Security/Reviews/ReleaseKickOffSys


Item Reviewed

Release Kickoff System
Target
ID Summary Priority Status
763929 tracking bug for initial implementation + deployment of release kickoff and release runner P3 RESOLVED
810472 security review of release kickoff system -- RESOLVED

2 Total; 0 Open (0%); 2 Resolved (100%); 0 Verified (0%);

http://rail:isawesome@dev-master01.build.scl1.mozilla.com:5000

http://git.mozilla.org/?p=build/release-kickoff.git;a=summary

Introduce the Feature

Goal of Feature, what is trying to be achieved (problem solved, use cases, etc)

  • Release kickoff is currently done manually; this project automates those tasks as part of release automation
    • builds Firefox, Fennec, Thunderbird
  • web application behind a VPN
  • submits the information needed to start a new release
  • gathers the release info, bumps the relevant values, performs the build steps and checks, and starts the release
  • should only be accessible by RelEng (for now)

What solutions/approaches were considered other than the proposed solution?

  • continue with the manual process

Why was this solution chosen?


Any security threats already considered in the design and why?

  • regular web security issues (CSRF considered)
  • authentication: moving to LDAP-based authentication using Apache (new LDAP group?)
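The review records that CSRF was considered for the "start a new release" form. The following is an added illustration (not code from the release-kickoff project, whose implementation this page does not show) of one common mitigation: a per-session synchronizer token that the server issues with the form and verifies on the POST. The token binds an issued-at timestamp and a random nonce to the session identifier with an HMAC, so a token captured from one session cannot be replayed in another and stale tokens expire. The session id is assumed to come from the authenticated session (for example, the user Apache identified via LDAP); `SECRET_KEY`, `TOKEN_MAX_AGE`, the request dictionary shape and `handle_start_release` are all constructed for this example.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Constructed: a per-process key for the example. A deployed app would load
# this from configuration, never from source control.
SECRET_KEY = secrets.token_bytes(32)
TOKEN_MAX_AGE = 3600  # seconds a form token stays valid


def _mac(session_id: str, issued_at: int, nonce: str) -> str:
    """HMAC over session id, issue time and nonce; binds the token to one session."""
    msg = f"{session_id}:{issued_at}:{nonce}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()


def issue_csrf_token(session_id: str, now: Optional[float] = None) -> str:
    """Return a token of the form issued_at.nonce.mac to embed in the release form."""
    issued_at = int(now if now is not None else time.time())
    nonce = secrets.token_hex(16)
    return f"{issued_at}.{nonce}.{_mac(session_id, issued_at, nonce)}"


def verify_csrf_token(session_id: str, token: Optional[str],
                      now: Optional[float] = None) -> bool:
    """Accept only a well-formed, unexpired token whose MAC matches this session."""
    if not token:
        return False
    parts = token.split(".")
    if len(parts) != 3 or not parts[0].isdigit():
        return False
    issued_at, nonce, mac = int(parts[0]), parts[1], parts[2]
    current = now if now is not None else time.time()
    # Reject expired tokens and tokens claiming to be issued in the future.
    if current - issued_at > TOKEN_MAX_AGE or issued_at > current + 60:
        return False
    # Constant-time comparison so a mismatch does not leak which byte differed.
    return hmac.compare_digest(mac, _mac(session_id, issued_at, nonce))


def handle_start_release(request: dict, session_id: str,
                         now: Optional[float] = None) -> tuple:
    """Hypothetical handler for the 'start a new release' form submission.

    `request` is a constructed dict with "method" and "form" keys standing in
    for a real framework request object.
    """
    if request.get("method") != "POST":
        return 405, "method not allowed"
    form = request.get("form", {})
    if not verify_csrf_token(session_id, form.get("csrf_token"), now):
        return 403, "CSRF token missing, expired or not bound to this session"
    return 200, f"release {form.get('version', '?')} queued"


if __name__ == "__main__":
    sid = "session-for-releng-user"  # constructed session id
    token = issue_csrf_token(sid)
    print(handle_start_release({"method": "POST",
                                "form": {"csrf_token": token, "version": "x.y"}}, sid))
    print(handle_start_release({"method": "POST", "form": {"version": "x.y"}}, sid))
```

The check is only as strong as the session binding: the `session_id` must be taken from the server-side authenticated session, not from a form field the client controls, and the GET that renders the form must have no side effects so that a forged GET cannot start a release by itself.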

Threat Brainstorming

  • remote code execution
  • cover off on web security

Action Items

Action Item Status: In Progress
Release Target:

ID Summary Priority Status
812230 SecReview Item: Review WebAppSec Secure coding checklist -- RESOLVED
812232 SecReview Item: Log Retention review -- RESOLVED
812234 SecReview Item: Test release kickoff system -- RESOLVED

3 Total; 0 Open (0%); 3 Resolved (100%); 0 Verified (0%);
