Please advise on security

Please advise on security

Steven Tierney
Hi,

I have developed a new extension for Bugzilla.  It uses the web service
to access previously entered bug information in order to suggest
autocomplete data for custom fields.  Using jQuery, it's fully
configurable through Bugzilla web pages accessible from within the
Administration area.

There are security implications here because it will potentially expose
bug data which might otherwise be secure.  For that reason I need advice
on how to verify in the web service that
1. a user is logged in and,
2. is cleared to access bug data.

I did check the Bugzilla source files but, not being very used to coding
in Perl and not knowing how security 'works' in Bugzilla, I don't know
where to start!

I wonder if anyone can point me towards some documentation or give
advice / code snippets that may help.

The validation has to happen in the Webservice.pm file of the extension.


Thanks in advance!
---
Steven

-
To view or change your list settings, click here:
<http://bugzilla.org/cgi-bin/mj_wwwusr?user=lists@...>
Re: Please advise on security

Marc Schumann
Steven,

use Bugzilla->user to find out whether the user is logged in (see http://www.bugzilla.org/docs/tip/en/html/api/Bugzilla.html).
Check out http://www.bugzilla.org/docs/tip/en/html/api/Bugzilla/User.html, too -- there are some can_see_* methods which may be of use to you.

Further reading is at http://www.bugzilla.org/docs/tip/en/html/api/.

   Good luck
      Marc

Re: Please advise on security

Steven Tierney
Hi Marc,

Thanks for your quick reply.

I had a look at the links you suggested, thanks for them.

In my extension/Extension.pm file I try to get the logged-in user and there is no problem: the logged-in user & encrypted password can be found.

The problem I face is at the callback stage. E.g. the user types 3 characters into the field and that triggers the JavaScript to issue a callback to the web service.

At callback time I try to do the find (in my extension/lib/WebService.pm file) but the logged-in user is undefined.

I can't help thinking I'm missing something blindingly obvious! Do I need to pass in credentials when calling the web service, so that the user can first be logged in there and then the details I need can be found? That can be done, but I don't want to be writing the user id and encrypted password to the page, or depending on a browser cookie.

I don't know what the proper 'Bugzilla' methodology/workflow for using the web service is.

Anyway I am rambling on!  If you could offer me further guidance it would be greatly appreciated.


Thanks,
---
Steven



Re: Please advise on security

Ali Irfan Ustek

Steven,

The Bugzilla->user object can be used to find the details of the user in the current session; just check the object's methods.

Regards,
Rojanu

Re: Please advise on security

Marc Schumann
Steven,

unless you use ENV authentication (which you probably don't), Bugzilla uses cookies to identify the logged-in user. I believe JavaScript sends these unless you did something so that it doesn't, so you should be fine...

Maybe you can take a look at what YAHOO.bugzilla.userAutocomplete does (in js/field.js), calling User.get (in Bugzilla/WebService/User.pm). User.get calls can_see_user, referencing the logged-in user, and it works. Maybe you can use this as a template for your web service call.

   Best
      Marc
Re: Please advise on security

Steven Tierney
Sounds like that's where I need to look then.  It's an obvious place to look but sometimes one stares at a problem for so long that the obvious goes unnoticed!
 
Thanks again,
---
Steven

Re: Please advise on security

Max Kanat-Alexander
On 06/05/2012 08:57 AM, Steven Tierney wrote:
> I did check the Bugzilla source files but, not being very used to coding
> in Perl and not knowing how security 'works' in Bugzilla, I don't know
> where to start!

Hey Steven.

You probably want two things:

(1) Bugzilla->login(LOGIN_REQUIRED) for methods that can only be used by logged-in users.

(2) Bugzilla->user->visible_bugs (which is defined in Bugzilla::User).

If you are going to show products and components to users as well, you will have to do security on those in a different way.

-Max
--
Max Kanat-Alexander
Chief Architect, Community Lead, and Release Manager
Bugzilla Project
http://www.bugzilla.org/
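A WebService method along the lines Max describes, as an added example (not the extension's own code or Bugzilla's): the extension name FieldSuggest, the method name suggest and the sample custom field cf_customer are assumptions. Bugzilla->login(LOGIN_REQUIRED) covers requirement 1 (caller must be logged in, via the session cookie the browser already sends) and Bugzilla->user->visible_bugs covers requirement 2 (only values from bugs the caller may see are returned).

```perl
package Bugzilla::Extension::FieldSuggest::WebService;   # hypothetical extension

use strict;
use warnings;
use parent qw(Bugzilla::WebService);

use Bugzilla;
use Bugzilla::Constants;   # exports LOGIN_REQUIRED
use Bugzilla::Error;       # ThrowCodeError
use Bugzilla::Field;

# Called from the autocomplete JavaScript as
# FieldSuggest.suggest({ field => 'cf_customer', match => 'acm' })  (assumed names).
sub suggest {
    my ($self, $params) = @_;

    # (1) Reject anonymous callers with Bugzilla's own login error. The
    #     session cookie identifies the user, so the page never has to
    #     embed a user id or password for the callback.
    Bugzilla->login(LOGIN_REQUIRED);
    my $user = Bugzilla->user;

    # The field name comes from the request: resolve it through
    # Bugzilla::Field before it goes anywhere near SQL, and accept only
    # custom fields (their name is also their column in the bugs table).
    ThrowCodeError('param_required',
                   { function => 'FieldSuggest.suggest', param => 'field' })
        unless defined $params->{field};
    my $field = Bugzilla::Field->check({ name => $params->{field} });
    ThrowCodeError('invalid_field_name', { field => $field->name })
        unless $field->custom;
    my $col = $field->name;                       # validated, e.g. cf_customer

    my $dbh  = Bugzilla->dbh;
    my $rows = $dbh->selectall_arrayref(
        "SELECT bug_id, $col FROM bugs WHERE $col LIKE ? " . $dbh->sql_limit(200),
        undef, ($params->{match} // '') . '%');

    # (2) visible_bugs() applies Bugzilla's real authorisation (product
    #     access, bug groups, reporter/CC rules) and keeps only the bug IDs
    #     this user may see, so values from restricted bugs never leave
    #     the server.
    my %value_of = map { $_->[0] => $_->[1] } @$rows;
    my $visible  = $user->visible_bugs([ keys %value_of ]);

    my %seen;
    my @values = grep { defined $_ && length $_ && !$seen{$_}++ }
                 map  { $value_of{$_} } @$visible;

    return { values => [ map { $self->type('string', $_) } @values ] };
}

1;
```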