Security/Reviews/ActionItems

From MozillaWiki
SecReview Name | Status | Target Rel | Action Items

B2G Device Storage | In Progress | Target Rel: none
  (Who :: What :: By when)
  • pault :: check with cjones around sizes, DoS risks, paths and partitions
  • dougt :: investigate the file blob -> File handle patch
  • dougt & Djf :: further investigate permission granularity/implementation
  • adamm :: file a bug: isSafePath checks for "." and ".." path components, but "..." would get by
  • dougt :: fix bug xxx filed by adamm above
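The isSafePath item above is about how a caller-supplied path is vetted before it is joined to the storage root. The following is an added example written for this page, not Gecko's isSafePath and not a proposed patch for it; it assumes the API receives "/"-separated relative paths. It compares whole path components rather than substrings, so a "." or ".." component is rejected while "..." (an ordinary POSIX file name) and names such as "notes..txt" are admitted, and it refuses NUL bytes, backslashes and absolute paths outright.

```javascript
// Added example, not Gecko's isSafePath: a component-wise check for a
// caller-supplied relative path that must stay under a storage root.
// Assumption: paths are "/"-separated relative names, as a Device Storage
// style API would receive them.
const FORBIDDEN_COMPONENTS = new Set(["", ".", ".."]);

function isSafePath(path) {
  if (typeof path !== "string" || path.length === 0) {
    return false;
  }
  // A NUL byte truncates the string once it reaches native code, and a
  // backslash is a separator on some filesystems: refuse both outright.
  if (path.includes("\0") || path.includes("\\")) {
    return false;
  }
  // Compare whole components rather than substrings. The empty component
  // covers a leading "/" (absolute path), a doubled "//" and a trailing "/".
  return path.split("/").every((component) => !FORBIDDEN_COMPONENTS.has(component));
}

// Constructed inputs (not taken from the bug) showing what the check does.
const SAMPLE_PATHS = [
  "pictures/2013/img001.jpg", // ordinary relative path: accepted
  "...",                      // three dots is an ordinary POSIX file name: accepted
  "notes..txt",               // ".." inside a name is not a traversal: accepted
  "../../etc/passwd",         // parent traversal: rejected
  "a/./b",                    // "." component: rejected
  "/etc/passwd",              // absolute path: rejected
  "a\\..\\b",                 // backslash separators: rejected
  "a\0.jpg",                  // embedded NUL: rejected
];

function classifyPaths(paths) {
  return paths.map((path) => ({ path, safe: isSafePath(path) }));
}

for (const { path, safe } of classifyPaths(SAMPLE_PATHS)) {
  console.log(`${safe ? "ACCEPT" : "REJECT"} ${JSON.stringify(path)}`);
}
```

The point of splitting on the separator first is that the decision is made per component, so the check cannot be argued around by padding a component ("...", "notes..txt") or by hiding a traversal inside a longer string; whether the backend additionally needs to reject names like "..." is exactly what the bug filed above is meant to settle.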
Identity KPI Backend | In Progress | Target Rel: none
  • code review of JS (when ready)
  • code review of WebService API (when ready)

Kuma 2.0 | In Progress | Target Rel: none
  (Who :: What :: By when. Keep in mind all these things will be bugs that block the review bug, which blocks the feature bug.)
  • adamm :: review the list of bleached whitelist items :: before launch
  • adamm :: diagram the overall architecture (build a high-level architecture) :: asap
    • identify existing areas of known tech debt :: asap
    • adamm :: review the architecture, identify areas of architectural risk :: asap
  • adamm :: identify the defensive approaches the project defines for handling the expected bug classes (injection, output encoding, CSRF, etc.) :: asap
    • code-review the areas identified as high-risk
  • adamm :: identify areas of technical risk that warrant code review
  • adamm :: black-box test of the staging environment
Android Service Based Installer | In Progress | Target Rel: none
  (no action items recorded)

Audio Recording - Web API & Implementation | In Progress | Target Rel: none
  • pauljt :: determine the threat model for WebRTC
  • cdiehl :: fuzz this API
  • pauljt :: taint audio/video elements carrying cross-origin audio data so that this API fails for them (i.e. a web page must not be able to read the contents of cross-origin resources)
Autoland | In Progress | Target Rel: none
  • the autolander and the patch reviewer must not be the same person
  • individuals in the autoland group must be educated to respect sec-approval needs (security team to educate sheriffs and release management folks)
  • the bug number in the commit message and the bug the landing request came from must match (people fat-finger this, and an attacker could try to confuse us as to where a patch came from)
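Two of the Autoland items above (reviewer and autolander must differ; commit message bug number must match the request) are mechanical enough to be checked before a push. The following is an added example written for this page, not Autoland's own code. It assumes a landing request carrying the Bugzilla bug number and the autolander's nick, and commit summaries in the "Bug NNNNNN - ... r=reviewer" form; the bug numbers and nicks in the sample requests are constructed.

```javascript
// Added example, not Autoland's code: pre-push checks for a landing request.
// Assumptions: request = { bugNumber, autolander, commitMessage }, and the
// commit summary line follows the "Bug NNNNNN - description. r=nick" form.
const BUG_IN_SUMMARY = /\bbug\s+(\d+)\b/i;
const REVIEW_FLAG = /\br=([\w,]+)/g;

function summaryLine(message) {
  // Only the first line is authoritative; the body may cite other bugs.
  return message.split("\n", 1)[0];
}

function bugNumberFromCommit(message) {
  const m = BUG_IN_SUMMARY.exec(summaryLine(message));
  return m ? Number(m[1]) : null;
}

function reviewersFromCommit(message) {
  const names = [];
  for (const m of summaryLine(message).matchAll(REVIEW_FLAG)) {
    names.push(...m[1].split(",").filter(Boolean));
  }
  return names;
}

function checkLandingRequest(request) {
  const problems = [];
  const bug = bugNumberFromCommit(request.commitMessage);
  if (bug === null) {
    problems.push("commit summary does not name a bug");
  } else if (bug !== request.bugNumber) {
    // Catches both a transposed digit and a patch smuggled in under another bug.
    problems.push(`commit names bug ${bug} but the request is for bug ${request.bugNumber}`);
  }
  const reviewers = reviewersFromCommit(request.commitMessage);
  if (reviewers.length === 0) {
    problems.push("commit summary carries no r= flag");
  } else if (reviewers.includes(request.autolander)) {
    problems.push(`${request.autolander} reviewed the patch and is also landing it`);
  }
  return { ok: problems.length === 0, problems };
}

// Constructed requests; bug numbers and nicks are illustrative only.
const SAMPLE_REQUESTS = [
  { bugNumber: 123456, autolander: "sheriff1",
    commitMessage: "Bug 123456 - Show the app source in the install prompt. r=fabrice\n\nLonger description." },
  { bugNumber: 123456, autolander: "sheriff1",
    commitMessage: "Bug 132456 - Show the app source in the install prompt. r=fabrice" }, // transposed digits
  { bugNumber: 123456, autolander: "fabrice",
    commitMessage: "Bug 123456 - Show the app source in the install prompt. r=fabrice" }, // reviewer lands own review
  { bugNumber: 123456, autolander: "sheriff1",
    commitMessage: "Show the app source in the install prompt." }, // no bug, no reviewer
];

for (const request of SAMPLE_REQUESTS) {
  const result = checkLandingRequest(request);
  console.log(result.ok ? "LAND" : `HOLD: ${result.problems.join("; ")}`);
}
```

The check reads only the summary line on purpose: a body that says "see also bug 999999" must not be able to satisfy or defeat the match. Educating the autoland group about sec-approval (the middle item) has no mechanical equivalent and stays a process item.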
Automated/Assisted landing from Bugzilla to tip of $branch | In Progress | Target Rel: none
  (no action items recorded)

B2G AppUpdates | In Progress | Target Rel: none
  (Who :: What :: By when. Keep in mind all these things will be bugs that block the review bug, which blocks the feature bug.)
  • confirm the update UI for pure hosted apps (i.e. no appcache)
    --> [jsmith] Just tested, no UI shown, update is automatically applied
  • storage permission could be granted by a MITM to a hosted app not using SSL. This grants unlimited storage, so the MITM could then try to fill up the disk.
  • add UI showing the source of the app (install prompt and app info section, under permissions)
    --> install prompt bug might be https://bugzilla.mozilla.org/show_bug.cgi?id=827562

B2G Browser | In Progress | Target Rel: none
  (Who :: What :: By when. Keep in mind all these things will be bugs that block the review bug, which blocks the feature bug.)
  • pauljt :: list the required UI for the URL bar (SSL indicators etc.?) :: by Aurora
  • pauljt :: security testing of the Browser API :: before beta completion
B2G Updates | In Progress | Target Rel: none
  • bbondy :: check that the update is not significantly larger than expected, to prevent disk space being exhausted :: https://bugzilla.mozilla.org/show_bug.cgi?id=801855 (Resolved)
  • pauljt :: fuzz the MAR format :: bug 804046 (Resolved)

B2G Web Activities | In Progress | Target Rel: none
  (Who :: What :: By when. Keep in mind all these things will be bugs that block the review bug, which blocks the feature bug.)
  • pauljt :: revisit spoofing when doing security testing of web activities :: post implementation
  • pauljt :: ensure the registered URL is restricted to the same origin, based on the principal
  • fabrice :: restrict handling of sensitive activities (SMS, others?) to trusted or certified apps

Balrog | In Progress | Target Rel: Q2 goal for live in nightly channel
  • bhearsum :: Are MAR signatures checked on all platforms? Only on Windows, but hashes are checked on all platforms
  • releng :: whitelist the URLs that we point to
  • releng :: notifications upon human addition (maybe change too?) of a release
  • bhearsum :: db dump with instructions on how to use it
  • psiinon :: pentest the admin UI
Identity Project BigTent | In Progress | Target Rel: none
  (Who :: What :: By when. Keep in mind all these things will be bugs that block the review bug, which blocks the feature bug.)
  • [dchan] :: contact ozten and team about the testing environment :: by EOD 08/20

Profile feature of Mozilla Persona/BrowserID | In Progress | Target Rel: none
  (Who :: What :: By when. Keep in mind all these things will be bugs that block the review bug, which blocks the feature bug.)
  • Yvan Boily :: code review :: before launch
  • identity team :: what are the milestones, how can these steps be broken down, and at which steps does the data collected increase

Browser ID Sync Integration | In Progress | Target Rel: none
  (no action items recorded)

Campaign management / product announcements for Firefox for Android | In Progress | Target Rel: none
  • the snippet poll must be over SSL; let's make sure

Chicago Summer of Learning Website (incl. aestimia and openbadger) | In Progress | Target Rel: none
  • chris :: add persona-auth to demo/ :: xx

Click to Play Plugins | In Progress | Target Rel: none
  • Keeler :: ability to differentiate plugins in persisted permissions :: https://bugzilla.mozilla.org/show_bug.cgi?id=746374 :: FF19?
  • Keeler :: differentiate regular click-to-play permissions from blocklisted click-to-play permissions :: before regular click-to-play gets its own UI to enable it

Developer tools: Debugger | In Progress | Target Rel: none
  (no action items recorded)

Fennec Private Browsing | In Progress | Target Rel: none
  (no action items recorded)

GCLI | In Progress | Target Rel: none
  (no action items recorded)

Geolocation WebAPI | In Progress | Target Rel: none
  (no action items recorded)

Implement new IDN Unicode display algorithm | In Progress | Target Rel: none
  (no action items recorded)

In App Payment | In Progress | Target Rel: none
  (no action items recorded)

Add --marionette CLI to enable Marionette on all Firefox builds | In Progress | Target Rel: none
  (Who :: What :: By when. Keep in mind all these things will be bugs that block the review bug, which blocks the feature bug.)
  • Marionette Team :: reopen and address bug 741812 for AMO :: before enabling in optimized builds
Metrics Data ping | In Progress | Target Rel: Firefox 12
  (no action items recorded)

Extend Pointer Lock (Mouse Lock) for non-fullscreen elements | In Progress | Target Rel: none
  • Can we make sure that Esc (and the cursor keys) cannot be used as a "user-triggered event handler" for the purpose of opening popups etc.? Or maybe allow only a whitelist of keycodes/charcodes (space, enter, printable characters). https://bugzilla.mozilla.org/show_bug.cgi?id=748198
    • This will break the Doom case of "Esc opens the menu and releases pointer lock; Esc again closes the menu and regains pointer lock". Games like that will have to use a different keybinding for their in-game menu with a fake cursor, or put an item on the menu for resuming the game (just as a full-screen game has to use a key other than Esc for its menu).
  • [mwobensmith?] :: test what happens on a device with both touch and a cursor

Network Monitor | In Progress | Target Rel: none
  (no action items recorded)

Notifications Backend | In Progress | Target Rel: none
  (no action items recorded)

Packaged Apps: Signing & Revocation | In Progress | Target Rel: none
  • Our app "revocation" seems to depend on the app coming from the Marketplace (not simply being signed by the Marketplace). Nothing at the moment seems to stop a web site from installing a copy of a Marketplace-signed privileged app. (Is that a problem?)
  • Marketplace team :: add a link to the mini-manifest inside the package (merge into bug 814131?)
  • Platform team (bsmith) :: require the mini-manifest link inside the signed JAR, and make sure the mini-manifest inside the JAR overrides the original (download) mini-manifest URI (merge into bug 814136?)

Persona Realms SSO | In Progress | Target Rel: none
  • technical privacy review
  • privacy review
  • server for test environment

Plugin Overlay API | In Progress | Target Rel: none
  (no action items recorded)

Security/Reviews/Push API | In Progress | Target Rel: B2G Basecamp
  (no action items recorded)

Reader Mode | In Progress | Target Rel: none
  (no action items recorded)

Release Kickoff System | In Progress | Target Rel: none
  (no action items recorded)

Create API for content to keep the screensaver from turning on (or to prevent a phone/tablet's screen from turning off) | In Progress | Target Rel: none
  (no action items recorded)

Settings API | In Progress | Target Rel: none
  (no action items recorded)
Simple Push API | In Progress | Target Rel: none
  (Who :: What :: By when. Keep in mind all these things will be bugs that block the review bug, which blocks the feature bug.)
  • pauljt :: web app test of the server component :: when we can
  • pauljt :: web app test of the Telefonica component :: ASAP
  • jlebar :: review the Telefonica notification server :: ASAP

Firefox/SocialAPI/ | In Progress | Target Rel: none
  (no action items recorded)

Expose a client TCP socket/UDP datagram API to web applications | In Progress | Target Rel: none
  (no action items recorded)

Web Bluetooth | In Progress | Target Rel: none
  (Who :: What :: By when. Keep in mind all these things will be bugs that block the review bug, which blocks the feature bug.)
  • dchan :: gonk update strategy for bluetooth, camera, etc.
  • dchan :: look into the dbus testing tools that ChromeOS uses

WebRT | In Progress | Target Rel: none
  (no action items recorded)

WebSMS | In Progress | Target Rel: none
  (no action items recorded)

Web Telephony | In Progress | Target Rel: none
  (no action items recorded)

Windows 8 Metro Firefox | In Progress | Target Rel: none
  (no action items recorded)

EsFrontLine | In Progress | Target Rel: none
  • Stefan :: test the search filtering (http://klahnakoski-es.corp.tor1.mozilla.com:9292/) :: ??

Private Elastic Search | In Progress | Target Rel: none
  • add a "this is private" indicator
  • remove legal, hr, finance, confidential (and more?)
  • verify whether the legal product dominates all the confidential bugs

Navigator.pay | In Progress | Target Rel: none
  (Who :: What :: By when. Keep in mind all these things will be bugs that block the review bug, which blocks the feature bug.)
  • pauljt :: review the trusted modal dialog JS :: asap
  • dchan :: investigate the marketplace JWT generation code (has to be reviewed at the spec level, since app servers can generate tokens as well)
  • pauljt :: prevent navigator.pay from the background :: bug raised

Token Server Client & Java BrowserID crypto library for Android services projects | In Progress | Target Rel: none
  • nalexander :: try to find a diagram showing token flows through servers and clients, for dchan :: Friday, 22 November
  • dchan :: reach out to the platform / FxOS teams for their implementations of this dance :: Friday, 22 November
  • yvan :: schedule the Fx Accounts sec-review for the protocol :: Friday, 22 November

IM in Thunderbird | In Progress | Target Rel: Thunderbird 13
  (no action items recorded)