Ex: WikibaseQualityConstraints - remove or sanitize regex for FormatChecker
Closed, ResolvedPublic
Actions

Assigned To

Authored By

	• csteipp
	Jun 4 2015, 11:38 PM

Description

As is, the CSV value can be used as a DoS vector, or in the worst case exploit stuff like http://www.openwall.com/lists/oss-security/2015/06/01/6. The regex either needs to be sanitized to a known good expression, or this check needs to be removed

Related Objects
Search...

Status	Assigned	Task
Resolved	Lydia_Pintscher	T99354 Review and deploy Wikibase-Quality-Constraints on wikidata.org
Resolved	• csteipp	T99355 Security review of Wikibase-Quality-Constraints - v1 branch
Resolved	Jonaskeutel	T101467 Ex: WikibaseQualityConstraints - remove or sanitize regex for FormatChecker
Resolved	Jonas.keutel	T102892 Collect all regular expressions used in Wikidata's Template:Constraint:Format

Event Timeline

• csteipp created this task.Jun 4 2015, 11:38 PM

• csteipp raised the priority of this task from to Needs Triage.

• csteipp updated the task description. (Show Details)

• csteipp added projects: Wikidata, Wikibase-Quality-Constraints, deprecated-security-team-reviews.

• csteipp added subscribers: Andreasburmeister, • csteipp, Tamslo and 4 others.

• csteipp mentioned this in T99355: Security review of Wikibase-Quality-Constraints - v1 branch.Jun 4 2015, 11:47 PM

• csteipp removed a project: deprecated-security-team-reviews.Jun 4 2015, 11:58 PM

• csteipp set Security to None.

We read about this and understand it's problematic, but we still have no idea how to fix this issue. For concerns about the runtime we could add a timeout which would lead in the worstcase to a false negative, but about the exploit-stuff-case...

Do you have any advice for us? We were curious how online regex tools handle this problem...

Lydia_Pintscher moved this task from incoming to ready to go on the Wikidata board.Jun 10 2015, 6:36 AM

"Sanitizing" usually isn't going to work. The only "solution" is to only allow certain user (usually administrators) to create and maintain these regular expressions.

Lydia_Pintscher triaged this task as High priority.Jun 12 2015, 1:15 PM

I'm not sure what kinds of regexes are expected here, so can't give great guidance on the best solution. Theomowmde's solution of only allowing admins to add them will prevent mass exploitation, but would still allow admins to attack the server in the case of another pcre exploit. So I'd prefer to not rely on that.

How important is this feature?

Assuming it's really needed, you could probably do a couple of things,

Only allow a subset of regex expressions-- if all you need is for people to say, "\w+" or "[0-9]*", then that should be possible
Have a sandboxed service (shell out to a confined binary, or make it a web service) that does the regex processing
Implement a descriptive language that always generates safe regexes

Jonaskeutel mentioned this in T102752: [RFC] Workaround for checking the format constraint.Jun 17 2015, 8:40 AM

Jonaskeutel moved this task from incoming to TODO on the Wikibase-Quality-Constraints board.Jun 17 2015, 9:26 AM

Jonaskeutel moved this task from TODO to DOING on the Wikibase-Quality-Constraints board.

We removed the check for the regular expression in the version that should be deployed and are working on a fix for the next version. (https://gerrit.wikimedia.org/r/#/c/218857/ ).
Can we close this ticket?