Security/Reviews/BZ Elastic Search

From MozillaWiki
Jump to: navigation, search
Please use "Edit with form" above to edit this page.

Item Reviewed

Store Bugzilla data in public ElasticSearch
Target

No results.

0 Total; 0 Open (0%); 0 Resolved (0%); 0 Verified (0%);

https://wiki.mozilla.org/Auto-tools/Projects/PublicES#SecReview_.2820_November_2013.2C_incomplete.29 Achitecture.png Python code has been written that is responsible for

  • Extracting data directly from Bugzilla's database,
  • Transforming it to time-series data cube, and
  • Loading into publicly accessible ElasticSearch

The known complications are:

  • Private bugs must not be included, and the history on those bugs must be removed from the historical record in ElasticSearch.
  • Private comments and private attachments must similarly be removed from the historical record.

Additional Information: About: https://wiki.mozilla.org/Auto-tools/Projects/PublicES

Code: https://github.com/klahnakoski/Bugzilla-ETL
The given value "

No results.

0 Total; 0 Open (0%); 0 Resolved (0%); 0 Verified (0%);

https://wiki.mozilla.org/Auto-tools/Projects/PublicES#SecReview_.2820_November_2013.2C_incomplete.29 Achitecture.png Python code has been written that is responsible for

  • Extracting data directly from Bugzilla's database,
  • Transforming it to time-series data cube, and
  • Loading into publicly accessible ElasticSearch

The known complications are:

  • Private bugs must not be included, and the history on those bugs must be removed from the historical record in ElasticSearch.
  • Private comments and private attachments must similarly be removed from the historical record.

Additional Information: About: https://wiki.mozilla.org/Auto-tools/Projects/PublicES

Code: https://github.com/klahnakoski/Bugzilla-ETL" contains strip markers and therefore it cannot be parsed sufficiently.

Introduce the Feature

Goal of Feature, what is trying to be achieved (problem solved, use cases, etc)

What solutions/approaches were considered other than the proposed solution?

  • Tried to publicize the existing ES cluster information (private bugs with no comments or summary), but there was concern the CC list may reveal the bug's security category (https://bugzilla.mozilla.org/show_bug.cgi?id=823303)
  • Using the BZ-API directly requires sophisticated caching, which appears to stall attempts at making snappy dashboards.

Why was this solution chosen?

Any security threats already considered in the design and why?

Threat Brainstorming

  • Elastic Search index tampering (delete, rename, etc)
  • ES Script injection (MVEL)
  • DOS
  • Bugs that are changed from public to private (aka, how often is data refreshed?)
  • Data exfiltration via bug posting
  • Property "SecReview feature goal" (as page type) with input value "*dashboards
    • historical snapshots of bugs (point-in-time view)
    • Provide public fast cache of BZ data to:
      1. demonstrate current work
      2. allow community to build tools
      3. allow community to analyze trends, patterns" contains invalid characters or is incomplete and therefore can cause unexpected results during a query or annotation process.
      4. Property "SecReview alt solutions" (as page type) with input value "* Tried to publicize the existing ES cluster information (private bugs with no comments or summary), but there was concern the CC list may reveal the bug's security category (https://bugzilla.mozilla.org/show_bug.cgi?id=823303)
    • Using the BZ-API directly requires sophisticated caching, which appears to stall attempts at making snappy dashboards." contains invalid characters or is incomplete and therefore can cause unexpected results during a query or annotation process.
    • Property "SecReview solution chosen" (as page type) with input value "* ElasticSearch is very fast
    • Direct DB access leverages existing code
    • Direct DB access puts no load on Bugzilla app
    • Proven to work with business intelligence queries, which demand fast aggregate data over thousands of bugs (https://wiki.mozilla.org/Bugzilla_Anthropology/2013-01-29)" contains invalid characters or is incomplete and therefore can cause unexpected results during a query or annotation process.
    • Property "SecReview threats considered" (as page type) with input value "* Private bug data leaking into public cluster
    • ElasticSearch was not meant for direct public access, proxy added (https://bugzilla.mozilla.org/show_bug.cgi?id=879833)" contains invalid characters or is incomplete and therefore can cause unexpected results during a query or annotation process.
    • Property "SecReview threat brainstorming" (as page type) with input value "* Elastic Search index tampering (delete, rename, etc)
    • ES Script injection (MVEL)
    • DOS
    • Bugs that are changed from public to private (aka, how often is data refreshed?)
    • Data exfiltration via bug posting" contains invalid characters or is incomplete and therefore can cause unexpected results during a query or annotation process.

Action Items

Action Item Status None
Release Target `
Action Items
'