Wed, Jun 29
fake-gitlab-bot: - Initial commit for repo, mostly app structure - https://gitlab.wikimedia.org/repos/security/semgrep-merge-tool/-/merge_requests/1
Tue, Jun 28
Mon, Jun 27
Security Review Summary - T302472 - 2022-06-27
Last commit reviewed: 7cf228480a
Fri, Jun 24
Hey @Lucas_Werkmeister_WMDE - The security team is attempting to get the next supplemental security release (T305209) out within the next week or two, and we were hoping to include this bug. I know there was some discussion above about polishing the two existing security patches a bit more. Would you still prefer to do that or should we try to push what exists now up to gerrit, get them merged so we can remove the patches from production and have something available for the supplemental release? I'd prefer that approach but I'm also fine with waiting and keeping this bug locked down for a while longer, perhaps until next quarter's supplemental security release, but likely not after that.
@kostajh - Sounds good, thanks for the update. A few extra days beyond the deadline is fine. We just don't want that turning into weeks or months, so if the work appears to be heading in that direction due to unknowns, etc, please let us know so that we can recalibrate on the grant. Also - the AppSec team is still planning to complete T304885 by the end of this current quarter, or thereabouts.
Wed, Jun 22
Ok, I've made this task public since there isn't really a security issue here. We can leave it open for a while to see if anybody would like to implement the version selection functionality.
Tue, Jun 21
This picked cleanly to all supported releases. If those test fine, I'll plan to merge them and this task can be resolved.
Thu, Jun 16
I ended up merging the changes to security-api's docker-compose.yml as a convenience. This way a default, named network is established for easier integration with mediawiki-docker or other containerized environments in the future.
Testing the link within the description (unauth'd) I'm not even able to generate a timeout error. I'm seeing some higher run times, in the 30 to 40 second range, but at worst, this seems like it may occasionally trigger some low-risk resource exhaustion. I concur that this should be declined for now, unless it can be demonstrated that the action api url in question consistently causes significant resource exhaustion to the point of being a much more significant and viable DoS vector.
So we have a new, interim director of security at this time: @Jcross. I plan to bring this issue to them soon for reconsideration. And hopefully have an answer before T305731 is fully-resolved.
Hey Release-Engineering-Team - guessing the releng path might need to be explicitly allow-listed as well? So: docker-registry.wikimedia.org/releng/*? And maybe docker-registry.wikimedia.org/dev/* as well? Assuming those are images we wish to allow within GitLab CI.