Security review of Html5Depurate and ParserMigration
Closed, ResolvedPublic
Actions

Assigned To

Authored By

	• tstarling
	Jul 29 2016, 12:34 AM

Description

Please review the Html5Depurate service and the ParserMigration extension for security.

Security notes by the author:

Html5Depurate
- Unlike XML, the HTML5 spec has no provision for remote loading of resources. So it's not surprising that grepping the validator.nu source for HTTP fetches shows no results.
- The security.policy file deployed by the puppet role prevents outgoing network connections anyway. It should also prevent shell execution.
- It most likely has O(N^2) worst case performance (it would be difficult to implement the spec with O(N) performance), and malicious input can probably cause Java to exhaust the memory limit assigned to it.
- The packaging procedure (documented here) uses Maven and pulls in a huge amount code from Maven Central during build, the vast majority of which is unreachable from the Html5Depurate API. Most of it doesn't even end up in the final jar file.
- The service is unauthenticated. The plan is to put it on the private network. If it were public and available from a sensitive domain, it would be an XSS vulnerability.
ParserMigration
- HTML is built up by concatenating output from the MediaWiki parser.
- Is it possible that there are XSS bugs in the parser that are mitigated by using Tidy but will be uncovered by using Depurate? Unlikely in my opinion.

Related Objects
Search...

		Status	Subtype	Assigned	Task
		Resolved		• tstarling	T141586 Deploy ParserMigration extension
		Resolved		• tstarling	T141591 Security review of Html5Depurate and ParserMigration

Event Timeline

• tstarling created this task.Jul 29 2016, 12:34 AM

• MZMcBride subscribed.Jul 29 2016, 3:07 AM

@tstarling , this task is currently assigned to you. Does that mean you want to perform the review, or are you awaiting review from someone else (e.g. @dpatrick or @Bawolff) ?

The assignment was just by default because I created it as a subtask. It wouldn't be a review if I did it myself. I'm asking for a review because Greg said it was required before deploying to deployment-prep.

• RobLa-WMF added a project: acl*security.Aug 9 2016, 1:25 AM

Restricted Application added a subscriber: Malyacko. · View Herald TranscriptAug 9 2016, 1:25 AM

• dpatrick moved this task from Incoming to Scheduled on the deprecated-security-team-reviews board.Aug 11 2016, 8:34 PM

hashar unsubscribed.Aug 22 2016, 10:04 AM

I reviewed these and found no major issues in either project.

ParserMigration

No mediawiki-vagrant role
No on-wiki documentation about how ParserMigration should be properly configured.
Hooks.php: "Edit with migration tool" link appears without regard for state of "Enable parser migration tool" preference

Html5Depurate

No mediawiki-vagrant role
security.policy: "/usr/share/html5depurate/-" could be changed to "/usr/share/html5depurate/*" to further limit file reads

• dpatrick moved this task from Scheduled to Waiting on the deprecated-security-team-reviews board.Sep 5 2016, 8:46 PM

In T141591#2609752, @dpatrick wrote:

ParserMigration

Hooks.php: "Edit with migration tool" link appears without regard for state of "Enable parser migration tool" preference

https://gerrit.wikimedia.org/r/#/c/307554/

• tstarling closed this task as Resolved.Sep 19 2016, 6:05 AM

• tstarling claimed this task.

sbassett moved this task from Waiting to Done on the deprecated-security-team-reviews board.Jul 9 2019, 8:23 PM

• chasemp removed a project: deprecated-security-team-reviews.Jan 8 2020, 4:16 PM

• chasemp added a project: Security.Feb 10 2020, 10:59 PM

• chasemp removed a project: acl*security.Feb 20 2020, 8:17 PM

DannyS712 added a project: MediaWiki-extensions-ParserMigration.Apr 23 2020, 7:17 AM

cscott mentioned this in T333179: (Re)deploy ParserMigration extension to production.Apr 10 2023, 4:41 PM