Bug 186831

Summary: EWS should not try to post comments or upload result archives to security-sensitive bugs unless it has access
Product: WebKit
Reporter: Daniel Bates <dbates>
Component: Tools / Tests
Assignee: Daniel Bates <dbates>
Status: RESOLVED FIXED
Severity: Normal
CC: aakash_jain, ap, ews-watchlist, glenn, lforschler, rniwa, webkit-bug-importer
Priority: P2
Keywords: InRadar
Version: WebKit Local Build
Hardware: Unspecified
OS: Unspecified
See Also: https://bugs.webkit.org/show_bug.cgi?id=186834
Attachments: Patch (flags: none)

Daniel Bates
Reported 2018-06-19 21:16:18 PDT
Following the patch for bug #186291, EWS bots that cannot access security-sensitive patches on Bugzilla can now fetch them from the status server. Obviously these bots cannot post comments or upload result failure archives for a security-sensitive patch they fetched from the status server. Doing so will cause an exception. Although the EWS code is robust enough that such exceptions will be caught, they will be treated as "unexpected" and logged accordingly. For now, we should explicitly handle such failures gracefully and avoid classifying them as unexpected because they are now expected. Eventually we want to support a means for comments and result archives from EWS bots to be posted to security-sensitive bugs without giving these bots access to all security bugs or even some security bugs. We will likely need to take a similar approach as done in the patch for bug #186291 and use the status server as an intermediate data store for some privileged bot to download and re-upload to Bugzilla. Maybe the privileged bot could be the feeder EWS?
Attachments
Patch (5.33 KB, patch)
2018-06-19 21:21 PDT, Daniel Bates
no flags
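The handling the description asks for, sketched as an added example; this is not the patch attached to this bug and not webkitpy code. `FakeTracker`, `AccessDenied`, the `from_status_server` flag and the outcome strings are hypothetical names chosen for the illustration.

```python
import logging

log = logging.getLogger("ews_sketch")  # hypothetical logger name


class AccessDenied(Exception):
    """Hypothetical error: the bot's account cannot see the bug."""


class FakeTracker:
    """Constructed stand-in for a bug tracker client (not Bugzilla's API)."""

    def __init__(self, restricted_bugs):
        self.restricted = set(restricted_bugs)
        self.posted = []  # (bug_id, kind) pairs the tracker accepted

    def _write(self, bug_id, kind):
        if bug_id in self.restricted:
            raise AccessDenied(f"bug {bug_id} is not accessible")
        self.posted.append((bug_id, kind))

    def post_comment(self, bug_id, text):
        self._write(bug_id, "comment")

    def upload_archive(self, bug_id, data):
        self._write(bug_id, "archive")


def attempt(action, patch, kind):
    """Run one tracker write and classify the outcome."""
    try:
        action()
        return "posted"
    except AccessDenied:
        if patch["from_status_server"]:
            # Expected: the patch was relayed because the bot has no access.
            # Log ids only, never the comment text or archive contents.
            log.info("skipping %s for restricted bug %s", kind, patch["bug_id"])
            return "skipped"
        log.error("no access to bug %s while posting %s", patch["bug_id"], kind)
        return "unexpected"
    except Exception:
        log.exception("unexpected failure posting %s", kind)
        return "unexpected"


def report(tracker, patch, comment, archive=None):
    """Post a comment and, if given, a results archive; return per-step outcomes."""
    bug = patch["bug_id"]
    out = {"comment": attempt(lambda: tracker.post_comment(bug, comment), patch, "comment")}
    if archive is not None:
        out["archive"] = attempt(lambda: tracker.upload_archive(bug, archive), patch, "archive")
    return out
```

An access failure counts as expected only when the patch is known to have come through the status server; the same error on a bug the bot should be able to see is still reported as unexpected.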
Daniel Bates
Comment 1 2018-06-19 21:21:22 PDT
EWS Watchlist
Comment 2 2018-06-19 21:24:37 PDT
Attachment 343131 [details] did not pass style-queue:

ERROR: Tools/ChangeLog:11: Please consider whether the use of security-sensitive phrasing could help someone exploit WebKit: security bug [changelog/unwantedsecurityterms] [3]
Total errors found: 1 in 3 files

If any of these errors are false positives, please file a bug against check-webkit-style.
Daniel Bates
Comment 3 2018-06-21 14:11:45 PDT
Comment on attachment 343131 [details]
Patch

Clearing flags on attachment: 343131

Committed r233058: <https://trac.webkit.org/changeset/233058>
Daniel Bates
Comment 4 2018-06-21 14:12:05 PDT
All reviewed patches have been landed. Closing bug.
Radar WebKit Bug Importer
Comment 5 2018-06-21 14:13:17 PDT