Page MenuHomePhabricator
Create Task
Maniphest T148567

Restrict outgoing network connections from Electron render service
Closed, ResolvedPublic
Actions

Description

As part of its task of rendering web pages to PDF, Electron / Chrome loads linked resources like images, stylesheet and scripts from the network. While the sanitized HTML we will render should not contain references to private IPs, we should rely on this as the sole protection.

An option for restricting access from this service to public IPs would be to set up an iptables rule matching on the service user, and dropping any requests to the private production IPs. Examples: iptables -A OUTPUT -o eth0 -m owner --uid-owner 1000 .., man page.

Another might be to use a proxy, although this would likely affect performance negatively.

Related Objects
Search...

StatusSubtypeAssignedTask
 Resolved JhernandezT148358 Prepare for November user research
 Resolved atgoT148359 Complete Wikilater prototype for testing
 DeclinedNoneT149627 Update Wikilater to use Electron service in production
 ResolvedNoneT148364 Complete Quickfact prototype for testing
 DeclinedNoneT149628 Update Flashcard to use Electron service in production
 Resolved JKatzWMFT150871 [EPIC] (Proposal) Replicate core OCG features and sunset OCG service
 ResolvedNoneT135643 Show tables in pdfs (#9)
 ResolvedWMDE-FischT135616 Investigate underlying issues with tables in PDF rendering
 ResolvedAddshoreT135613 [GTWL] Include hint about excluded tables when generating a PDF
 InvalidNoneT137431 Improve patch to show tables in pdfs
 InvalidNoneT137432 Add a table appendix to pdfs
 ResolvedTobi_WMDE_SWT142201 Create a mediawiki extension for browser-based rendered pdf support
 ResolvedTobi_WMDE_SWT142202 Only render single articles, and not collections or books
 Resolvedgabriel-wmdeT142204 Investigate what is needed to use browser based rendering for books
ResolvedAddshoreT145413 Request repository for browser-based rendered pdf support extension
 ResolvedTobi_WMDE_SWT146894 Replace "Printable version" with link to ElectronPdfService
 ResolvedTobi_WMDE_SWT146895 Implement SpecialPage according to mockup
 ResolvedTobi_WMDE_SWT147842 Update extension documentation on mw.org
 DeclinedNoneT149086 Implement caching for ElectronPdfService extension
 ResolvedTobi_WMDE_SWT149189 Add and enable basic browsertests
 Resolved GWickeT142226 Productize the Electron PDF render service & create a REST API end point
 Resolved dpatrickT148567 Restrict outgoing network connections from Electron render service
 ResolvedLea_WMDET143410 Voices from the Community about current pdf use
 ResolvedAddshoreT150326 Track numbers for Electron- vs. OCG-Rendering

Event Timeline

GWicke created this task.Oct 18 2016, 6:29 PM
GWicke mentioned this in T142226: Productize the Electron PDF render service & create a REST API end point.Oct 18 2016, 7:01 PM
dpatrick moved this task from Incoming to In Progress on the deprecated-security-team-reviews board.Dec 20 2016, 10:22 PM
dpatrick added a comment.Nov 21 2017, 4:59 PM

Just following up on some lingering security reviews. I know that this service has been deployed. Do we have appropriate firejail and iptables rules in place now to restrict egress?

mobrovac added a comment.Nov 22 2017, 8:37 AM
In T148567#3778518, @dpatrick wrote:

Just following up on some lingering security reviews. I know that this service has been deployed. Do we have appropriate firejail and iptables rules in place now to restrict egress?

The service cannot establish any connections outside of the production environment because it does not contact the production proxy, so any attempt to request an external resource will simply time out.

dpatrick closed this task as Resolved.Nov 22 2017, 6:33 PM
dpatrick claimed this task.
In T148567#3780384, @mobrovac wrote:
In T148567#3778518, @dpatrick wrote:

Just following up on some lingering security reviews. I know that this service has been deployed. Do we have appropriate firejail and iptables rules in place now to restrict egress?

The service cannot establish any connections outside of the production environment because it does not contact the production proxy, so any attempt to request an external resource will simply time out.

Thanks Marko. That works. I'll close this ticket.

sbassett moved this task from In Progress to Done on the deprecated-security-team-reviews board.Jul 9 2019, 8:15 PM
chasemp removed a project: deprecated-security-team-reviews.Jan 8 2020, 4:16 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL