Security review of Extension:3d
Closed, ResolvedPublic
Actions

Assigned To

Authored By

	MarkTraceur
	Feb 2 2017, 9:46 PM

Description

Please review the 3d extension.

This extension enables upload of, thumbnailing, and interactive viewing of three-dimensional model files, currently only the STL file format, but with the potential for expansion based on request.

We intend to enable this on beta-commons, then the testwikis, then on Commons to see how file uploaders make use of it. If all of those experiments go well, and we are able to respond to requests, we will push the extension out to other wikis to allow use of models across the projects.

@MarkTraceur is the primary contact. The Multimedia team is generally responsible for the project. @Jdforrester-WMF
is the product manager.

Target dates for deployments: 2017-03-01 for beta, 1-2 weeks later for test, 1-2 weeks later for Commons.

The command-line utility used for thumbnailing, 3d2png, was already reviewed - T132063

Languages: JavaScript, a tiny bit of PHP

Repository: https://phabricator.wikimedia.org/source/3d/

https://www.mediawiki.org/wiki/Extension:3d

Thanks!

Details

	Subject	Repo	Branch	Lines +/-
	Fix security/general concerns	mediawiki/extensions/3D	master	+37 -579

Customize query in gerrit

Related Objects
Search...

Status	Assigned	Task
Open	None	T44725 Multimedia file format support (tracking)
Declined	None	T107410 Wiki 3d warehouse
Open	None	T133526 Epic saga: immersive hypermedia (Myst for Wikipedia)
Resolved	TheDJ	T3790 Allow uploading of 3D files to Wikimedia Commons
Resolved	MarkTraceur	T132058 3d extension supporting STL (3d printing files)
Resolved	Reedy	T157077 Security review of Extension:3d

Event Timeline

MarkTraceur created this task.Feb 2 2017, 9:46 PM

Restricted Application added a subscriber: Aklapper. · View Herald TranscriptFeb 2 2017, 9:46 PM

MarkTraceur added a parent task: T132058: 3d extension supporting STL (3d printing files).Feb 2 2017, 9:46 PM

Jopparn subscribed.Feb 6 2017, 2:12 PM

• dpatrick mentioned this in E484: Security review of Extension:3d.Feb 7 2017, 5:13 PM

• dpatrick moved this task from Incoming to Scheduled on the deprecated-security-team-reviews board.Feb 7 2017, 5:35 PM

As an aside, the repo needs pushing to gerrit for deployment to WMF wikis... AFAIK we can't branch from Phab...

In T157077#3048611, @Reedy wrote:

As an aside, the repo needs pushing to gerrit for deployment to WMF wikis... AFAIK we can't branch from Phab...

That was filed as T158881: Create repo for extension 3d and import into gerrit.

ThreeDHandler.php has no security concerns

Other non security specific (dumping here due to lack of more general "review" task) issues...

PHP code

https://phabricator.wikimedia.org/source/3d/browse/master/ThreeDHandler.php;f5dbb9ecfac876eda0d4c1129272147a5dc9b1bc$104 $removed is undefined

https://phabricator.wikimedia.org/source/3d/browse/master/ThreeDHandler.php;f5dbb9ecfac876eda0d4c1129272147a5dc9b1bc$101 should the memory limit be factored out into some global, with a "sane" default set? Like we do with various other things like that. Or, just reuse $wgMaxShellMemory

ThreeDHooks.php has a hook that doesn't do anything. If it's gonna be used, great, use it. If not, remove it, and probably remove the whole class as aswell as it has no use (at the moment, at least)

https://phabricator.wikimedia.org/source/3d/browse/master/ThreeDHandler.php;f5dbb9ecfac876eda0d4c1129272147a5dc9b1bc$44 inconsistent comments

https://phabricator.wikimedia.org/source/3d/browse/master/modules/mmv.3d.js;f5dbb9ecfac876eda0d4c1129272147a5dc9b1bc$2 -- Fairly sure it's in the 3d extension
three.js is MIT licence, as is seemingly the rest of the extension... But see T157409 as there are other inconsistencies
three.js is on r75, r84 is out. https://github.com/mrdoob/three.js/compare/r75...r84 - No obvious signs of security issues fixed (or, if they were, they're not highlighted). Worth looking if we should upgrade now/in the near future
- T107561 of course would make this nicer rather than copying in JS files
cf T132063#2435663 do we want JSZip? And did the other comments get addressed?

General

tests folder contents should use tests/phpunit and tests/qunit for autoloading goodness, at least, on phpunit. Or is that manifest_version 2? Either way, better structure, even if we don't use the test autoloading
both test files are empty though

Reedy added a project: 3D.Feb 26 2017, 12:54 AM

Oh, another one from the PHP...

https://phabricator.wikimedia.org/source/3d/browse/master/ThreeDHandler.php;f5dbb9ecfac876eda0d4c1129272147a5dc9b1bc$83 both $height and $width are undefined. They don't come part of those variables till 86/87

en.json, qqq.json and extension.json are all space indented, should be tabs

mmv.3d.js

lots of == should they be === ? Type coercion etc. I notice we mostly seem to use triple equals in other MW JS code
I keep thinking threed is a typo for thread (due to all lower case)

There's various == that maybe should be === in Three too?

Security:

Should three/AMFLoader.js still be about? It was removed from 3d2png in rTDTPf8be12e34ce91fed5caa728e3597dfebb46818b3 due to security concerns with XML formats. And similar, if not, should we remove the amf code from mmv.3d.js; no point it being around otherwise

General

three.js is hell to even try and code review. Over 40k lines of javascript? And I notice, it seems to be comprised of various individual files. I guess it came from here? My browser doesn't like it, and neither does PhpStorm
- https://github.com/mrdoob/three.js/blob/dev/src/Three.js vs https://phabricator.wikimedia.org/source/3d/browse/master/modules/three/three.js vs https://github.com/mrdoob/three.js/blob/r75/src/Three.js
- Can we just include them 1:1 from upstream? Again, T107561 would be a much nicer way to fix/include these for sure

Disclaimer: As most of you know, I'm not a JS developer.... I don't see anything obviously wrong from a security point of view. But there are some more general improvements that should be made to the extension with this and the last few comments to fix various other issues

MarkTraceur mentioned this in T157409: 3d extension has inconsistent license.Feb 27 2017, 5:40 PM

D580 should fix these concerns, but I skipped a couple as noted in the commit message.

Change 340330 had a related patch set uploaded (by Jforrester; owner: MarkTraceur):
Fix security/general concerns

https://gerrit.wikimedia.org/r/340330

gerritbot added a project: Patch-For-Review.Feb 28 2017, 4:25 PM

Jdforrester-WMF mentioned this in rETHR5969a007825c: Fix security/general concerns.Feb 28 2017, 11:11 PM

Diffusion mentioned this in rETHR8f0a2c9c37ba: Fix security/general concerns.Feb 28 2017, 11:11 PM

Jdforrester-WMF mentioned this in rETHRd60b9a59eb31: Fix security/general concerns.Feb 28 2017, 11:11 PM

Diffusion mentioned this in rETHR6438cc510ed2: Fix security/general concerns.Mar 1 2017, 3:59 PM

Diffusion mentioned this in rETHR27b27e9a6ad3: Fix security/general concerns.Mar 1 2017, 4:11 PM

Jdforrester-WMF mentioned this in rETHRb0552a93c724: Fix security/general concerns.Mar 1 2017, 4:30 PM

Jdforrester-WMF mentioned this in rETHR9011dbe778c0: Fix security/general concerns.Mar 1 2017, 4:38 PM

MarkTraceur mentioned this in rETHR4f1a5b2b90b9: Fix security/general concerns.Mar 1 2017, 4:57 PM

Diffusion mentioned this in rETHR583b01066845: Fix security/general concerns.Mar 1 2017, 5:10 PM

Jdforrester-WMF mentioned this in T158830: Communicate enabling Extension:3d on Commons.Mar 2 2017, 1:32 AM

• Elitre added a subtask: T158830: Communicate enabling Extension:3d on Commons.Mar 2 2017, 12:22 PM

Jdforrester-WMF mentioned this in rETHR95a8edae6671: Fix security/general concerns.Mar 2 2017, 4:10 PM

Jdforrester-WMF mentioned this in rETHR72e62c5fccd2: Fix security/general concerns.Mar 2 2017, 4:15 PM

Change 340330 merged by Jforrester:
[mediawiki/extensions/3D] Fix security/general concerns

https://gerrit.wikimedia.org/r/340330

Jdforrester-WMF removed a project: Patch-For-Review.Mar 2 2017, 6:22 PM

MarkTraceur mentioned this in T159717: Deploy Extension:3d to beta cluster.Mar 6 2017, 3:12 PM

Could deployment to Commons please be delayed until some tools etc. has been created to deal with copyvio detection and protection work etc.? Right now Commons users does not have any tools to detect if a 3d file is a copyvio (code-wise), nor an easy way to check if is a 3d-derviative of something copyrightable, or of other 3D-files.

Can some time be spend by the Multimedia team be spent on helping the community finding ways to detect bad and "stolen" 3d-works/file, before deploying this live on Commons?

Josve05a added a project: Commons.Mar 6 2017, 11:52 PM

@Josve05a The security review isn't a good fit to discuss deployment strategy. It seems T132058 is used for coordination. I've copied your comment there.

Dereckson mentioned this in T132058: 3d extension supporting STL (3d printing files).Mar 7 2017, 3:16 AM

In T157077#3078624, @Dereckson wrote:

@Josve05a The security review isn't a good fit to discuss deployment strategy. It seems T132058 is used for coordination. I've copied your comment there.

Oh, I had that task open in another tab, and wrote my comment in the wrong tab. Sorry 'bout that.

Josve05a removed a project: Commons.Mar 7 2017, 4:31 AM

Reedy closed this task as Resolved.Mar 7 2017, 2:45 PM

Reedy claimed this task.

MarkTraceur removed a subtask: T158830: Communicate enabling Extension:3d on Commons.May 8 2017, 3:27 PM

sbassett moved this task from Scheduled to Done on the deprecated-security-team-reviews board.Jul 9 2019, 8:27 PM

Restricted Application added a project: Multimedia. · View Herald TranscriptJul 9 2019, 8:27 PM

• chasemp removed a project: deprecated-security-team-reviews.Jan 8 2020, 4:12 PM

• chasemp added a project: Application Security Reviews.Jan 8 2020, 4:39 PM

• chasemp moved this task from Incoming to Our Part Is Done on the Application Security Reviews board.Jan 8 2020, 4:43 PM

• chasemp added a project: secscrum.Mar 10 2020, 8:11 PM

• chasemp moved this task from Incoming to Our Part Is Done on the secscrum board.Mar 10 2020, 8:19 PM