
DO NOT MERGE - 13 to dev testing #14261

Merged
merged 20 commits into from
Nov 28, 2023
20 commits
05f5d3a
update locales from crowdin [ci skip]
openprojectci Nov 22, 2023
08d3884
update locales from crowdin [ci skip]
openprojectci Nov 23, 2023
dac3685
Add section on security relevant components during development requir…
oliverguenther Nov 23, 2023
2fea2b7
[#51199] Move statement on security underneith new security and priva…
MayaBerd Nov 23, 2023
838968c
docs(links): adjust changed statement-on-security url
as-op Nov 22, 2023
92dea70
docs(links): adjust changed statement-on-security url
as-op Nov 23, 2023
ce232a1
Merge pull request #14224 from opf/documentation/51199-move-statement…
as-op Nov 23, 2023
e7243ef
Add pg_client postgres 15 (#14180)
oliverguenther Nov 21, 2023
bf10fc5
update locales from crowdin [ci skip]
openprojectci Nov 24, 2023
d67e67e
update locales from crowdin [ci skip]
openprojectci Nov 25, 2023
052b740
Add information about involved services and integrations
oliverguenther Nov 27, 2023
86f1026
Add section on S3 storage
oliverguenther Nov 27, 2023
48acdd6
Add info about access modes
oliverguenther Nov 27, 2023
5cf7901
[#51265] Make Nextcloud synchronization more stable.
ba1ash Nov 27, 2023
37b9256
Update modules/storages/app/models/storages/nextcloud_storage.rb
ba1ash Nov 27, 2023
8fe83ae
Adjust logged error message in tests.
ba1ash Nov 27, 2023
c39f686
Merge pull request #14249 from opf/bug/51265-make-nextcloud-synchroni…
ba1ash Nov 27, 2023
0e44f3b
update locales from crowdin [ci skip]
openprojectci Nov 28, 2023
a3673b6
Add section on not offering bug bounty currently
oliverguenther Nov 28, 2023
e33a5d2
Merge remote-tracking branch 'origin/release/13.0' into dev
apfohl Nov 28, 2023
2 changes: 1 addition & 1 deletion README.md
Expand Up @@ -49,7 +49,7 @@ will keep our community secure. If you happen to come across a security issue we
you to disclose it to us privately to allow our users and community enough time to
upgrade. Security issues will always take precedence over anything else in the pipeline.

For more information on how to disclose a security vulnerability, [please see this page](docs/development/security/README.md).
For more information on how to disclose a security vulnerability, [please see this page](docs/security-and-privacy/statement-on-security/README.md).

## License

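Review bot: the new target `docs/security-and-privacy/statement-on-security/README.md` is a repo-relative path, while the SECURITY.md change in this same PR points at the public website URL `https://www.openproject.org/docs/security-and-privacy/statement-on-security/`. Both resolve only if the statement file really was moved to that directory (the renamed file's header is not visible in this diff), so confirm the move is part of the PR and consider using the same canonical link in both files so a future rename needs one edit instead of two.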
2 changes: 1 addition & 1 deletion SECURITY.md
@@ -1 +1 @@
Please find our statement on security in this document: https://www.openproject.org/docs/development/security/
Please find our statement on security in this document: https://www.openproject.org/docs/security-and-privacy/statement-on-security/
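Review bot: dropping `https://www.openproject.org/docs/development/security/` from SECURITY.md leaves the old URL dead unless the website serves a redirect. The old path is also referenced from older release notes (several are updated in this PR) and is the kind of link that ends up in external advisories and mailing-list posts, so a permanent redirect from the old path to `/docs/security-and-privacy/statement-on-security/` should ship with this change.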
36 changes: 29 additions & 7 deletions docs/development/application-architecture/README.md
Expand Up @@ -15,9 +15,9 @@ keywords: architecture overview, hybrid application, Ruby on Rails, Angular
%%{init: {'theme':'neutral'}}%%

flowchart TD
browser[Web browser] -->|"HTTP(s) requests"| loadbalancer(Load balancer / proxy)
A1[Native client] -->|"HTTP(s) requests"| loadbalancer
A2[SVN or Git client] -->|"HTTP(s) requests"| loadbalancer
browser[Web browser] -->|"HTTPS requests"| loadbalancer(Load balancer / proxy)
A1[Native client] -->|"HTTPS requests"| loadbalancer
A2[SVN or Git client] -->|"HTTPS requests"| loadbalancer
loadbalancer -->|Proxy| openproject

subgraph openproject[OpenProject Core Application]
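Review bot: relabelling the client edges from `HTTP(s)` to `HTTPS` is right for the external hop, but the `loadbalancer -->|Proxy| openproject` edge stays unlabelled while the table later in this file lists Puma as accepting `Web requests (HTTP/HTTPS)`. Since the load balancer terminates TLS, the proxied hop is often plain HTTP inside the deployment; label that edge explicitly (e.g. `HTTP (internal)`) so the diagram does not imply end-to-end TLS that the table contradicts.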
Expand All @@ -34,7 +34,7 @@ flowchart TD
gih["GitHub (gih)"]
cal["Calendar (cal)"]
O["API integrations (api)"]

W["Outgoing webhooks"]
end

subgraph services[Internal Services]
Expand All @@ -46,9 +46,9 @@ end
end


openproject <--> services
openproject --> integrations
loadbalancer <--> integrations
openproject <-->|"TCP requests"| services
openproject -->|"HTTPS requests"| integrations
loadbalancer <-->|"HTTPS requsts"| integrations

subgraph localclients[Local Client / User device]
direction TB
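Review bot: the new label on the `loadbalancer <--> integrations` edge reads `"HTTPS requsts"` (typo for "requests"). The `"TCP requests"` label on the services edge is also vague for a security overview: it covers the database, cache and worker connections, which are unencrypted unless the documented database TLS setup is used, so a label such as `"TCP (TLS optional)"` or a reference to the TLS setup would be more accurate.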
Expand All @@ -62,6 +62,28 @@ end

```

## Involved services

| Service | Relationship to OpenProject | Communication interfaces and mechanisms | Access modes<br />(R - read)<br />(W - write) | References |
| ----------------------------------- | ------------------------------------------------------------ | ------------------------------------------------------------ | --------------------------------------------- | ------------------------------------------------------------ |
| Web browser | Performs requests to the application | HTTPS | RW | n/a |
| Native client | Performs requests to the application | HTTPS | RW | n/a |
| SVN client | Performs SVN requests to the application web server | HTTPS | RW | [Repository integrations](https://www.openproject.org/docs/user-guide/repository/) |
| Git client | Performs Git Smart HTTP requests to the application server | HTTPS | RW | [Repository integrations](https://www.openproject.org/docs/user-guide/repository/) |
| Load balancer / Proxy | Depending on installation mechanism, terminates TLS/SSL, accepts and proxies or load balances web requests to the different OpenProject web application servers | HTTPS / PROXY | - | [Configuration for packaged installations](https://www.openproject.org/docs/installation-and-operations/installation/packaged/#step-3-apache2-web-server-and-ssl-termination)<br />[Configuration for Docker/Kubernetes](https://www.openproject.org/docs/installation-and-operations/installation/docker/#disabling-https-mode) |
| Puma application server | Accepts web requests, runs the OpenProject web facing application | Web requests (HTTP/HTTPS)<br />Database (TCP)<br />Memcached (TCP)<br />Email gateways (SMTP)<br />External integration requests (HTTPS) | RW | [Database TLS setup](https://www.openproject.org/docs/installation-and-operations/configuration/#database-configuration-and-ssl)<br />[Cache configuration](https://www.openproject.org/docs/installation-and-operations/configuration/#cache-configuration-options)<br />[SMTP configuration](https://www.openproject.org/docs/installation-and-operations/configuration/outbound-emails/)<br />[Integrations guide](https://www.openproject.org/docs/system-admin-guide/integrations/) |
| Memached / Redis / File cache | Application-level cache (if enabled) | TCP connections | RW | [Cache configuration](https://www.openproject.org/docs/installation-and-operations/configuration/#cache-configuration-options) |
| PostgreSQL | Database management system | (Encrypted) TCP connections between web and background workers | | [Database TLS setup](https://www.openproject.org/docs/installation-and-operations/configuration/#database-configuration-and-ssl)<br /> |
| Background worker | Handles asynchronous jobs, such as backup requests, email delivery, | Database (TCP)<br />Memcached (TCP)<br />Email gateways (SMTP)<br />External integration requests (HTTPS) | RW | [Database TLS setup](https://www.openproject.org/docs/installation-and-operations/configuration/#database-configuration-and-ssl)<br />[Cache configuration](https://www.openproject.org/docs/installation-and-operations/configuration/#cache-configuration-options)<br />[SMTP configuration](https://www.openproject.org/docs/installation-and-operations/configuration/outbound-emails/)<br />[Integrations guide](https://www.openproject.org/docs/system-admin-guide/integrations/) |
| Attached storages or Object storage | Access for attachments for the OpenProject application.<br />Either directly (or networked) attached storages, or configuration of an S3-compatible Object store | Local filesystem access (local drives, NFS)<br />HTTPS (S3-compatible storage) | RW | [Configuration of the attachment storage](https://www.openproject.org/docs/installation-and-operations/configuration/#attachments-storage) |
| Email gateways | Send emails (e.g., notifications) from OpenProject application | SMTP | W (deliver mails to relay) | [SMTP configuration](https://www.openproject.org/docs/installation-and-operations/configuration/outbound-emails/) |
| Identity providers | External authentication providers (e.g., Keycloak, ADFS, etc.) | HTTPS through standard protocols (OpenID connect, SAML, OAuth 2.0) | R (Redirect and read user info) | [OpenID connect provider configuration](https://www.openproject.org/docs/system-admin-guide/authentication/openid-providers/)<br />[SAML provider configuration](https://www.openproject.org/docs/system-admin-guide/authentication/saml/)<br />[OAuth 2.0 application configuration](https://www.openproject.org/docs/system-admin-guide/authentication/oauth-applications/) |
| Nextcloud | External biliteral integration | HTTPS | RW | [Nextcloud integration guide](https://www.openproject.org/docs/system-admin-guide/integrations/nextcloud/) |
| GitHub | Pull Request / Issue referencing Integration into Openproject | HTTPS (Webhooks) | R (Incoming webhook from GitHub) | [GitHub integration guide](https://www.openproject.org/docs/system-admin-guide/integrations/github-integration/) |
| Calendars | External calendars requesting dynamic ICS calendar files from OpenProject | HTTPS (iCalendar/webdav) | R (Outgoing calendar data) | [Calendar subscriptions configuration](https://www.openproject.org/docs/system-admin-guide/calendars-and-dates/#calendar-subscriptions) |
| API integrations | Structural access to OpenProject through API endpoints. Optional access to users and third party organizations depending on authorized scopes | HTTPS | (Optional) R<br />(Optional) W<br /> | [API configuration](https://www.openproject.org/docs/system-admin-guide/api-and-webhooks/) |
| Outgoing Webhooks | Outgoing requests for changes within the application | HTTPS | R (Outgoing webhook data) | [Webhook configuration an adminstration](https://www.openproject.org/docs/system-admin-guide/api-and-webhooks/#webhooks) |



# Software
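Review bot: the "Access modes" column mixes two perspectives, which makes it hard to read as an access-control statement: "Email gateways" is `W (deliver mails to relay)` (OpenProject writes outward), "Outgoing Webhooks" is `R (Outgoing webhook data)` although the same direction of data flow, "GitHub" is `R (Incoming webhook from GitHub)` although GitHub writes into OpenProject, and "PostgreSQL" has no entry at all. Define the perspective once in the legend (e.g. "as seen from OpenProject") and fill the PostgreSQL row as `RW`. Spelling in the new table: `Memached` (Memcached), `biliteral` (bilateral), `Openproject` (OpenProject) and `Webhook configuration an adminstration` (and administration).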
13 changes: 13 additions & 0 deletions docs/development/product-development-handbook/README.md
Expand Up @@ -160,16 +160,29 @@ For internal or customer requirements requirements may directly be created, eval
Based on the Product Managers judgement (taking among other things the RICE score and customer backing into account) validated and prioritized features (status: “In specification”) are specified in more detail:

1. PM specifies the solution and creates mockups (e.g. PowerPoint, Google Docs, …).

2. PM updates the Opportunity Canvas (especially “Solution” section).

3. PM and Developer validate solution (technical feasibility / solution).

*If this solution touches security relevant components of the application, a Security Engineer is involved to identity and model the associated risks and impacts (thread modelling) according to the documented risks in the [Secure Coding Guidelines](https://www.openproject.org/docs/development/concepts/secure-coding/#secure-coding-guidelines).*

4. PM / UX Researcher validates the solution through user interviews. (optional)

5. PM / UX Researcher iterates through possible solutions based on user interviews and updates the Opportunity canvas. (optional)

6. PM / Developer adds more detailed effort and cost estimates.

7. Designer is assigned to the "Designer" field of the feature.

8. Designer creates visuals based on mockups (if necessary).

9. PM validates design with users (user interviews) (optional)

10. PM in coordination with Developer assigns feature to upcoming product version.

11. PM hands over features to the Developer.

12. PM highlights features that require change in documentation if necessary (custom field “Requires doc change”).

The features in a product version need to be specified at least one iteration prior to development start. If a feature is added to the current version it needs to be specified with high priority. If it is added to the next version it can be specified with a lower priority but still higher then other features in the product backlog.
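Review bot: the inserted note after step 3 has two wording errors that matter in a security process document: "to identity and model" should be "to identify and model", and "thread modelling" should be "threat modelling". It would also help to say who decides that a feature "touches security relevant components", since the step as written has no trigger; pointing at the component list in the linked Secure Coding Guidelines, or naming the PM as responsible for flagging it, closes that gap.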
Expand Up @@ -73,4 +73,4 @@ Please navigate to -> Administration -> GDPR and you can now online review and s



Find out more about [OpenProject's security features](../../../development/security/#openproject-security-features).
Find out more about [OpenProject's security features](../../../security-and-privacy/statement-on-security/#openproject-security-features).
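Review bot: the file header for this hunk is missing from the rendering, so the depth of the relative link `../../../security-and-privacy/statement-on-security/#openproject-security-features` cannot be checked against the file's location here; please verify it resolves from the GDPR page's directory, and that the `#openproject-security-features` anchor still exists in the moved statement (the heading `## OpenProject security features` appears unchanged further down in this PR, so the anchor should survive).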
2 changes: 1 addition & 1 deletion docs/release-notes/12/12-0-4/README.md
Expand Up @@ -26,7 +26,7 @@ The vulnerability has been fixed in version 12.0.4. Versions prior to 12.0.0 are
If you are unable to upgrade in a timely fashion, the following patch can be applied: [https://github.com/opf/openproject/pull/9983.patch](https://github.com/opf/openproject/pull/9983.patch)

#### Credits
This security issue was responsibly disclosed by [Daniel Santos](https://github.com/bananabr) (Twitter [@bananabr](https://twitter.com/bananabr)). Thank you for reaching out to us and your help in identifying this issue. If you have a security vulnerability you would like to disclose, please see our [statement on security](https://www.openproject.org/docs/development/security/).
This security issue was responsibly disclosed by [Daniel Santos](https://github.com/bananabr) (Twitter [@bananabr](https://twitter.com/bananabr)). Thank you for reaching out to us and your help in identifying this issue. If you have a security vulnerability you would like to disclose, please see our [statement on security](https://www.openproject.org/docs/security-and-privacy/statement-on-security/).

### Bug fixes and changes
- Fixed: Frontend including editor and time logging unusable when there are many activities \[[#40314](https://community.openproject.com/wp/40314)\]
4 changes: 2 additions & 2 deletions docs/release-notes/12/12-5-4/README.md
Expand Up @@ -19,7 +19,7 @@ The release contains two security related bug fixes and we recommend updating to

When a user registers and confirms their first two-factor authentication (2FA) device for an account, existing logged in sessions for that user account are not terminated. Likewise, if an administrators creates a mobile phone 2FA device on behalf of a user, their existing sessions are not terminated. The issue has been resolved in OpenProject version 12.5.4 by actively terminating sessions of user accounts having registered and confirmed a 2FA device.

This security related issue was responsibly disclosed by [Vaishnavi Pardeshi](mailto:[email protected]). Thank you for reaching out to us and your help in identifying this issue. If you have a security vulnerability you would like to disclose, please see our [statement on security](https://www.openproject.org/docs/development/security/).
This security related issue was responsibly disclosed by [Vaishnavi Pardeshi](mailto:[email protected]). Thank you for reaching out to us and your help in identifying this issue. If you have a security vulnerability you would like to disclose, please see our [statement on security](https://www.openproject.org/docs/security-and-privacy/statement-on-security/).

For more information, [please see our security advisory](https://github.com/opf/openproject/security/advisories/GHSA-xfp9-qqfj-x28q).

Expand All @@ -33,7 +33,7 @@ When a user requests a password reset, an email is sent with a link to confirm a

The issue has been resolved in OpenProject version 12.5.4 by actively revoking any active password reset tokens for user accounts having changed their passwords successfully within the application.

This security related issue was responsibly disclosed by [Vaishnavi Pardeshi](mailto:[email protected]). Thank you for reaching out to us and your help in identifying this issue. If you have a security vulnerability you would like to disclose, please see our [statement on security](https://www.openproject.org/docs/development/security/).
This security related issue was responsibly disclosed by [Vaishnavi Pardeshi](mailto:[email protected]). Thank you for reaching out to us and your help in identifying this issue. If you have a security vulnerability you would like to disclose, please see our [statement on security](https://www.openproject.org/docs/security-and-privacy/statement-on-security/).

<!--more-->

2 changes: 1 addition & 1 deletion docs/release-notes/8/8-3-2/README.md
Expand Up @@ -32,7 +32,7 @@ For the full advisory and patches for older unsupported versions,
post](https://groups.google.com/d/msg/openproject-security/XlucAJMxmzM/hESpOaFVAwAJ).
For our statement on security and further information on how to
responsible disclose security related issues to us, please see our
[statement on security](../../../development/security/).
[statement on security](https://www.openproject.org/docs/security-and-privacy/statement-on-security/).

Thanks to Thanaphon Soo from the [SEC Consult Vulnerability
Lab](https://www.sec-consult.com) for identifying and responsibly
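Review bot: this hunk swaps a relative link for the absolute website URL, which is consistent with the other release-note hunks in this PR, but the pre-existing sentence "responsible disclose security related issues" in the unchanged context still reads wrongly ("responsibly disclose"); since the line is being touched anyway, fixing the adverb in the same commit avoids a second docs PR.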
3 changes: 3 additions & 0 deletions docs/security-and-privacy/README.md
Expand Up @@ -12,8 +12,11 @@ The purpose of this document is to equip users of OpenProject with the necessar

## Data privacy

* Privacy policy: [OpenProject privacy policy](https://www.openproject.org/legal/privacy/)
* Data privacy documentation: [Processing of personal data](./processing-of-personal-data/)

## Data security

* Security documentation: BSI Grundschutzchecks (coming Q1 2024)
* Statement on data security: [Statement on data security](./statement-on-security)

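Review bot: the new "Data security" entry links `./statement-on-security` without the trailing slash that the privacy entry (`./processing-of-personal-data/`) uses, and its link text "Statement on data security" does not match the page title `# Statement on security` set in this same PR; use the same title in both places and the same trailing-slash convention so the generated sidebar and the inline link agree. The "BSI Grundschutzchecks (coming Q1 2024)" item is a placeholder with no link; either link the BSI Grundschutz page it will live on or mark it clearly as planned so readers do not expect a document.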
@@ -1,3 +1,11 @@
---
sidebar_navigation:
title: Statement on security
priority: 600
description: Statement of data security in OpenProject
keywords: GDPR, data security, security, OpenProject security, security alerts, single sign-on, password security, mailing list
---

# Statement on security

At its core, OpenProject is an open-source software that is [developed and published on GitHub](https://github.com/opf/openproject). Every change to the OpenProject code base ends up in an open repository accessible to everyone. This results in a transparent software where every commit can be traced back to the contributor.
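Review bot: the added front matter sets `title: Statement on security` but `description: Statement of data security in OpenProject`; align the description with the title (and with the "Data security" index entry). The file header is absent from this rendering, so also confirm the file actually lives at `docs/security-and-privacy/statement-on-security/README.md`, which is the path every other hunk in this PR now links to.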
Expand Down Expand Up @@ -49,10 +57,13 @@ If you can, please send us a PGP-encrypted email using the following key:

- Key ID: [0x7D669C6D47533958](https://keys.openpgp.org/vks/v1/by-fingerprint/BDCFE01EDE84EA199AE172CE7D669C6D47533958),
- Fingerprint BDCF E01E DE84 EA19 9AE1 72CE 7D66 9C6D 4753 3958
- You may also find the key [attached in our OpenProject repository.](https://github.com/opf/openproject/blob/dev/docs/development/security/security-at-openproject.com.asc)
- You may also find the key [attached in our OpenProject repository.](https://www.openproject.org/docs/security-and-privacy/statement-on-security/security-at-openproject.com.asc)

Please include a description on how to reproduce the issue if possible. Our security team will get your email and will attempt to reproduce and fix the issue as soon as possible.

> **Please note:** OpenProject currently does not offer a bug bounty program. We will do our best to give you the appropriate credits for responsibly disclosing a security vulnerability to us. We will gladly reference your work, name, website on every publication we do related to the security update.


## OpenProject security features

### Authentication and password security
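Review bot: the PGP key link is changed from a GitHub blob URL to `https://www.openproject.org/docs/security-and-privacy/statement-on-security/security-at-openproject.com.asc`; a `.asc` file is not rendered markdown, so the website build must copy it through unchanged for this link to serve the armored key rather than a 404. Keep the repository copy linked as a second source as well, so the key published with fingerprint `BDCF E01E DE84 EA19 9AE1 72CE 7D66 9C6D 4753 3958` can be cross-checked against the repo if the website is ever compromised. The new bug-bounty note reads well; one small wording point: "reference your work, name, website" wants an "and" before "website".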