186831 2018-06-19 21:16:18 -0700 EWS should not try to post comments or upload result archives to security-sensitive bugs unless it has access 2018-06-21 14:13:17 -0700 1 1 1 Unclassified WebKit Tools / Tests WebKit Local Build Unspecified Unspecified RESOLVED FIXED https://bugs.webkit.org/show_bug.cgi?id=186834 InRadar P2 Normal --- 1 dbates dbates aakash_jain ap ews-watchlist glenn lforschler rniwa webkit-bug-importer oldest_to_newest 1434685 0 dbates 2018-06-19 21:16:18 -0700 Following the patch for bug #186291, EWS bots that cannot access security-sensitive patches on Bugzilla can now fetch them from the status server. Obviously these bots cannot post comments or upload result failure archives for a security-sensitive patch they fetched from the status server. Doing so will cause an exception. Although the EWS code is robust enough that such exceptions will be caught they will be treated as "unexpected" and logged accordingly. For now, we should explicitly handle such failures gracefully and avoid classifying them as unexpected because they are now expected. Eventually we want to support a means for comments and result archives from EWS bots to be posted to security-sensitive bugs without giving these bots access to all security bugs or even some security bugs. We will likely need to take a similar approach as done in the patch for bug #186291 and use the status server as an intermediate data store for some privileged bot to download and re-upload to Bugzilla. Maybe the privileged bot could be the feeder EWS? 1434686 1 343131 dbates 2018-06-19 21:21:22 -0700 Created attachment 343131 Patch 1434687 2 ews-watchlist 2018-06-19 21:24:37 -0700 Attachment 343131 did not pass style-queue: ERROR: Tools/ChangeLog:11: Please consider whether the use of security-sensitive phrasing could help someone exploit WebKit: security bug [changelog/unwantedsecurityterms] [3] Total errors found: 1 in 3 files If any of these errors are false positives, please file a bug against check-webkit-style. 1435245 3 343131 dbates 2018-06-21 14:11:45 -0700 Comment on attachment 343131 Patch Clearing flags on attachment: 343131 Committed r233058: <https://trac.webkit.org/changeset/233058> 1435246 4 dbates 2018-06-21 14:12:05 -0700 All reviewed patches have been landed. Closing bug. 1435247 5 webkit-bug-importer 2018-06-21 14:13:17 -0700 <rdar://problem/41343252> 343131 2018-06-19 21:21:22 -0700 2018-06-21 14:11:45 -0700 Patch bug-186831-20180619212122.patch text/plain 5461 dbates U3VidmVyc2lvbiBSZXZpc2lvbjogMjMyOTgwCmRpZmYgLS1naXQgYS9Ub29scy9DaGFuZ2VMb2cg Yi9Ub29scy9DaGFuZ2VMb2cKaW5kZXggMTBlYjY2ZTNiMGU3MzI2OTMxNTgzMmNmZjVlNmQxNDBh YWIxMTliNi4uYzJlNDQ4MzBlNTZlZTEzMDg5OTI3ZTg2ZDIxMjE3ZDI0NmI5ODllYiAxMDA2NDQK LS0tIGEvVG9vbHMvQ2hhbmdlTG9nCisrKyBiL1Rvb2xzL0NoYW5nZUxvZwpAQCAtMSw1ICsxLDMx IEBACiAyMDE4LTA2LTE5ICBEYW5pZWwgQmF0ZXMgIDxkYWJhdGVzQGFwcGxlLmNvbT4KIAorICAg ICAgICBFV1Mgc2hvdWxkIG5vdCB0cnkgdG8gcG9zdCBjb21tZW50cyBvciB1cGxvYWQgcmVzdWx0 IGFyY2hpdmVzIHRvIHNlY3VyaXR5LXNlbnNpdGl2ZQorICAgICAgICBidWdzIHVubGVzcyBpdCBo YXMgYWNjZXNzCisgICAgICAgIGh0dHBzOi8vYnVncy53ZWJraXQub3JnL3Nob3dfYnVnLmNnaT9p ZD0xODY4MzEKKworICAgICAgICBSZXZpZXdlZCBieSBOT0JPRFkgKE9PUFMhKS4KKworICAgICAg ICBGb2xsb3dpbmcgcjIzMjk3OSBzZWN1cml0eS1zZW5zaXRpdmUgcGF0Y2hlcyBhcmUgdXBsb2Fk ZWQgdG8gdGhlIHN0YXR1cyBzZXJ2ZXIgc28KKyAgICAgICAgdGhhdCB0aGV5IGNhbiBiZSByZXRy aWV2ZWQgYW5kIHByb2Nlc3NlZCBieSBFV1MgYm90cyB3aXRob3V0IHRoZSBuZWVkIGZvciBCdWd6 aWxsYQorICAgICAgICBzZWN1cml0eSBidWcgYWNjZXNzLiBBbHRob3VnaCB0aGUgRVdTIG1hY2hp bmVyeSBpcyByb2J1c3QgYWdhaW5zdCB1bmV4cGVjdGVkIGV4Y2VwdGlvbnMsCisgICAgICAgIGlu Y2x1ZGluZyBleGNlcHRpb25zIHJhaXNlZCB3aGVuIGludGVyYWN0aW5nIHdpdGggQnVnemlsbGEg YnVncy9hdHRhY2htZW50cyB3aXRoCisgICAgICAgIGluc3VmZmljaWVudCBjcmVkZW50aWFscywg d2Ugc2hvdWxkIG5vdCBkZXBlbmQgb24gc3VjaCBkZWZlbnNlcyBhcyB0aGV5IGNhdXNlIHdlYmtp dC0KKyAgICAgICAgcGF0Y2ggdG8gbG9nIGEgbWVzc2FnZSBmb3IgdGhlICJ1bmV4cGVjdGVkIiBl eGNlcHRpb24uIFdlIHNob3VsZCByZXNlcnZlIHN1Y2ggbG9nZ2luZworICAgICAgICBmb3IgdHJ1 bHkgdW5leHBlY3RlZCBleGNlcHRpb25zIHRoYXQgaW5kaWNhdGUgYSBwcm9ncmFtbWluZyBtaXN0 YWtlIHRoYXQgd2UgbmVlZCB0byBmaXguCisKKyAgICAgICAgKiBTY3JpcHRzL3dlYmtpdHB5L3Rv b2wvY29tbWFuZHMvZWFybHl3YXJuaW5nc3lzdGVtLnB5OgorICAgICAgICAoQWJzdHJhY3RFYXJs eVdhcm5pbmdTeXN0ZW0uX3Bvc3RfcmVqZWN0X21lc3NhZ2Vfb25fYnVnKTogQmFpbCBvdXQgZWFy bHkgaWYgd2UgY2Fubm90CisgICAgICAgIGFjY2VzcyB0aGUgYnVnLgorICAgICAgICAqIFNjcmlw dHMvd2Via2l0cHkvdG9vbC9jb21tYW5kcy9xdWV1ZXMucHk6CisgICAgICAgIChQYXRjaFByb2Nl c3NpbmdRdWV1ZS5fY2FuX2FjY2Vzc19idWcpOiBBZGRlZC4KKyAgICAgICAgKFBhdGNoUHJvY2Vz c2luZ1F1ZXVlLl91cGxvYWRfcmVzdWx0c19hcmNoaXZlX2Zvcl9wYXRjaCk6IE9ubHkgYWRkIGFu IGF0dGFjaG1lbnQgaWYgd2UKKyAgICAgICAgY2FuIGFjY2VzcyB0aGUgYnVnLgorICAgICAgICAo Q29tbWl0UXVldWUucHJvY2Vzc193b3JrX2l0ZW0pOiBPbmx5IHBvc3QgYSByZWplY3Rpb24gY29t bWVudCAoaS5lLiBjYWxsIENvbW1pdHRlclZhbGlkYXRvcnJlamVjdF9wYXRjaF9mcm9tX2NvbW1p dF9xdWV1ZSgpKQorICAgICAgICBpZiB3ZSBjYW4gYWNjZXNzIHRoZSBidWcuCisKKzIwMTgtMDYt MTkgIERhbmllbCBCYXRlcyAgPGRhYmF0ZXNAYXBwbGUuY29tPgorCiAgICAgICAgIEltcGxlbWVu dCBFV1MgcmVhbC10aW1lIHBhdGNoIHN0YXR1cyB1cGRhdGVzIGFuZCB0YWlsIGxvZ2dpbmcKICAg ICAgICAgaHR0cHM6Ly9idWdzLndlYmtpdC5vcmcvc2hvd19idWcuY2dpP2lkPTE4NjgyMwogCmRp ZmYgLS1naXQgYS9Ub29scy9TY3JpcHRzL3dlYmtpdHB5L3Rvb2wvY29tbWFuZHMvZWFybHl3YXJu aW5nc3lzdGVtLnB5IGIvVG9vbHMvU2NyaXB0cy93ZWJraXRweS90b29sL2NvbW1hbmRzL2Vhcmx5 d2FybmluZ3N5c3RlbS5weQppbmRleCA3YTIwMDczNjhlNDBmMjFmMjkwZGYxYjhjOWI2YjhmN2I2 MTg1M2RmLi5jZDJkOGZiYzgzM2Y1Y2I3ZjgwNGM2Mzk4M2NjZmI2MGRiYzI3MjZhIDEwMDY0NAot LS0gYS9Ub29scy9TY3JpcHRzL3dlYmtpdHB5L3Rvb2wvY29tbWFuZHMvZWFybHl3YXJuaW5nc3lz dGVtLnB5CisrKyBiL1Rvb2xzL1NjcmlwdHMvd2Via2l0cHkvdG9vbC9jb21tYW5kcy9lYXJseXdh cm5pbmdzeXN0ZW0ucHkKQEAgLTg5LDYgKzg5LDggQEAgY2xhc3MgQWJzdHJhY3RFYXJseVdhcm5p bmdTeXN0ZW0oQWJzdHJhY3RSZXZpZXdRdWV1ZSwgRWFybHlXYXJuaW5nU3lzdGVtVGFza0RlbGUK ICAgICAgICAgICAgIG1lc3NhZ2UgKz0gIlxuXG4lcyIgJSBleHRyYV9tZXNzYWdlX3RleHQKICAg ICAgICAgIyBGSVhNRTogV2UgbWlnaHQgd2FudCB0byBhZGQgc29tZSB0ZXh0IGFib3V0IHJlamVj dGluZyBmcm9tIHRoZSBjb21taXQtcXVldWUgaW4KICAgICAgICAgIyB0aGUgY2FzZSB3aGVyZSBw YXRjaC5jb21taXRfcXVldWUoKSBpc24ndCBhbHJlYWR5IHNldCB0byAnLScuCisgICAgICAgIGlm IG5vdCBzZWxmLl9jYW5fYWNjZXNzX2J1ZyhwYXRjaC5idWdfaWQoKSk6CisgICAgICAgICAgICBy ZXR1cm4KICAgICAgICAgaWYgc2VsZi53YXRjaGVyczoKICAgICAgICAgICAgIHRvb2wuYnVncy5h ZGRfY2NfdG9fYnVnKHBhdGNoLmJ1Z19pZCgpLCBzZWxmLndhdGNoZXJzKQogICAgICAgICB0b29s LmJ1Z3Muc2V0X2ZsYWdfb25fYXR0YWNobWVudChwYXRjaC5pZCgpLCAiY29tbWl0LXF1ZXVlIiwg Ii0iLCBtZXNzYWdlKQpkaWZmIC0tZ2l0IGEvVG9vbHMvU2NyaXB0cy93ZWJraXRweS90b29sL2Nv bW1hbmRzL3F1ZXVlcy5weSBiL1Rvb2xzL1NjcmlwdHMvd2Via2l0cHkvdG9vbC9jb21tYW5kcy9x dWV1ZXMucHkKaW5kZXggODBkOGM4NDU1ZDljYzY4MWQ5ZWU4YzIxZmI4MGRhOGQ3NGQzZTcxYi4u NTEwNDU3Y2JiZmQ5NjY2NTdlYjFiZGY4ZThjNjM0NjU4NjQ3MDM4NSAxMDA2NDQKLS0tIGEvVG9v bHMvU2NyaXB0cy93ZWJraXRweS90b29sL2NvbW1hbmRzL3F1ZXVlcy5weQorKysgYi9Ub29scy9T Y3JpcHRzL3dlYmtpdHB5L3Rvb2wvY29tbWFuZHMvcXVldWVzLnB5CkBAIC0zMDQsNiArMzA0LDEz IEBAIGNsYXNzIFBhdGNoUHJvY2Vzc2luZ1F1ZXVlKEFic3RyYWN0UGF0Y2hRdWV1ZSk6CiAKICAg ICAgICAgc2VsZi5fY3JlYXRlX3BvcnQoKQogCisgICAgIyBGSVhNRTogQnVnemlsbGEgbWVtYmVy IGZ1bmN0aW9ucyBzaG91bGQgcGVyZm9ybSB0aGlzIGNoZWNrIGFzIHRoZXkgY2FuIGRvIGl0IGFz IHBhcnQgb2YgdGhlIHNhbWUKKyAgICAjIG5ldHdvcmsgcmVxdWVzdC4gVGhpcyB3b3VsZCBhbHNv IGF2b2lkIGJ1Z3Mgd2hlcmUgdGhlIGFjY2VzcyBvZiB0aGUgQnVnemlsbGEgYnVnIGNoYW5nZXMg YmV0d2VlbgorICAgICMgdGhlIHRpbWUtb2YtY2hlY2sgKGNhbGxpbmcgdGhpcyBmdW5jdGlvbikg YW5kIHRpbWUtb2YtdXNlICh3aGVuIHdlIGFzayBCdWd6aWxsYSB0byBwZXJmb3JtIHRoZQorICAg ICMgYWN0dWFsIG9wZXJhdGlvbikuCisgICAgZGVmIF9jYW5fYWNjZXNzX2J1ZyhzZWxmLCBidWdf aWQpOgorICAgICAgICByZXR1cm4gYm9vbChzZWxmLl90b29sLmJ1Z3MuZmV0Y2hfYnVnKGJ1Z19p ZCkpCisKICAgICBkZWYgX3VwbG9hZF9yZXN1bHRzX2FyY2hpdmVfZm9yX3BhdGNoKHNlbGYsIHBh dGNoLCByZXN1bHRzX2FyY2hpdmVfemlwKToKICAgICAgICAgaWYgbm90IHNlbGYuX3BvcnQ6CiAg ICAgICAgICAgICBzZWxmLl9jcmVhdGVfcG9ydCgpCkBAIC0zMjEsNyArMzI4LDggQEAgY2xhc3Mg UGF0Y2hQcm9jZXNzaW5nUXVldWUoQWJzdHJhY3RQYXRjaFF1ZXVlKToKICAgICAgICAgIyBGSVhN RTogV2UgY291bGQgZWFzaWx5IGxpc3QgdGhlIHRlc3QgZmFpbHVyZXMgZnJvbSB0aGUgYXJjaGl2 ZSBoZXJlLAogICAgICAgICAjIGN1cnJlbnRseSBjYWxsZXJzIGRvIHRoYXQgc2VwYXJhdGVseS4K ICAgICAgICAgY29tbWVudF90ZXh0ICs9IEJvdEluZm8oc2VsZi5fdG9vbCwgc2VsZi5fcG9ydC5u YW1lKCkpLnN1bW1hcnlfdGV4dCgpCi0gICAgICAgIHNlbGYuX3Rvb2wuYnVncy5hZGRfYXR0YWNo bWVudF90b19idWcocGF0Y2guYnVnX2lkKCksIHJlc3VsdHNfYXJjaGl2ZV9maWxlLCBkZXNjcmlw dGlvbiwgZmlsZW5hbWU9ImxheW91dC10ZXN0LXJlc3VsdHMuemlwIiwgY29tbWVudF90ZXh0PWNv bW1lbnRfdGV4dCkKKyAgICAgICAgaWYgc2VsZi5fY2FuX2FjY2Vzc19idWcocGF0Y2guYnVnX2lk KCkpOgorICAgICAgICAgICAgc2VsZi5fdG9vbC5idWdzLmFkZF9hdHRhY2htZW50X3RvX2J1Zyhw YXRjaC5idWdfaWQoKSwgcmVzdWx0c19hcmNoaXZlX2ZpbGUsIGRlc2NyaXB0aW9uLCBmaWxlbmFt ZT0ibGF5b3V0LXRlc3QtcmVzdWx0cy56aXAiLCBjb21tZW50X3RleHQ9Y29tbWVudF90ZXh0KQog CiAKIGNsYXNzIENvbW1pdFF1ZXVlKFBhdGNoUHJvY2Vzc2luZ1F1ZXVlLCBTdGVwU2VxdWVuY2VF cnJvckhhbmRsZXIsIENvbW1pdFF1ZXVlVGFza0RlbGVnYXRlKToKQEAgLTM1NSw4ICszNjMsOSBA QCBjbGFzcyBDb21taXRRdWV1ZShQYXRjaFByb2Nlc3NpbmdRdWV1ZSwgU3RlcFNlcXVlbmNlRXJy b3JIYW5kbGVyLCBDb21taXRRdWV1ZVRhcwogICAgICAgICAgICAgc2VsZi5fZGlkX2Vycm9yKHBh dGNoLCAiJXMgZGlkIG5vdCBwcm9jZXNzIHBhdGNoLiBSZWFzb246ICVzIiAlIChzZWxmLm5hbWUs IGVycm9yLmZhaWx1cmVfbWVzc2FnZSkpCiAgICAgICAgICAgICByZXR1cm4gRmFsc2UKICAgICAg ICAgZXhjZXB0IFNjcmlwdEVycm9yIGFzIGU6Ci0gICAgICAgICAgICB2YWxpZGF0b3IgPSBDb21t aXR0ZXJWYWxpZGF0b3Ioc2VsZi5fdG9vbCkKLSAgICAgICAgICAgIHZhbGlkYXRvci5yZWplY3Rf cGF0Y2hfZnJvbV9jb21taXRfcXVldWUocGF0Y2guaWQoKSwgc2VsZi5fZXJyb3JfbWVzc2FnZV9m b3JfYnVnKHRhc2ssIHBhdGNoLCBlKSkKKyAgICAgICAgICAgIGlmIHNlbGYuX2Nhbl9hY2Nlc3Nf YnVnKHBhdGNoLmJ1Z19pZCgpKToKKyAgICAgICAgICAgICAgICB2YWxpZGF0b3IgPSBDb21taXR0 ZXJWYWxpZGF0b3Ioc2VsZi5fdG9vbCkKKyAgICAgICAgICAgICAgICB2YWxpZGF0b3IucmVqZWN0 X3BhdGNoX2Zyb21fY29tbWl0X3F1ZXVlKHBhdGNoLmlkKCksIHNlbGYuX2Vycm9yX21lc3NhZ2Vf Zm9yX2J1Zyh0YXNrLCBwYXRjaCwgZSkpCiAgICAgICAgICAgICByZXN1bHRzX2FyY2hpdmUgPSB0 YXNrLnJlc3VsdHNfYXJjaGl2ZV9mcm9tX3BhdGNoX3Rlc3RfcnVuKHBhdGNoKQogICAgICAgICAg ICAgaWYgcmVzdWx0c19hcmNoaXZlOgogICAgICAgICAgICAgICAgIHNlbGYuX3VwbG9hZF9yZXN1 bHRzX2FyY2hpdmVfZm9yX3BhdGNoKHBhdGNoLCByZXN1bHRzX2FyY2hpdmUpCg==