Security review of Ex:JsonConfig/Ex:Kartographer interaction
Closed, ResolvedPublic5 Estimated Story Points
Actions

Assigned To

Authored By

	• dpatrick
	Apr 25 2017, 8:49 PM

Description

Project Information

Name of tool/project: Extension:JsonConfig / Extension:Kartographer
Project home page: https://www.mediawiki.org/wiki/Extension:JsonConfig / https://www.mediawiki.org/wiki/Extension:Kartographer
Name of team requesting review: Security
Primary contact: Darian Anthony Patrick
Target date for deployment: Currently in production
Link to code repository / patchset:
- https://phabricator.wikimedia.org/diffusion/EJSC/
- https://phabricator.wikimedia.org/diffusion/EKAR/
Programming Language(s) Used: PHP, JavaScript

Has this project been reviewed before?

Kartographer has been reviewed (T121058). However, JsonConfig appears not to have been reviewed. This review was prompted by T163166.

Post-deployment

Reading Infrastructure

Related Objects

Mentioned In: T242163: Restore resolved security-team-reviews tasks
E591: Security review of Ex:JsonConfig/Ex:Kartographer interaction
Mentioned Here: T134719: Kartographer has an XSS using magic javascript __proto__ property in GeoJson description
T163166: XSS in object descriptions from tabular data

Event Timeline

• dpatrick created this task.Apr 25 2017, 8:49 PM

Restricted Application added a subscriber: Aklapper. · View Herald TranscriptApr 25 2017, 8:49 PM

• dpatrick updated the task description. (Show Details)Apr 25 2017, 8:54 PM

• dpatrick updated the task description. (Show Details)Apr 25 2017, 9:00 PM

Aklapper added projects: JsonConfig, Maps (Kartographer).Apr 26 2017, 11:28 AM

• dpatrick moved this task from Incoming to Scheduled on the deprecated-security-team-reviews board.May 2 2017, 8:37 PM

• dpatrick mentioned this in E591: Security review of Ex:JsonConfig/Ex:Kartographer interaction.May 11 2017, 5:41 PM

• dpatrick updated the task description. (Show Details)Jun 6 2017, 4:13 PM

debt added a project: Maps-Sprint.Jun 6 2017, 4:25 PM

debt subscribed.

Moving to waiting to see if there is anything this team needs to do to help.

Where is/what is the extent of he integration?

All I can obviously see in Kartographer...

				if ( !class_exists( 'JsonConfig\\JCSingleton' ) ) {
					return Status::newFatal( 'kartographer-error-service-name', $object->service );
				}
				$jct = JCSingleton::parseTitle( $object->title, NS_DATA );
				if ( !$jct || JCSingleton::getContentClass( $jct->getConfig()->model ) !==
							  JCMapDataContent::class
				) {
					return Status::newFatal( 'kartographer-error-title', $object->title );
				}

Reedy moved this task from Scheduled to In Progress on the deprecated-security-team-reviews board.Jul 20 2017, 5:13 PM

@Reedy yep, that's pretty much all of it. Also, JsonConfig is mostly a refactoring of the original ZeroAccess extension, which was originally implemented ~7? years ago, and later had many changes. It grew so big that at one point i simply split it into 3 extensions - JsonConfig, ZeroPortal, and ZeroBanner.

How is the security review going?

Was it done?

LGoto added a project: Product-Infrastructure-Team-Backlog-Deprecated (Kanban).Jul 25 2018, 3:40 PM

• Jhernandez edited projects, added Product-Infrastructure-Team-Backlog-Deprecated; removed Product-Infrastructure-Team-Backlog-Deprecated (Kanban).Aug 6 2018, 11:41 AM

• Jhernandez moved this task from Needs triage to Tracking on the Product-Infrastructure-Team-Backlog-Deprecated board.

MSantos removed a project: Maps-Sprint.Sep 26 2018, 3:16 PM

• Mholloway moved this task from Unsorted to General on the Maps (Kartographer) board.Oct 2 2018, 3:29 PM

• Mholloway changed the task status from Open to Stalled.Oct 29 2018, 4:47 PM

• Mholloway updated the task description. (Show Details)Nov 7 2018, 2:39 PM

Quiddity subscribed.Dec 9 2018, 1:17 AM

• chasemp moved this task from In Progress to Incoming on the deprecated-security-team-reviews board.Dec 17 2018, 6:37 PM

sbassett claimed this task.Jan 7 2019, 6:56 PM

sbassett edited projects, added Security-Team-Review-Active; removed deprecated-security-team-reviews.

sbassett set the point value for this task to 5.

sbassett added a subscriber: Bawolff.

MSantos awarded a token.Jan 7 2019, 7:02 PM

Update: Sorry for the crazy delays on all of this. I'm officially starting in on this today (2/8).

Thanks, @sbassett!

Update: Still working on this :) I've run some automated scans/tests against the JsonConfig code and didn't find much beyond basic linter-y issues ($wgParser global and wfLoadExtension entrypoints being deprecated and the like.) Phan-taint-check didn't come up with anything either, which makes sense as there aren't any direct db or shell interactions, other smells like unserialize() or obviously unsafe uses of Html::rawElement().

That said, in evaluating some of the previous known security issues (T163166, T134719) I'd like to focus a bit more on the specific interaction between Kartographer/JsonConfig and areas such as JCUtil::sanitizeRecursive, JCDataContent->renderDescription() and the valueToHtml() functions within the JC*ContentView.php files. Should have a report on any resulting issues by tomorrow or early next week.

Security Review Summary - March 2019
Per T163827#5010048, after running some automated scanning tools and digging into the code of JsonConfig a bit more, specifically how the extension is currently used by Kartographer, I wasn't able to find anything obviously concerning. Given that JsonConfig has been in production for nearly 5 years now, I'm going to assume some level of stability and that the issues which prompted the creation of this task (XSS within Kartographer) have been resolved within those separate tasks. I may do a little more local testing against the extension just for my own curiosity, but for now I'm going to mark this task as resolved.

sbassett closed this task as Resolved.Mar 14 2019, 10:17 PM

sbassett edited projects, added deprecated-security-team-reviews; removed Security-Team-Review-Active.