Bug 1492639 Add destination checks to bouncer validation r=mtabara
author Simon Fraser <sfraser@mozilla.com>
Wed, 10 Oct 2018 15:00:18 +0100
changeset 499008 41506b1cb3857f99ffdf9dcb7291adb066265172
parent 499007 5cd5bff6c91e6c96c5e835d919f74913941390ae
child 499009 7757f7200917569e8630fb021ecb06d2425e20ed
push id 1864
push user ffxbld-merge
push date Mon, 03 Dec 2018 15:51:40 +0000
reviewers mtabara
bugs 1492639
milestone 64.0a1
Bug 1492639 Add destination checks to bouncer validation r=mtabara Reviewers: mtabara Reviewed By: mtabara Subscribers: bhearsum, sfraser, catlee, mtabara Tags: #secure-revision, #bmo-releng-security Bug #: 1492639 Differential Revision: https://phabricator.services.mozilla.com/D8189
.cron.yml
taskcluster/ci/cron-bouncer-check/kind.yml
testing/mozharness/scripts/release/bouncer_check.py
--- a/.cron.yml
+++ b/.cron.yml
@@ -114,16 +114,19 @@ jobs:
           by-project:
               # No default branch
               mozilla-beta:
                   - {hour: 7, minute: 0}
                   - {hour: 19, minute: 0}
               mozilla-release:
                   - {hour: 7, minute: 0}
                   - {hour: 19, minute: 0}
+              mozilla-esr60:
+                  - {hour: 7, minute: 0}
+                  - {hour: 19, minute: 0}
 
     - name: periodic-update
       job:
           type: decision-task
           treeherder-symbol: Nfile
           target-tasks-method: file_update
       run-on-projects:
           - mozilla-central
--- a/taskcluster/ci/cron-bouncer-check/kind.yml
+++ b/taskcluster/ci/cron-bouncer-check/kind.yml
@@ -46,16 +46,17 @@ jobs:
                     jamun:
                         - releases/dev_bouncer_firefox_esr.py
                     default:
                         - releases/dev_bouncer_firefox_beta.py
             product-field:
                 by-project:
                     mozilla-beta: LATEST_FIREFOX_RELEASED_DEVEL_VERSION
                     mozilla-release: LATEST_FIREFOX_VERSION
+                    mozilla-esr60: FIREFOX_ESR
                     default: LATEST_FIREFOX_DEVEL_VERSION
             products-url: https://product-details.mozilla.org/1.0/firefox_versions.json
         treeherder:
             platform: firefox-release/opt
 
     devedition:
         shipping-product: devedition
         index:
--- a/testing/mozharness/scripts/release/bouncer_check.py
+++ b/testing/mozharness/scripts/release/bouncer_check.py
@@ -96,26 +96,45 @@ class BouncerCheck(BaseScript, Virtualen
 
         if self.config['product_field'] not in firefox_versions:
             self.fatal('Unknown Firefox label: {}'.format(self.config['product_field']))
         self.config["version"] = firefox_versions[self.config["product_field"]]
         self.log("Set Firefox version {}".format(self.config["version"]))
 
     def check_url(self, session, url):
         from redo import retry
+        try:
+            from urllib.parse import urlparse
+        except ImportError:
+            # Python 2
+            from urlparse import urlparse
+
+        mozilla_locations = [
+            'download-installer.cdn.mozilla.net',
+            'download.cdn.mozilla.net',
+            'download.mozilla.org',
+            'archive.mozilla.org',
+        ]
 
         def do_check_url():
             self.log("Checking {}".format(url))
             r = session.head(url, verify=True, timeout=10, allow_redirects=True)
             try:
                 r.raise_for_status()
             except Exception:
                 self.warning("FAIL: {}, status: {}".format(url, r.status_code))
                 raise
 
+            final_url = urlparse(r.url)
+            if final_url.scheme != 'https':
+                self.warning('FAIL: URL scheme is not https: {}'.format(r.url))
+
+            if final_url.netloc not in mozilla_locations:
+                self.warning('FAIL: host not in allowed locations: {}'.format(r.url))
+
         retry(do_check_url, sleeptime=3, max_sleeptime=10, attempts=3)
 
     def get_urls(self):
         for product in self.config["products"].values():
             if not product["check_uptake"]:
                 continue
             product_name = product["product-name"] % {"version": self.config["version"]}
             for path in product["paths"].values():
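Review bot: The two new destination checks at the end of do_check_url only call self.warning, so a final URL that is plain http or that lands on a host outside mozilla_locations is logged as FAIL but do_check_url still returns normally and retry() treats the attempt as a success; only the raise_for_status branch above actually fails the task. Follow that branch's pattern and raise after the warning, e.g. `raise Exception('FAIL: destination check failed for {}'.format(r.url))`, or use self.fatal as set_version does on L78 if a retry cannot change the outcome. With allow_redirects=True only r.url is inspected, so an intermediate redirect hop over http would pass unnoticed; applying the same scheme and netloc checks to each response in r.history would close that gap. The exact netloc comparison is the right shape for an allowlist, but note it rejects an otherwise valid URL that carries an explicit port or userinfo. The enclosing class BouncerCheck begins outside the hunk.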