Developing security patches

From mediawiki.org

The following is a proposed workflow for managing security/embargoed patches for Wikimedia code.

Reporting, creating and deploying security patches

Initial steps

Do not post security reports or related patches to gerrit, github, patchdemo or any other PUBLIC developer tools, websites, mailing lists, IRC channels, etc. prior to any responsible disclosure of the underlying security issue.
  1. Upon discovery of any security issues, please review the information and steps within Wikimedia's Reporting Security Bugs documentation.
  2. If you have opted to create a Phabricator security report (as opposed to emailing a report to security@wikimedia.org), you will first need to create a Phabricator account to do so if you do not have one. Then submit a secure report via this form. Submit as much detailed information as possible following the guidelines within the aforementioned Reporting Security Bugs documentation.
  3. Develop your patch locally (preferably on a temporary branch) and test it within MediaWiki-Vagrant, MediaWiki-Docker or an ad-hoc local development environment. Please do not use a public-facing tool such as patchdemo.
  4. Create a patch file within your working directory by running git format-patch HEAD^ --stdout > 01-Txxxxx.patch (where "Txxxxx" is the Phabricator task id). Please also prepend the top line of the commit message (subject line) with SECURITY:. Finally, include any relevant local test steps or documentation related to your security patch when you post your patch for review on the relevant protected Phabricator task.
  5. Upload the patch by attaching it to the relevant Phabricator task as a secure file attachment. Coordinate with other developers to review your patch by reaching out to them via email, IRC, etc. and then subscribing them to the security task. Add the Phabricator #Patch-For-Review project to the task.
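Steps 3 and 4 above, worked through in a throwaway repository as an added example (this is not code from this page or from Wikimedia's tooling): the fix is made on a temporary local branch, the commit subject is prefixed with SECURITY:, the commit is exported with git format-patch HEAD^ --stdout, and the resulting file is checked for the expected subject line and for applying cleanly to the branch it was cut from. The task id T000000, the PHP file and the fix it receives are placeholders constructed for illustration; the final git apply --check is an extra self-check the page does not require.

```shell
#!/bin/sh
# Added example, not part of the original page or of Wikimedia's tooling.
# Walks through steps 3 and 4 in a temporary repository and returns the
# path of the generated patch file.
# Assumptions: git is installed; T000000 is a placeholder task id; the PHP
# file and its fix are constructed for illustration only.

make_security_patch() {
    task="${1:-T000000}"                       # placeholder, not a real task
    work="$(mktemp -d)" || return 1
    patch="$work/01-$task.patch"

    (
        set -e
        cd "$work"
        git init -q .
        git symbolic-ref HEAD refs/heads/main  # canonical branch of the toy repo

        # Constructed "before" state: a tiny PHP helper committed to main.
        mkdir -p includes
        cat > includes/Greeting.php <<'EOF'
<?php
function greet( $name ) {
    return "Hello, " . $name;
}
EOF
        git add includes/Greeting.php
        git -c user.name=Dev -c user.email=dev@example.invalid \
            commit -q -m "Add greeting helper"

        # Step 3: develop the fix on a temporary local branch, never on a
        # public tool.
        git checkout -q -b "security-$task"
        cat > includes/Greeting.php <<'EOF'
<?php
function greet( $name ) {
    return "Hello, " . htmlspecialchars( $name, ENT_QUOTES );
}
EOF
        git add includes/Greeting.php
        # Step 4: subject line starts with "SECURITY:", task id in the footer.
        git -c user.name=Dev -c user.email=dev@example.invalid \
            commit -q -m "SECURITY: Escape name in greet()" -m "Bug: $task"

        # Step 4: export only the top commit as a mail-formatted patch file.
        git format-patch HEAD^ --stdout > "$patch"

        # Self-checks before attaching the file to the Phabricator task:
        # the subject carries the SECURITY: prefix, and the patch still
        # applies cleanly to the branch it was cut from.
        grep -q '^Subject: \[PATCH\] SECURITY:' "$patch"
        git checkout -q main
        git apply --check "$patch"
    ) || return 1

    printf '%s\n' "$patch"
}

# Stand-alone run: prints the path of the generated patch file.
make_security_patch T000000
```

The generated file is what step 5 attaches to the task as a secure file attachment; the Bug: footer carries the task id so reviewers can match the patch to the report without it appearing in any public system.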

For code which canonically exists within gerrit.wikimedia.org, please follow the steps below

  1. Once again, please do not upload the patch publicly to gerrit for review at this time, unless approved to do so by a member of the Security Team. Backports can happen via gerrit once any relevant security patches have been deployed to Wikimedia production OR when relevant parties have been sufficiently alerted to the issue. For any clarifications on this policy, please contact security-help@wikimedia.org.

For code which canonically exists at gitlab.wikimedia.org, please follow the steps below

Assuming a security patch has been created and reviewed within Phabricator, as per the initial steps mentioned above, please proceed with the following GitLab-specific steps.

See GitLab/Workflows/Security patches

Other systems

  1. For code which canonically exists within GitHub, please follow the steps within Wikimedia's Reporting Security Bugs documentation and do not create any public pull requests.
  2. If the relevant code repositories exist canonically within another versioning system or repository, please contact security-help@wikimedia.org for additional guidance.