
SecurityPolicy
Active · Public

Members

  • This project does not have any members.

Details

Description

This project is used for tracking security-related tasks (from TLS settings to system hardening, a broad scope). Tasks do not have to be private to qualify for this project's workboard. Please do not use this project as an access control list for security-sensitive tasks; we have acl*security for that.

Members of this project are likely to be Miraheze's security contacts. A security contact can help you with information security related questions. Currently, @Southparkfan is the security contact.

Recent Activity

Yesterday

Reception123 added a comment to T7214: Write docs for GHSA.

@RhinosF1 This is high priority so could you please do this ASAP?

Mon, May 10, 06:12 · Security, MediaWiki (SRE)

Thu, May 6

RhinosF1 created T7257: Expand managewiki blacklist for *.
Thu, May 6, 15:08 · Configuration, MediaWiki (SRE)

Sun, May 2

Void added a comment to T7214: Write docs for GHSA.

For clarity, my comment was more along the lines of incorporate the GitHub documentation into our processes instead of rewriting what was already there. I may have also been asking for clarification if my link was what GHSA was referring to, as it is not immediately clear what that abbreviation stands for. Either way, having a clear security policy for working on security patches is definitely a good idea.

Sun, May 2, 23:08 · Security, MediaWiki (SRE)

Thu, Apr 29

Reception123 reassigned T7216: Private configs are also exposed by DataDump from Reception123 to Paladox.
Thu, Apr 29, 20:29 · MediaWiki (SRE), Security
Reception123 changed the visibility for T7216: Private configs are also exposed by DataDump.
Thu, Apr 29, 20:29 · MediaWiki (SRE), Security
Reception123 closed T7216: Private configs are also exposed by DataDump as Resolved.
Thu, Apr 29, 20:28 · MediaWiki (SRE), Security
Reception123 changed the edit policy for T7216: Private configs are also exposed by DataDump.
Thu, Apr 29, 20:28 · MediaWiki (SRE), Security
John closed T7067: Subscribe SRE to OpenCVE for notifications as Resolved.

I have created an account on OpenCVE and populated it with products/services we are using. Password can be found on Private Git.

Thu, Apr 29, 17:18 · Security, Site Reliability Engineering
Dmehus added a comment to T7214: Write docs for GHSA.
In T7214#143264, @John wrote:
In T7214#143206, @Void wrote:

Our main focus is on allowing others to view and manage private patches.

I could be wrong, but I think what @Void is suggesting with this comment is that the GitHub docs for creating security advisories in GitHub exist and are, presumably, fairly adequate, so there's not a real need to create our own tech docs?

You’d think that, but when dealing with an incident, it was clear there was insufficient documentation, as this was pushed twice publicly for review before anyone figured out how to do this correctly.

Thu, Apr 29, 15:27 · Security, MediaWiki (SRE)
RhinosF1 added a comment to T7214: Write docs for GHSA.

What John said. From the 3 times I've done it before, it seemed straightforward, but no one managed it yesterday.

Thu, Apr 29, 14:51 · Security, MediaWiki (SRE)
John added a comment to T7214: Write docs for GHSA.
In T7214#143206, @Void wrote:

Our main focus is on allowing others to view and manage private patches.

I could be wrong, but I think what @Void is suggesting with this comment is that the GitHub docs for creating security advisories in GitHub exist and are, presumably, fairly adequate, so there's not a real need to create our own tech docs?

Thu, Apr 29, 13:44 · Security, MediaWiki (SRE)
Dmehus added a comment to T7214: Write docs for GHSA.
In T7214#143206, @Void wrote:

Our main focus is on allowing others to view and manage private patches.

Thu, Apr 29, 13:33 · Security, MediaWiki (SRE)
Dmehus added a comment to T7213: ManageWiki API allows viewing configs that shouldn't be viewed publicly.
In T7213#143208, @revi wrote:

Also (somewhat related): The PSA for the Discord/Slack hook security issue is probably of no interest for the vast majority of the users: only Bureaucrats can act on the stuff, and the readers from external links don't even care if there's Discord or Slack stuff. It is probably a wise idea to implement some hacks (i.e. the Wikimedia Stewards Election Call for Candidates CN banner, which is only displayed if you have sysop on the wiki) so those who are simply not affected can skip it even further. (Or think of a better way to alert crats without relying on sitenotice/CN.)

Thu, Apr 29, 13:30 · MediaWiki (SRE), ManageWiki, Security
John removed a project from T7216: Private configs are also exposed by DataDump: DataDump.
Thu, Apr 29, 13:19 · MediaWiki (SRE), Security
Reception123 added projects to T7216: Private configs are also exposed by DataDump: DataDump, MediaWiki (SRE).
Thu, Apr 29, 13:15 · MediaWiki (SRE), Security
John added a comment to T7213: ManageWiki API allows viewing configs that shouldn't be viewed publicly.
In T7213#143182, @Void wrote:

It seems that the visibility check is awkwardly implemented if each interface that exposes a setting needs to independently check the visibility.

Thu, Apr 29, 10:38 · MediaWiki (SRE), ManageWiki, Security
Reception123 updated subscribers of T7216: Private configs are also exposed by DataDump.
Thu, Apr 29, 10:21 · MediaWiki (SRE), Security
RhinosF1 added a comment to T7216: Private configs are also exposed by DataDump.

No

Thu, Apr 29, 09:01 · MediaWiki (SRE), Security
Reception123 added a comment to T7216: Private configs are also exposed by DataDump.

Any objections to adding Universal Omega to this task, as he did resolve the other one, so he might be able to find a fix relatively quickly for this as well?

Thu, Apr 29, 08:36 · MediaWiki (SRE), Security
RhinosF1 added a comment to T7214: Write docs for GHSA.
In T7214#143206, @Void wrote:

Our main focus is on allowing others to view and manage private patches.

Thu, Apr 29, 06:15 · Security, MediaWiki (SRE)
Universal_Omega added a comment to T7213: ManageWiki API allows viewing configs that shouldn't be viewed publicly.
In T7213#143208, @revi wrote:

Also (somewhat related): The PSA for the Discord/Slack hook security issue is probably of no interest for the vast majority of the users: only Bureaucrats can act on the stuff, and the readers from external links don't even care if there's Discord or Slack stuff. It is probably a wise idea to implement some hacks (i.e. the Wikimedia Stewards Election Call for Candidates CN banner, which is only displayed if you have sysop on the wiki) so those who are simply not affected can skip it even further. (Or think of a better way to alert crats without relying on sitenotice/CN.)

Thu, Apr 29, 02:52 · MediaWiki (SRE), ManageWiki, Security
revi added a comment to T7213: ManageWiki API allows viewing configs that shouldn't be viewed publicly.

Also (somewhat related): The PSA for the Discord/Slack hook security issue is probably of no interest for the vast majority of the users: only Bureaucrats can act on the stuff, and the readers from external links don't even care if there's Discord or Slack stuff. It is probably a wise idea to implement some hacks (i.e. the Wikimedia Stewards Election Call for Candidates CN banner, which is only displayed if you have sysop on the wiki) so those who are simply not affected can skip it even further. (Or think of a better way to alert crats without relying on sitenotice/CN.)

Thu, Apr 29, 02:46 · MediaWiki (SRE), ManageWiki, Security
Void added a comment to T7214: Write docs for GHSA.

https://docs.github.com/en/code-security/security-advisories/about-github-security-advisories ??

Thu, Apr 29, 02:33 · Security, MediaWiki (SRE)
Dmehus added a comment to T7214: Write docs for GHSA.

This could probably be lowered to normal priority, no?

Thu, Apr 29, 01:18 · Security, MediaWiki (SRE)

Wed, Apr 28

Void created T7216: Private configs are also exposed by DataDump.
Wed, Apr 28, 23:48 · MediaWiki (SRE), Security
Void added a comment to T7213: ManageWiki API allows viewing configs that shouldn't be viewed publicly.

It seems that the visibility check is awkwardly implemented if each interface that exposes a setting needs to independently check the visibility.

Wed, Apr 28, 23:38 · MediaWiki (SRE), ManageWiki, Security
RhinosF1 triaged T7214: Write docs for GHSA as High priority.
Wed, Apr 28, 20:47 · Security, MediaWiki (SRE)
RhinosF1 added a comment to T7213: ManageWiki API allows viewing configs that shouldn't be viewed publicly.

https://github.com/miraheze/ManageWiki/security/advisories/GHSA-jmc9-rv2f-g8vv

Wed, Apr 28, 20:46 · MediaWiki (SRE), ManageWiki, Security
RhinosF1 closed T7213: ManageWiki API allows viewing configs that shouldn't be viewed publicly as Resolved.
Wed, Apr 28, 20:45 · MediaWiki (SRE), ManageWiki, Security
Universal_Omega added a comment to T7213: ManageWiki API allows viewing configs that shouldn't be viewed publicly.

https://github.com/miraheze/ManageWiki/pull/272

Wed, Apr 28, 18:56 · MediaWiki (SRE), ManageWiki, Security
Universal_Omega added a comment to T7213: ManageWiki API allows viewing configs that shouldn't be viewed publicly.

Well I guess you make a point, I'll redo commits to use ManageWikiSettings config.

Wed, Apr 28, 18:41 · MediaWiki (SRE), ManageWiki, Security
RhinosF1 added a comment to T7213: ManageWiki API allows viewing configs that shouldn't be viewed publicly.

You can create private patches too on GitHub, so that's a doc to write after.

Wed, Apr 28, 18:39 · MediaWiki (SRE), ManageWiki, Security
RhinosF1 added a comment to T7213: ManageWiki API allows viewing configs that shouldn't be viewed publicly.

I'm 1000% with John, we need a single source of truth whatever that might be.

Wed, Apr 28, 18:38 · MediaWiki (SRE), ManageWiki, Security
RhinosF1 added a comment to T7213: ManageWiki API allows viewing configs that shouldn't be viewed publicly.

Well, what about other scenarios also? There can be multiple reasons configs shouldn't be shown in the API rather than that one key; this allows multiple reasons without adding hard-coded checks for them all.

Can you think of any?

Wed, Apr 28, 18:38 · MediaWiki (SRE), ManageWiki, Security
Universal_Omega added a comment to T7213: ManageWiki API allows viewing configs that shouldn't be viewed publicly.
In T7213#143142, @John wrote:

If this can’t be done as a single source of truth, my personal opinion would be to get rid of public/private settings until they can be done safely and securely.

Wed, Apr 28, 18:37 · MediaWiki (SRE), ManageWiki, Security
Universal_Omega added a comment to T7213: ManageWiki API allows viewing configs that shouldn't be viewed publicly.

But SpecialManageWiki can access it so why can't API do the same and just not emit it. That's a mistake waiting to happen.

Technically it probably could, but it'd have to read the entire ManageWikiSettings config and check for the right keys; this seemed better.

I disagree. It's an extra step to think about and introduces a risk.

Wed, Apr 28, 18:35 · MediaWiki (SRE), ManageWiki, Security
John added a comment to T7213: ManageWiki API allows viewing configs that shouldn't be viewed publicly.

If this can’t be done as a single source of truth, my personal opinion would be to get rid of public/private settings until they can be done safely and securely.

Wed, Apr 28, 18:35 · MediaWiki (SRE), ManageWiki, Security
RhinosF1 added a comment to T7213: ManageWiki API allows viewing configs that shouldn't be viewed publicly.

But SpecialManageWiki can access it so why can't API do the same and just not emit it. That's a mistake waiting to happen.

Technically it probably could, but it'd have to read the entire ManageWikiSettings config and check for the right keys; this seemed better.

I disagree. It's an extra step to think about and introduces a risk.

Wed, Apr 28, 18:34 · MediaWiki (SRE), ManageWiki, Security
Universal_Omega added a comment to T7213: ManageWiki API allows viewing configs that shouldn't be viewed publicly.

But SpecialManageWiki can access it so why can't API do the same and just not emit it. That's a mistake waiting to happen.

Wed, Apr 28, 18:33 · MediaWiki (SRE), ManageWiki, Security
RhinosF1 added a comment to T7213: ManageWiki API allows viewing configs that shouldn't be viewed publicly.

But SpecialManageWiki can access it so why can't API do the same

Wed, Apr 28, 18:31 · MediaWiki (SRE), ManageWiki, Security
Universal_Omega added a comment to T7213: ManageWiki API allows viewing configs that shouldn't be viewed publicly.

@Universal_Omega: Should that not match the private config flag? It seems like duplication to me.

Wed, Apr 28, 18:31 · MediaWiki (SRE), ManageWiki, Security
RhinosF1 added a comment to T7213: ManageWiki API allows viewing configs that shouldn't be viewed publicly.

@Universal_Omega: Should that not match the private config flag? It seems like duplication to me.

Wed, Apr 28, 18:28 · MediaWiki (SRE), ManageWiki, Security
RhinosF1 added a comment to T7213: ManageWiki API allows viewing configs that shouldn't be viewed publicly.

You should be able to do a private patch via https://github.com/miraheze/ManageWiki/security/advisories/GHSA-jmc9-rv2f-g8vv

Wed, Apr 28, 17:33 · MediaWiki (SRE), ManageWiki, Security
RhinosF1 added a comment to T7213: ManageWiki API allows viewing configs that shouldn't be viewed publicly.

Oh I see what you mean now

Wed, Apr 28, 17:15 · MediaWiki (SRE), ManageWiki, Security
RhinosF1 added a comment to T7213: ManageWiki API allows viewing configs that shouldn't be viewed publicly.

Ack they're near forks of each other.

Wed, Apr 28, 17:10 · MediaWiki (SRE), ManageWiki, Security
Universal_Omega added a comment to T7213: ManageWiki API allows viewing configs that shouldn't be viewed publicly.

Is it just discord webhooks?

Wed, Apr 28, 17:08 · MediaWiki (SRE), ManageWiki, Security
RhinosF1 added a comment to T7213: ManageWiki API allows viewing configs that shouldn't be viewed publicly.

Is it just discord webhooks?

Wed, Apr 28, 17:08 · MediaWiki (SRE), ManageWiki, Security
Reception123 added a project to T7213: ManageWiki API allows viewing configs that shouldn't be viewed publicly: ManageWiki.
Wed, Apr 28, 17:04 · MediaWiki (SRE), ManageWiki, Security
Universal_Omega created T7213: ManageWiki API allows viewing configs that shouldn't be viewed publicly.
Wed, Apr 28, 16:58 · MediaWiki (SRE), ManageWiki, Security

Sat, Apr 17

DarkMatterMan4500 created T7151: Error on Crappy Games Wiki with Special:ReplaceText.
Sat, Apr 17, 10:28 · MediaWiki, MediaWiki (SRE)