[13:23:58] <zhuyifei1999_>	 infobliss: so any updates?
[13:24:22] <infobliss>	 yeah I am almost done with writing the code
[13:24:27] <zhuyifei1999_>	 k
[13:24:35] <infobliss>	 should be posting it on github today
[13:24:40] <zhuyifei1999_>	 ok
[13:24:58] <infobliss>	 experimenting with some inheritance related things now
[13:25:14] <zhuyifei1999_>	 k
[13:26:13] <infobliss>	 also https://github.com/infobliss/sibutest2/blob/master/libraries/infobox_templates.py#L59
[13:26:43] <infobliss>	 passing a simple dictionary may not work here
[13:27:46] <infobliss>	 I ma formatting it appropriatedly so that the data can be filled as desired.
[13:28:15] <infobliss>	 I am formatting it appropriately so that the data can be filled as desired.
[13:28:42] <zhuyifei1999_>	 I still don't think a single .format worth an entire function
[13:29:25] <infobliss>	 may be 
[13:30:00] <infobliss>	 some more work is necessary other than a single .format
[13:30:17] <zhuyifei1999_>	 such as?
[13:31:27] <infobliss>	 I mean just passing a dict with the given keys is not doing the job of getting the template filled
[13:32:00] <zhuyifei1999_>	 why not?
[13:32:13] <zhuyifei1999_>	 it's supposed to
[13:32:33] <infobliss>	 do you think 'parameters' is a dict?
[13:32:41] <infobliss>	 ok
[13:32:49] <zhuyifei1999_>	 yeah
[13:33:16] <zhuyifei1999_>	 or you can def fill_art_photo_template(**parameters):
[13:33:40] <infobliss>	 I wrote some tests where it did not get the values as desired
[13:33:44] <infobliss>	 ok I will try
[13:33:52] <zhuyifei1999_>	 can I see?
[13:34:00] <zhuyifei1999_>	 I mean the tests
[13:34:07] <zhuyifei1999_>	 the expected and actual results
[13:34:13] <infobliss>	 let me check where I placed the files
[13:34:22] <infobliss>	 it should be in this machine
[13:34:25] <zhuyifei1999_>	 k
[13:36:06] <infobliss>	 unfortunately not in this machine but give me a minute
[13:36:12] <infobliss>	 I will rewrite here
[13:36:14] <zhuyifei1999_>	 k
[13:43:37] <infobliss>	 https://gist.github.com/infobliss/d2bcb4498c0b211069fa5f3df8d4415a
[13:44:01] * zhuyifei1999_ tests
[13:45:17] <zhuyifei1999_>	 ...
[13:45:28] <zhuyifei1999_>	 you printed the template itself
[13:45:44] <zhuyifei1999_>	 not with the filled data
[13:46:28] <infobliss>	 ok yes
[13:46:47] <zhuyifei1999_>	 :P
[13:47:13] <infobliss>	 very silly 
[13:47:24] <zhuyifei1999_>	 lol
[13:51:20] <zhuyifei1999_>	 oh fyi I broke the security of one part of tool labs today ;)
[13:51:31] * zhuyifei1999_ admits that I'm showing off
[13:51:59] <infobliss>	 hahaha how did you do that horrible thing?
[13:52:52] <zhuyifei1999_>	 that's not horrible when you don't abuse it but rather report it so it can be fixed
[13:53:57] * zhuyifei1999_ was trying to prove the print that https://wikitech.wikimedia.org/wiki/Help:Tool_Labs#Security (redis) is bad security
[13:54:04] <infobliss>	 I mean you saved horrible things from happening
[13:54:42] <zhuyifei1999_>	 I don't think I can reveal how to do it until it get fixed, probably in a few hours
[13:55:16] <infobliss>	 aah yes :D
[13:55:59] <zhuyifei1999_>	 the report is https://phabricator.wikimedia.org/T169957
[13:56:23] <infobliss>	 "Access Denied: Restricted Task"
[13:56:53] <zhuyifei1999_>	 yeah, it might be un-hide once it is fixed
[13:57:26] <infobliss>	 ok good security measure
[13:58:13] <zhuyifei1999_>	 but it is literally three lines, one to a documentation page, one to tool labs configuration demonstrating how it is wrongly configured, one says "Proof of concept:", and after that is a paste
[13:59:25] <zhuyifei1999_>	 the paste literally contains forever-sensitive data (live redis keys), so I don't imagine it ever gets un-hide
[14:00:48] <infobliss>	 what are the possible security breaches if this remained unfixed?
[14:01:06] <zhuyifei1999_>	 it's probably the third tool-labs-wide security ticket I submitted
[14:01:24] <zhuyifei1999_>	 oh, I can control the cache of some tools
[14:01:47] <zhuyifei1999_>	 if some tools use redis as session storage, I might be able to steal sessions
[14:02:15] <zhuyifei1999_>	 basically anything you can use redis for I can corrupt it
[14:02:36] <infobliss>	 so v2c is also under threat
[14:02:42] <zhuyifei1999_>	 redis is a fast key-value storage if you are unaware
[14:02:57] <zhuyifei1999_>	 v2c use another password-protected redis server
[14:03:08] <zhuyifei1999_>	 video-redis, under video project
[14:03:12] <zhuyifei1999_>	 so it is unaffected
[14:03:36] <zhuyifei1999_>	 this bug affect those using the non-password protected server tools-redis
[14:04:55] <infobliss>	 ok I see
[14:04:57] <zhuyifei1999_>	 oh and my first ticket is an NFS setuid exploit, basically setuid to anyone on tool labs :)
[14:05:12] <zhuyifei1999_>	 which was fixed but never got un-hide
[14:06:23] <zhuyifei1999_>	 the second has not been fixed due to the difficulty of fixing, and I don't think I can say too much about it
[14:06:31] <infobliss>	 you could have been a great detective ;)
[14:06:36] <zhuyifei1999_>	 oh :P
[14:07:26] <zhuyifei1999_>	 all I can say about the second ticket is that it will allow you to act on another user's behalf on tool labs tools without them noticing
[14:08:24] <zhuyifei1999_>	 first is https://phabricator.wikimedia.org/T153073 second is https://phabricator.wikimedia.org/T157450
[14:08:28] <infobliss>	 I am not aware of many things. So is it possible for you to change code of sibutest in toollabs?
[14:08:44] <zhuyifei1999_>	 with?
[14:09:46] <infobliss>	 I mean just access and chage
[14:10:09] <zhuyifei1999_>	 oh about second ticket I meant oauth users
[14:10:45] <zhuyifei1999_>	 without finding and exploiting more bugs I'm afraid I can't cange code of sibutest
[14:10:53] <zhuyifei1999_>	 *change
[14:11:06] <infobliss>	 hahaha :)
[14:11:15] <zhuyifei1999_>	 the first bug will allow it though
[14:11:15] <infobliss>	 well said
[14:12:05] <zhuyifei1999_>	 the second, I might be able to spam using your account on some wikis :P (that's the extreme case)
[14:12:39] <infobliss>	 without getting discovered as a later stage?
[14:12:45] <infobliss>	 at
[14:13:22] <zhuyifei1999_>	 oh the attack could be made hard to discover
[14:13:40] <zhuyifei1999_>	 if I can "decorate" it as if I'm innocent
[14:13:54] <infobliss>	 cold-hearted :P
[14:14:20] <zhuyifei1999_>	 nah I won't do that of course
[14:14:35] <infobliss>	 Yeah I know.
[14:14:43] <zhuyifei1999_>	 but some real bag guys may do so
[14:14:47] <zhuyifei1999_>	 *bad
[14:15:06] <infobliss>	 won't you fix it ?
[14:15:48] <zhuyifei1999_>	 fix what?
[14:16:00] <infobliss>	 2nd one
[14:16:26] <zhuyifei1999_>	 I don't think I can tell you why it cannot be fixed at the current stage
[14:17:22] <infobliss>	 ok
[14:17:40] <zhuyifei1999_>	 the task depends on a visible task
[14:18:26] <infobliss>	 I think I will need a strong cup of coffee to understand the details.
[14:18:41] <infobliss>	 and may be more experience
[14:18:58] <zhuyifei1999_>	 it isn't that complicated
[14:19:32] <zhuyifei1999_>	 let me find a random task that has a dependency
[14:22:03] <zhuyifei1999_>	 man, that's harder than I thought
[14:22:30] <infobliss>	 ok
[14:23:17] <zhuyifei1999_>	 ok, so https://phabricator.wikimedia.org/T154102 depends on https://phabricator.wikimedia.org/T153488
[14:23:35] <zhuyifei1999_>	 um, this task graph is more complex than usual
[14:24:33] <zhuyifei1999_>	 https://phabricator.wikimedia.org/T169774 depends on https://phabricator.wikimedia.org/T169736
[14:24:52] <zhuyifei1999_>	 oh, "tool labs" is being renamed to "toolforge" fyi
[14:25:16] <infobliss>	 nice 
[14:25:49] <infobliss>	 what is the philosophy behind the name though?
[14:25:49] <zhuyifei1999_>	 just imagine a public ticket, like "https://phabricator.wikimedia.org/T169736", but in the task graph, you don't see "Open	None	T169774 Toolforge data loss for permissive data July 2 2017"
[14:26:05] <zhuyifei1999_>	 in its place you see "Restricted Task"
[14:26:43] <zhuyifei1999_>	 the renaming? https://wikitech.wikimedia.org/wiki/User:BryanDavis/Rebranding_Cloud_Services_products
[14:28:04] <infobliss>	 I don't see "Restricted Task" either
[14:28:15] <zhuyifei1999_>	 ?
[14:28:26] <infobliss>	 sorry it was another task
[14:29:11] <zhuyifei1999_>	 I mean bug #2 depends on a public task, and if you view the task graph of that public task you'll see a "Restricted Task"
[14:30:09] <zhuyifei1999_>	 and that public task is why bug #2 cannot be fixed
[14:30:38] <infobliss>	 I think I can see the task "T169774 Toolforge data loss for permissive data July 2 2017" too
[14:30:52] <infobliss>	 in the task graph
[14:30:53] <zhuyifei1999_>	 well, it's an example of a task dependency
[14:31:40] <zhuyifei1999_>	 if you see a task dependency that have "Restricted Task" in the place of "T169774 Toolforge data loss for permissive data July 2 2017" you might be at the right place :P
[14:32:20] <infobliss>	 got it
[14:33:12] <zhuyifei1999_>	 I cannot tell you which task it is because I think you're smart enough that given all the information I told you and the information available in that public task you might be able to figure out what bug #2 is about
[14:33:20] <zhuyifei1999_>	 :P
[14:34:20] <infobliss>	 may be but rest assured that I won't exploit anything in any case.
[14:34:59] <zhuyifei1999_>	 oh well you'll lose trust in tool labs if you see it :P just kidding
[14:35:59] <infobliss>	 now we will have 'toolforge' :P
[14:36:34] <zhuyifei1999_>	 oh yeah it's part of the plan in 'toolforge' migration
[14:36:47] <zhuyifei1999_>	 so right 'toolforge' will fix it
[14:37:20] <infobliss>	 yeah foreseeable
[14:37:39] <zhuyifei1999_>	 oh wait, I think I can give you an example of what the "restricted task" dependency looks like
[14:40:50] <zhuyifei1999_>	 yeah https://phabricator.wikimedia.org/T104453 is an example
[14:40:57] <zhuyifei1999_>	 but not this one
[14:41:19] <infobliss>	 ok
[14:42:55] <zhuyifei1999_>	 oh and that "restricted task" in https://phabricator.wikimedia.org/T104453 is not a security task, but an nda (privacy-related) task
[14:43:30] <infobliss>	 ok I see
[14:45:49] <zhuyifei1999_>	 I think I can show you the first bug though, if you want
[14:46:54] <zhuyifei1999_>	 I honestly don't know why it is still hidden and I didn't get a response when I asked to unhide it (I don't have the permission to unhide it myself)
[14:47:46] <infobliss>	 ok
[14:48:45] <infobliss>	 need a brb
[14:49:28] <zhuyifei1999_>	 https://usercontent.irccloud-cdn.com/file/V170DhsP/Firefox_Screenshot_2017-07-07T14-49-06.920Z.png
[14:50:02] <infobliss>	 ok nice
[14:50:17] <infobliss>	 will come back and look deep
[14:50:22] <zhuyifei1999_>	 k
[14:50:36] <zhuyifei1999_>	 tell me how you think about it :P
[15:11:20] <infobliss>	 I am back
[15:11:27] <infobliss>	 sure let me check now
[15:12:14] <zhuyifei1999_>	 k
[15:20:10] <infobliss>	 ok NFS is Network File System
[15:20:15] <zhuyifei1999_>	 yeah
[15:20:53] <zhuyifei1999_>	 tool labs use nfs to make sure every instance gets the same files for /data/project, /home, /data/scratch
[15:21:23] <zhuyifei1999_>	 see https://wikitech.wikimedia.org/wiki/Help:Shared_storage
[15:21:24] <infobliss>	 ok
[15:22:11] <infobliss>	 hmm I only knew NFS=Need For Speed ;)
[15:22:18] <zhuyifei1999_>	 o.O
[15:22:28] <zhuyifei1999_>	 I didn't know that
[15:22:49] <infobliss>	 a video game
[15:22:56] <zhuyifei1999_>	 oh
[15:23:54] <zhuyifei1999_>	 well, coc=code of conduct and clash of clans :)
[15:24:21] <zhuyifei1999_>	 one is what you see on tech places, one is a video game
[15:24:55] <infobliss>	 haha yep
[15:25:00] <zhuyifei1999_>	 fyi, tool labs may get rid of nfs in the very distant future
[15:25:17] <infobliss>	 so  yours was a good trick
[15:25:37] <zhuyifei1999_>	 a few years ago, almost every single labs outage was caused by NFS meltdown
[15:25:42] <zhuyifei1999_>	 ?
[15:25:47] <zhuyifei1999_>	 mine what?
[15:26:00] <infobliss>	 to read the secret data
[15:26:42] <zhuyifei1999_>	 um, it's more of an exploit than a trick I'd say
[15:27:33] <infobliss>	 yes may be
[15:27:44] <infobliss>	 I don't know the exact usage of the two
[15:28:04] <infobliss>	 i.e., when to call a trick and when an exploit
[15:28:15] <zhuyifei1999_>	 imo, trick = good, exploit = bad
[15:28:29] <infobliss>	 aah ok