Page MenuHomePhabricator
Create Task
Maniphest T308659

Validate lemma length in Special:NewLexeme(Alpha) and label/description/aliases length in Special:NewProperty (CVE-2022-34750)
Closed, ResolvedPublic3 Estimated Story PointsSecurity
Actions

Assigned To
Lucas_Werkmeister_WMDE
Authored By
Lucas_Werkmeister_WMDE
May 18 2022, 11:25 AM
Tags
Referenced Files
F35169060: 0001-SECURITY-Validate-lemma-length-in-Special-NewLexeme-.patch
May 23 2022, 10:24 AM
F35151954: 0001-SECURITY-Validate-term-length-in-Special-NewProperty.patch
May 18 2022, 4:46 PM
Subscribers
Aklapper
Erdinc_Ciftci_WMDE
guergana.tzatchkova
ItamarWMDE
karapayneWMDE
Lucas_Werkmeister_WMDE
Lydia_Pintscher
View All 13 Subscribers

Description

The lemma of a Lexeme is supposed to be no longer than 1000 characters (code points, mb_strlen), but this is currently not validated when creating a new Lexeme through Special:NewLexeme, or through the no-JS version of Special:NewLexemeAlpha. (The JS version of Special:NewLexemeAlpha uses the API to create the Lexeme, where the lemma length is properly validated.) This lets you create a Lexeme with a lemma much longer than should be supported (I tested 32768 🤔s, which was enough to start slowing down the browser), where the lemma can’t afterwards be edited unless you make it short enough to be below the limit.

Update: Likewise, the label, description and aliases of a new Property should also be limited to a certain length (though in this case the limit is configurable instead of hard-coded), see T308659#7939007.

Details

Risk Rating
Low
Author Affiliation
Wikimedia Deutschland
SubjectRepoBranchLines +/-
Clean up lemma length validationmediawiki/extensions/WikibaseLexememaster+71 -25
SECURITY: Validate lemma length in Special:NewLexememediawiki/extensions/WikibaseLexemeREL1_35+18 -1
SECURITY: Validate term length in Special:NewPropertymediawiki/extensions/WikibaseREL1_35+168 -56
SECURITY: Validate lemma length in Special:NewLexememediawiki/extensions/WikibaseLexemeREL1_37+18 -1
SECURITY: Validate term length in Special:NewPropertymediawiki/extensions/WikibaseREL1_37+178 -60
SECURITY: Validate lemma length in Special:NewLexeme(Alpha)mediawiki/extensions/WikibaseLexemeREL1_38+36 -2
SECURITY: Validate term length in Special:NewPropertymediawiki/extensions/WikibaseREL1_38+175 -57
SECURITY: Validate term length in Special:NewPropertymediawiki/extensions/Wikibasemaster+175 -57
SECURITY: Validate lemma length in Special:NewLexeme(Alpha)mediawiki/extensions/WikibaseLexememaster+36 -2
Customize query in gerrit

Related Objects

Event Timeline

Lucas_Werkmeister_WMDE created this task.May 18 2022, 11:25 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMay 18 2022, 11:25 AM
Lucas_Werkmeister_WMDE added projects: Wikidata, Wikidata Lexicographical data, Special:NewLexeme revival.May 18 2022, 11:26 AM
Lucas_Werkmeister_WMDE added subscribers: Lydia_Pintscher, Manuel, karapayneWMDE and 5 others.
Lucas_Werkmeister_WMDE added a comment.May 18 2022, 11:29 AM

Also, if you make the lemma shorter, you can still restore an old revision with the long lemma, both via regular MediaWiki “undo” and via the Wikibase-specific “restore” feature. This surprises me (I would have thought that restoring old revisions would go through the ChangeOp mechanism, which seems to be where the lemma length validation happens), but I’m not sure if we should fix it.

Lucas_Werkmeister_WMDE added a comment.May 18 2022, 11:36 AM

Also, Lexemes with overlong lemmas can be merged into other Lexemes, so in theory you can “edit” the overlong lemma:

  • change lemma to something short and with a different language code
  • create new Lexeme with edited language code (spelling variant)
  • merge that Lexeme into the original one
  • remove short lemma again

This is probably not worth fixing separately, once it’s impossible to create these Lexemes in the first place it should no longer be an issue.

The Wikidata Query Service doesn’t find any existing Lexemes with a lemma above 1000 UTF-16 code units (queryBlazegraph STRLEN() counts code units not code points); since code units ≥ code points, I think that means there are no Lexemes with a lemma that’s too long in Wikidata at the moment.

Manuel added a comment.May 18 2022, 1:22 PM

Good catch, Lucas! Am I right to assume that the team will work on things like this with a high priority even without me doing something about it specifically?

ItamarWMDE mentioned this in T305854: Per-field inline validation and error messages for invalid input in lemma, language, spelling variant or lexical category field.May 18 2022, 1:40 PM
Lucas_Werkmeister_WMDE claimed this task.May 18 2022, 1:47 PM
Lucas_Werkmeister_WMDE edited projects, added Special:NewLexeme revival (Special:NewLexeme revival - sprint 8); removed Special:NewLexeme revival.
Lucas_Werkmeister_WMDE moved this task from To Do to Doing on the Special:NewLexeme revival (Special:NewLexeme revival - sprint 8) board.

Yeah, I can look into it now (we agreed to pull it into the sprint).

Lucas_Werkmeister_WMDE added a comment.May 18 2022, 3:58 PM

This turns out to affect Special:NewProperty as well, it doesn’t validate the label, description and aliases using the general term validators. (Special:NewItem does validate them.)

Lucas_Werkmeister_WMDE moved this task from Doing to Peer Review on the Special:NewLexeme revival (Special:NewLexeme revival - sprint 8) board.EditedMay 18 2022, 4:46 PM

Wikibase patch for Special:NewProperty:

0001-SECURITY-Validate-term-length-in-Special-NewProperty.patch20 KBDownload

I’ll do Special:NewLexeme(Alpha) tomorrow on Friday, probably.

Lucas_Werkmeister_WMDE renamed this task from Validate lemma length in Special:NewLexeme(Alpha) to Validate lemma length in Special:NewLexeme(Alpha) and label/description/aliases length in Special:NewProperty.May 18 2022, 5:16 PM
Lucas_Werkmeister_WMDE updated the task description. (Show Details)
Michael added a comment.May 23 2022, 9:37 AM
In T308659#7939191, @Lucas_Werkmeister_WMDE wrote:

Wikibase patch for Special:NewProperty:

0001-SECURITY-Validate-term-length-in-Special-NewProperty.patch20 KBDownload

I’ll do Special:NewLexeme(Alpha) tomorrow on Friday, probably.

While that would be a fine patch on Gerrit, it does touch quite a bit of code. Do we actually need the cleanup changes to Special:NewItem in this security patch, when the actual issue we want to fix is in Special:NewProperty? Maybe this is ok though if the actual security release is done very soon

Lucas_Werkmeister_WMDE added a comment.May 23 2022, 9:56 AM

We don’t really need them, but I would prefer to do them at the same time so that we don’t forget about it or have the two special pages inconsistent with one another for longer than is necessary. Looking at the Release policy and News, it looks like we can expect the next security release by the end of June, which feels soon enough to me.

Michael added a comment.May 23 2022, 10:14 AM

Mh, ok. After trying it out locally, the patch seems to work fine. And given that Special:NewItem and Special:NewProperty shouldn't seeing that many changes, I think going forward with it in its current form is ok. Let's make sure we really get that end-of-june security release though.

Lucas_Werkmeister_WMDE added a comment.May 23 2022, 10:24 AM

Okay, and here’s a WikibaseLexeme patch (shorter, because the relevant WikibaseLexeme code is more likely to have other changes in the coming weeks, so in this case it’s probably better to err on the side of caution and keep the security patch minimal):

0001-SECURITY-Validate-lemma-length-in-Special-NewLexeme-.patch5 KBDownload

sbassett subscribed.May 24 2022, 6:50 PM
In T308659#7949381, @Lucas_Werkmeister_WMDE wrote:

Okay, and here’s a WikibaseLexeme patch (shorter, because the relevant WikibaseLexeme code is more likely to have other changes in the coming weeks, so in this case it’s probably better to err on the side of caution and keep the security patch minimal):

+1 to this as an efficient security patch, for now, though I didn't test. The logic seems simple and correct enough. I assume the TODOs imply this patch might not be directly backported in gerrit, but improved upon once deployed?

Lucas_Werkmeister_WMDE added a comment.May 25 2022, 8:07 AM

My thinking was that the patch could be pushed to Gerrit and merged as is (together with other patches for the next security release), and then the TODO could be addressed afterwards.

Lucas_Werkmeister_WMDE added a comment.May 25 2022, 2:09 PM

Though I’m interested what workflow you would prefer for improving security changes once deployed – should we leave instructions in the commit messages about how the changes are to be combined for Gerrit (git rebase --autosquash style, perhaps), or directly squash patches together, altering history in /src/mediwiki-staging and committing changes to existing patch files in /srv/patches?

Lucas_Werkmeister_WMDE added a comment.May 25 2022, 2:34 PM

Alright, Wikibase and WikibaseLexeme patches deployed (tested on Test Wikidata). https://sal.toolforge.org/log/kF-j-4AB8Fs0LHO5NIzv

sbassett added a comment.May 25 2022, 2:40 PM
In T308659#7955574, @Lucas_Werkmeister_WMDE wrote:

My thinking was that the patch could be pushed to Gerrit and merged as is (together with other patches for the next security release), and then the TODO could be addressed afterwards.
...
Though I’m interested what workflow you would prefer for improving security changes once deployed – should we leave instructions in the commit messages about how the changes are to be combined for Gerrit (git rebase --autosquash style, perhaps), or directly squash patches together, altering history in /src/mediwiki-staging and committing changes to existing patch files in /srv/patches?

We don't have any official guidance for this as it's generally been handled on a case-by-case basis, IME. I think it comes down to a judgment call on how "sloppy" the security patches are. If they're hastily developed and intended as a very temporary fix and/or involve multiple patches due to iterative bug-fixing, then we'd likely recommend refactoring/squashing before backporting in gerrit. If the patches themselves are mostly fine but could or should be cleaned up later, such follow-up work can happen at a later date, after the initial security patch backports are merged in gerrit, at the discretion of the code maintainers.

Lucas_Werkmeister_WMDE added a comment.May 25 2022, 2:45 PM

Alright, thanks. I’d see this as the latter category, i.e. I don’t plan to further work on it until the current patches have been published as part of the next security release.

Lucas_Werkmeister_WMDE edited projects, added Special:NewLexeme revival; removed Special:NewLexeme revival (Special:NewLexeme revival - sprint 8).May 25 2022, 4:06 PM
Lucas_Werkmeister_WMDE moved this task from Backlog to Tech backlog on the Special:NewLexeme revival board.
Mstyles mentioned this in T305209: Write and send supplementary release announcement for extensions and skins with security patches (1.35.7/1.37.3/1.38.2).Jun 3 2022, 7:43 PM
sbassett moved this task from Incoming to Watching on the Security-Team board.Jun 6 2022, 4:28 PM
sbassett added a project: Vuln-DoS.Jun 24 2022, 6:33 PM
sbassett added a comment.Jun 24 2022, 6:52 PM

Hey @Lucas_Werkmeister_WMDE - The security team is attempting to get the next supplemental security release (T305209) out within the next week or two, and we were hoping to include this bug. I know there was some discussion above about polishing the two existing security patches a bit more. Would you still prefer to do that or should we try to push what exists now up to gerrit, get them merged so we can remove the patches from production and have something available for the supplemental release? I'd perfer that approach but I'm also fine with waiting and keeping this bug locked down for a while longer, perhaps until next quarter's supplemental security release, but likely not after that.

Lucas_Werkmeister_WMDE added a comment.Jun 27 2022, 7:58 AM

Feel free to upload and merge them now, the intention was to polish them afterwards (and it should be fine if the polishing patches don’t make it into the security release – they’d only make the code more maintainable, without changing anything at runtime, so they’re mostly important for the master branch).

sbassett triaged this task as Low priority.Jun 27 2022, 6:45 PM
sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".
sbassett changed the edit policy from "Custom Policy" to "All Users".
sbassett changed Risk Rating from N/A to Low.
gerritbot added a comment.Jun 27 2022, 6:45 PM

Change 808989 had a related patch set uploaded (by SBassett; author: Lucas Werkmeister (WMDE)):

[mediawiki/extensions/Wikibase@master] SECURITY: Validate term length in Special:NewProperty

https://gerrit.wikimedia.org/r/808989

gerritbot added a project: Patch-For-Review.Jun 27 2022, 6:45 PM
gerritbot added a comment.Jun 27 2022, 6:49 PM

Change 808990 had a related patch set uploaded (by SBassett; author: Lucas Werkmeister (WMDE)):

[mediawiki/extensions/WikibaseLexeme@master] SECURITY: Validate lemma length in Special:NewLexeme(Alpha)

https://gerrit.wikimedia.org/r/808990

gerritbot added a comment.Jun 27 2022, 7:01 PM

Change 808948 had a related patch set uploaded (by SBassett; author: Lucas Werkmeister (WMDE)):

[mediawiki/extensions/Wikibase@REL1_38] SECURITY: Validate term length in Special:NewProperty

https://gerrit.wikimedia.org/r/808948

gerritbot added a comment.Jun 27 2022, 7:02 PM

Change 808949 had a related patch set uploaded (by SBassett; author: Lucas Werkmeister (WMDE)):

[mediawiki/extensions/WikibaseLexeme@REL1_38] SECURITY: Validate lemma length in Special:NewLexeme(Alpha)

https://gerrit.wikimedia.org/r/808949

gerritbot added a comment.Jun 27 2022, 7:56 PM

Change 808989 merged by jenkins-bot:

[mediawiki/extensions/Wikibase@master] SECURITY: Validate term length in Special:NewProperty

https://gerrit.wikimedia.org/r/808989

gerritbot added a comment.Jun 27 2022, 7:57 PM

Change 808990 merged by jenkins-bot:

[mediawiki/extensions/WikibaseLexeme@master] SECURITY: Validate lemma length in Special:NewLexeme(Alpha)

https://gerrit.wikimedia.org/r/808990

ReleaseTaggerBot added a project: MW-1.39-notes (1.39.0-wmf.18; 2022-06-27).Jun 27 2022, 8:00 PM
Zabe subscribed.Jun 27 2022, 8:17 PM
gerritbot added a comment.Jun 28 2022, 9:03 AM

Change 808948 merged by jenkins-bot:

[mediawiki/extensions/Wikibase@REL1_38] SECURITY: Validate term length in Special:NewProperty

https://gerrit.wikimedia.org/r/808948

gerritbot added a comment.Jun 28 2022, 9:30 AM

Change 808949 merged by jenkins-bot:

[mediawiki/extensions/WikibaseLexeme@REL1_38] SECURITY: Validate lemma length in Special:NewLexeme(Alpha)

https://gerrit.wikimedia.org/r/808949

karapayneWMDE edited projects, added Special:NewLexeme revival (Special:NewLexeme revival - sprint 11); removed Special:NewLexeme revival.Jun 28 2022, 9:31 AM
karapayneWMDE set Summary to 3.
Lucas_Werkmeister_WMDE moved this task from To Do to Doing on the Special:NewLexeme revival (Special:NewLexeme revival - sprint 11) board.Jun 28 2022, 2:47 PM
karapayneWMDE removed Summary.Jun 28 2022, 2:48 PM
karapayneWMDE set the point value for this task to 3.
gerritbot added a comment.Jun 28 2022, 3:31 PM

Change 809203 had a related patch set uploaded (by Lucas Werkmeister (WMDE); author: Lucas Werkmeister (WMDE)):

[mediawiki/extensions/WikibaseLexeme@master] Clean up lemma length validation

https://gerrit.wikimedia.org/r/809203

Lucas_Werkmeister_WMDE moved this task from Doing to Peer Review on the Special:NewLexeme revival (Special:NewLexeme revival - sprint 11) board.Jun 28 2022, 3:49 PM
MoritzMuehlenhoff subscribed.Jun 29 2022, 9:37 AM

This appeared in the CVE feed as https://www.cve.org/CVERecord?id=CVE-2022-34750

MoritzMuehlenhoff renamed this task from Validate lemma length in Special:NewLexeme(Alpha) and label/description/aliases length in Special:NewProperty to Validate lemma length in Special:NewLexeme(Alpha) and label/description/aliases length in Special:NewProperty (CVE-2022-34750).Jun 29 2022, 9:37 AM
gerritbot added a comment.Jun 29 2022, 10:52 AM

Change 809572 had a related patch set uploaded (by Lucas Werkmeister (WMDE); author: Lucas Werkmeister (WMDE)):

[mediawiki/extensions/Wikibase@REL1_37] SECURITY: Validate term length in Special:NewProperty

https://gerrit.wikimedia.org/r/809572

gerritbot added a comment.Jun 29 2022, 1:47 PM

Change 809601 had a related patch set uploaded (by Lucas Werkmeister (WMDE); author: Lucas Werkmeister (WMDE)):

[mediawiki/extensions/Wikibase@REL1_35] SECURITY: Validate term length in Special:NewProperty

https://gerrit.wikimedia.org/r/809601

sbassett added a comment.Jun 29 2022, 1:50 PM
In T308659#8036319, @MoritzMuehlenhoff wrote:

This appeared in the CVE feed as https://www.cve.org/CVERecord?id=CVE-2022-34750

Yes, I requested that ID a couple of days ago and forgot to update the task title here. Thanks for doing that.

gerritbot added a comment.Jun 29 2022, 1:52 PM

Change 809603 had a related patch set uploaded (by Lucas Werkmeister (WMDE); author: Lucas Werkmeister (WMDE)):

[mediawiki/extensions/WikibaseLexeme@REL1_37] SECURITY: Validate lemma length in Special:NewLexeme

https://gerrit.wikimedia.org/r/809603

gerritbot added a comment.Jun 29 2022, 1:52 PM

Change 809604 had a related patch set uploaded (by Lucas Werkmeister (WMDE); author: Lucas Werkmeister (WMDE)):

[mediawiki/extensions/WikibaseLexeme@REL1_35] SECURITY: Validate lemma length in Special:NewLexeme

https://gerrit.wikimedia.org/r/809604

gerritbot added a comment.Jun 29 2022, 2:04 PM

Change 809572 merged by jenkins-bot:

[mediawiki/extensions/Wikibase@REL1_37] SECURITY: Validate term length in Special:NewProperty

https://gerrit.wikimedia.org/r/809572

gerritbot added a comment.Jun 29 2022, 2:52 PM

Change 809603 merged by jenkins-bot:

[mediawiki/extensions/WikibaseLexeme@REL1_37] SECURITY: Validate lemma length in Special:NewLexeme

https://gerrit.wikimedia.org/r/809603

gerritbot added a comment.Jun 29 2022, 2:53 PM

Change 809601 merged by jenkins-bot:

[mediawiki/extensions/Wikibase@REL1_35] SECURITY: Validate term length in Special:NewProperty

https://gerrit.wikimedia.org/r/809601

gerritbot added a comment.Jun 29 2022, 3:25 PM

Change 809604 merged by Lucas Werkmeister (WMDE):

[mediawiki/extensions/WikibaseLexeme@REL1_35] SECURITY: Validate lemma length in Special:NewLexeme

https://gerrit.wikimedia.org/r/809604

Lucas_Werkmeister_WMDE added a comment.Jun 29 2022, 3:32 PM

Backported the patches to REL1_35 and REL1_37 (1.36 is out of support). Leaving the task open for review of the cleanup patch (which doesn’t need backporting).

gerritbot added a comment.Jun 29 2022, 4:23 PM

Change 809203 merged by jenkins-bot:

[mediawiki/extensions/WikibaseLexeme@master] Clean up lemma length validation

https://gerrit.wikimedia.org/r/809203

Lucas_Werkmeister_WMDE closed this task as Resolved.Jun 29 2022, 4:29 PM
Lucas_Werkmeister_WMDE moved this task from Peer Review to Done on the Special:NewLexeme revival (Special:NewLexeme revival - sprint 11) board.

I think we’re done here (but please reopen if the task should still be open for security release process purposes).

sbassett moved this task from Watching to Our Part Is Done on the Security-Team board.Jun 29 2022, 4:33 PM
In T308659#8037779, @Lucas_Werkmeister_WMDE wrote:

I think we’re done here (but please reopen if the task should still be open for security release process purposes).

Yes, looks good. This will be (re-)announced via the upcoming supplemental security release, due out tomorrow or early next week. And thanks for shepherding all of those additional backports.

ReleaseTaggerBot edited projects, added MW-1.39-notes (1.39.0-wmf.21; 2022-07-18); removed MW-1.39-notes (1.39.0-wmf.18; 2022-06-27).Jul 11 2022, 9:02 PM
Stashbot added a comment.Jul 20 2022, 1:54 PM

Mentioned in SAL (#wikimedia-operations) [2022-07-20T13:54:10Z] <Lucas_WMDE> lucaswerkmeister-wmde@deploy1002 /srv/mediawiki-staging (master $ u=) $ git -C php-1.39.0-wmf.19/extensions/WikibaseLexeme am --skip # T308659 backport already applied

Lucas_Werkmeister_WMDE mentioned this in T313027: MUL - Do not allow adding term descriptions with the language code mul on Wikidata.Nov 2 2022, 9:51 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL