Fw: security related pull requests planned


Fw: security related pull requests planned

Plante, Raymond L. (Fed)
Dear Foswiki developers,

I'm interested in submitting a series of pull requests that address some still open security issues.  I'm writing here first as a heads up to my hope/intention, but also I would be interested in getting any advice and direction for proceeding.  I'm new to Foswiki development, but I've been studying the developer documentation (technical overview, bible, security features, and in particular how automated testing is handled); however, there may be more specific discussions either on the wiki or in the list that would be pertinent.  Also, there may be some advice out there for how best to document the issues (use the wiki?  GitHub Issues?).

A bit of background:  I work at the US National Institute of Standards and Technology (NIST), and I'm interested in seeing Foswiki made more available for both internal use and as a platform for interacting with the broader world outside of the government.  It might go without saying that to be approved for such use on government servers, it must meet certain security requirements, and NIST tends to be a bit stricter than other agencies.  We recently did a scan of the Foswiki application (on an instance here at NIST) using the HP Fortify WebInspect product, and it raised a number of issues such as Cross-site scripting vulnerabilities.  Digging deeper into the first one, I was able to find the problem and fix it in my sandbox.  I thought, then, that I might try to get through as many as I can.

Just as a rough sketch, I thought I would break this effort up into a series of separable patches/pull requests, each with some documentation describing the issue and a unit test illustrating the problem (and its fix).  I'm used to the GitHub workflow using Issues, but it appears that this community prefers documenting such things on the Foswiki.org wiki.  Again, advice from the developer team would be helpful here.

thanks,
Ray Plante

_______________________________________________
Foswiki-discuss mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/foswiki-discuss

Re: Fw: security related pull requests planned

George Clark-2
Hi,

Thanks for your interest.  For security issues we prefer that they be reported via our security reporting mechanism.  See https://foswiki.org/Development/SecurityAlertProcess
  • You can contact [hidden email] where we can triage issues without public discussion.
  • You can also report Security issues in our Tasks web - https://foswiki.org/Tasks. But please be sure to set the task to Priority "Security", so that it is restricted to the Security group.

We gladly accept pull requests via GitHub.  It's helpful if the Commit message identifies the task by using the Itemxxxx: number in the first line. That way when we push the commit, it updates the tasks on the Foswiki web as well.

For bugfixes for the next patch release, please fork the Release02x01 branch and generate your pull requests there.  We can then merge, and merge into our master branch where Foswiki 2.2 is being developed.

You can also request developer access, and we can arrange direct commit access onto Github.

The developers do most interaction on the #foswiki IRC channel.  We also have bi-weekly release meetings on Mondays at 1300Z in the #foswiki-release channel.  See https://foswiki.org/Development/FoswikiCalendar

George Clark
Release Manager Foswiki 2.1

On 05/09/2016 04:15 PM, Plante, Raymond L. (Fed) wrote:

Re: Fw: security related pull requests planned

Plante, Raymond L. (Fed)
Thanks, George; very helpful and just what I was hoping for.  I'll send my first item to foswiki-security.

cheers,
Ray
