Blocklisting/Admin: Difference between revisions

From MozillaWiki
Jump to navigation Jump to search
(Doing some refactoring for the kinto instructions)
Line 1: Line 1:
Blocklist entries are added through the AMO Admin Tools. Only authorized members of the Add-ons Team can manipulate the blocklist.
Blocklist entries are added through the Kinto Web Administration tool. Only authorized members of the Add-ons Team can manipulate the blocklist.


== Extension blocks ==
# Login via the [https://settings-writer.prod.mozaws.net/v1/admin/ Kinto admin page] (VPN connection is required)
# '''Authentication method''': Basic Auth
# '''Username''': jdoe@mozilla.com. This is your full LDAP email address.
# '''Password''': your_ldap_password


# Go to the [https://addons.mozilla.org/admin/models/blocklist/blocklistdetail/ blocklist detail page] and click on Add blocklist detail.
All blocks are first created in the '''staging''' bucket, are later moved to the '''blocklist-preview''' bucket for testing and review, and then deployed to the final '''blocklists''' bucket.
# Enter a clear name and descriptions for the block. End users will read these, so they need to be clear as to why the block was put in place and what options are available. If the extension being blocked is malware, add " (malware)" at the end of the name.
#* See the [https://addons.mozilla.org/firefox/blocked/ Blocked Add-ons page] for examples.
# Set the Bug field to the blocklist bug. The bug should also have instructions for end users if the extension is heavily used.
# In the Blocklist Item #1 section, set the add-on GUID, version range (0 to * to cover all versions) OS and Severity.
#* The OS can be set to [https://developer.mozilla.org/en-US/docs/OS_TARGET any of these].
#* The Severity should be 1 for soft blocks and 3 for hard blocks. A severity set to 2 (reserved for a medium block), or no severity will also produce a hard block. To avoid ambiguity, these options shouldn't be used. Hard blocks should be limited to malware.
To limit a block to a specific application versions, the detail can be added with a Severity set to 0, or an invalid GUID, to keep it temporarily disabled. Then you can add a [https://addons.mozilla.org/admin/models/blocklist/blocklistapp/ blocklist app item] and link it to the detail item. Once that's done, the Severity or GUID can be set to their real values.


===XML Examples===
== Extension blocks ==
This is how the different block types look in blocklist.xml.
===Staging===
 
# Click on '''staging bucket''' :: '''addons'''
Soft block:
<pre><emItem  blockID="i20" id="{AB2CE124-6272-4b12-94A9-7303C7397BD1}">
  <versionRange  minVersion="0.1" maxVersion="5.2.0.7164" severity="1">
  </versionRange>
</emItem></pre>
 
Soft block with target application:
<pre><emItem  blockID="i23" id="firefox@bandoo.com">
  <versionRange  minVersion="5.0" maxVersion="5.0" severity="1">
    <targetApplication  id="{ec8030f7-c20a-464f-9b0e-13a3a9e97384}">
      <versionRange  minVersion="3.7a1pre" maxVersion="*" />
    </targetApplication>
  </versionRange>
</emItem></pre>
 
Hard block:
<pre><emItem  blockID="i73" id="a1g0a9g219d@a1.com">
  <versionRange  minVersion="0" maxVersion="*" severity="3">
  </versionRange>
</emItem></pre>
 
== Extension blocks (DRAFT KINTO VERSION) ==
 
# Login via the [https://settings-writer.prod.mozaws.net/v1/admin/ Kinto admin page] (VPN is required)
## '''Server''': https://settings-writer.prod.mozaws.net/v1/admin/
## '''Authentication method''': Basic Auth
## '''Username''': jdoe@mozilla.com ''//this is your full LDAP email address''
## '''Password''': your_ldap_password
# Click on '''blocklist bucket''' :: '''addons'''
# Click on "Create" (or edit/delete icons if you need to change an existing record)
# Click on "Create" (or edit/delete icons if you need to change an existing record)
# Enter in the appropriate fields. Example below (see the current list<sup>1</sup> for more examples)
# Enter in the appropriate fields. Example below (see the current list<sup>1</sup> for more examples)
## '''guid''':
#* Keep the Enabled checkbox checked.
## '''id''':
#* You'll generally want to enter the add-on ID, version range (0 to * to block all versions), and severity of the block.
## '''versionRange''': The Firefox version range this should hit (0 to * to cover all versions)
#* The OS can be set to [https://developer.mozilla.org/en-US/docs/OS_TARGET any of these], but OS-specific blocks are rarely needed.
## '''who''': All users who have Savogram version 1.3.2 installed[...]
#* The Target Application is only necessary for blocks that only target specific applications, which should also be very rare.
## '''bug''': "https://bugzilla.mozilla.org/show_bug.cgi?id=1328594"
#* The Preferences fields are used in case the add-on changed important Firefox preferences that need to be reset.
## '''name''': Savogram 1.3.2
#* The '''name''', '''why''', '''who''', and '''bug''' fields are shown to end users, so they need to be clear as to why the block was put in place and what options are available. If the extension being blocked is malware, add " (malware)" at the end of the name. '''bug''' should be a Bugzilla URL.
## '''why''': Version 1.3.2 of this add-on loads remote code and performs DOM injection in an unsafe manner.
# Information on the workflow funnel goes here
# Information on publishing goes here


<sup>1</sup> Data for the blocklist can be found in the [https://firefox.settings.services.mozilla.com/v1/buckets/blocklists/collections/addons/records public JSON endpoint], or on [https://addons.mozilla.org/en-US/firefox/blocked/ addons.mozilla.org].
<sup>1</sup> Data for the blocklist can be found in the [https://firefox.settings.services.mozilla.com/v1/buckets/blocklists/collections/addons/records public JSON endpoint], or on [https://addons.mozilla.org/en-US/firefox/blocked/ addons.mozilla.org].
===Testing===


<sup>2</sup> '''[Still valid?]''' To limit a block to a specific application versions, the detail can be added with a Severity set to 0, or an invalid GUID, to keep it temporarily disabled. Then you can add a [https://addons.mozilla.org/admin/models/blocklist/blocklistapp/ blocklist app item] and link it to the detail item. Once that's done, the Severity or GUID can be set to their real values.
====JSON Example====
 
===JSON Example===


<pre>
<pre>
Line 92: Line 55:
}
}
</pre>
</pre>
===Deploying===


== Plugin blocks ==
== Plugin blocks ==

Revision as of 22:23, 27 January 2017

Blocklist entries are added through the Kinto Web Administration tool. Only authorized members of the Add-ons Team can manipulate the blocklist.

  1. Login via the Kinto admin page (VPN connection is required)
  2. Authentication method: Basic Auth
  3. Username: jdoe@mozilla.com. This is your full LDAP email address.
  4. Password: your_ldap_password

All blocks are first created in the staging bucket, are later moved to the blocklist-preview bucket for testing and review, and then deployed to the final blocklists bucket.

Extension blocks

Staging

  1. Click on staging bucket :: addons
  2. Click on "Create" (or edit/delete icons if you need to change an existing record)
  3. Enter in the appropriate fields. Example below (see the current list1 for more examples)
    • Keep the Enabled checkbox checked.
    • You'll generally want to enter the add-on ID, version range (0 to * to block all versions), and severity of the block.
    • The OS can be set to any of these, but OS-specific blocks are rarely needed.
    • The Target Application is only necessary for blocks that only target specific applications, which should also be very rare.
    • The Preferences fields are used in case the add-on changed important Firefox preferences that need to be reset.
    • The name, why, who, and bug fields are shown to end users, so they need to be clear as to why the block was put in place and what options are available. If the extension being blocked is malware, add " (malware)" at the end of the name. bug should be a Bugzilla URL.

1 Data for the blocklist can be found in the public JSON endpoint, or on addons.mozilla.org.

Testing

JSON Example

{
   "guid":"{de71f09a-3342-48c5-95c1-4b0f17567554}",
   "blockID":"i1493",
   "enabled":true,
   "last_modified":1484867614757,
   "details":{
      "who":"All users who have this add-on installed.",
      "created":"2017-01-12T22:17:59Z",
      "bug":"https://bugzilla.mozilla.org/show_bug.cgi?id=1329654",
      "name":"Search for Firefox Convertor (malware)",
      "why":"This is a malicious add-on that is installed using a fake name. It changes search and homepage settings."
   },
   "versionRange":[
      {
         "targetApplication":[

         ],
         "minVersion":"0",
         "maxVersion":"1.3.9",
         "severity":3
      }
   ],
   "prefs":[

   ],
   "id":"d6ec9f54-9945-088e-ba68-40117eaba24e",
   "schema":1484335370642
}


Deploying

Plugin blocks

  1. Go to the blocklist detail page and click on Add blocklist detail.
  2. Enter a clear name and descriptions for the block. End users will read these, so they need to be clear as to why the block was put in place and what options are available. If the extension being blocked is malware, add " (malware)" at the end of the name.
  3. Set the Bug field to the blocklist bug. The bug should also have instructions for end users if the plugin is heavily used.
  4. In the Blocklist Plugin #1 section, set the identification criteria and Severity.
    • Plugins rarely have a GUID, so we use the filename field to identify plugins. Since filenames are OS-specific, the OS field is usually redundant.
    • The OS can be set to any of these.
    • Plugin version numbers can also be tricky and inconsistent, specially on Linux, where the version number isn't properly detected. We generally use regular expressions in the Name or Descriptions to identify the versions to block.
    • Regular expressions in plugins should be meticulously tested. Regexp Pal is a good tool for this.
    • The Severity should be 1 for soft blocks and 3 for hard blocks. A severity set to 2 (reserved for a medium block), or no severity will also produce a hard block. To avoid ambiguity, these options shouldn't be used. Hard blocks should be limited to malware.
    • A Severity set to 0 has different meanings depending on the vulnerability status value. If not set, it is an update prompt block. If set to 1 or 2, it means it's a click-to-play block (1 when there's a known fixed update, 2 when there isn't).

To limit a block to a specific application versions, the detail can be added with an invalid filename, to keep it temporarily disabled. Then you can add a blocklist app item and link it to the detail item. Once that's done, the Severity or GUID can be set to their real values.

XML Examples

This is how the different block types look in blocklist.xml.

Soft block on Mac OS (where version numbers work correctly): 

<pluginItem  blockID="p85">
  <match name="filename" exp="JavaPlugin2_NPAPI\.plugin" />
  <versionRange  minVersion="0" maxVersion="13.6.0" severity="1">
  </versionRange>
</pluginItem>

Update prompt block: 

<pluginItem  blockID="p134">
  <match name="name" exp="Java\(TM\) Platform SE 7 U[5-6](\s[^\d\._U]|$)" />
  <match name="filename" exp="npjp2\.dll" />
  <versionRange  severity="0">
  </versionRange>
</pluginItem>

Hard block with target application: 

<pluginItem  blockID="p27">
  <match name="name" exp="QuickTime Plug-in 7[.]1[.]" />
  <match name="filename" exp="npqtplugin.?[.]dll" />
  <versionRange >
    <targetApplication id="{ec8030f7-c20a-464f-9b0e-13a3a9e97384}">
      <versionRange  minVersion="3.0a1" maxVersion="3.*" />
    </targetApplication>
  </versionRange>
</pluginItem>

Graphics card blocks

  1. Go to the blocklist detail page and click on Add blocklist detail.
  2. Enter a name and descriptions for the block. These detail pages aren't exposed to users, so these descriptions aren't very important.
  3. Set the Bug field to the blocklist bug.
  4. In the Blocklist Gfx #1 section, set the data that should have been detailed on the blocklist bug.

XML Examples

<gfxBlacklistEntry  blockID="g95">
  <os>WINNT 6.1</os>
  <vendor>0x1002</vendor>
  <devices>
    <device>0x9802</device>
    <device>0x9803</device>
    <device>0x9803</device>
    <device>0x9804</device>
    <device>0x9805</device>
    <device>0x9806</device>
    <device>0x9807</device>
  </devices>
  <feature>DIRECT3D_9_LAYERS</feature>
  <featureStatus>BLOCKED_DEVICE</featureStatus>
  <driverVersion>1.0.0.0</driverVersion>
  <driverVersionComparator>GREATER_THAN_OR_EQUAL</driverVersionComparator>
</gfxBlacklistEntry>
Retrieved from "https://wiki.mozilla.org/index.php?title=Blocklisting/Admin&oldid=1161264"