Member of the Security-Team. My user-sbassett board should be fairly up-to-date, though we also track some other work within Asana these days.
User Details
- User Since
- Sep 12 2018, 3:52 PM (287 w, 5 d)
- Roles
- Administrator
- Availability
- Available
- IRC Nick
- sbassett
- LDAP User
- SBassett
- MediaWiki User
- SBassett (WMF)
Yesterday
This effort has become quite dusty, largely due to me not really being able to work on it much. I'm wondering though, if a better approach might be to propose integrating stopforumspam.org data within the new iPoid-Service. I'm not sure exactly how much overlap there is between SFS's and Spur's data sets - that would likely be critical in determining if this could be a useful path forward.
Hey @Catrope - Quick update: unfortunately, I've found a few issues with floating-ui during review. I'm going to make this task private and post them soon.
Hey @Aklapper - the issue here is that @JFishback_WMF has left the Foundation, their Phab account is inactive and they may not be contactable at this point. But it sounds like we really don't have any options in this case, except to maybe disable/delete @priv_eng_sync and start over.
Tue, Mar 12
Thanks, @hashar. Looks like all we're waiting on now is a +2/deploy for https://gerrit.wikimedia.org/r/q/Id099f2602c333bf5843fa66776662d7bbb9fd923 and then this task can be resolved?
Mon, Mar 11
Hey @Ladsgroup, thanks for filing this. As I noted on Slack, I kind of agree with @Bawolff's take above. SBOMs can be useful tools to assist in finding vulnerable dependencies (I've seen that term and supply chain attacks used interchangeably despite them being slightly different concepts). Just finding some tooling to create SBOMs from various lockfiles and potentially bundling them with MediaWiki, extensions, etc. is fairly trivial and doesn't create much value on its own IMO. But as you imply in this task, using them to help find vulnerable dependencies and related issues would be valuable. My issue is that we already do this with LibUp, our Gitlab AppSec Pipeline and our manual security review process. We don't necessarily generate SBOMs all of the time, but that's only because most tools that scan for CVEs within dependencies and similar issues readily support a number of lockfile formats out of the box (e.g. osv-scanner). So I guess a good question might be "what is the end goal of generating SBOMs?" Is it to improve some of the above processes that already accomplish similar goals? Or is it to create new processes or tooling to be run via CI, by developers themselves or via some other form of automation?
Thu, Mar 7
Confirming that @Sfaci currently has Phabricator MFA enabled:
@SGupta-WMF does not currently have Phabricator MFA enabled.
Wed, Mar 6
Works just as well (and seemingly as fast) with PHP-Parser. We just need to update ast.php and bring in the new dependency via composer:

```php
#!/usr/bin/env php
<?php
```
Fri, Mar 1
Yes, this definitely works and is very fast. Though there might be more benefits to using PHP-Parser instead of php-ast, which is maintained by the same person who maintains php-ast. PHP-Parser is definitely slower, but has better support for traversing the generated ast nodes and converting back and forth in a couple of ways: php -> ast -> php and php -> ast -> json, which will likely be handy for our intended use-case.
Wed, Feb 28
See team's issue tracking task: T358257: Wikipedia Library January 2024 Pentest
Tue, Feb 27
Confirming that user @MShilova_WMF currently has Phab MFA enabled:
Mon, Feb 26
It looks like this issue is due to some really unfortunate javascript code. If one views the html source of the XSS payload URL within the above description, you can see:
```javascript
var match = unescape(window.location.hash).match(/^#!(.+)/);
var name = match ? match[1] : 'index.html';
name = name.replace(/^(\w+):\/\//, '').replace(/^\/\//, '');
window.top.location = name;
```
which is attempting to match anything after #! within the query string, perform some minor slash-escaping and then write it directly to the browser's location. Even implementing some basic url scheme sanitization as described here and other places would likely be mostly effective in mitigating this issue.
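The redirect pattern discussed in the comment above, as an added example that is not code from the task or from any Wikimedia project. The vulnerable function mirrors the posted logic; the hardened one shows the kind of scheme and origin check being suggested. `window.location.hash` and `window.top.location` are replaced by a string in and a string (or `null`) out so the code runs under Node, and the base URL `https://example.org/docs/` is an assumption, since the real page's location is not given.

```javascript
// Added example, not the original page's code. Simulates the #! fragment
// redirect: input is the raw location.hash string, output is the value that
// would have been assigned to window.top.location.

// Vulnerable: same logic as the posted snippet. Stripping "scheme://" and a
// leading "//" does nothing for "javascript:alert(1)" (no "//" present), so
// that string reaches the navigation untouched. unescape() also means a
// percent-encoded scheme ("%6aavascript:") is decoded before any check.
function resolveTargetVulnerable(hash) {
  const match = unescape(hash).match(/^#!(.+)/);
  let name = match ? match[1] : 'index.html';
  name = name.replace(/^(\w+):\/\//, '').replace(/^\/\//, '');
  return name; // would be: window.top.location = name
}

// Assumed base for the hardened version (hypothetical; not from the task).
const BASE = 'https://example.org/docs/';

// Hardened: resolve the fragment as a relative reference against a fixed
// base, then allow only https, same origin and a path under the base
// directory. Everything else (javascript:, data:, //host, ..\.. escapes,
// unparsable input) yields null so the caller performs no navigation.
function resolveTargetHardened(hash, base = BASE) {
  const match = unescape(hash).match(/^#!(.+)/);
  const name = match ? match[1] : 'index.html';
  let target;
  try {
    target = new URL(name, base); // WHATWG parsing, backslashes normalized
  } catch {
    return null; // unparsable reference
  }
  const origin = new URL(base);
  if (target.protocol !== 'https:') return null;      // blocks javascript:, data:, etc.
  if (target.origin !== origin.origin) return null;   // blocks //evil.example/...
  if (!target.pathname.startsWith(origin.pathname)) return null; // blocks ../ escapes
  return target.href; // safe to assign to window.top.location
}
```

In a browser the hardened function would be followed by `if (target !== null) window.top.location = target;`; comparing `origin` after parsing, rather than pattern-matching the raw string, is what makes the percent-encoded and backslash variants fall out naturally.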
This will likely be reviewed next quarter (April 1st to June 30th, 2024).
Fri, Feb 23
Anything here that would keep us from making this task public? I'm not seeing anything obvious.
Thu, Feb 22
Confirming that user @jhsoby has Phab MFA enabled:
I think this should now be unblocked due to T353393#9568781.