
Security advisory not functional #2086

Closed
groundcat opened this issue Aug 8, 2024 · 14 comments

@groundcat (Contributor)

> Please disclose it at [security advisory](https://github.com/publicsuffix/list/security/advisories/new) and send an email with the link to the newly filed issue to [[email protected]](mailto:[email protected]) to expedite the review on our end.

The security advisory link https://github.com/publicsuffix/list/security/advisories/new (added from #1856) is currently not functional and may require some setup to be completed, if necessary.

@weppos (Member) commented Aug 13, 2024

@groundcat can you provide a screenshot or explain why it's not functional? I followed the link and I was able to access a form to submit a report.

But since I have admin rights in the repo, perhaps it's working differently. I will need an external example.

@felixfontein

I get a regular GitHub 404 page:
[image: screenshot of the GitHub 404 page]

@dnsguru (Member) commented Aug 13, 2024

The PSL is a static text file. I still scratch my head as to why tf we need to have any security advisory like this for ANY practical reason.

@simon-friedberger (Contributor)

Because we have things like GitHub Actions which are really easy to mess up in a way that gives people write access to the repo. 😞
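The footgun simon-friedberger is pointing at is a workflow that runs in the base repository's privileged context (`pull_request_target`, which sees repository secrets and, unless `permissions` is restricted, a write-capable `GITHUB_TOKEN`) while checking out and executing the pull request's own code. The following is an added example, not code from this thread or from the publicsuffix/list project: a small line-oriented Python check that flags that pattern, run over two constructed workflow files (a weak one and a hardened one). It is a heuristic, not a YAML parser, and the regular expressions and sample workflows are assumptions made for the illustration.

```python
"""Heuristic check for a GitHub Actions misconfiguration: a workflow triggered by
`pull_request_target` that checks out the pull request's head commit and runs it.
`pull_request_target` runs with the base repo's secrets and a GITHUB_TOKEN that can
write unless `permissions` restricts it, so executing the PR's code there hands
control of the repo to whoever opened the PR. Line-oriented heuristic, added as an
illustration; not tooling from the publicsuffix/list project."""
import re

# `pull_request_target` used as a trigger name (mapping key, list item or inline list)
PR_TARGET = re.compile(r"\bpull_request_target\b")
# actions/checkout pointed at the incoming commit or branch
PR_HEAD_REF = re.compile(
    r"ref:\s*\$\{\{\s*github\.(event\.pull_request\.head\.(sha|ref)|head_ref)\s*\}\}"
)
# explicit read-only token scopes
READ_ONLY = re.compile(r"^\s*permissions:\s*(read-all|\{\s*\})\s*$", re.M)
CONTENTS_READ = re.compile(r"^\s*contents:\s*read\s*$", re.M)
WRITE_SCOPE = re.compile(r"^\s*\w[\w-]*:\s*write\s*$", re.M)


def strip_comments(text):
    """Drop full-line YAML comments so a commented-out trigger is not counted."""
    return "\n".join(l for l in text.splitlines() if not l.lstrip().startswith("#"))


def triggers_on_pr_target(text):
    """True if `pull_request_target` appears inside the top-level `on:` block."""
    # The block runs from `on:` to the next unindented key (or end of file).
    m = re.search(r"^on:.*?(?=^\S|\Z)", text, re.M | re.S)
    return bool(m and PR_TARGET.search(m.group(0)))


def checks_out_pr_head(text):
    """True if any step checks out the PR's head commit or branch."""
    return bool(PR_HEAD_REF.search(text))


def token_is_read_only(text):
    """True if GITHUB_TOKEN is explicitly limited to read scopes (heuristic)."""
    if READ_ONLY.search(text):
        return True
    return bool(CONTENTS_READ.search(text)) and not WRITE_SCOPE.search(text)


def assess(workflow_yaml):
    """Return a list of findings for one workflow file; an empty list means nothing flagged."""
    text = strip_comments(workflow_yaml)
    findings = []
    if not triggers_on_pr_target(text):
        return findings  # plain `pull_request` runs with read-only token and no secrets for forks
    if checks_out_pr_head(text):
        findings.append("HIGH: pull_request_target workflow checks out the PR head; "
                        "untrusted code would run with the base repo's secrets and token")
    if not token_is_read_only(text):
        findings.append("MEDIUM: pull_request_target workflow does not restrict "
                        "GITHUB_TOKEN to read-only scopes")
    return findings


# Constructed sample: privileged trigger plus checkout of the PR's own code.
WEAK_WORKFLOW = """\
name: lint
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: make lint
"""

# Constructed sample: same job on the unprivileged trigger with a read-only token.
HARDENED_WORKFLOW = """\
name: lint
on:
  pull_request:
permissions:
  contents: read
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: make lint
"""

if __name__ == "__main__":
    for label, wf in (("weak", WEAK_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(label, assess(wf) or ["ok"])
```

The hardened variant keeps the lint job on `pull_request`, where a fork's PR gets no secrets and a read-only token, and pins `permissions: contents: read` so the job cannot push even if someone later changes the trigger. Anything that genuinely needs write access for PRs (labelling, commenting) belongs in a separate workflow that never checks out or executes the PR's code.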

@publicsuffix publicsuffix deleted a comment from Apromixately Aug 21, 2024
@mozfreddyb (Contributor)

This was already discussed in #1856 and we agreed that it would be good to allow for reports related to list infra, not list entries. The security file reflects this decision (as well as the discussion in the pull request).

We should just make that change, as suggested by simon above.

@simon-friedberger (Contributor)

@weppos Would you mind? Or just make me an admin maybe?

@weppos (Member) commented Sep 12, 2024

I enabled the feature. Can someone give it another try and confirm it works? I am unable to test; as an admin I could already access it before.

@felixfontein

It seems to work. I can access the form, and was able to submit a test report (it now says "Thank you for reporting a vulnerability to publicsuffix/list. Maintainers have been notified and will review your submission.").

@simon-friedberger (Contributor)

@weppos Just FYI: It seems I cannot see the submissions on GitHub, so y'all will have to handle them.

@weppos (Member) commented Sep 12, 2024

> @weppos Just FYI: It seems I cannot see the submissions on GitHub, so y'all will have to handle them.

This is strange. According to GitHub, you should be able to manage them.

[images: two screenshots of the repository security settings, 2024-09-12 at 16:30:39 and 16:30:46]

@dnsguru (Member) commented Sep 14, 2024

Why again is this needed?

@wdhdev (Contributor) commented Sep 14, 2024

> Because we have things like GitHub Actions which are really easy to mess up in a way that gives people write access to the repo. 😞

@simon-friedberger (Contributor)

Fixed afaiu.

7 participants