Closed Bug 732058 Opened 13 years ago Closed 13 years ago

Security Review - TryAutoLand extension for b.m.o.

Categories

(mozilla.org :: Security Assurance: Applications, task)

task
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: dkl, Assigned: curtisk)

References

Details

(Whiteboard: [secr:cutisk])

This is a request for a security review for the Bugzilla extension implementing TryAutoLand. Therefore it is related to, but not the same as, bug 726193, which is about TryAutoLand itself. Also more information can be found on the wiki: https://wiki.mozilla.org/BMO/AutoLand

> A quick intro to what this app does.
> Where is the source code located?

http://bzr.mozilla.org/bmo/4.0-dev/files/head:/extensions/TryAutoLand/

> Is there a stage server running that we can also test against? If so, please indicate
> what machine the web server is running on.

https://bugzilla-stage-tip.mozilla.org/

I will need to add the reviewer's Bugzilla account to the proper 'hg-try' group on the test server to be able to see the extension UI in a bug report with patches.

> Where would you like the bugs filed in bugzilla? Please specify the product, component
> and if anyone specific should be copied on the bugs.

Once the component is created you will be able to file bugs under Product: bugzilla.mozilla.org, Component: Extensions: TryAutoLand

> Will this application be collecting any personally identifiable information from users
> (email address, physical address, phone number, etc)?

None; this will flag patches that are already visible in the bug report and does not collect any additional personal information about the user that is not already present in the bug report. The external landing system will see the bug id, branch information, try command syntax, attachment ids, and the user login of the person who flagged the patch when it contacts the server for work.

> Please describe if this app will be connecting to any internal or external services or
> if it is able to interact with the OS.

The new extension will not be contacting any other systems as part of normal operation. When a user flags a patch to be picked up by the autoland system, it just stores the values in the Bugzilla database. The external autolanding system will poll Bugzilla for any patches that have been flagged and then update the status when the patch is completed.

> Does this app support logins or multiple roles? If so, we'll need test accounts created
> for each available role.

Nothing other than normal Bugzilla logins. I will be able to grant the necessary permissions to the reviewer/tester if needed to make the extension visible.

> What is the worst case scenario that could happen with this system, data or connected
> systems? (This is used to help understand the criticality of this server.)

Worst case is that the extension causes an outage of BMO because of faulty code in the extension itself or excessive use of the WebService by the external autolanding system or other DoS type attack. Potential leak of information is limited as the WebService API only exports bug ids, branch/try_syntax, attachment ids and user login names. No other sensitive bug data is included such as comments, summaries, etc.

> Does this website contain an administration page? If so, have the admin page blockers
> (listed here) all been addressed?

No admin; the list of permitted groups is hard-coded into the extension.

> This review will be scheduled amongst other requested reviews. What is the urgency or
> needed completion date of this review?

Normal urgency.

dkl
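The two properties the request above relies on to bound the worst case, a WebService that exports only bug ids, branch/try_syntax, attachment ids and user logins, and a poller that cannot degrade BMO through excessive calls, are easiest to see as code. The following is an added illustrative model in Python, not the TryAutoLand extension's own (Perl) code: the record field names, the `status` value `"waiting"`, the limiter parameters and the sample record are all assumptions constructed for the example.

```python
"""Illustrative model of two properties stated in the review request:
the WebService hands the external autolander only an allowlisted set of
fields, and polling is rate-limited so a runaway poller cannot become a
DoS against BMO. Added example code in Python, not the TryAutoLand
extension's own (Perl) code; field names, the 'status' value and the
limiter parameters are assumptions."""
import time
from collections import deque
from typing import Dict, List, Optional

# The fields the request says the WebService exports. Anything else in the
# stored record (comments, summary, ...) is dropped by construction, so a
# later schema change cannot silently widen the exported data.
EXPORTED_FIELDS = ("bug_id", "attach_id", "branch", "try_syntax", "who")


def export_flagged_patch(record: Dict) -> Dict:
    """Project a stored record onto the allowlist.

    A missing required field is an error; unexpected extra fields are
    discarded rather than passed through."""
    missing = [f for f in EXPORTED_FIELDS if f not in record]
    if missing:
        raise KeyError(f"record lacks required field(s): {missing}")
    return {f: record[f] for f in EXPORTED_FIELDS}


class PollRateLimiter:
    """Sliding-window limiter keyed by the polling account's login."""

    def __init__(self, max_calls: int, window_seconds: float,
                 clock=time.monotonic):
        self.max_calls = max_calls
        self.window = window_seconds
        self.clock = clock          # injectable for deterministic tests
        self._calls: Dict[str, deque] = {}

    def allow(self, login: str) -> bool:
        now = self.clock()
        q = self._calls.setdefault(login, deque())
        while q and now - q[0] >= self.window:
            q.popleft()             # forget calls outside the window
        if len(q) >= self.max_calls:
            return False
        q.append(now)
        return True


def get_flagged_patches(login: str, records: List[Dict],
                        limiter: PollRateLimiter) -> Optional[List[Dict]]:
    """What a poll endpoint would return: None when the caller is over its
    quota (the WebService layer would turn that into an error response),
    otherwise the allowlisted projection of every record still waiting."""
    if not limiter.allow(login):
        return None
    return [export_flagged_patch(r) for r in records
            if r.get("status") == "waiting"]   # 'waiting' is an assumed value


# Constructed sample: a stored row carrying more than the WebService may export.
SAMPLE_RECORD = {
    "bug_id": 726193,
    "attach_id": 600001,            # constructed attachment id
    "branch": "try",
    "try_syntax": "-b do -p linux -u none -t none",   # constructed
    "who": "flagger@example.com",   # constructed login
    "status": "waiting",
    "summary": "TryAutoLand for b.m.o.",        # must NOT be exported
    "comments": ["internal discussion"],        # must NOT be exported
}

if __name__ == "__main__":
    limiter = PollRateLimiter(max_calls=2, window_seconds=60)
    print(get_flagged_patches("autoland@example.com", [SAMPLE_RECORD], limiter))
```

The allowlist is the important half: a denylist that strips `comments` and `summary` would start leaking the moment a new column is added to the stored record, whereas the projection above can only ever return the five named fields. The limiter is keyed by login because the request says the autolander authenticates as a normal Bugzilla account, so its quota can be tuned separately from interactive users.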
Just to add, there is already a security review scheduled for the AutoLand system itself outside of BMO on March 15th, 10am so it would be good if this could be lumped together with that as well. dkl
review scheduled for 15-Mar
Whiteboard: [secr:cutisk:sched]
QA Contact: mcoates → jstevensen
what's the status of this review?
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Whiteboard: [secr:cutisk:sched] → [secr:cutisk]
Assignee: security-assurance → curtisk