Security/Reviews/BZ Elastic Search

No results.

0 Total; 0 Open (0%); 0 Resolved (0%); 0 Verified (0%);

https://wiki.mozilla.org/Auto-tools/Projects/PublicES#SecReview_.2820_November_2013.2C_incomplete.29 Python code has been written that is responsible for

• Extracting data directly from Bugzilla's database,
• Transforming it to time-series data cube, and
• Loading into publicly accessible ElasticSearch

The known complications are:

• Private bugs must not be included, and the history on those bugs must be removed from the historical record in ElasticSearch.
• Private comments and private attachments must similarly be removed from the historical record.

Additional Information: About: https://wiki.mozilla.org/Auto-tools/Projects/PublicES

• Property "SecReview feature goal" (as page type) with input value "*dashboards
  • historical snapshots of bugs (point-in-time view)
  • Provide public fast cache of BZ data to:
    1. demonstrate current work
    2. allow community to build tools
       • https://github.com/okononen/dash
       • http://www.joshmatthews.net/bugsahoy/
       • http://harthur.github.io/bzhome/
       • http://pike.github.io/beta-dash/
    3. allow community to analyze trends, patterns" contains invalid characters or is incomplete and therefore can cause unexpected results during a query or annotation process.
    4. Property "SecReview alt solutions" (as page type) with input value "* Tried to publicize the existing ES cluster information (private bugs with no comments or summary), but there was concern the CC list may reveal the bug's security category (https://bugzilla.mozilla.org/show_bug.cgi?id=823303)
  • Using the BZ-API directly requires sophisticated caching, which appears to stall attempts at making snappy dashboards." contains invalid characters or is incomplete and therefore can cause unexpected results during a query or annotation process.
  • Property "SecReview solution chosen" (as page type) with input value "* ElasticSearch is very fast
  • Direct DB access leverages existing code
  • Direct DB access puts no load on Bugzilla app
  • Proven to work with business intelligence queries, which demand fast aggregate data over thousands of bugs (https://wiki.mozilla.org/Bugzilla_Anthropology/2013-01-29)" contains invalid characters or is incomplete and therefore can cause unexpected results during a query or annotation process.
  • Property "SecReview threats considered" (as page type) with input value "* Private bug data leaking into public cluster
  • ElasticSearch was not meant for direct public access, proxy added (https://bugzilla.mozilla.org/show_bug.cgi?id=879833)" contains invalid characters or is incomplete and therefore can cause unexpected results during a query or annotation process.
  • Property "SecReview threat brainstorming" (as page type) with input value "* Elastic Search index tampering (delete, rename, etc)
  • ES Script injection (MVEL)
  • DOS
  • Bugs that are changed from public to private (aka, how often is data refreshed?)
  • Data exfiltration via bug posting" contains invalid characters or is incomplete and therefore can cause unexpected results during a query or annotation process.