
Security review request: Electron render service
Closed, Resolved · Public

Description

Project Information

Description of the tool/project

Given a URL pointing to a printable wiki page, render the page to a PDF using Chrome's print-to-pdf functionality.

Description of how the tool will be used at WMF

This service will be the backend service behind a "this page as PDF" REST API entry point. The externally controlled parameter is the page title to render.

Dependencies

List dependencies, or upstream projects that this project relies on

  • Electron / Chromium

Has this project been reviewed before?

Not inside WMF.

Working test environment

  • There is a simple test install on pdf.services.eqiad.wmflabs.org, in /home/gwicke. This instance is publicly available as pdf-electron.wmflabs.org. Example test page.
  • Instructions for setting up a test environment: T134205#2261997
  • Ongoing deployment prep: T143129

Post-deployment

Services

Related Objects

  Status    Assigned       Task
  Resolved  Jhernandez
  Resolved  atgo
  Declined  None
  Resolved  None
  Declined  None
  Open      JKatzWMF
  Stalled   None
  Resolved  WMDE-Fisch
  Resolved  Addshore
  Invalid   None
  Invalid   None
  Resolved  Tobi_WMDE_SW
  Resolved  Tobi_WMDE_SW
  Resolved  gabriel-wmde
  Resolved  Addshore
  Resolved  Tobi_WMDE_SW
  Resolved  Tobi_WMDE_SW
  Resolved  Tobi_WMDE_SW
  Declined  None
  Resolved  Tobi_WMDE_SW
  Resolved  GWicke
  Resolved  dpatrick
  Resolved  Lea_WMDE
  Resolved  Addshore

Event Timeline

Restricted Application added a subscriber: Aklapper. · Oct 18 2016, 7:39 PM
GWicke updated the task description. · Oct 18 2016, 7:41 PM
GWicke updated the task description.

Also, as part of T143129: New service request - PDF Render, there is Gerrit 305256 which contains the Puppet code needed to put the service in WMF production. It is currently running in BetaCluster on the deployment-pdfrender host.

@dpatrick, did you find any actionables in the security review that we could start addressing?

This has been reviewed and no major issues were found.

Because testing of Chromium was considered out-of-scope due to the breadth of its attack surface, the rendering service should be run in production with constraints using a tool such as Firejail, to protect against the possibility of malicious content submitted for rendering somehow causing remote code execution in the underlying Electron/Chromium instance.
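One way to apply the Firejail recommendation above, as an added example that is not part of this task or of the Puppet code in Gerrit 305256: a launcher script that starts the render service under Firejail's default seccomp filter with capabilities, new privileges, root, devices and writable service files all removed. The install directory, entry point and service user are assumptions; networking is deliberately left on because the service must fetch the wiki page and answer the REST API.

```shell
#!/bin/sh
# Launcher for the Electron render service under Firejail (constructed example).
# Paths and the entry point below are assumptions, not the WMF deployment layout.
set -u
SERVICE_DIR="${SERVICE_DIR:-/srv/deployment/electron-render}"  # assumed install dir
SERVICE_CMD="${SERVICE_CMD:-node server.js}"                    # assumed entry point

# Print the Firejail restrictions, one flag per word. Network is not disabled:
# the service needs outbound HTTP to the wiki and inbound HTTP for its REST API.
pdfrender_sandbox_args() {
    args="--quiet --name=pdfrender"
    args="$args --caps.drop=all"    # no Linux capabilities, even for uid 0 inside
    args="$args --seccomp"          # Firejail's default syscall deny list
    args="$args --nonewprivs"       # setuid/setgid binaries cannot raise privileges
    args="$args --noroot"           # user namespace: root inside maps to the service user
    args="$args --private-dev"      # minimal /dev: no GPU, raw input or block devices
    args="$args --private-tmp"      # empty /tmp; Firejail keeps /tmp/.X11-unix for xvfb
    args="$args --nosound"
    args="$args --disable-mnt"      # hide /mnt, /media and /run/mount
    args="$args --read-only=$SERVICE_DIR"  # a compromised renderer cannot edit its code
    args="$args --rlimit-nproc=256" # bound process count from a runaway renderer
    echo "$args"
}

# Start the service inside the sandbox. Fails loudly instead of silently running
# unsandboxed when firejail or the service directory is missing.
pdfrender_launch() {
    command -v firejail >/dev/null 2>&1 || { echo "firejail is not installed" >&2; return 1; }
    [ -d "$SERVICE_DIR" ] || { echo "missing service dir: $SERVICE_DIR" >&2; return 1; }
    # shellcheck disable=SC2046  # splitting the flag string into words is intended
    exec firejail $(pdfrender_sandbox_args) sh -c "cd '$SERVICE_DIR' && exec $SERVICE_CMD"
}

case "${1:-}" in
    run)   pdfrender_launch ;;
    show)  pdfrender_sandbox_args ;;
esac
```

Run it as `./pdfrender.sh run` from the service unit; `show` prints the restrictions so they can be reviewed without starting anything.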

mobrovac closed this task as Resolved. · Nov 9 2016, 2:31 PM
mobrovac assigned this task to dpatrick.
mobrovac edited projects, added Electron-PDFs, Services (done); removed Services (blocked).

Thank you @dpatrick! Firejail support will be dealt with as part of T143336: Investigate better protection modes for electron render service (xvfb setuid), so resolving this task.