Page MenuHomePhabricator

Security review of Html5Depurate and ParserMigration
Closed, ResolvedPublic


Please review the Html5Depurate service and the ParserMigration extension for security.

Security notes by the author:

  • Html5Depurate
    • Unlike XML, the HTML5 spec has no provision for remote loading of resources. So it's not surprising that grepping the source for HTTP fetches shows no results.
    • The security.policy file deployed by the puppet role prevents outgoing network connections anyway. It should also prevent shell execution.
    • It most likely has O(N^2) worst case performance (it would be difficult to implement the spec with O(N) performance), and malicious input can probably cause Java to exhaust the memory limit assigned to it.
    • The packaging procedure (documented here) uses Maven and pulls in a huge amount code from Maven Central during build, the vast majority of which is unreachable from the Html5Depurate API. Most of it doesn't even end up in the final jar file.
    • The service is unauthenticated. The plan is to put it on the private network. If it were public and available from a sensitive domain, it would be an XSS vulnerability.
  • ParserMigration
    • HTML is built up by concatenating output from the MediaWiki parser.
    • Is it possible that there are XSS bugs in the parser that are mitigated by using Tidy but will be uncovered by using Depurate? Unlikely in my opinion.

Event Timeline

@tstarling , this task is currently assigned to you. Does that mean you want to perform the review, or are you awaiting review from someone else (e.g. @dpatrick or @Bawolff) ?

The assignment was just by default because I created it as a subtask. It wouldn't be a review if I did it myself. I'm asking for a review because Greg said it was required before deploying to deployment-prep.

I reviewed these and found no major issues in either project.


  • No mediawiki-vagrant role
  • No on-wiki documentation about how ParserMigration should be properly configured.
  • Hooks.php: "Edit with migration tool" link appears without regard for state of "Enable parser migration tool" preference


  • No mediawiki-vagrant role
  • security.policy: "/usr/share/html5depurate/-" could be changed to "/usr/share/html5depurate/*" to further limit file reads


  • Hooks.php: "Edit with migration tool" link appears without regard for state of "Enable parser migration tool" preference

tstarling claimed this task.