publicsuffix / list

The Public Suffix List
https://publicsuffix.org/
Mozilla Public License 2.0

Security advisory not functional #2086

Open groundcat opened 1 month ago

groundcat commented 1 month ago

https://github.com/publicsuffix/list/blob/4f58803a4353778a3ddd337f55e15ac6e7c3ce67/SECURITY.md?plain=1#L11

The security advisory link https://github.com/publicsuffix/list/security/advisories/new (added from #1856) is currently not functional and may require some setup to be completed, if necessary.

weppos commented 1 month ago

@groundcat can you provide a screenshot or explain why it's not functional? I followed the link and I was able to access a form to submit a report.

But since I have admin rights in the repo, perhaps it's working differently. I will need an external example.

felixfontein commented 1 month ago

I get a regular GitHub 404 page: [screenshot attached]

dnsguru commented 4 weeks ago

The PSL is a static text file. I still scratch my head as to why tf we need to have any security advisory like this for ANY practical reason.

simon-friedberger commented 3 weeks ago

Because we have things like GitHub Actions which are really easy to mess up in a way they give people write access to the repo. 😞

simon-friedberger commented 3 weeks ago

Could one of the admins please enable private reporting as described here: https://docs.github.com/en/code-security/security-advisories/working-with-repository-security-advisories/configuring-private-vulnerability-reporting-for-a-repository#enabling-or-disabling-private-vulnerability-reporting-for-a-repository

mozfreddyb commented 1 week ago

This was already discussed in #1856 and we agreed that it would be good to allow for reports related to list infra, not list entries. The security file reflects this decision (as well as the discussion in the pull request).

We should just make that change, as suggested by simon above.

simon-friedberger commented 6 days ago

@weppos Would you mind? Or just make me an admin maybe?

weppos commented 5 hours ago

I enabled the feature. Can someone give it another try and confirm it works? I am unable to test, as an admin I could already access it before.

felixfontein commented 4 hours ago

It seems to work. I can access the form, and was able to submit a test report (it now says "Thank you for reporting a vulnerability to publicsuffix/list. Maintainers have been notified and will review your submission.").

simon-friedberger commented 4 hours ago

@weppos Just FYI: It seems I cannot see the submissions on GitHub so yall will have to handle them.

weppos commented 2 hours ago

@weppos Just FYI: It seems I cannot see the submissions on GitHub so yall will have to handle them.

This is strange. According to GitHub, you should be able to manage them.

[Two screenshots attached, 2024-09-12]