Making WordPress.org

Opened 4 months ago

Last modified 4 months ago

#5744 new defect

For plugins using release confirmation, email confirmation is not required to add/remove committers.

Reported by: wfmatt
Owned by:
Milestone:
Priority: normal
Component: Plugin Directory
Keywords:
Cc:

Description

Currently the release confirmation for plugin releases will email all plugin committers a link with an access token to verify the plugin release is ready to go live. From a security perspective, a compromised wp.org account with commit access to a plugin won't be able to approve of a new plugin release without also having access to the account's email address. But the compromised account can add a committer account which they control to the plugin which bypasses this security feature.

Additionally, a compromised account can update the email address of the victim account without verification of the victim email address which would also bypass this feature.

There were a few features mentioned in the original ticket for this feature that I think would be good to include:

List item 5 here: #5352

Ideally, the committer who committed the release would not be able to be the sole person who approves the release as well, which would effectively make this always a 2+ person scenario. Maybe an exception could be that the same person can sign it off, as long as it's not forcefully enabled for the plugin due to level of usage.

I saw some push back in the discussion. I think this would be good to have even though it doesn't necessarily address this issue. I think making it configurable by plugin developers would help address some of the concerns. For instance, being able to set release confirmations to 2 approvals, but not be able to decrease that without involving the plugins or meta team.

List item 7:

Only those who have been a committer on a plugin for >1 week should be able to sign off a release. (Also, Committers should know when a new committer is added - #5351)

This would be good to include as a feature that would help to address this issue (or at least give developers time to get ahead of a potential compromise). I don't see it implemented anywhere in the confirmation code though. I do think having email confirmation for changes in commit access as well as updating the account email would be good to incorporate.
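The following is an added model of the policy sketched in the ticket, not code from WordPress.org or from the reporter: committer additions take effect only after a single-use token (which would be emailed to the existing committers) is confirmed, only committers of at least one week's standing may sign off, the person who committed the release cannot be its sole approver, and the approval threshold can be raised by the plugin owner but lowered only by the plugins team. The class names, the `plugins-team` role and the sample committers are assumptions made for the example.

```python
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

MIN_TENURE = timedelta(days=7)      # "committer for >1 week" rule (ticket, list item 7)
PLUGINS_TEAM = "plugins-team"       # assumed role allowed to relax a plugin's policy


class PolicyError(Exception):
    """Raised when an action is refused by the confirmation policy."""


@dataclass
class Plugin:
    slug: str
    committers: dict = field(default_factory=dict)    # username -> datetime added
    pending_adds: dict = field(default_factory=dict)  # token -> username awaiting confirmation
    required_approvals: int = 1
    independent_approver: bool = True  # release committer may not be the sole approver

    def request_add_committer(self, actor: str, new_user: str) -> str:
        """Stage a committer addition. It takes effect only via confirm_add_committer,
        so an attacker with the wp.org password also needs the confirmation token
        that would be sent to the existing committers' inboxes."""
        if actor not in self.committers:
            raise PolicyError(f"{actor} is not a committer on {self.slug}")
        token = secrets.token_urlsafe(32)
        self.pending_adds[token] = new_user
        return token

    def confirm_add_committer(self, token: str, now: datetime) -> str:
        user = self.pending_adds.pop(token, None)  # single use
        if user is None:
            raise PolicyError("unknown or already-used confirmation token")
        self.committers[user] = now  # tenure clock starts at confirmation, not request
        return user

    def set_required_approvals(self, actor_role: str, n: int) -> None:
        """Anyone may tighten the threshold; only the plugins team may loosen it."""
        if n < 1:
            raise PolicyError("at least one approval is required")
        if n < self.required_approvals and actor_role != PLUGINS_TEAM:
            raise PolicyError("lowering the approval threshold needs the plugins team")
        self.required_approvals = n


@dataclass
class PendingRelease:
    plugin: Plugin
    version: str
    committed_by: str
    approvals: set = field(default_factory=set)

    def approve(self, approver: str, now: datetime) -> bool:
        """Record a sign-off; returns True once the release may go live."""
        added = self.plugin.committers.get(approver)
        if added is None:
            raise PolicyError(f"{approver} is not a committer")
        if now - added < MIN_TENURE:
            raise PolicyError(f"{approver} has been a committer for under a week")
        self.approvals.add(approver)
        return self.is_confirmed()

    def is_confirmed(self) -> bool:
        if len(self.approvals) < self.plugin.required_approvals:
            return False
        if self.plugin.independent_approver and not (self.approvals - {self.committed_by}):
            return False  # the committer alone cannot ship their own release
        return True


def demo() -> dict:
    """Walk through the compromise scenario from the ticket with constructed data."""
    now = datetime(2024, 1, 15, tzinfo=timezone.utc)
    plugin = Plugin("example-plugin", committers={
        "alice": now - timedelta(days=400),  # long-standing account, assumed compromised
        "bob": now - timedelta(days=400),
    })
    release = PendingRelease(plugin, "2.0.0", committed_by="alice")
    out = {"alice_alone": release.approve("alice", now)}  # False: needs a second person

    # Attacker stages a sock-puppet committer; it is not a committer until confirmed.
    token = plugin.request_add_committer("alice", "mallory")
    out["mallory_before_confirm"] = "mallory" in plugin.committers  # False
    plugin.confirm_add_committer(token, now)
    try:
        release.approve("mallory", now)  # refused: under one week of tenure
        out["mallory_now"] = True
    except PolicyError:
        out["mallory_now"] = False
    # The tenure rule only buys time: after a week the puppet can sign off.
    out["mallory_later"] = release.approve("mallory", now + timedelta(days=8))

    plugin.set_required_approvals("owner", 2)
    try:
        plugin.set_required_approvals("owner", 1)
        out["owner_lowered"] = True
    except PolicyError:
        out["owner_lowered"] = False
    return out
```

Running `demo()` shows that the email-confirmed add and the one-week rule together stop an immediate bypass but not a patient one, which is why the ticket also asks for an independent second approver; the `independent_approver` flag is what enforces that last step.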

Change History (1)

#1 in reply to: ↑ description @dd32
4 months ago

Replying to wfmatt:

Ideally, the committer who committed the release would not be able to be the sole person who approves the release as well, which would effectively make this always a 2+ person scenario. Maybe an exception could be that the same person can sign it off, as long as it's not forcefully enabled for the plugin due to level of usage.

I saw some push back in the discussion. I think this would be good to have even though it doesn't necessarily address this issue. I think making it configurable by plugin developers would help address some of the concerns. For instance, being able to set release confirmations to 2 approvals, but not be able to decrease that without involving the plugins or meta team.

This is possible by contacting the plugins team, who can enable multi-sign-off. It can't be made opt-in through the plugin admin, as many plugin authors already enable single-sign-off "accidentally" despite the two warnings, because they "want to see if it will actually enable".
