at the eventgate code as well as any additional dependencies within package.json as opposed to just Ajv, at bare minimum scanning for existing vulnerabilities and any obviously-dangerous functionality.
  2. Given some of the recent unpleasantness with npm, has there been any plan for Analytics to host their own npm registry, only allowing vetted modules to be installed for various wikimedia Node applications? From various conversations I've had and doc I've read, it seems that having local repositories (e.g. apt) of vetted packages/modules are simultaneously 1) expected 2) not enforced in any way for things like npm, pip, etc. I'd imagine this is something the Security-Team would want to begin calling out within our reviews, as again, this seems a fairly lax policy within the context of wikimedia application development.
Jan 14 2019, 4:22 PM · Security-Team-Review-Active, Security-Team, Core Platform Team Backlog (Watching / External), Services (watching), Analytics-EventLogging, EventBus, Analytics
sbassett moved T155087: Security review for NamespaceRelations from Backlog to Frozen on the Security-Team-Reviews board.
Jan 14 2019, 3:54 PM · Security-Team-Reviews

Jan 9 2019

sbassett added a member for PermanentlyPrivate: sbassett.
Jan 9 2019, 5:05 PM

Jan 8 2019

sbassett added a comment to T208251: Modern Event Platform: Stream Intake Service: AJV usage security review.

Here's some current documentation for our security review process and here's the Phab request form. We're currently revamping the process a bit and updating the documentation with the goal of socializing it a bit better in the future.

Jan 8 2019, 2:36 PM · Security-Team-Review-Active, Security-Team, Core Platform Team Backlog (Watching / External), Services (watching), Analytics-EventLogging, EventBus, Analytics

Jan 7 2019

MSantos awarded T163827: Security review of Ex:JsonConfig/Ex:Kartographer interaction a Like token.
Jan 7 2019, 7:02 PM · Security-Team-Review-Active, Reading-Infrastructure-Team-Backlog, Maps (Kartographer), MediaWiki-extensions-JsonConfig
sbassett claimed T163827: Security review of Ex:JsonConfig/Ex:Kartographer interaction.
Jan 7 2019, 6:56 PM · Security-Team-Review-Active, Reading-Infrastructure-Team-Backlog, Maps (Kartographer), MediaWiki-extensions-JsonConfig
sbassett added a project to T66548: Security review indigo-depict: Community-Tech.
Jan 7 2019, 6:36 PM · Multimedia, MediaWiki-extensions-MolHandler, Security-Team-Reviews
sbassett added a comment to T213088: Security Credentialing Efforts.

Right, I just meant more for sanity's sake and in case discussion from any of those tickets accidentally wandered over here :)

Jan 7 2019, 4:47 PM · Security-Team, Epic
sbassett added a comment to T213088: Security Credentialing Efforts.

So there's a tag where a lot of password/credential-related tasks are tracked: https://phabricator.wikimedia.org/project/board/148/. But similar to Security, it's fairly noisy. Some recent password/credential-related tasks have been public (e.g. the proposed haveibeenpwned service T189641), though many others are security-protected for obvious reasons. If we'd like to track those here, we may want to consider making this a security-protected task as well, at least for the time being. There's also a fairly enormous body of password/credential-related tasks in various states of decay from the past decade or so. Some of these do seem to have recent, relevant discussions on them, but many are probably too stale for what we would want to track here.

Jan 7 2019, 4:26 PM · Security-Team, Epic
sbassett triaged T213088: Security Credentialing Efforts as Normal priority.
Jan 7 2019, 4:18 PM · Security-Team, Epic
sbassett triaged T213082: Add John Bond to Security group in Phabricator as Normal priority.
Jan 7 2019, 2:40 PM · Security-Team, Security

Jan 2 2019

sbassett triaged T212519: Massive spambot registrations at dinwiki as Normal priority.
Jan 2 2019, 4:24 PM · Wikimedia-General-or-Unknown, Security, Operations
sbassett added a comment to T212519: Massive spambot registrations at dinwiki.

There's a private ticket (T212679) where similar issues on a couple of other wikis were being addressed over the holiday break. It looks like this issue subsided a bit after 12/19/2018, according to Special:RecentChanges.

Jan 2 2019, 4:22 PM · Wikimedia-General-or-Unknown, Security, Operations
sbassett added a comment to T212787: Wikidata slack channel token in public config file.

Looks like this is for travis CI's integration w/ slack:

Jan 2 2019, 3:51 PM · Wikidata-Campsite (Wikidata-Campsite-Iteration-∞), Wikidata, Security
sbassett edited projects for T207990: Security review for TheWikipediaLibrary extension, added: Security-Team-Review-Active; removed Security-Team-Reviews.
Jan 2 2019, 2:19 PM · Security-Team-Review-Active, The-Wikipedia-Library

Dec 21 2018

sbassett closed T144467: Security review for Google MT for Content Translation as Resolved.
Dec 21 2018, 5:09 PM · Core Platform Team Backlog (Watching / External), Language-Team (Language-2018-October-December), Security, CX-deployments, Language-2017-Oct-Dec, Services (watching), Parsing-Team, Language-Q1-2016-17 Sprint 6, Language-Engineering July-September 2016, Security-Team-Reviews, Security-Extensions
sbassett closed T144467: Security review for Google MT for Content Translation, a subtask of T90208: Create Google translate backend for cxserver, as Resolved.
Dec 21 2018, 5:09 PM · User-notice, Language-Team (Language-2019-January-March), ContentTranslation, MW-1.33-notes (1.33.0-wmf.3; 2018-11-06), Language-Engineering October-December 2016, WorkType-NewFunctionality

Dec 20 2018

sbassett added a comment to T207814: centralauthtoken should be redacted in logs (including hadoop wmf_raw.apiaction).

@Ladsgroup - I think the Security-Team would be fine with that, thanks.

Dec 20 2018, 6:26 PM · MW-1.33-notes (1.33.0-wmf.16; 2019-02-05), User-Ladsgroup, Analytics, MediaWiki-API, Security
sbassett added a comment to T144467: Security review for Google MT for Content Translation.

All (@santhosh, @Nikerabbit, @KartikMistry, etc.) - I'll plan to resolve this ticket today or tomorrow unless there are any additional concerns.

Dec 20 2018, 6:05 PM · Core Platform Team Backlog (Watching / External), Language-Team (Language-2018-October-December), Security, CX-deployments, Language-2017-Oct-Dec, Services (watching), Parsing-Team, Language-Q1-2016-17 Sprint 6, Language-Engineering July-September 2016, Security-Team-Reviews, Security-Extensions
sbassett moved T144467: Security review for Google MT for Content Translation from Backlog to Frozen on the Security-Team-Reviews board.
Dec 20 2018, 6:04 PM · Core Platform Team Backlog (Watching / External), Language-Team (Language-2018-October-December), Security, CX-deployments, Language-2017-Oct-Dec, Services (watching), Parsing-Team, Language-Q1-2016-17 Sprint 6, Language-Engineering July-September 2016, Security-Team-Reviews, Security-Extensions
sbassett added a comment to T144467: Security review for Google MT for Content Translation.

@Nikerabbit - This all sounds reasonable. From your analysis (thanks!) it appears the two sinks we eventually arrive at (from CXServer's perspective) are ve.init.target.parseDocument and ve.createDocumentFromHtml, both of which are trusted and do not use jQuery in any way. Furthermore, VE seems unconcerned with the flag within its own sanitization module: https://gerrit.wikimedia.org/r/plugins/gitiles/VisualEditor/VisualEditor/+/master/src/ve.sanitize.js#23

Dec 20 2018, 6:03 PM · Core Platform Team Backlog (Watching / External), Language-Team (Language-2018-October-December), Security, CX-deployments, Language-2017-Oct-Dec, Services (watching), Parsing-Team, Language-Q1-2016-17 Sprint 6, Language-Engineering July-September 2016, Security-Team-Reviews, Security-Extensions

Dec 18 2018

sbassett added a comment to T144467: Security review for Google MT for Content Translation.

@santhosh - abandoning r477459 should be fine, but I would note that sending any DOMPurified content to jQuery's dom-writing functions (html(), etc) should be thoroughly vetted so as to ensure any potentially-dangerous payloads are being sanitized (via some method similar to DOMPurify's SAFE_FOR_JQUERY feature) as expected.

Dec 18 2018, 5:28 PM · Core Platform Team Backlog (Watching / External), Language-Team (Language-2018-October-December), Security, CX-deployments, Language-2017-Oct-Dec, Services (watching), Parsing-Team, Language-Q1-2016-17 Sprint 6, Language-Engineering July-September 2016, Security-Team-Reviews, Security-Extensions
sbassett added a comment to T207814: centralauthtoken should be redacted in logs (including hadoop wmf_raw.apiaction).

SWAT today sounds fine to me.

Dec 18 2018, 4:23 PM · MW-1.33-notes (1.33.0-wmf.16; 2019-02-05), User-Ladsgroup, Analytics, MediaWiki-API, Security

Dec 17 2018

sbassett added a comment to T207814: centralauthtoken should be redacted in logs (including hadoop wmf_raw.apiaction).

@Ladsgroup - this looks fine to me. Were you pinging @Bawolff and @Reedy to deploy this during the security window (2200 UTC Mondays) or did you want to deploy? I'd guess either would most likely be fine.

Dec 17 2018, 4:13 PM · MW-1.33-notes (1.33.0-wmf.16; 2019-02-05), User-Ladsgroup, Analytics, MediaWiki-API, Security

Dec 14 2018

sbassett added a comment to T212008: upgrade Cloud VPS servers hosting tiles.wmflabs.org, wma.wmflabs.org, overpass-wiki.

@Krenair - yes, looks to be a dupe. Can we merge this one or resolve it and have @Sasheto claim T204506?

Dec 14 2018, 8:19 PM · Cloud-VPS
sbassett triaged T212008: upgrade Cloud VPS servers hosting tiles.wmflabs.org, wma.wmflabs.org, overpass-wiki as Low priority.
Dec 14 2018, 7:43 PM · Cloud-VPS
sbassett updated the task description for T204542: Security review for the Wikidata primary sources tool MediaWiki extension.
Dec 14 2018, 7:39 PM · Wikidata, Wikidata-primary-sources, Security-Team-Reviews
sbassett added a comment to T204542: Security review for the Wikidata primary sources tool MediaWiki extension.

Ok, thanks for the update, @Hjfocs.

Dec 14 2018, 7:23 PM · Wikidata, Wikidata-primary-sources, Security-Team-Reviews
sbassett triaged T204542: Security review for the Wikidata primary sources tool MediaWiki extension as Low priority.
Dec 14 2018, 3:11 PM · Wikidata, Wikidata-primary-sources, Security-Team-Reviews
sbassett awarded T209972: Remove auto-fill/suggest of usernames from password reset forms a Like token.
Dec 14 2018, 2:31 PM · MW-1.33-notes (1.33.0-wmf.9; 2018-12-18), Patch-For-Review, Trust-and-Safety, MediaWiki-Authentication-and-authorization, MediaWiki-Special-pages, Security-Team, Security

Dec 12 2018

sbassett added a comment to T204542: Security review for the Wikidata primary sources tool MediaWiki extension.

Not seeing anything in master or REL1_32 for this. Is it somewhere else? If not, is there an estimate for completion?

Dec 12 2018, 5:12 PM · Wikidata, Wikidata-primary-sources, Security-Team-Reviews
sbassett added a comment to T144467: Security review for Google MT for Content Translation.

@KartikMistry - Ok, that sounds good. I just wanted to ensure apertium.wmflabs.org was only used for testing purposes and not in any production capacity. Thanks.

Dec 12 2018, 3:22 PM · Core Platform Team Backlog (Watching / External), Language-Team (Language-2018-October-December), Security, CX-deployments, Language-2017-Oct-Dec, Services (watching), Parsing-Team, Language-Q1-2016-17 Sprint 6, Language-Engineering July-September 2016, Security-Team-Reviews, Security-Extensions

Dec 11 2018

sbassett closed T206350: Onboard Michal Anna (to begin on Oct 9th) as Resolved.

I'm going to resolve this ticket now. The last item was just to add the following to your /etc/hosts if wikitech,w.o/DNS ever goes down:

192.237.162.200 wikitech-static.wikimedia.org
2001:4801:7821:77:be76:4eff:fe10:2ed5 wikitech-static.wikimedia.org

If you really feel like doing that, go for it, but that's fairly optional IMO.

Dec 11 2018, 5:15 PM · Security-Team
sbassett added a comment to T144467: Security review for Google MT for Content Translation.

@santhosh et al -

Dec 11 2018, 4:44 PM · Core Platform Team Backlog (Watching / External), Language-Team (Language-2018-October-December), Security, CX-deployments, Language-2017-Oct-Dec, Services (watching), Parsing-Team, Language-Q1-2016-17 Sprint 6, Language-Engineering July-September 2016, Security-Team-Reviews, Security-Extensions

Dec 10 2018

sbassett added a comment to T151011: Add password generator to account creation / password change form.

I'm not sure how worthwhile this would be if we ever got a decent password strength meter deployed. Though digging through the history, that might be a big if.

Dec 10 2018, 4:15 PM · User-Tgr, Security, Security-Core, MediaWiki-User-login-and-signup
sbassett added a comment to T209972: Remove auto-fill/suggest of usernames from password reset forms.

If we're looking to abandon https://gerrit.wikimedia.org/r/475798/, my vote would be to instead go with https://gerrit.wikimedia.org/r/478395/, as it does a good job of balancing both security and usability IMO.

Dec 10 2018, 4:09 PM · MW-1.33-notes (1.33.0-wmf.9; 2018-12-18), Patch-For-Review, Trust-and-Safety, MediaWiki-Authentication-and-authorization, MediaWiki-Special-pages, Security-Team, Security
sbassett triaged T207990: Security review for TheWikipediaLibrary extension as Low priority.
Dec 10 2018, 4:01 PM · Security-Team-Review-Active, The-Wikipedia-Library
sbassett moved T144467: Security review for Google MT for Content Translation from In Progress to Awaiting remediation on the Security-Team-Reviews board.
Dec 10 2018, 3:58 PM · Core Platform Team Backlog (Watching / External), Language-Team (Language-2018-October-December), Security, CX-deployments, Language-2017-Oct-Dec, Services (watching), Parsing-Team, Language-Q1-2016-17 Sprint 6, Language-Engineering July-September 2016, Security-Team-Reviews, Security-Extensions

Dec 6 2018

sbassett added a comment to T144467: Security review for Google MT for Content Translation.

Thanks for all of the quick follow-up on this. https://gerrit.wikimedia.org/r/477972 looks good as additional hardening and the new test within test/mt/Yandex.test.js runs well. I think this is looking pretty good, and would like to leave the SAFE_FOR_JQUERY flag implementation up to you and the Language Team to discuss further, as I believe I've probably provided as much relevant feedback within https://gerrit.wikimedia.org/r/477459/ as I can. Also, thanks for the information regarding the specific implementation of the Youdao service. I'm going to review that a bit more, but for now I'm not seeing any issues there, as it seems to be a more restrictive (fewer html tags/markup) version of the 1) reduce html 2) send to MT service 3) expand translated html process.

Dec 6 2018, 5:04 PM · Core Platform Team Backlog (Watching / External), Language-Team (Language-2018-October-December), Security, CX-deployments, Language-2017-Oct-Dec, Services (watching), Parsing-Team, Language-Q1-2016-17 Sprint 6, Language-Engineering July-September 2016, Security-Team-Reviews, Security-Extensions
sbassett added a comment to T204615: Generate new Captcha word list for prod.

Interesting - thanks for the context and history, @Anomie.

Dec 6 2018, 4:06 PM · Security, Wikimedia-General-or-Unknown, ConfirmEdit (CAPTCHA extension)
sbassett added a comment to T166622: Allow all users on all wikis to use OATHAuth.

Trust-and-Safety might have some additional thoughts here, as they currently manage the operational work around OATHAuth. Though the tasks @Tgr mentioned (T166622#4802577) should alleviate most of their concerns, I'd imagine.

Dec 6 2018, 4:01 PM · Security-team-backlog, Trust-and-Safety, MediaWiki-extensions-OATHAuth, Security, Wikimedia-Site-requests
sbassett triaged T204615: Generate new Captcha word list for prod as Normal priority.
Dec 6 2018, 3:21 PM · Security, Wikimedia-General-or-Unknown, ConfirmEdit (CAPTCHA extension)
sbassett added a comment to T204615: Generate new Captcha word list for prod.

A bit out of scope for this task, but have we ever considered creating alternative captchas (math, image classifying, etc?)

Dec 6 2018, 3:21 PM · Security, Wikimedia-General-or-Unknown, ConfirmEdit (CAPTCHA extension)
sbassett added a comment to T144467: Security review for Google MT for Content Translation.

A summary of where I think we're at right now:

Dec 6 2018, 3:49 AM · Core Platform Team Backlog (Watching / External), Language-Team (Language-2018-October-December), Security, CX-deployments, Language-2017-Oct-Dec, Services (watching), Parsing-Team, Language-Q1-2016-17 Sprint 6, Language-Engineering July-September 2016, Security-Team-Reviews, Security-Extensions

Dec 5 2018

sbassett added a comment to T144467: Security review for Google MT for Content Translation.

This needs to be fixed via: https://github.com/gwicke/kad/pull/1
This is coming from service-runner and affecting all services. We have asked the services team to update the dependencies.

Dec 5 2018, 12:46 AM · Core Platform Team Backlog (Watching / External), Language-Team (Language-2018-October-December), Security, CX-deployments, Language-2017-Oct-Dec, Services (watching), Parsing-Team, Language-Q1-2016-17 Sprint 6, Language-Engineering July-September 2016, Security-Team-Reviews, Security-Extensions

Dec 4 2018

sbassett created P7886 https://github.com/cure53/HTTPLeaks/blob/master/leak.html cleaned.
Dec 4 2018, 11:53 PM

Dec 3 2018

sbassett changed the visibility for T210329: CheckUsers have unlogged access to IP addresses via the AbuseFilter API.
Dec 3 2018, 11:05 PM · MW-1.33-notes (1.33.0-wmf.8; 2018-12-11), Patch-For-Review, Privacy, AbuseFilter, Security
sbassett added a comment to T210329: CheckUsers have unlogged access to IP addresses via the AbuseFilter API.

@Bawolff and I are deploying this now.

Dec 3 2018, 10:37 PM · MW-1.33-notes (1.33.0-wmf.8; 2018-12-11), Patch-For-Review, Privacy, AbuseFilter, Security
sbassett added a comment to T144467: Security review for Google MT for Content Translation.

@santhosh et al-

Dec 3 2018, 10:15 PM · Core Platform Team Backlog (Watching / External), Language-Team (Language-2018-October-December), Security, CX-deployments, Language-2017-Oct-Dec, Services (watching), Parsing-Team, Language-Q1-2016-17 Sprint 6, Language-Engineering July-September 2016, Security-Team-Reviews, Security-Extensions
sbassett updated subscribers of T210329: CheckUsers have unlogged access to IP addresses via the AbuseFilter API.

@Daimona, @Huji - I checked that T210329.patch applies locally to the abusefilter master branch. Looks good. Not sure if @Bawolff or @Reedy are around right now, but we do have the security deployment window today at 22:00 UTC, so just a shade under two hours away (https://wikitech.wikimedia.org/wiki/Deployments#Monday,_December_03). I've got deployment rights and have done config deployments before, so I could probably do this, but:

  1. I don't have CU anywhere, so the best I'd be able to test is locally. The patch doesn't look volatile, but if anything looked amiss in the logs, I'd have to revert immediately.
  2. I've never done a full security patch and deploy before, by myself.
Dec 3 2018, 8:18 PM · MW-1.33-notes (1.33.0-wmf.8; 2018-12-11), Patch-For-Review, Privacy, AbuseFilter, Security

Nov 29 2018

sbassett added a member for security_assessment_mobile_2018: sbassett.
Nov 29 2018, 6:28 PM

Nov 28 2018

sbassett added a comment to T144467: Security review for Google MT for Content Translation.

Hey everybody-

Nov 28 2018, 11:08 PM · Core Platform Team Backlog (Watching / External), Language-Team (Language-2018-October-December), Security, CX-deployments, Language-2017-Oct-Dec, Services (watching), Parsing-Team, Language-Q1-2016-17 Sprint 6, Language-Engineering July-September 2016, Security-Team-Reviews, Security-Extensions
sbassett claimed T144467: Security review for Google MT for Content Translation.
Nov 28 2018, 11:07 PM · Core Platform Team Backlog (Watching / External), Language-Team (Language-2018-October-December), Security, CX-deployments, Language-2017-Oct-Dec, Services (watching), Parsing-Team, Language-Q1-2016-17 Sprint 6, Language-Engineering July-September 2016, Security-Team-Reviews, Security-Extensions

Nov 27 2018

sbassett awarded Blog Post: Bring in 'da noise, bring in defunct. It's a zombie party! a Like token.
Nov 27 2018, 10:06 PM · Continuous-Integration-Infrastructure, Release-Engineering-Team
sbassett changed the visibility for T208474: SQL injection attacks showing up in webrequest logs.
Nov 27 2018, 9:00 PM · Security-Team, Security
sbassett closed T208474: SQL injection attacks showing up in webrequest logs as Resolved.

Hey Jon-

Nov 27 2018, 9:00 PM · Security-Team, Security

Nov 26 2018

sbassett moved T208431: Add Marble to `wmf` LDAP group from Backlog to Waiting on the Security-Team board.
Nov 26 2018, 9:04 PM · Patch-For-Review, Security-Team, LDAP-Access-Requests
sbassett added a comment to T207777: audit password policy check for constant time string comparisons.

Thanks, @Aklapper.

Nov 26 2018, 3:43 PM · MW-1.33-notes (1.33.0-wmf.8; 2018-12-11), Patch-For-Review, Google-Code-in-2018, MediaWiki-User-management, Security

Nov 20 2018

sbassett added a project to T210018: Security Issue Access Request for @jeena: Security-Team.
Nov 20 2018, 10:48 PM · Security-Team, Security
sbassett updated subscribers of T210018: Security Issue Access Request for @jeena.
Nov 20 2018, 10:47 PM · Security-Team, Security
sbassett triaged T210018: Security Issue Access Request for @jeena as Normal priority.
Nov 20 2018, 10:47 PM · Security-Team, Security
sbassett added a comment to T209972: Remove auto-fill/suggest of usernames from password reset forms.

@Jdforrester-WMF The Security-Team discussed that item today as well, and perhaps filing it as a separate task related to this issue. Given some of the feedback above, it might be wiser to pursue that approach as opposed to this one.

Nov 20 2018, 10:43 PM · MW-1.33-notes (1.33.0-wmf.9; 2018-12-18), Patch-For-Review, Trust-and-Safety, MediaWiki-Authentication-and-authorization, MediaWiki-Special-pages, Security-Team, Security
sbassett updated the task description for T209972: Remove auto-fill/suggest of usernames from password reset forms.
Nov 20 2018, 10:11 PM · MW-1.33-notes (1.33.0-wmf.9; 2018-12-18), Patch-For-Review, Trust-and-Safety, MediaWiki-Authentication-and-authorization, MediaWiki-Special-pages, Security-Team, Security
sbassett updated the task description for T209972: Remove auto-fill/suggest of usernames from password reset forms.
Nov 20 2018, 10:06 PM · MW-1.33-notes (1.33.0-wmf.9; 2018-12-18), Patch-For-Review, Trust-and-Safety, MediaWiki-Authentication-and-authorization, MediaWiki-Special-pages, Security-Team, Security
sbassett added a comment to T207990: Security review for TheWikipediaLibrary extension.

@Catrope - sounds good, thanks.

Nov 20 2018, 9:42 PM · Security-Team-Review-Active, The-Wikipedia-Library
sbassett added a comment to T209972: Remove auto-fill/suggest of usernames from password reset forms.

Well, you are proposing removal of functionality that's only displaying public data. This does need to be balanced against the value of that functionality.

Nov 20 2018, 6:35 PM · MW-1.33-notes (1.33.0-wmf.9; 2018-12-18), Patch-For-Review, Trust-and-Safety, MediaWiki-Authentication-and-authorization, MediaWiki-Special-pages, Security-Team, Security
sbassett added a project to T209972: Remove auto-fill/suggest of usernames from password reset forms: Trust-and-Safety.
Nov 20 2018, 6:20 PM · MW-1.33-notes (1.33.0-wmf.9; 2018-12-18), Patch-For-Review, Trust-and-Safety, MediaWiki-Authentication-and-authorization, MediaWiki-Special-pages, Security-Team, Security
sbassett moved T206350: Onboard Michal Anna (to begin on Oct 9th) from In Progress to Waiting on the Security-Team board.
Nov 20 2018, 5:42 PM · Security-Team
sbassett updated the task description for T209972: Remove auto-fill/suggest of usernames from password reset forms.
Nov 20 2018, 5:40 PM · MW-1.33-notes (1.33.0-wmf.9; 2018-12-18), Patch-For-Review, Trust-and-Safety, MediaWiki-Authentication-and-authorization, MediaWiki-Special-pages, Security-Team, Security
sbassett added a comment to T209972: Remove auto-fill/suggest of usernames from password reset forms.

Is that a bad thing? Increasing obscurity and potentially deterring certain behaviors while reassuring legitimate users seems like a good thing.

Nov 20 2018, 5:37 PM · MW-1.33-notes (1.33.0-wmf.9; 2018-12-18), Patch-For-Review, Trust-and-Safety, MediaWiki-Authentication-and-authorization, MediaWiki-Special-pages, Security-Team, Security
sbassett updated the task description for T209972: Remove auto-fill/suggest of usernames from password reset forms.
Nov 20 2018, 5:04 PM · MW-1.33-notes (1.33.0-wmf.9; 2018-12-18), Patch-For-Review, Trust-and-Safety, MediaWiki-Authentication-and-authorization, MediaWiki-Special-pages, Security-Team, Security
sbassett triaged T209972: Remove auto-fill/suggest of usernames from password reset forms as Low priority.
Nov 20 2018, 5:02 PM · MW-1.33-notes (1.33.0-wmf.9; 2018-12-18), Patch-For-Review, Trust-and-Safety, MediaWiki-Authentication-and-authorization, MediaWiki-Special-pages, Security-Team, Security