Re: Permission to allow testing harness to send error reports for pgweb directly to mailing list.

From: Daniel Gustafsson <daniel(at)yesql(dot)se>
To: Akshat Jaimini <destrex271(at)gmail(dot)com>
Cc: pgsql-www(at)lists(dot)postgresql(dot)org, Magnus Hagander <magnus(at)hagander(dot)net>
Subject: Re: Permission to allow testing harness to send error reports for pgweb directly to mailing list.
Date: 2023-10-06 12:38:35
Message-ID: 433F3C16-B91E-45D1-8C5A-E1AAEAA2541C@yesql.se
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-www

> On 6 Oct 2023, at 08:05, Akshat Jaimini <destrex271(at)gmail(dot)com> wrote:
>
> > Publishing this report to a website would handle that I think.
> I had sent a proposal/tried to start a discussion for this a few days earlier

It would probably help if you could link to a report from a run of the test
suite. I clicked through the linked repo but I was unable to see an example
testrun.

> > One question, would this test harness detect and report potential security issues like XSS?
> Security related tests were not added in the Gsoc timeline but we are planning to add them. Maybe when we add those tests we can create a separate section on the proposed website only available to some 'admins' with all these sensitive reports being displayed there.

For tests like that we must really think about scope, limiting the report isn't
useful if we publish the tests for anyone to run themselves and thus generate
the report. Malicious actors are no doubt probing the website continuously
regardless of this, but we don't necessarily need to do the job for them.

--
Daniel Gustafsson

In response to

Responses

Browse pgsql-www by date

  From Date Subject
Next Message Akshat Jaimini 2023-10-06 17:12:28 Re: Permission to allow testing harness to send error reports for pgweb directly to mailing list.
Previous Message Akshat Jaimini 2023-10-06 06:05:01 Re: Permission to allow testing harness to send error reports for pgweb directly to mailing list.