Examine individual changes
From Gentoo Wiki
This page allows you to examine the variables generated by the Abuse Filter for an individual change, and test it against filters.
Variables generated for this change
| Variable | Value |
|---|---|
Edit count of the user (user_editcount) | 312 |
Name of the user account (user_name) | 'Sam' |
Age of the user account (user_age) | 110787686 |
Page ID (page_id) | 20131 |
Page namespace (page_namespace) | 510 |
Page title (without namespace) (page_title) | 'Auditing' |
Full page title (page_prefixedtitle) | 'Project:Auditing' |
Action (action) | 'edit' |
Edit summary/reason (summary) | 'Retire K_F' |
Old content model (old_content_model) | 'wikitext' |
New content model (new_content_model) | 'wikitext' |
Old page wikitext, before the edit (old_wikitext) | '{{Project
|Name=Security Audit Project
|Description=The Security Audit Project is focused upon auditing packages for security issues. The aim of the project is to audit as many of the packages available through Gentoo Linux stable Portage tree as possible for potential flaws.
|Email=security-audit@gentoo.org
|IRC=#gentoo-security
|ParentProject=Project:Security
|PropagatesMembers=No
|LeadElectionDate=2019/04/25
|Members={{Project Member
|Developer=User:Zx2c4
|Role=Lead
|IsLead=Yes
}}{{Project Member
|Developer=User:K f
|IsLead=No
}}
}}
== Auditing methodology ==
=== Scope ===
Due to the sheer size of the portage tree, it is infeasible for this project to be able to audit all the packages. The system of prioritizing is based on the time, risk factor, motivation and skills necessary to audit a given package.
=== Tools ===
There are several packages available within the portage tree which are designed to aid source code audits. Some of the these include:
* {{Package|dev-util/flawfinder}}
* {{Package|dev-util/rats}}
* {{Package|dev-util/pscan}}
* {{Package|app-forensics/examiner}}
* {{Package|dev-util/splint}}
Each of the general scanning tools will include output describing the flaw detected, and possibly giving advice on how the code can be fixed. For example the following is taken from the output of RATS describing the dangers of getenv: ''"Environment variables are highly untrustable input. They may be of any length, and contain any data. Do not make any assumptions regarding content or length. If at all possible avoid using them, and if it is necessary, sanitize them and truncate them to a reasonable length."''
If you need any further advice on how to correct a hole which has been reported you should study a book on programming securely, such as the [http://www.dwheeler.com/secure-programs/ Secure Programming for Linux and Unix HOWTO] by David A. Wheeler or the [https://www.securecoding.cert.org/confluence/display/seccode/CERT+C+Coding+Standard C Secure Coding Standard] by CERT (Remember that when reporting security issues a patch closing the hole is greatly appreciated).
=== Submitting found flaws ===
When you find a vulnerability, you should write a vulnerability description and submit it for peer-review as a new security bug (with "Gentoo Security" as product and "Auditing" as component, restricted to Gentoo Security). Other auditors (and security team members) will double-check what you found, ensure that it is indeed a bug with a security impact.
When it has been thoroughly peer-reviewed, it will be cleared to go upstream as a "Gentoo Security Audit Subproject" sighting. Depending on its severity and how the package is common amongst distributions, it might need to be coordinated with vendor-sec for coordinated release and CVE number attribution.
{{Important|Please do not submit non-peer-reviewed vulnerabilities to any disclosure channel (including upstream) under the Gentoo name or a gentoo.org email address. Nothing hurts more our credibility than issuing Gentoo-branded bogus vulnerability reports.}}' |
New page wikitext, after the edit (new_wikitext) | '{{Project
|Name=Security Audit Project
|Description=The Security Audit Project is focused upon auditing packages for security issues. The aim of the project is to audit as many of the packages available through Gentoo Linux stable Portage tree as possible for potential flaws.
|Email=security-audit@gentoo.org
|IRC=#gentoo-security
|ParentProject=Project:Security
|PropagatesMembers=No
|LeadElectionDate=2019/04/25
|Members={{Project Member
|Developer=User:Zx2c4
|Role=Lead
|IsLead=Yes
}}
}}
== Auditing methodology ==
=== Scope ===
Due to the sheer size of the portage tree, it is infeasible for this project to be able to audit all the packages. The system of prioritizing is based on the time, risk factor, motivation and skills necessary to audit a given package.
=== Tools ===
There are several packages available within the portage tree which are designed to aid source code audits. Some of the these include:
* {{Package|dev-util/flawfinder}}
* {{Package|dev-util/rats}}
* {{Package|dev-util/pscan}}
* {{Package|app-forensics/examiner}}
* {{Package|dev-util/splint}}
Each of the general scanning tools will include output describing the flaw detected, and possibly giving advice on how the code can be fixed. For example the following is taken from the output of RATS describing the dangers of getenv: ''"Environment variables are highly untrustable input. They may be of any length, and contain any data. Do not make any assumptions regarding content or length. If at all possible avoid using them, and if it is necessary, sanitize them and truncate them to a reasonable length."''
If you need any further advice on how to correct a hole which has been reported you should study a book on programming securely, such as the [http://www.dwheeler.com/secure-programs/ Secure Programming for Linux and Unix HOWTO] by David A. Wheeler or the [https://www.securecoding.cert.org/confluence/display/seccode/CERT+C+Coding+Standard C Secure Coding Standard] by CERT (Remember that when reporting security issues a patch closing the hole is greatly appreciated).
=== Submitting found flaws ===
When you find a vulnerability, you should write a vulnerability description and submit it for peer-review as a new security bug (with "Gentoo Security" as product and "Auditing" as component, restricted to Gentoo Security). Other auditors (and security team members) will double-check what you found, ensure that it is indeed a bug with a security impact.
When it has been thoroughly peer-reviewed, it will be cleared to go upstream as a "Gentoo Security Audit Subproject" sighting. Depending on its severity and how the package is common amongst distributions, it might need to be coordinated with vendor-sec for coordinated release and CVE number attribution.
{{Important|Please do not submit non-peer-reviewed vulnerabilities to any disclosure channel (including upstream) under the Gentoo name or a gentoo.org email address. Nothing hurts more our credibility than issuing Gentoo-branded bogus vulnerability reports.}}' |
Unified diff of changes made by edit (edit_diff) | '@@ -11,7 +11,4 @@
|Role=Lead
|IsLead=Yes
-}}{{Project Member
-|Developer=User:K f
-|IsLead=No
}}
}}
' |
Old page size (old_size) | 3080 |
Lines added in edit (added_lines) | [] |
Lines removed in edit (removed_lines) | [
0 => '}}{{Project Member',
1 => '|Developer=User:K f',
2 => '|IsLead=No'
] |
New page text, stripped of any markup (new_text) | '
Security Audit Project
Description
The Security Audit Project is focused upon auditing packages for security issues. The aim of the project is to audit as many of the packages available through Gentoo Linux stable Portage tree as possible for potential flaws.
Project email
security-audit@gentoo.org
IRC channel
#gentoo-security
Lead(s)
Jason A. Donenfeld
(zx2c4)Lead Last elected: 2019/04/25
Member(s)
Kristian Fiskerstrand
(k_f)
Subproject(s)(and inherited member(s))
(none)
Parent Project
Security Project
Project listing
Contents
1 Auditing methodology
1.1 Scope
1.2 Tools
1.3 Submitting found flaws
Auditing methodology[edit | edit source]
Scope[edit | edit source]
Due to the sheer size of the portage tree, it is infeasible for this project to be able to audit all the packages. The system of prioritizing is based on the time, risk factor, motivation and skills necessary to audit a given package.
Tools[edit | edit source]
There are several packages available within the portage tree which are designed to aid source code audits. Some of the these include:
dev-util/flawfinder
dev-util/rats
dev-util/pscan
app-forensics/examiner
dev-util/splint
Each of the general scanning tools will include output describing the flaw detected, and possibly giving advice on how the code can be fixed. For example the following is taken from the output of RATS describing the dangers of getenv: "Environment variables are highly untrustable input. They may be of any length, and contain any data. Do not make any assumptions regarding content or length. If at all possible avoid using them, and if it is necessary, sanitize them and truncate them to a reasonable length."
If you need any further advice on how to correct a hole which has been reported you should study a book on programming securely, such as the Secure Programming for Linux and Unix HOWTO by David A. Wheeler or the C Secure Coding Standard by CERT (Remember that when reporting security issues a patch closing the hole is greatly appreciated).
Submitting found flaws[edit | edit source]
When you find a vulnerability, you should write a vulnerability description and submit it for peer-review as a new security bug (with "Gentoo Security" as product and "Auditing" as component, restricted to Gentoo Security). Other auditors (and security team members) will double-check what you found, ensure that it is indeed a bug with a security impact.
When it has been thoroughly peer-reviewed, it will be cleared to go upstream as a "Gentoo Security Audit Subproject" sighting. Depending on its severity and how the package is common amongst distributions, it might need to be coordinated with vendor-sec for coordinated release and CVE number attribution.
ImportantPlease do not submit non-peer-reviewed vulnerabilities to any disclosure channel (including upstream) under the Gentoo name or a gentoo.org email address. Nothing hurts more our credibility than issuing Gentoo-branded bogus vulnerability reports.' |
Parsed HTML source of the new revision (new_html) | '<div class="mw-parser-output"><table class="table table-condensed" style="width: 30em; font-size: 95%; border: 1px solid #ddd; background-color: #f9f9f9; color: black; margin-bottom: 0.5em; margin-left: 1em; padding: 0.2em; float: right; clear: right; text-align:left;">
<tbody><tr>
<th style="text-align: center; background-color:#3E355A; color: white;" colspan="2"><big>Security Audit Project</big>
</th></tr>
<tr valign="top">
<th>Description
</th>
<td style="text-align: justify;">The Security Audit Project is focused upon auditing packages for security issues. The aim of the project is to audit as many of the packages available through Gentoo Linux stable Portage tree as possible for potential flaws.
</td></tr>
<tr>
<th><span title="Mails to member(s) listed below.">Project email</span>
</th>
<td><a rel="nofollow" class="external text" href="mailto:security-audit@gentoo.org">security-audit@gentoo.org</a>
</td></tr>
<tr>
<th><span title="The link opens a webchat to this project's Freenode IRC channel.">IRC channel</span>
</th>
<td><a rel="nofollow" class="external text" href="https://webchat.freenode.net/?channels=gentoo-security">#gentoo-security</a>
</td></tr>
<tr valign="top">
<th>Lead(s)
</th>
<td><ul><li><a href="/wiki/User:Zx2c4" title="User:Zx2c4">Jason A. Donenfeld</a>
(zx2c4)<br /><i>Lead</i></li></ul> <br />Last elected: 2019/04/25
</td></tr>
<tr valign="top">
<th>Member(s)
</th>
<td><ul><li><a href="/wiki/User:K_f" title="User:K f">Kristian Fiskerstrand</a>
(k_f)</li></ul>
</td></tr>
<tr valign="top">
<th>Subproject(s)<br /><small style="font-weight: normal;">(and inherited member(s))</small>
</th>
<td>(none)
</td></tr>
<tr>
<th>Parent Project
</th>
<td><a href="/wiki/Project:Security" title="Project:Security">Security Project</a>
</td></tr>
<tr>
<td colspan="2" style="border-top: 1px solid #ddd; font-size: smaller; text-align: center;"><a href="/wiki/Project:Gentoo" title="Project:Gentoo">Project listing</a>
</td></tr></tbody></table>
<div id="toc" class="toc" role="navigation" aria-labelledby="mw-toc-heading"><input type="checkbox" role="button" id="toctogglecheckbox" class="toctogglecheckbox" style="display:none" /><div class="toctitle" lang="en" dir="ltr"><h2 id="mw-toc-heading">Contents</h2><span class="toctogglespan"><label class="toctogglelabel" for="toctogglecheckbox"></label></span></div>
<ul>
<li class="toclevel-1 tocsection-1"><a href="#Auditing_methodology"><span class="tocnumber">1</span> <span class="toctext">Auditing methodology</span></a>
<ul>
<li class="toclevel-2 tocsection-2"><a href="#Scope"><span class="tocnumber">1.1</span> <span class="toctext">Scope</span></a></li>
<li class="toclevel-2 tocsection-3"><a href="#Tools"><span class="tocnumber">1.2</span> <span class="toctext">Tools</span></a></li>
<li class="toclevel-2 tocsection-4"><a href="#Submitting_found_flaws"><span class="tocnumber">1.3</span> <span class="toctext">Submitting found flaws</span></a></li>
</ul>
</li>
</ul>
</div>
<h2><span class="mw-headline" id="Auditing_methodology">Auditing methodology</span><span class="mw-editsection"><span class="mw-editsection-bracket">[</span><a href="/index.php?title=Project:Auditing&veaction=edit&section=1" class="mw-editsection-visualeditor" title="Edit section: Auditing methodology">edit</a><span class="mw-editsection-divider"> | </span><a href="/index.php?title=Project:Auditing&action=edit&section=1" title="Edit section: Auditing methodology">edit source</a><span class="mw-editsection-bracket">]</span></span></h2>
<h3><span class="mw-headline" id="Scope">Scope</span><span class="mw-editsection"><span class="mw-editsection-bracket">[</span><a href="/index.php?title=Project:Auditing&veaction=edit&section=2" class="mw-editsection-visualeditor" title="Edit section: Scope">edit</a><span class="mw-editsection-divider"> | </span><a href="/index.php?title=Project:Auditing&action=edit&section=2" title="Edit section: Scope">edit source</a><span class="mw-editsection-bracket">]</span></span></h3>
<p>Due to the sheer size of the portage tree, it is infeasible for this project to be able to audit all the packages. The system of prioritizing is based on the time, risk factor, motivation and skills necessary to audit a given package.
</p>
<h3><span class="mw-headline" id="Tools">Tools</span><span class="mw-editsection"><span class="mw-editsection-bracket">[</span><a href="/index.php?title=Project:Auditing&veaction=edit&section=3" class="mw-editsection-visualeditor" title="Edit section: Tools">edit</a><span class="mw-editsection-divider"> | </span><a href="/index.php?title=Project:Auditing&action=edit&section=3" title="Edit section: Tools">edit source</a><span class="mw-editsection-bracket">]</span></span></h3>
<p>There are several packages available within the portage tree which are designed to aid source code audits. Some of the these include:
</p>
<ul><li><a rel="nofollow" class="external text" href="https://packages.gentoo.org/packages/dev-util/flawfinder">dev-util/flawfinder</a></li>
<li><a rel="nofollow" class="external text" href="https://packages.gentoo.org/packages/dev-util/rats">dev-util/rats</a></li>
<li><a rel="nofollow" class="external text" href="https://packages.gentoo.org/packages/dev-util/pscan">dev-util/pscan</a></li>
<li><a rel="nofollow" class="external text" href="https://packages.gentoo.org/packages/app-forensics/examiner">app-forensics/examiner</a></li>
<li><a rel="nofollow" class="external text" href="https://packages.gentoo.org/packages/dev-util/splint">dev-util/splint</a></li></ul>
<p>Each of the general scanning tools will include output describing the flaw detected, and possibly giving advice on how the code can be fixed. For example the following is taken from the output of RATS describing the dangers of getenv: <i>"Environment variables are highly untrustable input. They may be of any length, and contain any data. Do not make any assumptions regarding content or length. If at all possible avoid using them, and if it is necessary, sanitize them and truncate them to a reasonable length."</i>
</p><p>If you need any further advice on how to correct a hole which has been reported you should study a book on programming securely, such as the <a rel="nofollow" class="external text" href="http://www.dwheeler.com/secure-programs/">Secure Programming for Linux and Unix HOWTO</a> by David A. Wheeler or the <a rel="nofollow" class="external text" href="https://www.securecoding.cert.org/confluence/display/seccode/CERT+C+Coding+Standard">C Secure Coding Standard</a> by CERT (Remember that when reporting security issues a patch closing the hole is greatly appreciated).
</p>
<h3><span class="mw-headline" id="Submitting_found_flaws">Submitting found flaws</span><span class="mw-editsection"><span class="mw-editsection-bracket">[</span><a href="/index.php?title=Project:Auditing&veaction=edit&section=4" class="mw-editsection-visualeditor" title="Edit section: Submitting found flaws">edit</a><span class="mw-editsection-divider"> | </span><a href="/index.php?title=Project:Auditing&action=edit&section=4" title="Edit section: Submitting found flaws">edit source</a><span class="mw-editsection-bracket">]</span></span></h3>
<p>When you find a vulnerability, you should write a vulnerability description and submit it for peer-review as a new security bug (with "Gentoo Security" as product and "Auditing" as component, restricted to Gentoo Security). Other auditors (and security team members) will double-check what you found, ensure that it is indeed a bug with a security impact.
</p><p>When it has been thoroughly peer-reviewed, it will be cleared to go upstream as a "Gentoo Security Audit Subproject" sighting. Depending on its severity and how the package is common amongst distributions, it might need to be coordinated with vendor-sec for coordinated release and CVE number attribution.
</p>
<div class="alert alert-warning gw-box" style="padding-top: 8px; padding-bottom: 8px;"><strong><i class="fa fa-exclamation-circle"></i> Important</strong><br />Please do not submit non-peer-reviewed vulnerabilities to any disclosure channel (including upstream) under the Gentoo name or a gentoo.org email address. Nothing hurts more our credibility than issuing Gentoo-branded bogus vulnerability reports.</div>
' |
Unix timestamp of change (timestamp) | 1612311409 |