Page MenuHomePhabricator
Create Task
Maniphest T364555

Application Security Review Request : ICalendar Generator
Closed, ResolvedPublic
Actions

Description

Project Information

Description of the tool/project:
This package implements RFC 5545 and some extensions from RFC 7986 to provide an easy to use API for creating calendars.

Description of how the tool will be used at WMF:
To generate calendar invitations in the CampaignEvents extension

Dependencies

"php": "^7.4|^8.0",
"ext-mbstring": "*",
"spatie/enum": "^3.11"
"ext-json": "*",
"nesbot/carbon": "^2.63|^3.0",
"larapack/dd": "^1.1",
"pestphp/pest": "^1.22",
"spatie/pest-plugin-snapshots": "^1.1",
"vimeo/psalm": "^4.13"

Has this project been reviewed before?
No

Post-deployment
@MHorsey-WMF Campaigns team

Details

Risk Rating
Niedrig

Related Objects
Search...

Event Timeline

MHorsey-WMF created this task.May 9 2024, 3:47 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMay 9 2024, 3:47 PM
sbassett moved this task from Incoming to Back Orders on the secscrum board.May 13 2024, 4:02 PM
Daimona added a project: Campaign-Tools.May 16 2024, 4:15 PM
Daimona moved this task from Backlog to Following on the Campaign-Tools board.
Daimona added a parent task: T358493: Participant can add event details to external calendar via registration confirmation email.
ifried subscribed.May 16 2024, 8:48 PM
ifried added a subscriber: sbassett.Jun 3 2024, 5:16 PM

Hello, @sbassett! Thank you for adding this ticket to the Security team board.

I wanted to quickly check in on its status. Do you know when it may be reviewed by the Security team?

sbassett moved this task from Back Orders to Upcoming Quarter Planning Queue on the secscrum board.Jun 3 2024, 5:18 PM

@ifried - Our team completes reviews on a quarterly cadence, and we schedule reviews at the beginning of each quarter. So this review will likely be scheduled to be completed next quarter (July 1 through September 30).

VPuffetMichel subscribed.EditedJun 3 2024, 7:28 PM

@sbassett Do we actually need a security review for this?

sbassett added a comment.Jun 3 2024, 8:59 PM
In T364555#9856827, @VPuffetMichel wrote:

@sbassett Do we actually need a security review for this?

Is it literally just for the change set at https://gerrit.wikimedia.org/r/1029612? If so, I see that's still WIP; how large would you envision that change set to be? If it's likely to be "gerrit large" or smaller, I'd say we wouldn't need to perform an application security review for this.

MHorsey-WMF added a comment.Jun 4 2024, 12:41 PM

@sbassett it's to review any security concerns about the 3rd party code in that changeset, the changeset isn't actually real work, it was just a sample created for you guys to see it but the actual work won't be much bigger than that.

sbassett added a comment.Jun 4 2024, 2:06 PM
In T364555#9859237, @MHorsey-WMF wrote:

@sbassett it's to review any security concerns about the 3rd party code in that changeset, the changeset isn't actually real work, it was just a sample created for you guys to see it but the actual work won't be much bigger than that.

Oh, ok. Is this just concerning the Spatie\IcalendarGenerator package? That's all I really see within the gerrit change set. If so, that dependency seems pretty low-risk at the moment. I'm not finding any known vulnerabilities for it, checking a few different databases, and it's scorecard score isn't completely terrible.

MHorsey-WMF added a comment.Jun 13 2024, 12:07 PM

@sbassett so are we safe to go ahead?

sbassett added a comment.Jun 13 2024, 3:33 PM
In T364555#9888341, @MHorsey-WMF wrote:

@sbassett so are we safe to go ahead?

Can you confirm the statements from my last comment about the Spatie\IcalendarGenerator package?

MHorsey-WMF added a comment.Jun 13 2024, 4:21 PM

Oh, yes sorry. I can confirm it's all about that package.

sbassett added a comment.Jun 13 2024, 4:23 PM
In T364555#9889741, @MHorsey-WMF wrote:

Oh, yes sorry. I can confirm it's all about that package.

Ok, yes, this is low-risk then. Nothing else needs to be done for now.

sbassett closed this task as Resolved.Jun 13 2024, 4:24 PM
sbassett claimed this task.
sbassett triaged this task as Low priority.
sbassett moved this task from Upcoming Quarter Planning Queue to Our Part Is Done on the secscrum board.
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits