
sbassett (Scott Bassett)
Staff Security EngineerAdministrator

User Details

User Since
Sep 12 2018, 3:52 PM (287 w, 5 d)
Roles
Administrator
Availability
Available
IRC Nick
sbassett
LDAP User
SBassett
MediaWiki User
SBassett (WMF) [ Global Accounts ]

Member of the Security-Team. My user-sbassett board should be fairly up-to-date, though we also track some other work within Asana these days.

Recent Activity

Yesterday

sbassett added a comment to T273220: Deploy StopForumSpam extension to production.

This effort has become quite dusty, largely due to me not really being able to work on it much. I'm wondering though, if a better approach might be to propose integrating stopforumspam.org data within the new iPoid-Service. I'm not sure exactly how much overlap there is between SFS's and Spur's data sets - that would likely be critical in determining if this could be a useful path forward.

Mon, Mar 18, 5:32 PM · Privacy Engineering, MW-1.40-notes (1.40.0-wmf.17; 2023-01-02), Security-Team, user-sbassett, User-notice, Wikimedia-Extension-setup, MediaWiki-extensions-StopForumSpam
sbassett added a comment to T349569: Application Security Review Request : Floating UI.

Hey @Catrope - Quick update: unfortunately, I've found a few issues with floating-ui during review. I'm going to make this task private and post them soon.

Mon, Mar 18, 5:10 PM · user-sbassett, secscrum, Security, Application Security Reviews
sbassett added a comment to T359087: Redirecting @priv_eng_sync Phab account (Asana sync) to new email address.

Hey @Aklapper - the issue here is that @JFishback_WMF has left the Foundation, their Phab account is inactive and they may not be contactable at this point. But it sounds like we really don't have any options in this case, except to maybe disable/delete @priv_eng_sync and start over.

Mon, Mar 18, 2:26 PM · SecTeam-Processed, Security-Team

Wed, Mar 13

sbassett moved T360070: Application Security Review Request : Extension:IPReputation from Incoming to Upcoming Quarter Planning Queue on the secscrum board.
Wed, Mar 13, 9:09 PM · MediaWiki-extensions-IPReputation, secscrum, Security, Application Security Reviews
sbassett moved T346163: Implement a template for Shell scripting testing from In Progress to Our Part Is Done on the Security-Team board.
Wed, Mar 13, 7:25 PM · SecTeam-Processed, Security-Team, Security Team AppSec, GitLab-Application-Security-Pipeline
sbassett closed T346163: Implement a template for Shell scripting testing, a subtask of T342177: [EPIC] Application Security Pipeline Components for Gitlab - Phase 2 Work, as Resolved.
Wed, Mar 13, 7:25 PM · user-sbassett, SecTeam-Processed, Security-Team, Security, GitLab-Application-Security-Pipeline
sbassett closed T346163: Implement a template for Shell scripting testing as Resolved.
Wed, Mar 13, 7:25 PM · SecTeam-Processed, Security-Team, Security Team AppSec, GitLab-Application-Security-Pipeline

Tue, Mar 12

sbassett added a comment to T358507: XSS on doc.wikimedia.org (documentation generated by yard) (CVE-2024-27285).

Thanks, @hashar. Looks like all we're waiting on now is a +2/deploy for https://gerrit.wikimedia.org/r/q/Id099f2602c333bf5843fa66776662d7bbb9fd923 and then this task can be resolved?

Tue, Mar 12, 3:52 PM · Patch-For-Review, Infrastructure-Foundations, SecTeam-Processed, doc.wikimedia.org, Vuln-XSS, Upstream, Security, Security-Team
sbassett moved T358507: XSS on doc.wikimedia.org (documentation generated by yard) (CVE-2024-27285) from Watching to Our Part Is Done on the Security-Team board.
Tue, Mar 12, 3:50 PM · Patch-For-Review, Infrastructure-Foundations, SecTeam-Processed, doc.wikimedia.org, Vuln-XSS, Upstream, Security, Security-Team

Mon, Mar 11

sbassett added a comment to T359634: Adopt SBOMs for MediaWiki.

Hey @Ladsgroup, thanks for filing this. As I noted on Slack, I kind of agree with @Bawolff's take above. SBOMs can be useful tools to assist in finding vulnerable dependencies (I've seen that term and supply chain attacks used interchangeably despite them being slightly different concepts). Just finding some tooling to create SBOMs from various lockfiles and potentially bundling them with MediaWiki, extensions, etc. is fairly trivial and doesn't create much value on its own IMO. But as you imply in this task, using them to help find vulnerable dependencies and related issues would be valuable. My issue is that we already do this with LibUp, our Gitlab AppSec Pipeline and our manual security review process. We don't necessarily generate SBOMs all of the time, but that's only because most tools that scan for CVEs within dependencies and similar issues readily support a number of lockfile formats out of the box (e.g. osv-scanner). So I guess a good question might be "what is the end goal of generating SBOMs?" Is it to improve some of the above processes that already accomplish similar goals? Or is it to create new processes or tooling to be run via CI, by developers themselves or via some other form of automation?

Mon, Mar 11, 5:42 PM · SecTeam-Processed, Security-Team, Security
sbassett moved T359634: Adopt SBOMs for MediaWiki from Incoming to Watching on the Security-Team board.
Mon, Mar 11, 5:28 PM · SecTeam-Processed, Security-Team, Security

Sat, Mar 9

FriedrickMILBarbarossa awarded T359553: Granting acl*security_steward access for 2024 Stewards and removing departing members a Pterodactyl token.
Sat, Mar 9, 7:51 AM · SecTeam-Processed, Security, Stewards-and-global-tools, Security-Team

Fri, Mar 8

sbassett added a comment to T351657: Application Security Review Request : Matomo upgrade and its campaign reporter plugin.

@sbassett Many thanks for the update - is the security review of matomo itself now complete, or is it no longer necessary?

Fri, Mar 8, 6:06 PM · SecTeam-Processed, secscrum, Security, Application Security Reviews
sbassett triaged T359624: XTools ignores opt out from restricted statistics as Low priority.
Fri, Mar 8, 5:51 PM · SecTeam-Processed, Privacy Engineering, XTools
sbassett edited projects for T359624: XTools ignores opt out from restricted statistics, added: SecTeam-Processed; removed Security, Security-Team.
Fri, Mar 8, 5:48 PM · SecTeam-Processed, Privacy Engineering, XTools
sbassett closed T351657: Application Security Review Request : Matomo upgrade and its campaign reporter plugin as Resolved.
Fri, Mar 8, 5:36 PM · SecTeam-Processed, secscrum, Security, Application Security Reviews
sbassett closed T351657: Application Security Review Request : Matomo upgrade and its campaign reporter plugin, a subtask of T319013: Enable the Marketing Campaigns Reporting plugin for matomo, as Resolved.
Fri, Mar 8, 5:35 PM · Data-Platform-SRE (2024.03.04 - 2024.03.24), Data-Engineering, Foundational Technology Requests
sbassett closed T351657: Application Security Review Request : Matomo upgrade and its campaign reporter plugin, a subtask of T351552: Upgrade matomo (piwik.wikimedia.org) to latest stable version, as Resolved.
Fri, Mar 8, 5:35 PM · Data-Platform-SRE
sbassett added a comment to T359624: XTools ignores opt out from restricted statistics.
Fri, Mar 8, 5:35 PM · SecTeam-Processed, Privacy Engineering, XTools
Uralvolkan89 awarded T359553: Granting acl*security_steward access for 2024 Stewards and removing departing members a Pterodactyl token.
Fri, Mar 8, 10:42 AM · SecTeam-Processed, Security, Stewards-and-global-tools, Security-Team

Thu, Mar 7

sbassett claimed T359553: Granting acl*security_steward access for 2024 Stewards and removing departing members.
Thu, Mar 7, 5:15 PM · SecTeam-Processed, Security, Stewards-and-global-tools, Security-Team
sbassett added a comment to T359553: Granting acl*security_steward access for 2024 Stewards and removing departing members.

According to last year's decision of the security team, we just now need to confirm 2FA is enabled as it should be before performing the additions (no extra approval is necessary anymore).

Thu, Mar 7, 5:13 PM · SecTeam-Processed, Security, Stewards-and-global-tools, Security-Team
sbassett added a comment to T358618: Security Issue Access Request for Sfaci.

Confirming that @Sfaci currently has Phabricator MFA enabled:

sfaci.png (89×475 px, 15 KB)

Thu, Mar 7, 5:06 PM · SecTeam-Processed, Data Products, Security-Team, Security
sbassett added a comment to T358619: Security Issue Access Request for SGupta-WMF.

@SGupta-WMF does not currently have Phabricator MFA enabled.

Thu, Mar 7, 5:05 PM · SecTeam-Processed, Data Products, Security-Team, Security
sbassett added a comment to T358728: Solve OSV Double-Pipeline Problem without Requiring Many Default Rules.

Yep, it looks like this is working much better now. I've adopted @dduvall 's simpler ruleset. Thank you!

Thu, Mar 7, 5:02 PM · SecTeam-Processed, Security-Team, Release Pipeline, Release-Engineering-Team

Wed, Mar 6

sbassett updated the task description for T353747: Add basic unit tests and CI support for semgrep-merge-tool.
Wed, Mar 6, 10:00 PM · SecTeam-Processed, Security-Team, Security, GitLab-Application-Security-Pipeline
sbassett added a comment to T348780: Integrate a risk factor related to how many production projects an extension or skin is deployed.

Works just as well (and seemingly as fast) with PHP-Parser. We just need to update ast.php and bring in the new dependency via composer:

ast.php
#!/usr/bin/env php
<?php
Wed, Mar 6, 9:56 PM · Patch-For-Review, SecTeam-Processed, Code-Health, Security, Security Team AppSec, production-risk-assessment, Security-Team
sbassett moved T353747: Add basic unit tests and CI support for semgrep-merge-tool from In Progress to Our Part Is Done on the Security-Team board.
Wed, Mar 6, 9:45 PM · SecTeam-Processed, Security-Team, Security, GitLab-Application-Security-Pipeline
sbassett closed T353747: Add basic unit tests and CI support for semgrep-merge-tool as Resolved.
Wed, Mar 6, 9:45 PM · SecTeam-Processed, Security-Team, Security, GitLab-Application-Security-Pipeline
sbassett closed T353747: Add basic unit tests and CI support for semgrep-merge-tool, a subtask of T342177: [EPIC] Application Security Pipeline Components for Gitlab - Phase 2 Work, as Resolved.
Wed, Mar 6, 9:43 PM · user-sbassett, SecTeam-Processed, Security-Team, Security, GitLab-Application-Security-Pipeline
sbassett moved T358728: Solve OSV Double-Pipeline Problem without Requiring Many Default Rules from Incoming to Watching on the Security-Team board.
Wed, Mar 6, 5:36 PM · SecTeam-Processed, Security-Team, Release Pipeline, Release-Engineering-Team

Tue, Mar 5

sbassett added a comment to T334940: All Graphs broken on Wikimedia wikis (due to security issue T336556).

I suspect WMF is more interested in replacing vega with a different tbd solution, which feels like a more proper fix.

Tue, Mar 5, 7:22 PM · User-zeljkofilipin, Regression, User-notice, Tech Ambassadors & Translators, MediaWiki-extensions-Graph

Mon, Mar 4

sbassett added a project to T358619: Security Issue Access Request for SGupta-WMF: SecTeam-Processed.
Mon, Mar 4, 5:18 PM · SecTeam-Processed, Data Products, Security-Team, Security
sbassett moved T358618: Security Issue Access Request for Sfaci from Incoming to In Progress on the Security-Team board.
Mon, Mar 4, 5:17 PM · SecTeam-Processed, Data Products, Security-Team, Security
sbassett changed the visibility for T270456: Parsoid REST API does not check access permissions of user - allowed information disclosure for private or semi-private wikis (e.g. affecting VisualEditor + Lockdown).
Mon, Mar 4, 4:58 PM · SecTeam-Processed, VisualEditor, Editing-team, Vuln-Authn/Session, Security-Team, Security, Parsoid
sbassett removed a project from T222807: Sandbox Graph extension into an iframe: Patch-For-Review.
Mon, Mar 4, 4:00 PM · MediaWiki-Platform-Team, MediaWiki-extensions-Graph
sbassett closed T270456: Parsoid REST API does not check access permissions of user - allowed information disclosure for private or semi-private wikis (e.g. affecting VisualEditor + Lockdown) as Declined.
Mon, Mar 4, 3:58 PM · SecTeam-Processed, VisualEditor, Editing-team, Vuln-Authn/Session, Security-Team, Security, Parsoid
sbassett closed T270456: Parsoid REST API does not check access permissions of user - allowed information disclosure for private or semi-private wikis (e.g. affecting VisualEditor + Lockdown), a subtask of T268529: Adopt VisualEditor in wiki.wikimedia.it, as Declined.
Mon, Mar 4, 3:58 PM · WMIT-Infrastructure
sbassett added a comment to T270456: Parsoid REST API does not check access permissions of user - allowed information disclosure for private or semi-private wikis (e.g. affecting VisualEditor + Lockdown).

Feel free to close this as declined, since at least my known stakeholders migrated away from Lockdown and completely changed their workflows to not involve any secret in the wiki. There are private pages only for members, but just for commodity reasons. No secret is stored. So their workflows cannot involve security issues anymore.

Maybe one day MediaWiki will be ready to flexibly host secrets. But we all know this is just discouraged at the moment.

Mon, Mar 4, 3:58 PM · SecTeam-Processed, VisualEditor, Editing-team, Vuln-Authn/Session, Security-Team, Security, Parsoid

Fri, Mar 1

sbassett added a comment to T260201: Parsoid REST API may not check access permissions of user.

I think this issue is moot, now that VE is using direct access to Parsoid?

Can anyone confirm?

Fri, Mar 1, 3:23 PM · Parsoid (Tracking), MW-1.36-notes (1.36.0-wmf.5; 2020-08-18), Security-Team, Security
sbassett added a comment to T348780: Integrate a risk factor related to how many production projects an extension or skin is deployed.

Yes, this definitely works and is very fast. Though there might be more benefits to using PHP-Parser instead of php-ast, which is maintained by the same person who maintains php-ast. PHP-Parser is definitely slower, but has better support for traversing the generated ast nodes and converting back and forth in a couple of ways: php -> ast -> php and php -> ast -> json, which will likely be handy for our intended use-case.

Fri, Mar 1, 3:04 PM · Patch-For-Review, SecTeam-Processed, Code-Health, Security, Security Team AppSec, production-risk-assessment, Security-Team

Thu, Feb 29

sbassett added a comment to T348780: Integrate a risk factor related to how many production projects an extension or skin is deployed.

Just a very quick proof of concept, this seems to work for me to process the current Wikimedia config CS.php and IS.php files (and it's quite fast):

ast.php
#!/usr/bin/env php 
<?php
Thu, Feb 29, 10:56 PM · Patch-For-Review, SecTeam-Processed, Code-Health, Security, Security Team AppSec, production-risk-assessment, Security-Team
sbassett added a comment to T358507: XSS on doc.wikimedia.org (documentation generated by yard) (CVE-2024-27285).

I failed to patch the vulnerability. It is still vulnerable, see https://github.com/lsegal/yard/pull/1537. I take full responsibility for this oversight.

Thu, Feb 29, 2:54 PM · Patch-For-Review, Infrastructure-Foundations, SecTeam-Processed, doc.wikimedia.org, Vuln-XSS, Upstream, Security, Security-Team
sbassett renamed T358507: XSS on doc.wikimedia.org (documentation generated by yard) (CVE-2024-27285) from XSS on doc.wikimedia.org (puppet documentation generated by yard) (CVE-2024-27285) to XSS on doc.wikimedia.org (documentation generated by yard) (CVE-2024-27285).
Thu, Feb 29, 2:52 PM · Patch-For-Review, Infrastructure-Foundations, SecTeam-Processed, doc.wikimedia.org, Vuln-XSS, Upstream, Security, Security-Team
sbassett removed a project from T329266: Debian security update for git silently broke mediawiki-i18n-check-docker: Patch-For-Review.
Thu, Feb 29, 2:52 PM · Release-Engineering-Team (Priority Backlog 📥), Vuln-Misconfiguration, SecTeam-Processed, Security, Security-Team

Wed, Feb 28

sbassett moved T357353: Application Security Review Request : NetworkSession MediaWiki extension from Back Orders to Upcoming Quarter Planning Queue on the secscrum board.
Wed, Feb 28, 5:18 PM · Discovery-Search (Current work), secscrum, Security, Application Security Reviews
sbassett updated the task description for T353826: Pentest FY2023/24 - Wikipedia Library .
Wed, Feb 28, 5:04 PM · The-Wikipedia-Library, secscrum
sbassett added a comment to T353826: Pentest FY2023/24 - Wikipedia Library .

See team's issue tracking task: T358257: Wikipedia Library January 2024 Pentest

Wed, Feb 28, 5:03 PM · The-Wikipedia-Library, secscrum
sbassett updated the task description for T358507: XSS on doc.wikimedia.org (documentation generated by yard) (CVE-2024-27285).
Wed, Feb 28, 4:12 PM · Patch-For-Review, Infrastructure-Foundations, SecTeam-Processed, doc.wikimedia.org, Vuln-XSS, Upstream, Security, Security-Team
sbassett updated subscribers of T358507: XSS on doc.wikimedia.org (documentation generated by yard) (CVE-2024-27285).
Wed, Feb 28, 4:11 PM · Patch-For-Review, Infrastructure-Foundations, SecTeam-Processed, doc.wikimedia.org, Vuln-XSS, Upstream, Security, Security-Team
sbassett updated the task description for T358507: XSS on doc.wikimedia.org (documentation generated by yard) (CVE-2024-27285).
Wed, Feb 28, 3:55 PM · Patch-For-Review, Infrastructure-Foundations, SecTeam-Processed, doc.wikimedia.org, Vuln-XSS, Upstream, Security, Security-Team
sbassett added a comment to T358140: Security Issue Access Request for @MShilova_WMF .

Team, I am still not able to see the content of this ticket https://phabricator.wikimedia.org/T358115. I'd like to be able to 'watch' it.

Wed, Feb 28, 3:49 PM · SecTeam-Processed, Security-Team, Security

Tue, Feb 27

sbassett added a comment to T358140: Security Issue Access Request for @MShilova_WMF .

Confirming that user @MShilova_WMF currently has Phab MFA enabled:

Screenshot 2024-02-27 at 9.40.56 AM.png (77×473 px, 12 KB)

Tue, Feb 27, 3:44 PM · SecTeam-Processed, Security-Team, Security
sbassett added a comment to T356297: Offboard James Fishback from Security Team.

privacy is planning to switch ownership of @priv_eng_sync to a privacy google group that is being created. However the account currently has 2FA tied to James Fishback's phab account, and that account has been disabled, so there might be some issues

Tue, Feb 27, 3:43 PM · SecTeam-Processed, Security-Team
sbassett added projects to T358581: Routinator: CVE-2024-1622: SecTeam-Processed, Vuln-VulnComponent.
Tue, Feb 27, 3:38 PM · Vuln-VulnComponent, SecTeam-Processed, netops, Infrastructure-Foundations, Infrastructure Security, Security

Mon, Feb 26

sbassett added a comment to T358507: XSS on doc.wikimedia.org (documentation generated by yard) (CVE-2024-27285).

We could also add a sandbox directive to the csp policy

Mon, Feb 26, 6:36 PM · Patch-For-Review, Infrastructure-Foundations, SecTeam-Processed, doc.wikimedia.org, Vuln-XSS, Upstream, Security, Security-Team
sbassett added a project to T358507: XSS on doc.wikimedia.org (documentation generated by yard) (CVE-2024-27285): Infrastructure-Foundations.

Yes, that's what I reported. Until a fix is implemented, I'd suggest removing the frames.html file because it serves no purpose.

Mon, Feb 26, 6:25 PM · Patch-For-Review, Infrastructure-Foundations, SecTeam-Processed, doc.wikimedia.org, Vuln-XSS, Upstream, Security, Security-Team
sbassett added a comment to T358507: XSS on doc.wikimedia.org (documentation generated by yard) (CVE-2024-27285).

It looks like this issue is due to some really unfortunate javascript code. If one views the html source of the XSS payload URL within the above description, you can see:

var match = unescape(window.location.hash).match(/^#!(.+)/);
var name = match ? match[1] : 'index.html';
name = name.replace(/^(\w+):\/\//, '').replace(/^\/\//, '');
window.top.location = name;

which is attempting to match anything after #! within the query string, perform some minor slash-escaping and then write it directly to the browser's location. Even implementing some basic url scheme sanitization as described here and other places would likely be mostly effective in mitigating this issue.

Mon, Feb 26, 6:19 PM · Patch-For-Review, Infrastructure-Foundations, SecTeam-Processed, doc.wikimedia.org, Vuln-XSS, Upstream, Security, Security-Team
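The redirect logic quoted in the comment above, reproduced as an added example next to a hardened version. This is illustrative code written for this page, not yard's or Wikimedia's; the base URL https://doc.wikimedia.org/puppet/ is an assumed location for frames.html and the sample hashes are constructed payloads.

```javascript
// Added example (not yard's code): the hash-based redirect quoted in the task
// comment, reproduced as a pure function, next to a hardened version that only
// follows same-origin targets under the documentation root.
// DOC_BASE is an assumed value for illustration.

const DOC_BASE = 'https://doc.wikimedia.org/puppet/'; // assumed frames.html location

// Vulnerable logic, as quoted in the comment: strips "scheme://" and "//"
// prefixes but lets every other scheme through, so "#!javascript:alert(1)"
// reaches window.top.location unchanged (returned here instead of assigned).
function unsafeFrameTarget(hash) {
  var match = unescape(hash).match(/^#!(.+)/);
  var name = match ? match[1] : 'index.html';
  name = name.replace(/^(\w+):\/\//, '').replace(/^\/\//, '');
  return name; // original code did: window.top.location = name;
}

// Hardened version: resolve the candidate against the documentation base and
// accept it only if it is http(s), same-origin and stays under DOC_BASE's path.
// Anything else (javascript:, data:, protocol-relative, path traversal,
// malformed escapes) falls back to the index page.
function safeFrameTarget(hash, base = DOC_BASE) {
  const baseUrl = new URL(base);
  const fallback = new URL('index.html', baseUrl).href;

  let raw;
  try {
    raw = decodeURIComponent(hash); // throws URIError on malformed %-escapes
  } catch (e) {
    return fallback;
  }
  const match = raw.match(/^#!(.+)/);
  if (!match) return fallback;

  let target;
  try {
    target = new URL(match[1], baseUrl); // resolves relative paths, keeps absolute URLs
  } catch (e) {
    return fallback;
  }

  const schemeOk = target.protocol === 'http:' || target.protocol === 'https:';
  const originOk = target.origin === baseUrl.origin;
  const pathOk = target.pathname.startsWith(baseUrl.pathname);
  if (!(schemeOk && originOk && pathOk)) return fallback;
  return target.href; // safe to assign to window.top.location
}

// Constructed payloads for a side-by-side run of both functions.
const SAMPLES = [
  '#!Foo/Bar.html',                      // legitimate deep link
  '#!javascript:alert(document.domain)', // XSS via the location sink
  '#!//evil.example/phish',              // open redirect attempt
  '#!../../etc',                         // escapes the docs root
];

function compare(samples = SAMPLES) {
  return samples.map((h) => ({
    hash: h,
    unsafe: unsafeFrameTarget(h),
    safe: safeFrameTarget(h),
  }));
}
```

Running compare() shows the contrast: the vulnerable function hands `javascript:alert(document.domain)` straight to the location sink, while the hardened one resolves every sample against the docs root and falls back to index.html for anything that is not an http(s) page under that path. The allowlist on scheme, origin and path prefix is the "basic url scheme sanitization" the comment refers to, taken one step further than scheme alone.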
sbassett changed the visibility for T356459: Password exposure on PCC when adding new host to LB pool?.
Mon, Feb 26, 5:59 PM · Vuln-Infoleak, SecTeam-Processed, Infrastructure-Foundations, Security
sbassett moved T358507: XSS on doc.wikimedia.org (documentation generated by yard) (CVE-2024-27285) from Incoming to Watching on the Security-Team board.
Mon, Feb 26, 5:31 PM · Patch-For-Review, Infrastructure-Foundations, SecTeam-Processed, doc.wikimedia.org, Vuln-XSS, Upstream, Security, Security-Team
sbassett updated the task description for T358507: XSS on doc.wikimedia.org (documentation generated by yard) (CVE-2024-27285).
Mon, Feb 26, 5:30 PM · Patch-For-Review, Infrastructure-Foundations, SecTeam-Processed, doc.wikimedia.org, Vuln-XSS, Upstream, Security, Security-Team
sbassett updated the task description for T358507: XSS on doc.wikimedia.org (documentation generated by yard) (CVE-2024-27285).
Mon, Feb 26, 5:29 PM · Patch-For-Review, Infrastructure-Foundations, SecTeam-Processed, doc.wikimedia.org, Vuln-XSS, Upstream, Security, Security-Team
sbassett updated subscribers of T358507: XSS on doc.wikimedia.org (documentation generated by yard) (CVE-2024-27285).
Mon, Feb 26, 5:22 PM · Patch-For-Review, Infrastructure-Foundations, SecTeam-Processed, doc.wikimedia.org, Vuln-XSS, Upstream, Security, Security-Team
sbassett changed Author Affiliation from community to other on T358507: XSS on doc.wikimedia.org (documentation generated by yard) (CVE-2024-27285).
Mon, Feb 26, 4:50 PM · Patch-For-Review, Infrastructure-Foundations, SecTeam-Processed, doc.wikimedia.org, Vuln-XSS, Upstream, Security, Security-Team
sbassett added projects to T358507: XSS on doc.wikimedia.org (documentation generated by yard) (CVE-2024-27285): Upstream, Vuln-XSS, doc.wikimedia.org.
Mon, Feb 26, 4:50 PM · Patch-For-Review, Infrastructure-Foundations, SecTeam-Processed, doc.wikimedia.org, Vuln-XSS, Upstream, Security, Security-Team
sbassett created T358507: XSS on doc.wikimedia.org (documentation generated by yard) (CVE-2024-27285).
Mon, Feb 26, 4:50 PM · Patch-For-Review, Infrastructure-Foundations, SecTeam-Processed, doc.wikimedia.org, Vuln-XSS, Upstream, Security, Security-Team
sbassett added a comment to T357353: Application Security Review Request : NetworkSession MediaWiki extension .

This will likely be reviewed next quarter (April 1st to June 30th, 2024).

Mon, Feb 26, 4:39 PM · Discovery-Search (Current work), secscrum, Security, Application Security Reviews
sbassett moved T357353: Application Security Review Request : NetworkSession MediaWiki extension from Incoming to Back Orders on the secscrum board.
Mon, Feb 26, 4:39 PM · Discovery-Search (Current work), secscrum, Security, Application Security Reviews
sbassett added a comment to T356459: Password exposure on PCC when adding new host to LB pool?.

Patch merged, this should be done.

Mon, Feb 26, 4:16 PM · Vuln-Infoleak, SecTeam-Processed, Infrastructure-Foundations, Security

Fri, Feb 23

sbassett assigned T283839: Open refine stored password available in PAWS public to Bstorm.
Fri, Feb 23, 9:02 PM · SecTeam-Processed, OpenRefine, Cloud-VPS, Vuln-Infoleak, PAWS, Security
sbassett set Author Affiliation to community on T283839: Open refine stored password available in PAWS public.
Fri, Feb 23, 9:01 PM · SecTeam-Processed, OpenRefine, Cloud-VPS, Vuln-Infoleak, PAWS, Security
sbassett added a comment to T283839: Open refine stored password available in PAWS public.

Anything here that would keep us from making this task public? I'm not seeing anything obvious.

Fri, Feb 23, 4:06 PM · SecTeam-Processed, OpenRefine, Cloud-VPS, Vuln-Infoleak, PAWS, Security

Thu, Feb 22

sbassett added a project to T354607: Security Issue Access Request for jhsoby: SecTeam-Processed.
Thu, Feb 22, 11:35 PM · SecTeam-Processed, Security-Team, Security
sbassett added a comment to T354607: Security Issue Access Request for jhsoby.

Confirming that user @jhsoby has Phab MFA enabled:

Screenshot 2024-02-22 at 11.07.15 AM.png (60×472 px, 15 KB)

Thu, Feb 22, 5:20 PM · SecTeam-Processed, Security-Team, Security
sbassett added a parent task for T354607: Security Issue Access Request for jhsoby: T353393: Request to add jhsoby to WMF-NDA group.
Thu, Feb 22, 5:02 PM · SecTeam-Processed, Security-Team, Security
sbassett added a subtask for T353393: Request to add jhsoby to WMF-NDA group: T354607: Security Issue Access Request for jhsoby.
Thu, Feb 22, 5:02 PM · WMF-NDA-Requests
sbassett added a comment to T354607: Security Issue Access Request for jhsoby.

I think this should now be unblocked due to T353393#9568781.

Thu, Feb 22, 5:01 PM · SecTeam-Processed, Security-Team, Security
sbassett closed T353393: Request to add jhsoby to WMF-NDA group as Resolved.

Per @Mstyles comment above, adding @jhsoby to WMF-NDA and resolving this task.

Thu, Feb 22, 5:00 PM · WMF-NDA-Requests
sbassett added a member for WMF-NDA: jhsoby.
Thu, Feb 22, 5:00 PM

Tue, Feb 20

sbassett added a project to T357622: Requesting access to security@wikimedia.org: SecTeam-Processed.
Tue, Feb 20, 7:17 PM · SecTeam-Processed, Security-Team
sbassett triaged T357479: Stop sending X-Webkit-CSP and X-Webkit-CSP-Report-Only headers as Medium priority.
Tue, Feb 20, 6:15 PM · SecTeam-Processed, Security-Team, ContentSecurityPolicy, Traffic
sbassett closed T357479: Stop sending X-Webkit-CSP and X-Webkit-CSP-Report-Only headers as Resolved.
Tue, Feb 20, 6:15 PM · SecTeam-Processed, Security-Team, ContentSecurityPolicy, Traffic
sbassett edited projects for T357479: Stop sending X-Webkit-CSP and X-Webkit-CSP-Report-Only headers, added: SecTeam-Processed; removed Patch-For-Review.
Tue, Feb 20, 6:14 PM · SecTeam-Processed, Security-Team, ContentSecurityPolicy, Traffic
sbassett moved T357479: Stop sending X-Webkit-CSP and X-Webkit-CSP-Report-Only headers from Incoming to Our Part Is Done on the Security-Team board.
Tue, Feb 20, 6:14 PM · SecTeam-Processed, Security-Team, ContentSecurityPolicy, Traffic
sbassett moved T357570: Run prod risk assessment cli to generate updated results from Incoming to In Progress on the Security-Team board.
Tue, Feb 20, 6:11 PM · SecTeam-Processed, user-sbassett, Code-Health, Security, Security Team AppSec, Security-Team, production-risk-assessment
sbassett removed a project from T354104: Wikibooks reported to be vulnerable to DOM Clobbering attack: Security-Team.
Tue, Feb 20, 6:05 PM · Vuln-Inject, SecTeam-Processed, user-sbassett, Security
sbassett moved T354104: Wikibooks reported to be vulnerable to DOM Clobbering attack from In Progress to Done on the user-sbassett board.
Tue, Feb 20, 6:05 PM · Vuln-Inject, SecTeam-Processed, user-sbassett, Security
sbassett moved T329266: Debian security update for git silently broke mediawiki-i18n-check-docker from Watching to Our Part Is Done on the Security-Team board.
Tue, Feb 20, 4:02 PM · Release-Engineering-Team (Priority Backlog 📥), Vuln-Misconfiguration, SecTeam-Processed, Security, Security-Team

Feb 16 2024

sbassett added a comment to T356599: DiscussionTools is incompatible with hCaptcha (and likely ReCaptcha).

Note for Editing Team: this does not affect WMF wikis

Feb 16 2024, 3:02 PM · ConfirmEdit (CAPTCHA extension), affects-Miraheze, DiscussionTools
sbassett moved T335698: Install the Application Security Pipeline templates for WikILambda CLI's GitLab repo from Frozen to Our Part Is Done on the Security-Team board.
Feb 16 2024, 2:55 PM · Security-Team, SecTeam-Processed, Security Architecture Tooling, Abstract Wikipedia Fix-It tasks, Abstract Wikipedia team

Feb 15 2024

sbassett updated the task description for T356297: Offboard James Fishback from Security Team.
Feb 15 2024, 9:46 PM · SecTeam-Processed, Security-Team
sbassett updated the task description for T356297: Offboard James Fishback from Security Team.
Feb 15 2024, 8:42 PM · SecTeam-Processed, Security-Team
sbassett changed the visibility for T352827: Directory traversal allows single-page whitelisting to override entire spam-blacklist entry.
Feb 15 2024, 8:42 PM · SecTeam-Processed, Vuln-Misconfiguration, SpamBlacklist, Security, Security-Team
sbassett moved T352827: Directory traversal allows single-page whitelisting to override entire spam-blacklist entry from Watching to Our Part Is Done on the Security-Team board.
Feb 15 2024, 8:41 PM · SecTeam-Processed, Vuln-Misconfiguration, SpamBlacklist, Security, Security-Team
sbassett added a comment to T352827: Directory traversal allows single-page whitelisting to override entire spam-blacklist entry.

(This was resolved by that patch, I just forgot to close it. @sbassett Could you please make it public?)

Feb 15 2024, 8:41 PM · SecTeam-Processed, Vuln-Misconfiguration, SpamBlacklist, Security, Security-Team
sbassett updated the task description for T356297: Offboard James Fishback from Security Team.
Feb 15 2024, 8:38 PM · SecTeam-Processed, Security-Team
sbassett updated the task description for T356297: Offboard James Fishback from Security Team.
Feb 15 2024, 7:13 PM · SecTeam-Processed, Security-Team
sbassett awarded T335696: Install the Application Security Pipeline templates for function-evaluator's GitLab repo a Like token.
Feb 15 2024, 7:11 PM · Abstract Wikipedia team, SecTeam-Processed, Security-Team, Security Architecture Tooling, function-evaluator, Abstract Wikipedia Fix-It tasks
sbassett moved T335696: Install the Application Security Pipeline templates for function-evaluator's GitLab repo from Frozen to Our Part Is Done on the Security-Team board.
Feb 15 2024, 7:11 PM · Abstract Wikipedia team, Security-Team, SecTeam-Processed, Security Architecture Tooling, function-evaluator, Abstract Wikipedia Fix-It tasks
sbassett moved T335695: Install the Application Security Pipeline templates for function-orchestrator's GitLab repo from Frozen to Our Part Is Done on the Security-Team board.
Feb 15 2024, 7:10 PM · Security-Team, SecTeam-Processed, Security Architecture Tooling, Abstract Wikipedia team, Abstract Wikipedia Fix-It tasks, function-orchestrator