
Security review of vue.js library
Closed, ResolvedPublic

Description

The WikibaseLexeme extension (and possibly Wikibase later) uses the vue.js and vuex.js libraries. These need review before deployment.

The desired versions are vue-2.3.3.js and vuex-2.3.0.js. The files are currently managed in the WikibaseLexeme repo in the resources/vendor/ directory.


Event Timeline

daniel created this task.Jun 19 2017, 10:41 AM
Restricted Application added a subscriber: PokestarFan. Aug 3 2017, 7:46 AM

@dpatrick any news on this? E643 indicates you looked into this in July, but I could not find any information about the outcome.

Getting this through security review is becoming critical to the Wikidata team, as they are increasingly relying on vue.js for their UI code.

To add relevance to this, Wikistats 2.0, which will be launching soon and is hosted on stats.wikimedia.org, is also using Vue.

thiemowmde triaged this task as High priority.Nov 13 2017, 10:31 AM
thiemowmde moved this task from incoming to blocked on others on the Wikidata board.

Many apologies for the delay here. I reviewed this back in June, failed to add my notes, then re-reviewed last week due to code changes since the last time I looked at it. I found no issues while reviewing this library. I checked for the following:

  • XSS via unescaped input or failure to maintain escaping (via mustache interpolation, v-model, static data, etc.)
  • Resource consumption/DoS
  • Template expression injection at runtime from user-controlled data

My only recommendation is to give care to consume only trusted data when using v-html. Outside of this, I think we're good to go to use this library.
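As an added example (not code from this task, from Vue, or from WikibaseLexeme), the following Node.js script models the three rendering paths the review lists: text interpolation, which is inserted as text and therefore escaped; v-html, which inserts raw markup; and a template whose source string contains user-controlled data, where `{{ }}` in that data is compiled and executed. `compileTemplate`, `renderAsData`, `renderByConcatenation`, `renderVHtml` and `demo` are hypothetical helpers that imitate the relevant Vue 2 behaviour (interpolations become JavaScript evaluated against the component data via `new Function`), not Vue's own API; all inputs are constructed.

```javascript
// Added example: a minimal Node.js model of the three Vue rendering paths the
// review above checked. It is NOT Vue's code and NOT code from WikibaseLexeme;
// compileTemplate() only imitates the relevant behaviour of Vue 2's runtime
// template compiler (interpolations become JavaScript evaluated against the
// component data, results inserted as text). All inputs are constructed.

const ENTITY = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Text nodes never parse markup; in serialised form that is HTML escaping.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => ENTITY[c]);
}

// Model of template compilation. Everything between {{ and }} is treated as a
// JavaScript expression and turned into code with `new Function`, which is
// exactly why a template string must never contain user-controlled text.
function compileTemplate(templateSource) {
  const parts = [];
  const re = /\{\{([\s\S]+?)\}\}/g;
  let last = 0;
  let m;
  while ((m = re.exec(templateSource)) !== null) {
    parts.push({ markup: templateSource.slice(last, m.index) });
    // Injection point: the expression text becomes executable code.
    parts.push({ expr: new Function('data', 'with (data) { return (' + m[1] + '); }') });
    last = re.lastIndex;
  }
  parts.push({ markup: templateSource.slice(last) });
  // Interpolation results are inserted as text (escaped); static markup as-is.
  return (data) =>
    parts.map((p) => (p.markup !== undefined ? p.markup : escapeHtml(p.expr(data)))).join('');
}

// Safe path: the template is a constant and untrusted input arrives as DATA.
// Markup and {{ }} inside the value stay inert text.
const renderItem = compileTemplate('<li>{{ name }}</li>');
function renderAsData(untrusted) {
  return renderItem({ name: untrusted });
}

// Template expression injection: untrusted input spliced into the template
// SOURCE is compiled, so any {{ }} it contains executes, and any markup in it
// is emitted raw.
function renderByConcatenation(untrusted) {
  return compileTemplate('<li>' + untrusted + '</li>')({});
}

// v-html model: the value is inserted as markup with no escaping at all. Only
// HTML that is already trusted (e.g. produced by a server-side sanitising
// parser) may reach this sink.
function renderVHtml(trustedHtml) {
  return '<li>' + trustedHtml + '</li>';
}

// Stand-alone demonstration with a CSTI probe and an XSS payload.
function demo() {
  const probe = '{{ 7*7 }}';
  const payload = '<img src=x onerror=alert(1)>';
  return {
    escapedPayload: renderAsData(payload),       // <li>&lt;img src=x onerror=alert(1)&gt;</li>
    literalProbe: renderAsData(probe),           // <li>{{ 7*7 }}</li>
    injectedProbe: renderByConcatenation(probe), // <li>49</li>
    rawViaVHtml: renderVHtml(payload),           // <li><img src=x onerror=alert(1)></li>
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo());
}
```

The practical test this models is the one a reviewer runs against a Vue-based UI: submit `{{ 7*7 }}` as data and confirm it renders literally; if "49" appears anywhere, user input has reached a template source rather than component data. The v-html path has no such probe, since it is raw by design; the only control is that its input comes from a trusted producer.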

Addshore closed this task as Resolved.Nov 30 2017, 4:49 PM
Addshore claimed this task.
Addshore added a subscriber: Addshore.

Marking as resolved as this looks done

Restricted Application added a project: User-Addshore. Nov 30 2017, 4:49 PM
Addshore moved this task from Unsorted 💣 to Closing ✔️ on the User-Addshore board.