Opened 6 years ago

Closed 5 years ago

#57 closed change (rejected)

Set up RhodeCode

Reported by: fhd
Assignee: AAlvz
Priority: P4
Milestone:
Module: Infrastructure
Keywords:
Cc: matze
Blocked By:
Blocking:
Platform: Unknown
Ready: no
Confidential: no
Tester:
Verified working: no
Review URL(s):

https://github.com/adblockplus/infrastructure/pull/1

Description

Background

We want to use RhodeCode.

What to change

Set up RhodeCode.

Change History (9)

comment:1 Changed 6 years ago by fhd

  • Reporter changed from philll to fhd

comment:2 Changed 6 years ago by fhd

  • Priority changed from Unknown to P4

comment:3 Changed 6 years ago by AAlvz

Pull request sent.

RhodeCode module (Hg) automatic installer.

(installer is downloaded, configurations are on private module)

Added node to vagrant.

https://github.com/adblockplus/infrastructure/pull/1

comment:4 follow-up: Changed 6 years ago by fhd

  • Cc christian added
  • in_progress set to 0
  • Ready unset
  • Status changed from new to reviewing

Sorry for not getting around to this earlier, we'll review it now.

Christian, can you have a look first here? You should be able to comment on the PR since you're in the adblockplus organisation on GitHub.

comment:5 Changed 6 years ago by fhd

  • Ready set

comment:6 Changed 6 years ago by fhd

  • Review URL(s) modified (diff)

comment:7 in reply to: ↑ 4 Changed 6 years ago by christian

Replying to fhd:

Sorry for not getting around to this earlier, we'll review it now.

Christian, can you have a look first here? You should be able to comment on the PR since you're in the adblockplus organisation on GitHub.

I'm looking into it.

comment:8 Changed 6 years ago by christian

  • Owner set to AAlvz

comment:9 Changed 5 years ago by trev

  • Cc matze added; christian removed
  • Platform set to Unknown
  • Ready unset
  • Resolution set to rejected
  • Status changed from reviewing to closed

Removing "ready" flag and closing as "rejected".

RhodeCode is no longer an open source project. That in itself isn't an issue, however I noticed that their approach to XSS prevention is "let's escape stuff manually." Recently, a fork called Kallithea fixed an XSS vulnerability that they apparently inherited from RhodeCode. Not only is it a really bad fix (adding escaping in the controller on top of the escaping performed in the template), it is also incomplete and leaves more vulnerabilities open. I tested a live RhodeCode instance and they seem to have applied exactly the same fix as Kallithea. I could easily reproduce another XSS vulnerability, one that wasn't covered by that fix.

The summary is unfortunately: neither RhodeCode nor Kallithea seem terribly competent as far as web application security goes. It isn't about individual bugs, their security architecture is inherently flawed.
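The closing comment contrasts two escaping models: a template engine that escapes every substituted value at output time, and a controller that escapes selected fields by hand. The following added example (not code from the ticket, from RhodeCode or from Kallithea) uses a toy template renderer to show why the criticised fix is both wrong and incomplete: escaping in the controller on top of an escaping template double-encodes the data, while escaping only in the controller leaves any field the developer forgot to list unprotected. The template syntax, the function names and the sample commit record are all constructed for this illustration.

```python
"""Added example: compare template auto-escaping with manual controller escaping.

Everything here (template syntax, function names, sample data) is an
assumption of the example, not the behaviour of any real project.
"""
import html
import re

# Minimal template language: {{ name }} substitutes a variable.
# Stands in for a real template engine (constructed for this example).
_VAR = re.compile(r"\{\{\s*(\w+)\s*\}\}")


def render_autoescape(template: str, context: dict) -> str:
    """Escape every substituted value at output time.

    The escaping decision is made once, for every variable, so a field the
    controller did not think about is still covered.
    """
    return _VAR.sub(lambda m: html.escape(str(context[m.group(1)]), quote=True), template)


def render_raw(template: str, context: dict) -> str:
    """Substitute values verbatim: the 'escape stuff manually' model, where the
    controller must escape before data reaches the template."""
    return _VAR.sub(lambda m: str(context[m.group(1)]), template)


def controller_manual_escape(commit: dict) -> dict:
    """A controller that escapes only the field it was told about.

    This mirrors the per-field pattern the comment criticises: 'message' is
    escaped, 'author' is passed through untouched.
    """
    return {"message": html.escape(commit["message"], quote=True), "author": commit["author"]}


PAGE = "<li>{{ message }} by {{ author }}</li>"

# Constructed sample commit with markup in two user-controlled fields.
COMMIT = {"message": "fix <b>bug</b>", "author": "<i>eve</i>"}


def escaping_outcomes() -> dict:
    """Render the page under the three strategies so they can be compared."""
    # 1. Template auto-escaping alone: every field is neutralised.
    auto_only = render_autoescape(PAGE, COMMIT)

    # 2. Controller escaping on top of template escaping: the message is
    #    escaped twice, so the user sees a literal '&lt;b&gt;' on the page.
    double = render_autoescape(PAGE, controller_manual_escape(COMMIT))

    # 3. Controller escaping with a non-escaping template: the handled field
    #    is safe, but the one the controller missed is emitted verbatim.
    manual_only = render_raw(PAGE, controller_manual_escape(COMMIT))

    return {"auto_only": auto_only, "double_escaped": double, "manual_only": manual_only}


def contains_raw_tag(rendered: str, tag: str) -> bool:
    """Detection helper: does the rendered page still contain an unescaped <tag>?"""
    return f"<{tag}>" in rendered


if __name__ == "__main__":
    for name, out in escaping_outcomes().items():
        print(f"{name:15} {out}")
```

The `contains_raw_tag` check is the kind of assertion a template-level test suite can run over every rendered view: with output-time escaping it passes for all fields without any per-field work in the controllers, which is the architectural point the comment makes.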
