Phabricator/Security

By default, tasks, files, and other objects in Wikimedia Phabricator are publicly visible (for anonymous users as well), and editable by all registered users. However, sometimes there are reasons to keep some information private. This document explains how private information is handled in https://phabricator.wikimedia.org/.

See also Phabricator/Permissions.

Requirements
Tasks regarding sensitive topics need to be filed in Phabricator. Some of these are related to security bugs, and some of these are related to general sensitive work.

Preamble
Phabricator does not associate policy with any project labels implicitly. Upstream Phabricator developers have affirmed repeatedly that doing so is not in their plan and is not intended functionality. The task-centric interface means that policies are instead explicitly associated with the tasks themselves. Each task has an "edit" and a "view" policy. The right to adjust policies on tasks is global: in order to grant that right, it has to be granted for all tasks. Because the right to adjust task policy is global, it has been limited to members of the Security and acl*operations-team projects.

All users are expected to be able to file tasks that require a high degree of discretion, but Wikimedia cannot grant all users the right to adjust policy globally. To achieve this, we have created an additional 'Security' drop down field in the task creation form and the task edit interface. This drop down lets users select a transform that appropriately adjusts a task's viewability/editability without needing global policy permission: it sets the appropriate policies, includes relevant projects, and sanitizes the issue if necessary to prevent further disclosure.

At this time, the transform is applied as a custom Herald action whenever an issue is saved after editing. To allow both converting existing issues and filing new ones in a secure state, the transform must be applied any time the drop down is active. The effect is that, any time the drop down is active, the basic policy template is enforced. Changing the 'Security' selector from 'Security or Sensitive Bug' (where it is limited to a known good state for policy) to 'none' does not change the policy on the issue, but it does allow the policy on the issue to be changed. If Security determines after initial filing that additional resources are needed, the policy is simple to adjust to allow specific groups or users within Phabricator.

Understanding 'Security' Field Transforms
The latest complete run-through of the Security field drop down can be seen in T76564.
 * None
   * Applies no transform
   * Preserves the existing policy, project, and other metadata properties of a task.
 * MediaWiki security bug
   * Ensures the Security project is included
   * Ensures the Security project association
   * Allow author to edit/view
   * Allow any subscriber to edit/view (This is very custom behavior that works only for this setting)
   * Allows adhoc additions to policy (users or groups)
   * Will prevent accidental "public" or "all users" settings
 * Other confidential issue
   * Ensures the WMF-NDA project association
   * Enforces the WMF-NDA project for edit and view policy.
   * Allow author to edit/view
 * Access Request
   * This will associate the Phabricator project Ops-Access-Requests and cause a second hidden subtask to be created. See requesting shell access.
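
The transform semantics listed above, modelled as an added Python example; it is not Wikimedia's Herald action or any Phabricator code. The selector labels, principal names and data shapes are assumptions, treating the WMF-NDA case as a strict policy reset is also an assumption, and the Access Request option is not modelled.

```python
from dataclasses import dataclass, field

# Constructed principal labels (assumed, not Phabricator policy identifiers).
PUBLIC, ALL_USERS = "public", "all-users"
OPEN = {PUBLIC, ALL_USERS}

@dataclass
class Task:
    author: str
    security: str = "none"   # assumed labels: "none", "security-bug", "confidential"
    view: set = field(default_factory=lambda: {PUBLIC})      # default view policy
    edit: set = field(default_factory=lambda: {ALL_USERS})   # default edit policy
    projects: set = field(default_factory=set)
    subscribers: set = field(default_factory=set)

def apply_transform(task: Task) -> Task:
    """Model of the transform that runs every time a task is saved."""
    if task.security == "none":
        # No transform: policy, projects and metadata are preserved as-is.
        return task
    if task.security == "security-bug":
        task.projects.add("Security")
        required = {"Security", task.author} | task.subscribers
        # Ad hoc users/groups already in the policy survive;
        # "public" and "all users" are stripped on every save.
        task.view = (task.view - OPEN) | required
        task.edit = (task.edit - OPEN) | required
    elif task.security == "confidential":
        task.projects.add("WMF-NDA")
        # Assumption: "enforces" means the policy is reset to exactly this set.
        task.view = {"WMF-NDA", task.author}
        task.edit = {"WMF-NDA", task.author}
    return task

def is_exposed(task: Task) -> bool:
    """Audit check: an active Security setting must never coexist with an open policy."""
    return task.security != "none" and bool((task.view | task.edit) & OPEN)

if __name__ == "__main__":
    t = apply_transform(Task("alice", "security-bug", subscribers={"bob"}))
    t.view |= {PUBLIC, "carol"}            # accidental "public" plus an ad hoc user
    print("exposed before save:", is_exposed(t))
    apply_transform(t)                     # next save re-enforces the template
    print("view after save:", sorted(t.view))
    t.security = "none"                    # selector off: policy is unchanged...
    apply_transform(t)
    print("view with selector off:", sorted(t.view))
```

The last step shows the behaviour the preamble describes: setting the selector to 'none' leaves the restricted policy in place and only stops the transform from re-enforcing it on later saves.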

When to Select a Security Option

 * None - This is the default under which no adjustments will be made.
 * MediaWiki security bug - This is appropriate for any bugs or security issues related to MediaWiki or other Wikimedia software.
 * Other confidential issue - This is appropriate for confidential issues within Wikimedia Phabricator, Operations, or any task the author is unsure of for disclosure.
 * Access Request - When requesting shell access.

Valid Security States for Tasks

 * The default task policies are Viewable by Public and Editable by All Users (registered users)
 * Non-registered users cannot manage resources within the Phabricator ecosystem as they do not have an identity to tie audit or actions back to. Public is not a valid edit policy setting in Phabricator.
 * Issues that may have policy different from the default: Operations issues that need to be restricted to edit (and possibly view) for WMF-NDA, security issues that need to be restricted to a special group of users, and other issues of a sensitive nature. This list is not complete. There will be instances where a particular task or project is more sensitive for a period of time.

How to Lower the Security of a Task

 * Note: this may not work as described currently, due to T153742

To make an access restricted task entirely public again, a user who has permissions to modify the task's policy has to edit the task: Set 'Visible to' to 'Public (No Login Required)', set 'Editable by' to 'All Users', set 'Security' to none, and potentially remove projects like 'WMF-NDA' and/or 'Security' if appropriate. Obviously such an action should only be taken for good reasons (e.g. on a security task that has been made public in the meantime).

Being Open While Providing Private Tasks
We want to allow everyone to follow along with project activity. As such, projects meant for ACL use should use the following naming scheme, which sets them apart:

acl*<restricted-group>

They should also use the "policy" lock icon.

https://phabricator.wikimedia.org/project/query/.56Kqk_sr48z/#R

These are not meant to be applied via type ahead as association projects.

A direct way to submit a security report as a private task

 * Currently the intention for a few specific projects related to Operations is to route certain emails as bot created tasks from anonymous senders.
 * The security transform is applied via the existing and known mechanisms outlined above (using the auxiliary field via task creation with Conduit).
 * There is no way to set policy on a task via email.
 * There is no way to set policy on a task via project association.

Process to request a private project

 * Upstream has declined implicit security behavior with project association.
 * In the short term, if a team really needs private tasks for a project, a custom form can be implemented.
 * For projects with tasks being private by default, a Space can be requested.