Re: Permission to allow testing harness to send error reports for pgweb directly to mailing list.

From: Akshat Jaimini
Subject: Re: Permission to allow testing harness to send error reports for pgweb directly to mailing list.
Date:
Msg-id: CAMaW3ViOZYfxYMTYVHLOZHhVejSQ-BA0_X8hAmwwAPkxuVVObg@mail.gmail.com
In response to: Re: Permission to allow testing harness to send error reports for pgweb directly to mailing list.  (Daniel Gustafsson <daniel@yesql.se>)
Responses: Re: Permission to allow testing harness to send error reports for pgweb directly to mailing list.
List: pgsql-www
> I clicked through the linked repo but I was unable to see an example testrun. 
You can find the reports here: https://github.com/destrex271/pgweb-testing-harness/actions/runs/6189299124 . You can check the 'report', 'test-log' and 'failure_logs' artifacts; the other ones are experimental for now.

> For tests like that we must really think about scope, limiting the report isn't useful if we publish the tests for anyone to run themselves and thus generate the report. 
> Malicious actors are no doubt probing the website continuously regardless of this, but we don't necessarily need to do the job for them.

Oh yes, that is a valid point. I guess we might need to separate these tests then in some private repo? I don't know if this is possible, though, but we can think of some other approaches. Because if we keep those tests publicly available, that will just create more problems for us, as you mentioned in your reply.

I'll try to find more approaches to this because the private repository does not seem to go with the idea of open source. I might be wrong about this, so please let me know if I am wrong.

Regards,
Akshat Jaimini

On Fri, Oct 6, 2023 at 6:09 PM Daniel Gustafsson <daniel@yesql.se> wrote:
> On 6 Oct 2023, at 08:05, Akshat Jaimini <destrex271@gmail.com> wrote:
>
> > Publishing this report to a website would handle that I think.
> I had sent a proposal/tried to start a discussion for this a few days earlier

It would probably help if you could link to a report from a run of the test
suite.  I clicked through the linked repo but I was unable to see an example
testrun.

> > One question, would this test harness detect and report potential security issues like XSS?
> Security-related tests were not added in the GSoC timeline but we are planning to add them. Maybe when we add those tests we can create a separate section on the proposed website only available to some 'admins' with all these sensitive reports being displayed there.

For tests like that we must really think about scope, limiting the report isn't
useful if we publish the tests for anyone to run themselves and thus generate
the report.  Malicious actors are no doubt probing the website continuously
regardless of this, but we don't necessarily need to do the job for them.

--
Daniel Gustafsson
