Security/Reviews/Autoland

From MozillaWiki
Jump to: navigation, search
Please use "Edit with form" above to edit this page.

Item Reviewed

Autoland
Target
   
     Full Query    
ID Summary Priority Status
910029 Security Review: Autoland -- RESOLVED

1 Total; 0 Open (0%); 1 Resolved (100%); 0 Verified (0%);

The given value "
   
     Full Query    
ID Summary Priority Status
910029 Security Review: Autoland -- RESOLVED

1 Total; 0 Open (0%); 1 Resolved (100%); 0 Verified (0%);

" contains strip markers and therefore it cannot be parsed sufficiently.

Introduce the Feature

Goal of Feature, what is trying to be achieved (problem solved, use cases, etc)

  • Autoland is a system that scans bugzilla for changes made by authorized people, and reflects those changes into hg. It interacts with the releng try system to "try" patches and with hg to "land" them into various trees.
  • Additional Information:

https://mana.mozilla.org/wiki/display/IT/Autoland

  • Dev branch location: https://github.com/rail/build-autoland/
  • The initial code (master branch) has been sec reviewed at some point. Since then we decided to simplify the code, switch to Celery as a framework for distributed computing.
  • Additionally we plan to use message signing (see http://docs.celeryproject.org/en/latest/userguide/security.html#message-signing for the details) to increase security.
  • Used services: Bugzilla (read/write), LDAP (read-only), treestatus.mozilla.org (REST API, read-only), hg.mozilla.org (read-write), celery cluster (?), Build API (read-only)
  • UI of current state: 622fd01d.png
    • must be in a special group to autoland

What solutions/approaches were considered other than the proposed solution?

  • None. Since the service is very specific to Mozilla infrastructure

Why was this solution chosen?

`

Any security threats already considered in the design and why?

  • Autoland can change information in 2 systems:
    • Bugzilla
      • Username/password over HTTPS authentication using a separate account with limited access
        • [Jesse] What account is this? Does it have access to security bugs for autolanding patches from security bugs, or can I CC it on a security bug I want autolanded? autolanduser@mozilla.com
      • Uses a special Bugzilla extension to retrieve pending autoland requests
      • Exposed on Bugzilla and available for users in the “autoland” group
      • Source IP addresses can be limited (?)
      • Relies on reviewer/approver SCM level bit in LDAP
    • Mercurial repos

Threat Brainstorming

  • restrict autolanding of security-sensitive bugs (these currently require approval to land)
  • Who is in the autoland group? Do some people have access to “Try autoland” but not “Inbound autoland”? (Yes!! Try privs are given out to lots of community members)
    • There are two checks. (1) The person requesting autoland is in the “autoland” group, and (2) the reviewer has write access to the relevant hg branch
    • the initial group is just sheriffs
      • we will want strong checks on adding people to this group
      • in part because “it's easier to hack someone's bugzilla account than steal someone's ssh key"
        • on the other hand, you can use a hacked bugzilla account to request an ssh key “update”...
  • Perhaps we should require that at least two trusted people were involved in {patch authorship, reviewing, requesting autoland} to limit damage from a single compromised Bugzilla account
  • Attacker with editbugs messes with patch metadata (renames them to reorder them, or marks “the one that keeps the patch queue from introducing a security hole” as obsolete or unreviewed)
    • I suggest canceling any pending autoland requests if patch metadata is changed (by someone other than the patch author, reviewer, or autoland requester??)
  • It's kinda disturbing that there's no way to cancel an autoland request
  • We should make sure autoland requests are visible in Bug History
  • Does Bugzilla prevent me from marking a patch as having been reviewed by Boris Zbarsky? (Bugzilla's JS UI doesn't let me, but I'm not sure the Bugzilla backend actually prevents it.)
  • Property "SecReview feature goal" (as page type) with input value "* Autoland is a system that scans bugzilla for changes made by authorized people, and reflects those changes into hg. It interacts with the releng try system to "try" patches and with hg to "land" them into various trees.
    • Additional Information:

    https://mana.mozilla.org/wiki/display/IT/Autoland

    • Dev branch location: https://github.com/rail/build-autoland/
    • The initial code (master branch) has been sec reviewed at some point. Since then we decided to simplify the code, switch to Celery as a framework for distributed computing.
    • Additionally we plan to use message signing (see http://docs.celeryproject.org/en/latest/userguide/security.html#message-signing for the details) to increase security.
    • Used services: Bugzilla (read/write), LDAP (read-only), treestatus.mozilla.org (REST API, read-only), hg.mozilla.org (read-write), celery cluster (?), Build API (read-only)
    • UI of current state: 622fd01d.png
      • must be in a special group to autoland" contains invalid characters or is incomplete and therefore can cause unexpected results during a query or annotation process.
      • Property "SecReview threats considered" (as page type) with input value "* Autoland can change information in 2 systems:
      • Bugzilla
        • Username/password over HTTPS authentication using a separate account with limited access
          • [Jesse] What account is this? Does it have access to security bugs for autolanding patches from security bugs, or can I CC it on a security bug I want autolanded? autolanduser@mozilla.com
        • Uses a special Bugzilla extension to retrieve pending autoland requests
        • Exposed on Bugzilla and available for users in the “autoland” group
        • Source IP addresses can be limited (?)
        • Relies on reviewer/approver SCM level bit in LDAP
      • Mercurial repos" contains invalid characters or is incomplete and therefore can cause unexpected results during a query or annotation process.
      • Property "SecReview threat brainstorming" (as page type) with input value "* restrict autolanding of security-sensitive bugs (these currently require approval to land)
    • Who is in the autoland group? Do some people have access to “Try autoland” but not “Inbound autoland”? (Yes!! Try privs are given out to lots of community members)
      • There are two checks. (1) The person requesting autoland is in the “autoland” group, and (2) the reviewer has write access to the relevant hg branch
      • the initial group is just sheriffs
        • we will want strong checks on adding people to this group
        • in part because “it's easier to hack someone's bugzilla account than steal someone's ssh key"
          • on the other hand, you can use a hacked bugzilla account to request an ssh key “update”...
    • Perhaps we should require that at least two trusted people were involved in {patch authorship, reviewing, requesting autoland} to limit damage from a single compromised Bugzilla account
    • Attacker with editbugs messes with patch metadata (renames them to reorder them, or marks “the one that keeps the patch queue from introducing a security hole” as obsolete or unreviewed)
      • I suggest canceling any pending autoland requests if patch metadata is changed (by someone other than the patch author, reviewer, or autoland requester??)
    • It's kinda disturbing that there's no way to cancel an autoland request
    • We should make sure autoland requests are visible in Bug History
    • Does Bugzilla prevent me from marking a patch as having been reviewed by Boris Zbarsky? (Bugzilla's JS UI doesn't let me, but I'm not sure the Bugzilla backend actually prevents it.)" contains invalid characters or is incomplete and therefore can cause unexpected results during a query or annotation process.

Action Items

Action Item Status In Progress
Release Target `
Action Items
* autolander and patch review must not be the same person
  • individuals in the autoland group must be educated to respect sec-approval needs (security team to educate sheriffs and release management folks).
  • bug commit message and bug number must match (people fat finger this, or attackers could try to confuse us as to where a patch came from)