
sbassett (Scott Bassett)
Staff Security Engineer
Administrator


User Details

User Since
Sep 12 2018, 3:52 PM (237 w, 1 d)
Roles
Administrator
Availability
Available
IRC Nick
sbassett
LDAP User
SBassett
MediaWiki User
SBassett (WMF)

Member of the Security-Team. My user-sbassett board should be fairly up-to-date, though we also track some other work within Asana these days.

Recent Activity

Wed, Mar 29

sbassett changed the visibility for T332598: changeprop-jobqueue password leaked on phabricator.
Wed, Mar 29, 3:10 PM · Vuln-Infoleak, SecTeam-Processed, serviceops, Security

Tue, Mar 28

sbassett added a comment to T311337: CVE-2022-39193: Edits with the performer suppressed still show the performer in results from the CheckUser extension.

@sbassett it seems that the CVE description is wrong.

This information should not allow public viewing: it is supposed to be viewable only by users with checkuser access.

It should be suppress, not checkuser.

Can this be updated?

Tue, Mar 28, 8:13 PM · MW-1.40-notes (1.40.0-wmf.19; 2023-01-16), Platform Engineering, Vuln-Infoleak, CheckUser, Security, Security-Team
sbassett added a comment to T305082: Request for Private repos to be enabled.

My goals would be:

  1. No free-for-all private repos
  2. Allow users to request private repos through some process (a phab form? Dunno if there's any analogous process that exists that we could copy?)
    1. Ideally the form would require users to acknowledge that any data in a repo is only private-ish
  3. Ensure there's a list of known private repositories that can be reviewed by administrators on some cadence

I chatted with @sbassett, he suggested I loop in Privacy Engineering for some discussion/assistance (👋 @JFishback_WMF ).

Tue, Mar 28, 4:26 PM · Privacy Engineering, Release-Engineering-Team (Priority Backlog 📥), Privacy, User-brennen, GitLab (Administration, Settings & Policy), Product-Analytics
sbassett added a comment to T332850: Undeploy DoubleWiki Extension from Wikimedia production .

If the issue is as severe as T257062: Lilypond seemingly not subject to restrictions (CVE-2020-29007), it should be emergency disabled but re-enabled once it is fixed (and there would be a task for re-enabling it).

Tue, Mar 28, 3:53 PM · Patch-For-Review, MediaWiki-extensions-DoubleWiki, Code-Stewardship-Reviews

Mon, Mar 27

sbassett closed T206970: Investigate using simple grep to check js for raw html messages as Declined.

Declining this as I think it is likely a relic of the past. We still have the mediawiki-i18n-check-docker running for twn messages, phan-taint-check running under phan for most php repos (which can find problematic message usage like this), bugs like T200997 seemingly mostly resolved and still-active efforts like T2212.

Mon, Mar 27, 8:07 PM · Security, Security-Team
sbassett changed the visibility for T328277: Cargo: HTML/JS injection via unescaped messages.
Mon, Mar 27, 7:14 PM · SecTeam-Processed, Vuln-XSS, Vuln-Inject, MediaWiki-extensions-Cargo, Security
sbassett closed T328277: Cargo: HTML/JS injection via unescaped messages as Resolved.

@thiemowmde - thanks for finding these, and sorry for the long delay in handling this. I just checked in this fix - I don't know if I got all the necessary escaping there, but hopefully I got most of it:

https://gerrit.wikimedia.org/r/c/mediawiki/extensions/Cargo/+/899598

Mon, Mar 27, 7:13 PM · SecTeam-Processed, Vuln-XSS, Vuln-Inject, MediaWiki-extensions-Cargo, Security
sbassett edited projects for T332639: Make it more difficult to unintentionally paste secrets, passwords, and keys in Phabricator task descriptions, comments and pastes, added: SecTeam-Processed; removed Security-Team.
Mon, Mar 27, 4:20 PM · SecTeam-Processed, Release-Engineering-Team, Phabricator
sbassett added a comment to T332639: Make it more difficult to unintentionally paste secrets, passwords, and keys in Phabricator task descriptions, comments and pastes.

It might not be terrible to port Whispers' rule regular expressions over to client-side js, but that kind of defeats the point of leveraging an upstream project IMO. As far as JS-ish things that currently exist, this Node fork of Yelp's detect-secrets looks pretty unmaintained at this point. And this eslint plugin seems more entropy-focused than problematic, basic string patterns (e.g. password=).

Mon, Mar 27, 4:01 PM · SecTeam-Processed, Release-Engineering-Team, Phabricator
sbassett triaged T333138: API login with empty CSRF token as Low priority.
Mon, Mar 27, 3:31 PM · SecTeam-Processed, MediaWiki-Authentication-and-authorization
sbassett removed a project from T333138: API login with empty CSRF token: Security.
Mon, Mar 27, 3:30 PM · SecTeam-Processed, MediaWiki-Authentication-and-authorization
sbassett edited projects for T333138: API login with empty CSRF token, added: SecTeam-Processed; removed Security-Team.
Mon, Mar 27, 3:30 PM · SecTeam-Processed, MediaWiki-Authentication-and-authorization

Wed, Mar 22

sbassett added a comment to T301044: Request creation of OurWorldinData VPS project.

By "experienced developer review our current nodejs service documentation and begin specifying and prototyping a new project" do you mean someone within the WMF technical team?

Wed, Mar 22, 2:22 PM · Security-Team, cloud-services-team (Kanban), Cloud-VPS (Project-requests)

Tue, Mar 21

sbassett added a comment to T301044: Request creation of OurWorldinData VPS project.

Okay so what would be the steps to "develop a microservice to deliver any relevant OWID content which could live within Wikimedia production"? Best

Tue, Mar 21, 8:37 PM · Security-Team, cloud-services-team (Kanban), Cloud-VPS (Project-requests)
sbassett added a comment to T301044: Request creation of OurWorldinData VPS project.

Sure, it's just that, as also mentioned within the security review (T324989), we can't iframe external content within Wikimedia production. And in this case, anything under wmcs or toolforge would be considered external content. So that would be a blocker to getting OWID into Wikimedia production. Hence the suggestion of developing a microservice to deliver any relevant OWID content which could live within Wikimedia production.

Tue, Mar 21, 6:31 PM · Security-Team, cloud-services-team (Kanban), Cloud-VPS (Project-requests)
sbassett added a comment to T301044: Request creation of OurWorldinData VPS project.

Wikimedia production supports a number of node/js (some examples here) and golang microservices these days

I didn't mean to imply that it is a nodejs app. Once converted it is straight up html, but most of the work is done by runtime javascript on the front end that draws the graphs.

Tue, Mar 21, 5:56 PM · Security-Team, cloud-services-team (Kanban), Cloud-VPS (Project-requests)
sbassett added a comment to T301044: Request creation of OurWorldinData VPS project.

This would be ideal, but keep in mind that the graphs rendered use javascript and svg, so they are not your typical php app.

Tue, Mar 21, 4:39 PM · Security-Team, cloud-services-team (Kanban), Cloud-VPS (Project-requests)

Mon, Mar 20

sbassett added a comment to T332639: Make it more difficult to unintentionally paste secrets, passwords, and keys in Phabricator task descriptions, comments and pastes.

So there are at least a few CLI tools - git secrets, whispers, gitleaks - that we (sec team) have experimented with for our manual reviews. It would be nice to maybe leverage one of these established tools with a hypothetical Phab plugin.

Mon, Mar 20, 10:02 PM · SecTeam-Processed, Release-Engineering-Team, Phabricator
sbassett moved T331928: Phabricator Admin Access Request for Scott Bassett from In Progress to Done on the user-sbassett board.
Mon, Mar 20, 9:51 PM · user-sbassett, SecTeam-Processed, Release-Engineering-Team, Security-Team, Phabricator
sbassett moved T331928: Phabricator Admin Access Request for Scott Bassett from In Progress to Our Part Is Done on the Security-Team board.
Mon, Mar 20, 9:50 PM · user-sbassett, SecTeam-Processed, Release-Engineering-Team, Security-Team, Phabricator
sbassett added a comment to T331125: Security Issue Access Request for nfraison.

Confirmed 2fa enabled for @nfraison:

[attached image: nfraison-2fa.png]

Mon, Mar 20, 9:50 PM · SecTeam-Processed, Security-Team, Security
sbassett awarded T331928: Phabricator Admin Access Request for Scott Bassett a Like token.
Mon, Mar 20, 9:44 PM · user-sbassett, SecTeam-Processed, Release-Engineering-Team, Security-Team, Phabricator
brennen empowered sbassett as an administrator.
Mon, Mar 20, 9:42 PM
sbassett added a comment to T326871: Update Security Team-owned products that may be affected by IP Masking.

ext:StopForumSpam also echos back a user's IP address via the following error message (if they're disallowed access by the extension): https://github.com/wikimedia/mediawiki-extensions-StopForumSpam/blob/master/i18n/en.json#L13. It is unclear to me if this sort of thing will be disallowed under the new IP Masking policies.

Mon, Mar 20, 4:47 PM · user-sbassett, SecTeam-Processed, Security-Team, IP Masking
sbassett changed Author Affiliation from tech to product on T332598: changeprop-jobqueue password leaked on phabricator.
Mon, Mar 20, 4:22 PM · Vuln-Infoleak, SecTeam-Processed, serviceops, Security
sbassett set Author Affiliation to tech on T332598: changeprop-jobqueue password leaked on phabricator.
Mon, Mar 20, 4:22 PM · Vuln-Infoleak, SecTeam-Processed, serviceops, Security
sbassett edited projects for T332598: changeprop-jobqueue password leaked on phabricator, added: SecTeam-Processed, Vuln-Infoleak; removed Security-Team.
Mon, Mar 20, 4:22 PM · Vuln-Infoleak, SecTeam-Processed, serviceops, Security
sbassett moved T316722: Re-evaluate stream_wrapper_unregister seen in recent maintenance scripts from Watching to Frozen on the Security-Team board.
Mon, Mar 20, 4:17 PM · SecTeam-Processed, Performance-Team (Radar), Security-Team, MediaWiki-General
sbassett added a comment to T331928: Phabricator Admin Access Request for Scott Bassett.

@Aklapper - seems like there are no objections here, with at least one blessing from the Release-Engineering-Team?

Mon, Mar 20, 4:13 PM · user-sbassett, SecTeam-Processed, Release-Engineering-Team, Security-Team, Phabricator

Tue, Mar 14

sbassett moved T332086: Improve stopforumspam-is-blocked message to include external link text / privacy copy from Backlog to In Progress on the user-sbassett board.
Tue, Mar 14, 9:15 PM · WMF-Legal, Patch-For-Review, MediaWiki-extensions-StopForumSpam, user-sbassett, SecTeam-Processed, Security-Team
sbassett moved T332086: Improve stopforumspam-is-blocked message to include external link text / privacy copy from Incoming to In Progress on the Security-Team board.
Tue, Mar 14, 9:14 PM · WMF-Legal, Patch-For-Review, MediaWiki-extensions-StopForumSpam, user-sbassett, SecTeam-Processed, Security-Team
sbassett changed the status of T332086: Improve stopforumspam-is-blocked message to include external link text / privacy copy from Open to In Progress.
Tue, Mar 14, 9:14 PM · WMF-Legal, Patch-For-Review, MediaWiki-extensions-StopForumSpam, user-sbassett, SecTeam-Processed, Security-Team
sbassett created T332086: Improve stopforumspam-is-blocked message to include external link text / privacy copy.
Tue, Mar 14, 8:57 PM · WMF-Legal, Patch-For-Review, MediaWiki-extensions-StopForumSpam, user-sbassett, SecTeam-Processed, Security-Team
sbassett closed T150300: icinga notification if elevated writing to badpass.log as Declined.

The Security-Team are the ostensible drivers of this work, but we have no resources or plans to work on it, so I'll mark it declined for now.

Tue, Mar 14, 5:45 PM · Sustainability (Incident Followup), Security-Team, observability
sbassett changed the status of T328568: Add eslint-plugin-security as a plugin to eslint-wikimedia-config from Open to Stalled.

Added an update to remove a noisy rule: https://github.com/wikimedia/eslint-config-wikimedia/pull/490#issuecomment-1468547357.

Tue, Mar 14, 5:42 PM · user-sbassett, SecTeam-Processed, Security, Security-Team, JavaScript
sbassett added a comment to T332003: Evaluate StopForumSpam operations in es.wikiversity.

Can a project determine what actions are being stopped by this? (Log?)

Tue, Mar 14, 4:47 PM · user-sbassett, SecTeam-Processed, Stewards-and-global-tools, MediaWiki-extensions-StopForumSpam, Security-Team
sbassett moved T332003: Evaluate StopForumSpam operations in es.wikiversity from Backlog to In Progress on the user-sbassett board.

Thanks, @MarcoAurelio. Some initial notes on the proposed questions/metrics:

Tue, Mar 14, 4:10 PM · user-sbassett, SecTeam-Processed, Stewards-and-global-tools, MediaWiki-extensions-StopForumSpam, Security-Team
brennen awarded T331928: Phabricator Admin Access Request for Scott Bassett a Like token.
Tue, Mar 14, 4:03 PM · user-sbassett, SecTeam-Processed, Release-Engineering-Team, Security-Team, Phabricator
sbassett added projects to T332003: Evaluate StopForumSpam operations in es.wikiversity: SecTeam-Processed, user-sbassett.
Tue, Mar 14, 3:58 PM · user-sbassett, SecTeam-Processed, Stewards-and-global-tools, MediaWiki-extensions-StopForumSpam, Security-Team
sbassett changed the status of T332003: Evaluate StopForumSpam operations in es.wikiversity from Open to In Progress.
Tue, Mar 14, 3:56 PM · user-sbassett, SecTeam-Processed, Stewards-and-global-tools, MediaWiki-extensions-StopForumSpam, Security-Team
sbassett changed the status of T332003: Evaluate StopForumSpam operations in es.wikiversity, a subtask of T273220: Deploy StopForumSpam extension to production, from Open to In Progress.
Tue, Mar 14, 3:56 PM · Privacy Engineering, MW-1.40-notes (1.40.0-wmf.17; 2023-01-02), Security-Team, user-sbassett, User-notice, Wikimedia-Extension-setup, MediaWiki-extensions-StopForumSpam
sbassett moved T332003: Evaluate StopForumSpam operations in es.wikiversity from Incoming to Watching on the Security-Team board.
Tue, Mar 14, 3:56 PM · user-sbassett, SecTeam-Processed, Stewards-and-global-tools, MediaWiki-extensions-StopForumSpam, Security-Team
sbassett updated subscribers of T331928: Phabricator Admin Access Request for Scott Bassett.

Ping @thcipriani @brennen et al to see if there are any objections to this request. Thanks.

Tue, Mar 14, 3:55 PM · user-sbassett, SecTeam-Processed, Release-Engineering-Team, Security-Team, Phabricator
sbassett moved T331928: Phabricator Admin Access Request for Scott Bassett from Backlog to In Progress on the user-sbassett board.
Tue, Mar 14, 3:52 PM · user-sbassett, SecTeam-Processed, Release-Engineering-Team, Security-Team, Phabricator
sbassett added a project to T331928: Phabricator Admin Access Request for Scott Bassett: user-sbassett.
Tue, Mar 14, 3:52 PM · user-sbassett, SecTeam-Processed, Release-Engineering-Team, Security-Team, Phabricator
sbassett moved T331928: Phabricator Admin Access Request for Scott Bassett from Incoming to In Progress on the Security-Team board.
Tue, Mar 14, 3:45 PM · user-sbassett, SecTeam-Processed, Release-Engineering-Team, Security-Team, Phabricator
sbassett added a comment to T331492: Security issue access for 2023 Stewards.

Ok, I've revised the policy description (the warning, specifically): https://phabricator.wikimedia.org/project/manage/4570/. Let me know if there are any additional concerns.

Tue, Mar 14, 3:30 PM · Security, Stewards-and-global-tools, Security-Team
sbassett edited Description on acl*security_steward.
Tue, Mar 14, 3:29 PM

Mon, Mar 13

sbassett closed T331182: Set $wgSFSReportOnly to false for es.wikiversity as Resolved.

Done. Logstash seems happy and I confirmed the verb switch in the log messages.

Mon, Mar 13, 10:36 PM · user-sbassett, SecTeam-Processed
sbassett removed a project from T331182: Set $wgSFSReportOnly to false for es.wikiversity: Wikimedia-Site-requests.
Mon, Mar 13, 10:36 PM · user-sbassett, SecTeam-Processed
sbassett closed T331182: Set $wgSFSReportOnly to false for es.wikiversity, a subtask of T273220: Deploy StopForumSpam extension to production, as Resolved.
Mon, Mar 13, 10:36 PM · Privacy Engineering, MW-1.40-notes (1.40.0-wmf.17; 2023-01-02), Security-Team, user-sbassett, User-notice, Wikimedia-Extension-setup, MediaWiki-extensions-StopForumSpam
Aklapper awarded T331928: Phabricator Admin Access Request for Scott Bassett a Like token.
Mon, Mar 13, 9:32 PM · user-sbassett, SecTeam-Processed, Release-Engineering-Team, Security-Team, Phabricator
sbassett added a comment to T331928: Phabricator Admin Access Request for Scott Bassett.

On T306708#8661705 you said your team can't handle 2fa reset requests while on this ticket you request admin access to handle 2fa requests. This is confusing me a bit.

Mon, Mar 13, 9:18 PM · user-sbassett, SecTeam-Processed, Release-Engineering-Team, Security-Team, Phabricator
sbassett added a comment to T331928: Phabricator Admin Access Request for Scott Bassett.

@Aklapper Looks like this could solve T306708

Mon, Mar 13, 9:12 PM · user-sbassett, SecTeam-Processed, Release-Engineering-Team, Security-Team, Phabricator
sbassett added a comment to T331125: Security Issue Access Request for nfraison.

@Aklapper - see T331928

Mon, Mar 13, 9:06 PM · SecTeam-Processed, Security-Team, Security
sbassett created T331928: Phabricator Admin Access Request for Scott Bassett.
Mon, Mar 13, 9:06 PM · user-sbassett, SecTeam-Processed, Release-Engineering-Team, Security-Team, Phabricator
sbassett added a comment to T331492: Security issue access for 2023 Stewards.

Hmm, that's weird. We don't require that for other security ACLs. I think the idea of self-management for those (members performing these updates) was built into that architecture, but I guess that's another matter. I mean, there's nothing stopping members from managing those ACLs AFAIK. Anyhow, the Security-Team approves any verified, newly-elected stewards for Phabricator security issue access, assuming they have 2fa enabled.

Should the description be updated based on this? That as long as an admin confirms 2FA status, the group can be self-managed by stewards?

Mon, Mar 13, 8:57 PM · Security, Stewards-and-global-tools, Security-Team
sbassett added a comment to T331492: Security issue access for 2023 Stewards.
Mon, Mar 13, 5:30 PM · Security, Stewards-and-global-tools, Security-Team
sbassett added a comment to T331492: Security issue access for 2023 Stewards.

Any Phab admin could check (the Security team also has Phab admin members). :)

Mon, Mar 13, 5:30 PM · Security, Stewards-and-global-tools, Security-Team
sbassett moved T330312: Address Gerrit WMCS instance authenticating against LDAP (breaching WMCS policy) from Watching to Our Part Is Done on the Security-Team board.
Mon, Mar 13, 3:40 PM · SecTeam-Processed, Release-Engineering-Team (Yak Shaving 🐃🪒), serviceops-collab, Security, Security-Team
sbassett triaged T330312: Address Gerrit WMCS instance authenticating against LDAP (breaching WMCS policy) as Medium priority.
Mon, Mar 13, 3:39 PM · SecTeam-Processed, Release-Engineering-Team (Yak Shaving 🐃🪒), serviceops-collab, Security, Security-Team
sbassett removed a project from T315580: Upgrade Puppet code to make Airflow configuration files compatible with version 2.5.0: Patch-For-Review.
Mon, Mar 13, 3:06 PM · Data Pipelines (Sprint 11), Vuln-VulnComponent, SecTeam-Processed, Data-Engineering-Planning

Fri, Mar 10

sbassett added a comment to T241451: Security Review For SpamRegex extension.

Note that on ShoutWiki this table is shared between all wikis; WMF may or may not want to do the same.

Fri, Mar 10, 6:51 PM · secscrum, Application Security Reviews, SpamRegex, User-DannyS712
sbassett updated subscribers of T271108: Log errors / exceptions to Slack (or Telegram).

This ticket is currently awaiting security review. We shall resume after reviews are complete.

Fri, Mar 10, 5:49 PM · Patch-For-Review, Language-Team (Language-2023-January-March), translatewiki.net
sbassett moved T289518: Code Stewardship Review for search.wikimedia.org from Backlog to Done on the Code-Stewardship-Reviews board.
Fri, Mar 10, 3:55 PM · Code-Stewardship-Reviews
sbassett added a comment to T331492: Security issue access for 2023 Stewards.

So, in that case, the description of the project's actually correct, as Security-Team approval is needed each time the ACL membership changes (in bulk after elections, or individually if a need arises during the term), and there's actually nothing to do differently than I did here? Or am I missing something?

Fri, Mar 10, 3:36 PM · Security, Stewards-and-global-tools, Security-Team
sbassett awarded T331554: New production ssh key for sbassett a Like token.
Fri, Mar 10, 3:25 PM · SecTeam-Processed, Security, SRE-Access-Requests, SRE

Thu, Mar 9

sbassett placed T324989: Application Security Review Request : OurWorldInData up for grabs.
Thu, Mar 9, 6:47 PM · Privacy Engineering, secscrum, Security, Application Security Reviews
sbassett moved T324989: Application Security Review Request : OurWorldInData from Waiting to Back Orders on the secscrum board.
Thu, Mar 9, 6:46 PM · Privacy Engineering, secscrum, Security, Application Security Reviews
sbassett added a comment to T331492: Security issue access for 2023 Stewards.

Can you clarify what "verified" means in this context? Does that mean simply verifying that the Phabricator accounts actually belong to a duly elected steward? Or some other kind of verification that needs to happen?

Thu, Mar 9, 6:44 PM · Security, Stewards-and-global-tools, Security-Team
sbassett added a comment to T331554: New production ssh key for sbassett.

@sbassett I've opened a CR to update your ssh key - if you can confirm it's correct and +1 the CR, I'll merge it.

Thu, Mar 9, 6:14 PM · SecTeam-Processed, Security, SRE-Access-Requests, SRE

Wed, Mar 8

sbassett added a comment to T331554: New production ssh key for sbassett.

Normally these are handled by the SRE on clinic duty but since it's late in Europe and to be on the safe side I just revoked the existing key and ran puppet on bast* hosts for right now.

Wed, Mar 8, 11:20 PM · SecTeam-Processed, Security, SRE-Access-Requests, SRE
sbassett closed T329602: deploy_security.py hangs after scap as Resolved.
Wed, Mar 8, 8:44 PM · SecTeam-Processed, Release-Engineering-Team
sbassett created T331554: New production ssh key for sbassett.
Wed, Mar 8, 7:00 PM · SecTeam-Processed, Security, SRE-Access-Requests, SRE
sbassett updated subscribers of T331492: Security issue access for 2023 Stewards.

Hi, I need the Security team to add the newly-elected stewards to the ACL group (acl*security_steward description says Security-Team needs to approve each addition).

Wed, Mar 8, 6:30 PM · Security, Stewards-and-global-tools, Security-Team
sbassett added a comment to T297839: Write and send supplementary release announcement for extensions and skins with security patches (1.35.6/1.36.4/1.37.2).

Just as a note, a lot of these cves for extensions seem to have the product field set to mediawiki, and the version numbers of affected versions set to mediawiki core versions. This is pretty confusing for the extensions not bundled with mediawiki core. I think it's causing confusion in downstream packagers of mediawiki, e.g. https://bugzilla.redhat.com/show_bug.cgi?id=2161180, which doesn't make much sense.

Wed, Mar 8, 6:01 PM · Security-Team, user-sbassett, MediaWiki-Releasing, Security
sbassett changed the status of T331182: Set $wgSFSReportOnly to false for es.wikiversity, a subtask of T273220: Deploy StopForumSpam extension to production, from Open to In Progress.
Wed, Mar 8, 5:45 PM · Privacy Engineering, MW-1.40-notes (1.40.0-wmf.17; 2023-01-02), Security-Team, user-sbassett, User-notice, Wikimedia-Extension-setup, MediaWiki-extensions-StopForumSpam
sbassett changed the status of T331182: Set $wgSFSReportOnly to false for es.wikiversity from Open to In Progress.
Wed, Mar 8, 5:45 PM · user-sbassett, SecTeam-Processed
sbassett added a project to T331182: Set $wgSFSReportOnly to false for es.wikiversity: user-sbassett.
Wed, Mar 8, 5:45 PM · user-sbassett, SecTeam-Processed
sbassett edited projects for T331182: Set $wgSFSReportOnly to false for es.wikiversity, added: SecTeam-Processed; removed Security-Team.
Wed, Mar 8, 5:44 PM · user-sbassett, SecTeam-Processed
sbassett updated subscribers of T328667: Add --pause-after-testserver-sync option to deploy_security.py.

@dancy @kostajh et al - Can we resolve this for now? The issue was addressed but I guess technically the problem wasn't solved, IIUC? So not sure if we want to leave this open or stalled or something.

Wed, Mar 8, 5:41 PM · SecTeam-Processed, Security-Team, Release-Engineering-Team
sbassett added a comment to T330312: Address Gerrit WMCS instance authenticating against LDAP (breaching WMCS policy).

Hey @hashar et al - Any reason not to make this task public at this point? Thanks.

Wed, Mar 8, 5:19 PM · SecTeam-Processed, Release-Engineering-Team (Yak Shaving 🐃🪒), serviceops-collab, Security, Security-Team
sbassett added a comment to T328163: Application Security Review Request : VueTest extension (proposed for beta cluster deployment only).

That's fine with us. We just wanted to make sure we were doing everything by the book and that we're in the clear, security policy-wise.

Wed, Mar 8, 5:02 PM · secscrum, Security, Application Security Reviews
sbassett moved T328163: Application Security Review Request : VueTest extension (proposed for beta cluster deployment only) from Upcoming Quarter Planning Queue to Back Orders on the secscrum board.
Wed, Mar 8, 4:47 PM · secscrum, Security, Application Security Reviews
sbassett added a comment to T149488: CVE-2023-22911: E:Widgets does widget replacement in html attributes potentially leading to XSS .

I noticed that the CVE ( https://www.cvedetails.com/cve/CVE-2023-22911/ ) has the product marked as "mediawiki". Normally I would assume this would imply mediawiki-core or at least an extension distributed with MediaWiki. It also has language like "An issue was discovered in MediaWiki before 1.35.9, 1.36.x through 1.38.x before 1.38.5, and 1.39.x before 1.39.1" which is pretty misleading.

Wed, Mar 8, 4:09 PM · Security, MediaWiki-extensions-Widgets, Vuln-XSS

Mon, Mar 6

sbassett added a project to T273220: Deploy StopForumSpam extension to production: Privacy Engineering.

I wonder if we should not add some sort of privacy warning for onOtherBlockLogLink in rESFS includes/Hooks.php for stopforumspam-is-blocked to indicate that the link leads you to stopforumspam, an external website which has a different Privacy Policy than ours.

Mon, Mar 6, 4:00 PM · Privacy Engineering, MW-1.40-notes (1.40.0-wmf.17; 2023-01-02), Security-Team, user-sbassett, User-notice, Wikimedia-Extension-setup, MediaWiki-extensions-StopForumSpam
sbassett changed the status of T324989: Application Security Review Request : OurWorldInData, a subtask of T303853: Enable OurWorldInDataMirror extension at euwiki, from In Progress to Open.
Mon, Mar 6, 3:50 PM · Wikimedia-Site-requests
sbassett changed the status of T324989: Application Security Review Request : OurWorldInData, a subtask of T324988: Deploy Extension:OurWorldInData to Basque Wikipedia, from In Progress to Open.
Mon, Mar 6, 3:50 PM · Wikimedia-extension-review-queue, Wikimedia-Extension-setup
sbassett changed the status of T324989: Application Security Review Request : OurWorldInData from In Progress to Open.

Thanks, @sguebo_WMF for the privacy review. I'm going to block this review for now on the above issues being acknowledged and either accepted by the correct level of WMF staff per our current risk management framework or mitigated in some other fashion to reduce the assessed risk level.

Mon, Mar 6, 3:50 PM · Privacy Engineering, secscrum, Security, Application Security Reviews
sbassett updated subscribers of T331182: Set $wgSFSReportOnly to false for es.wikiversity.

Regardless of T309900#8462082 (and the currently open, related change set), I'm personally fine putting es.wikiversity in enforce mode, given its relatively lower traffic and the fact that it's fairly trivial to disable ext:SFS if it causes problems or proves mostly ineffective. Thoughts, @Reedy?

Mon, Mar 6, 3:42 PM · user-sbassett, SecTeam-Processed
sbassett triaged T331245: Videocuttool OAuth credentials publicly visible? as Low priority.
Mon, Mar 6, 3:35 PM · SecTeam-Processed, cloud-services-team, Vuln-Infoleak, VideoCutTool, Security
sbassett added a project to T331245: Videocuttool OAuth credentials publicly visible?: SecTeam-Processed.
Mon, Mar 6, 3:34 PM · SecTeam-Processed, cloud-services-team, Vuln-Infoleak, VideoCutTool, Security

Thu, Mar 2

sbassett added a project to T70982: Remove X-Hacker HTTP header served on sites hosted by WordPress VIP (Automattic): SecTeam-Processed.
Thu, Mar 2, 8:01 PM · SecTeam-Processed, Technical Blog, Security-Team, WMF-Legal
sbassett moved T70982: Remove X-Hacker HTTP header served on sites hosted by WordPress VIP (Automattic) from Watching to Our Part Is Done on the Security-Team board.
Thu, Mar 2, 8:00 PM · SecTeam-Processed, Technical Blog, Security-Team, WMF-Legal
sbassett added a comment to T306708: Establish a workflow that scales for requesting Phab 2FA resets.

@sbassett: Thanks. Any updates? This is a bottleneck, e.g. I missed T330073 (and nobody else picked it up either)...

Thu, Mar 2, 6:20 PM · user-sbassett, Security-Team, Release-Engineering-Team (Blocking 🧱), User-AKlapper, Phabricator

Wed, Mar 1

sbassett updated subscribers of T324989: Application Security Review Request : OurWorldInData.

Tagging Privacy Engineering for an opinion/risk rating about the following. I'm not certain there's precedent for this on Wikimedia production or that wmcs would completely satisfy any privacy concerns for proposed, embedded content like this.

Wed, Mar 1, 4:52 PM · Privacy Engineering, secscrum, Security, Application Security Reviews

Feb 27 2023

sbassett added a comment to T182213: [Clonable] replace wfMessage()->rawParams() with wfMessage()->plaintextParams() where applicable.

The vast majority of these seem to have been fixed over the years? A quick code search reveals a few rawParams(...)->text(...) calls. Sourcegraph finds some others with its structural search of our github mirrors. A few of these are likely true positives, maybe, though the rest have either been noted as exceptions via // @phan-suppress-next-line SecurityCheck-XSS comments or are in unit test files.

Feb 27 2023, 6:09 PM · Security, Google-Code-in-2019, Google-Code-in-2018, MediaWiki-General, MediaWiki-extensions-General, Google-Code-in-2017, good first task
sbassett moved T330312: Address Gerrit WMCS instance authenticating against LDAP (breaching WMCS policy) from Incoming to Watching on the Security-Team board.
Feb 27 2023, 5:20 PM · SecTeam-Processed, Release-Engineering-Team (Yak Shaving 🐃🪒), serviceops-collab, Security, Security-Team

Feb 24 2023

sbassett updated subscribers of T228759: Merge the Phabricator Priority values "Low" and "Lowest".

To be honest, I don't know if this and similar issues matter much unless a more formal strategy around Technical-Debt is implemented and code stewardship/maintenance is reassessed. Phabricator in aggregate is pretty noisy and, as others have noted, is without commonly-shared standards around its usage for things like task priority, which I'm not sure is even solvable. I do like @Bawolff's suggestion (in his wikitech-l response) - as an initial step - to separate various teams (wmf, community, both) from actual codebases or projects within Phabricator, in relation to what is being prioritized and worked upon. I believe that would help with various misunderstandings like "the Security-Team works on every task tagged with Security". This would be a significant change though and likely difficult to propagate.

Feb 24 2023, 4:02 PM · Patch-For-Review, PM, Phabricator
sbassett triaged T328163: Application Security Review Request : VueTest extension (proposed for beta cluster deployment only) as Low priority.
Feb 24 2023, 3:33 PM · secscrum, Security, Application Security Reviews