Security/Reviews/Autoland

   

     Full Query    

1 Total; 0 Open (0%); 1 Resolved (100%); 0 Verified (0%);

• Property "SecReview feature goal" (as page type) with input value "* Autoland is a system that scans bugzilla for changes made by authorized people, and reflects those changes into hg. It interacts with the releng try system to "try" patches and with hg to "land" them into various trees.
  • Additional Information:

  https://mana.mozilla.org/wiki/display/IT/Autoland

  • Dev branch location: https://github.com/rail/build-autoland/
  • The initial code (master branch) has been sec reviewed at some point. Since then we decided to simplify the code, switch to Celery as a framework for distributed computing.
  • Additionally we plan to use message signing (see http://docs.celeryproject.org/en/latest/userguide/security.html#message-signing for the details) to increase security.
  • Used services: Bugzilla (read/write), LDAP (read-only), treestatus.mozilla.org (REST API, read-only), hg.mozilla.org (read-write), celery cluster (?), Build API (read-only)
  • UI of current state:
    • must be in a special group to autoland" contains invalid characters or is incomplete and therefore can cause unexpected results during a query or annotation process.
    • Property "SecReview threats considered" (as page type) with input value "* Autoland can change information in 2 systems:
    • Bugzilla
      • Username/password over HTTPS authentication using a separate account with limited access
        • [Jesse] What account is this? Does it have access to security bugs for autolanding patches from security bugs, or can I CC it on a security bug I want autolanded? autolanduser@mozilla.com
      • Uses a special Bugzilla extension to retrieve pending autoland requests
      • Exposed on Bugzilla and available for users in the “autoland” group
      • Source IP addresses can be limited (?)
      • Relies on reviewer/approver SCM level bit in LDAP
    • Mercurial repos" contains invalid characters or is incomplete and therefore can cause unexpected results during a query or annotation process.
    • Property "SecReview threat brainstorming" (as page type) with input value "* restrict autolanding of security-sensitive bugs (these currently require approval to land)
  • Who is in the autoland group? Do some people have access to “Try autoland” but not “Inbound autoland”? (Yes!! Try privs are given out to lots of community members)
    • There are two checks. (1) The person requesting autoland is in the “autoland” group, and (2) the reviewer has write access to the relevant hg branch
    • the initial group is just sheriffs
      • we will want strong checks on adding people to this group
      • in part because “it's easier to hack someone's bugzilla account than steal someone's ssh key"
        • on the other hand, you can use a hacked bugzilla account to request an ssh key “update”...
  • Perhaps we should require that at least two trusted people were involved in {patch authorship, reviewing, requesting autoland} to limit damage from a single compromised Bugzilla account
  • Attacker with editbugs messes with patch metadata (renames them to reorder them, or marks “the one that keeps the patch queue from introducing a security hole” as obsolete or unreviewed)
    • I suggest canceling any pending autoland requests if patch metadata is changed (by someone other than the patch author, reviewer, or autoland requester??)
  • It's kinda disturbing that there's no way to cancel an autoland request
  • We should make sure autoland requests are visible in Bug History
  • Does Bugzilla prevent me from marking a patch as having been reviewed by Boris Zbarsky? (Bugzilla's JS UI doesn't let me, but I'm not sure the Bugzilla backend actually prevents it.)" contains invalid characters or is incomplete and therefore can cause unexpected results during a query or annotation process.