CVE-2021-30152: action=protect lets users with 'protect' permission protect to higher protection level
Closed, ResolvedPublicSecurity
Actions

Assigned To

Authored By

	Tobi_406
	Dec 22 2020, 4:53 PM

Description

If a user with protect permission protects a page using APISandbox they can protect the page to a higher protection level than they can edit. If action=edit and action=protect are not restricted, the user can also unprotect the page

How to reproduce

Add the following to LocalSettings.php:

$wgGroupPermissions['protect']['protect'] = true;

Create an account and assign it to the protect group (for example, using maintenance scripts, php maintenance/createAndPromote.php --custom-groups protect TestUser TestPassword)
Login as the newly created user
Go to index.php?title=TestPage&action=protect
- see that user can't protect to "allow only administrators"
Go to index.php?title=Special:ApiSandbox#action=protect&format=json&title=TestPage&protections=create%3Dsysop
- you can also choose other protection levels and types from $wgRestrictionLevels and $wgRestrictionTypes respectively
- click action=protect
- hit "auto-fill the token"
- hit "make request"
Go to index.php?title=TestPage&action=history
- see that page is protected so that only administrators may create it
You can also remove the protection level again by going to Special:ApiSandbox#action=protect&format=json&title=TestPage&protections=create%3Dall
- this doesn't work if you've previously restricted the edit and/or protect types

(Credit for finding this goes to my friend Magiczocker10)

Details

Subject	Repo	Branch	Lines +/-
SECURITY: Allow user to only apply protection they have right to do so via action=protect	mediawiki/core	REL1_36	+5 -1
SECURITY: Allow user to only apply protection they have right to do so via action=protect	mediawiki/core	master	+5 -1
SECURITY: Allow user to only apply protection they have right to do so via action=protect	mediawiki/core	REL1_35	+5 -1
SECURITY: Allow user to only apply protection they have right to do so via action=protect	mediawiki/core	REL1_31	+5 -1

Customize query in gerrit

Related Objects
Search...

Status	Subtype	Assigned	Task
Resolved		Reedy	T270458 Release MediaWiki 1.31.13/1.35.2
Resolved		Reedy	T270459 Tracking bug for MediaWiki 1.31.13/1.35.2
Resolved	Security	Reedy	T270713 CVE-2021-30152: action=protect lets users with 'protect' permission protect to higher protection level

Event Timeline

Tobi_406 created this task.Dec 22 2020, 4:53 PM

Restricted Application added a subscriber: Aklapper. · View Herald TranscriptDec 22 2020, 4:53 PM

Tobi_406 renamed this task from APISandbox lets users with 'protect' permission bypass protection levels to APISandbox lets users with 'protect' permission protect to higher protection level.Dec 22 2020, 4:54 PM

Tobi_406 updated the task description. (Show Details)Dec 22 2020, 6:32 PM

Legoktm set Security to Software security bug.Dec 22 2020, 6:33 PM

Legoktm added projects: Security, Security-Team.

Legoktm changed the visibility from "Public (No Login Required)" to "Custom Policy".

Legoktm changed the subtype of this task from "Task" to "Security Issue".

Legoktm subscribed.

Tobi_406 updated the task description. (Show Details)Dec 22 2020, 6:59 PM

Tobi_406 added subscribers: Magiczocker10, MarkusRost.

@Tobi_406 are you sure this is due to the api sandbox and not the api itself? The api should just be calling the relevant action specified and not override any of the behavior

The api should just be calling the relevant action specified and not override any of the behavior

Do you mean the api samdbox in that sentence?
But no, I'm not sure, I wasn't able to get it working to check with the API directly (I don't use it often, sorry).
So I used ApiSandbox and to make the task as detailed as possible I specified I used ApiSandbox.
But yes, I do think it has to do with the API, just don't have any evidence for that.

In T270713#6709472, @Tobi_406 wrote:

The api should just be calling the relevant action specified and not override any of the behavior

Do you mean the api samdbox in that sentence?
But no, I'm not sure, I wasn't able to get it working to check with the API directly (I don't use it often, sorry).
So I used ApiSandbox and to make the task as detailed as possible I specified I used ApiSandbox.
But yes, I do think it has to do with the API, just don't have any evidence for that.

Yes, sorry, I meant "the api sandbox should just be calling the relevant action specified and not override any of the behavior"

Reedy added a project: Vuln-MissingAuthz.Dec 23 2020, 3:33 AM

sbassett moved this task from Incoming to Watching on the Security-Team board.Jan 4 2021, 4:10 PM

https://www.mediawiki.org/w/api.php?action=help&modules=protect
https://www.mediawiki.org/w/api.php?action=paraminfo&modules=protect

Reedy updated the task description. (Show Details)Jan 4 2021, 5:07 PM

I will note that allowing users to protect higher than their rights allow isn't necessarily an issue. Being able to remove that is more of an issue.

And there's the discrepency between endpoints

Reedy updated the task description. (Show Details)Jan 4 2021, 5:12 PM

Reedy updated the task description. (Show Details)

The user facing form does

		$levels = $this->permManager->getNamespaceRestrictionLevels(
			$this->mTitle->getNamespace(), $this->mContext->getUser()
		);

and

			$val = $request->getVal( "mwProtect-level-$action" );
			if ( isset( $val ) && in_array( $val, $levels ) ) {
				$this->mRestrictions[$action] = $val;
			}

~~The API doesn't do anything with getNamespaceRestrictionLevels. No validation~~

We can't fix the API allowed parameters, to be documented in the autogenerated page, as it can vary between pages (or, well, Namespaces)

			'protections' => [
				ApiBase::PARAM_ISMULTI => true,
				ApiBase::PARAM_REQUIRED => true,
			],

Ok, so looking further, the problem is the way the API does the validation;

			if ( !in_array( $p[1], $this->getConfig()->get( 'RestrictionLevels' ) ) && $p[1] != 'all' ) {
				$this->dieWithError( [ 'apierror-protect-invalidlevel', wfEscapeWikiText( $p[1] ) ] );
			}

It just uses effectively $wgRestrictionLevels which is not modified for the user

> var_dump( $wgRestrictionLevels );
/var/www/wiki/mediawiki/core/maintenance/eval.php(82) : eval()'d code:1:
array(3) {
  [0] =>
  string(0) ""
  [1] =>
  string(13) "autoconfirmed"
  [2] =>
  string(5) "sysop"
}

The error message is

	"apierror-protect-invalidlevel": "Invalid protection level \"$1\".",

So for a patch that should be good for production.. As yet untested...

diff --git a/includes/api/ApiProtect.php b/includes/api/ApiProtect.php
index 16f7a55a56..50f2521caf 100644
--- a/includes/api/ApiProtect.php
+++ b/includes/api/ApiProtect.php
@@ -67,6 +67,10 @@ class ApiProtect extends ApiBase {
                }
 
                $restrictionTypes = $titleObj->getRestrictionTypes();
+               $levels = $this->getPermissionManager()->getNamespaceRestrictionLevels(
+                       $titleObj->getNamespace(),
+                       $user
+               );
 
                $protections = [];
                $expiryarray = [];
@@ -85,7 +89,7 @@ class ApiProtect extends ApiBase {
                        if ( !in_array( $p[0], $restrictionTypes ) && $p[0] != 'create' ) {
                                $this->dieWithError( [ 'apierror-protect-invalidaction', wfEscapeWikiText( $p[0] ) ] );
                        }
-                       if ( !in_array( $p[1], $this->getConfig()->get( 'RestrictionLevels' ) ) && $p[1] != 'all' ) {
+                       if ( !in_array( $p[1], $levels ) && $p[1] != 'all' ) {
                                $this->dieWithError( [ 'apierror-protect-invalidlevel', wfEscapeWikiText( $p[1] ) ] );
                        }

It will give the "Invalid protection level" error, which technically isn't correct, but is better than just allowing it.

Also, adding i18n messages into WMF production in security patches is painful. So we won't do that

We can do a followup/add on patch for this to add another message to be used in this case. It depends whether we really care about differentiating between "invalid" restrictions, and restrictions that are "invalid" (or rather, not allowed) for that user

Which means a patch more like

diff --git a/includes/api/ApiProtect.php b/includes/api/ApiProtect.php
index 16f7a55a56..7abedede93 100644
--- a/includes/api/ApiProtect.php
+++ b/includes/api/ApiProtect.php
@@ -67,6 +67,10 @@ class ApiProtect extends ApiBase {
                }
 
                $restrictionTypes = $titleObj->getRestrictionTypes();
+               $levels = $this->getPermissionManager()->getNamespaceRestrictionLevels(
+                       $titleObj->getNamespace(),
+                       $user
+               );
 
                $protections = [];
                $expiryarray = [];
@@ -88,6 +92,10 @@ class ApiProtect extends ApiBase {
                        if ( !in_array( $p[1], $this->getConfig()->get( 'RestrictionLevels' ) ) && $p[1] != 'all' ) {
                                $this->dieWithError( [ 'apierror-protect-invalidlevel', wfEscapeWikiText( $p[1] ) ] );
                        }
+                       if ( !in_array( $p[1], $levels ) && $p[1] != 'all' ) {
+                               // TODO: Add new message for "user isn't allowed to add this protection"
+                               $this->dieWithError( [ 'apierror-protect-invalidlevel', wfEscapeWikiText( $p[1] ) ] );
+                       }
 
                        if ( wfIsInfinity( $expiry[$i] ) ) {
                                $expiryarray[$p[0]] = 'infinity';

I don't imagine this is actually necessary, so we can probably just re-purpose this message for the master/deployment branch patches

T270713-master.patch1 KBDownload

is basically the first first posted above; no i18n changes

Reedy added a project: Patch-For-Review.Jan 4 2021, 6:09 PM

Reedy renamed this task from APISandbox lets users with 'protect' permission protect to higher protection level to action=protect lets users with 'protect' permission protect to higher protection level.Jan 4 2021, 6:11 PM

Reedy added a parent task: T270459: Tracking bug for MediaWiki 1.31.13/1.35.2.

Wouldn't returning a permissions error be the better message? That message should already exist as well and the user is in fact missing the permission to protect to that level.

If you can find a better pre-existing message, sure.

Like I say, I'm not adding (or altering an existing) message for the patch deployed to Wikimedia production. We can do so for a patch that eventually lands in master and release branches.

There's some similar, but not quite right messages, for example:

	"protect-locked-access": "Your account does not have permission to change page protection levels.\nHere are the current settings for the page <strong>$1</strong>:",

It kinda looks like the form for protect just silently discards it where the user doesn't have the right. so some error from the API is better than the apparent silent failure

			$val = $request->getVal( "mwProtect-level-$action" );
			if ( isset( $val ) && in_array( $val, $levels ) ) {
				$this->mRestrictions[$action] = $val;
			}

• holger.knust triaged this task as High priority.Jan 5 2021, 9:19 PM

• holger.knust edited projects, added Platform Team Workboards (Clinic Duty Team); removed Platform Engineering.

• holger.knust moved this task from Inbox to Later on the Platform Team Workboards (Clinic Duty Team) board.

sbassett subscribed.Jan 14 2021, 7:22 PM

sbassett moved this task from Watching to Security Patch To Deploy on the Security-Team board.Jan 27 2021, 9:49 PM

Should probably get this deployed...

Deployed the patch from T270713#6720158 to wmf.27. Logs seem fine.

What's the status here? Is this fixed in master?

In T270713#6944605, @daniel wrote:

What's the status here? Is this fixed in master?

The security patch is deployed per T270713#6794141 (also tracked at T276237) and being held for the next security release, which I'd imagine will be out in the next couple of weeks. So no, not on master yet. The tracking task for embargoed security bugs is here: T270459.

Reedy mentioned this in T270459: Tracking bug for MediaWiki 1.31.13/1.35.2.Mar 30 2021, 12:40 AM

Reedy claimed this task.Mar 30 2021, 1:07 AM

Master patch applies cleanly on 1.35 and 1.31. Wheee.

Reedy renamed this task from action=protect lets users with 'protect' permission protect to higher protection level to [CVE-2021-30152] action=protect lets users with 'protect' permission protect to higher protection level.Apr 6 2021, 7:09 PM

Reedy renamed this task from [CVE-2021-30152] action=protect lets users with 'protect' permission protect to higher protection level to CVE-2021-30152: action=protect lets users with 'protect' permission protect to higher protection level.

Reedy added a subscriber: gerritbot.Apr 8 2021, 7:11 PM

Change 678032 had a related patch set uploaded (by Reedy; author: Reedy):

[mediawiki/core@REL1_31] SECURITY: Allow user to only apply protection they have right to do so via action=protect

https://gerrit.wikimedia.org/r/678032

Change 678038 had a related patch set uploaded (by Reedy; author: Reedy):

[mediawiki/core@REL1_35] SECURITY: Allow user to only apply protection they have right to do so via action=protect

https://gerrit.wikimedia.org/r/678038

Change 678032 merged by jenkins-bot:

[mediawiki/core@REL1_31] SECURITY: Allow user to only apply protection they have right to do so via action=protect

https://gerrit.wikimedia.org/r/678032

Change 678038 merged by jenkins-bot:

[mediawiki/core@REL1_35] SECURITY: Allow user to only apply protection they have right to do so via action=protect

https://gerrit.wikimedia.org/r/678038

Change 678073 had a related patch set uploaded (by Reedy; author: Reedy):

[mediawiki/core@master] SECURITY: Allow user to only apply protection they have right to do so via action=protect

https://gerrit.wikimedia.org/r/678073

Reedy changed the visibility from "Custom Policy" to "Public (No Login Required)".Apr 8 2021, 9:07 PM

Reedy mentioned this in T279717: Followup to T270713.

Bugreporter mentioned this in T217005: Fix wgRestrictionLevels for all Serbian projects to fully work.Apr 8 2021, 9:43 PM

Change 678073 merged by jenkins-bot:

[mediawiki/core@master] SECURITY: Allow user to only apply protection they have right to do so via action=protect

https://gerrit.wikimedia.org/r/678073

Change 677962 had a related patch set uploaded (by Reedy; author: Reedy):

[mediawiki/core@REL1_36] SECURITY: Allow user to only apply protection they have right to do so via action=protect

https://gerrit.wikimedia.org/r/677962

ReleaseTaggerBot added a project: MW-1.37-notes (1.37.0-wmf.1; 2021-04-13).Apr 8 2021, 11:00 PM

Change 677962 merged by jenkins-bot: