Fix security issues found in Graphs extension during review of vega 2
Closed, DeclinedPublic
Actions

Assigned To

None

Authored By

	Bawolff
	Dec 10 2017, 3:56 PM

Description

Split from other bug

For CORS, in the interest of paranoia, could we set the origin parameter to be * instead of the actual origin. This wasn't available when the wrapper was originally written, but it extra ensures that cross-domain requests won't use cookies.
Currently the title parameter is checked to make sure it doesn't have a | (pipe) character in it. We also need to check for \x1f (That is ASCII control character UNIT SEPARATOR) as the api also uses that to separate titles. Alternatively we could validate with mw.Title
wikititle:/// is supposed to prevent query paramters from being used, however it could probably be bypassed if they are percent encoded due to T96274 (e.g. https://en.wikipedia.org/wiki/Main_Page%3faction=history%26curid=2120 is interpreted by our servers incorrectly )

Details

	Subject	Repo	Branch	Lines +/-
	Update to mw-graph-shared 5.0.0	mediawiki/extensions/Graph	master	+8 -8
	Hardening changes. Cors use *	mediawiki/extensions/Graph	master	+2 -6

Customize query in gerrit

Related Objects
Search...

Status	Subtype	Assigned	Task
Open	BUG REPORT	CCiufo-WMF	T334940 All Graphs broken on Wikimedia wikis (due to security issue T336556)
Resolved	Security	Jdlrobson	T334895 XSS via Graph extension
Duplicate		None	T292341 [Epic] Graphs extension maintenance
Open		None	T335128 Update documentation and examples of Extension:Graph after deployment of Vega 5
Declined		None	T346291 Re-enable the Graph Extension for use at all Wikimedia Wikis
Open	Feature	Jdlrobson	T165118 Support Vega 5.0+
Resolved		Bawolff	T172938 Security review new version of the Vega lib
Declined		None	T182536 Fix security issues found in Graphs extension during review of vega 2

Event Timeline

Bawolff triaged this task as Medium priority.Dec 10 2017, 3:56 PM

Bawolff created this task.

Bawolff created this object with visibility "Custom Policy".

Bawolff removed projects: deprecated-security-team-reviews, Graphoid, MediaWiki-Vendor.Dec 11 2017, 12:46 PM

Aklapper renamed this task from Fix security issues found in Graphs extension duing review of vega 2 to Fix security issues found in Graphs extension during review of vega 2.Dec 11 2017, 1:21 PM

Bawolff changed the visibility from "Custom Policy" to "Public (No Login Required)".May 8 2019, 5:37 PM

Change 508872 had a related patch set uploaded (by Brian Wolff; owner: Brian Wolff):
[mediawiki/extensions/Graph@master] Hardening changes. Cors use *, no \x1F in wikiraw

https://gerrit.wikimedia.org/r/508872

gerritbot added a project: Patch-For-Review.May 8 2019, 5:38 PM

wikititle:/// is supposed to prevent query paramters from being used, however it could probably be bypassed if they are percent encoded due to T96274 (e.g. https://en.wikipedia.org/wiki/Main_Page%3faction=history%26curid=2120 is interpreted by our servers incorrectly )

HHVM is going away shortly anyways, and php7 does not have this issue.

• chasemp added a project: Security.Feb 10 2020, 10:58 PM

• chasemp removed a project: acl*security.Feb 20 2020, 8:07 PM

Change 755823 had a related patch set uploaded (by TheDJ; author: TheDJ):

[mediawiki/extensions/Graph@master] Update to mw-graph-shared 5.0.0

https://gerrit.wikimedia.org/r/755823

Change 508872 merged by jenkins-bot:

[mediawiki/extensions/Graph@master] Hardening changes. Cors use *

https://gerrit.wikimedia.org/r/508872

ReleaseTaggerBot added a project: MW-1.38-notes (1.38.0-wmf.19; 2022-01-24).Jan 21 2022, 1:00 AM

Change 755823 abandoned by TheDJ:

[mediawiki/extensions/Graph@master] Update to mw-graph-shared 5.0.0