
Public monitoring of JS/CSS edits
Open, MediumPublic

Description

Create an edit tag like ResourceModification and mark all events with

  • editsitejs
  • editsitecss
  • edituserjs
  • editusercss
  • Similar ones, if other ideas arrive later.

Avoid JSON and plain text system messages; focus on the vulnerable stuff.

Naturally, include page creation and undeletion or moves into scope, as well as content model changes, but deletion is probably not of interest, nor moving out of scope.

Content model reliability

Tracking should not be bypassed by a faked content model. Regular execution as a gadget or skin/common configuration must be blocked if the content model does not match the expectation set by the page name extension. Then all activities on a page with js or css model can easily be checked for whether the page is in the MediaWiki:, Gadget: or User: namespace, and in the last case whether it belongs to the same account or not. Every page with any name or content model may contain some code, but execution by the wiki mechanism must match both the expected page name for this case and the supposed content model.

Use cases

Local

Every local user may patrol the marked edits for their own wiki weekly or daily and check the activities. They might contain an unnoticed innocent security gap or plain abuse, or turn out to be safe. Filtering these edits by tagged actions is very easy, but detecting whether someone changed the JS of another user is rather difficult.

Global

Something like a bot might patrol the entire farm every hour, or listen to a feed of some kind.

  • All tagged edits from all WMF wikis shall be collected for at least the most recent 30 days, as a sortable table, perhaps filterable by namespace, JS/CSS or wiki name substring.
  • The output is made available e.g. on Labs or at another read-only site.
  • A record contains: Timestamp, wiki, user, page, action, difflink, summary.
  • Every person with skills can monitor all wikis and look for suspicious activities. Nobody knows who is observing, if anyone, how many, or when.

Advertising

Tell everybody that JS/CSS is crowd monitored at such places, and invite people to observe. Let the watchdogs bark. Put a live access counter and a clock showing the time since the last inspection on the page, fed by a random generator if idle.

@Tgr You might coordinate further steps and assign an appropriate project.

Event Timeline

Tgr renamed this task from Monitoring of JS/CSS edits to Public monitoring of JS/CSS edits. Jul 31 2018, 1:09 PM

I guess we would need some hook for checking when some piece of content is raw CSS/JS/HTML. We'll probably need that for extending editsitejs and similar permissions to some edge cases, so this might not be much work.

Izno added a subscriber: Izno.

I'd like to see a more generic/general dropdown to filter by content model, which is a task I've been thinking about proposing and which would have general benefits aside from CSS/JS editing, for example being able to watch TemplateStyles edits, which is of general interest to me.

> I'd like to see a more generic/general dropdown to filter by content model, which is a task I've been thinking about proposing and which would have general benefits aside from CSS/JS editing, for example being able to watch TemplateStyles edits, which is of general interest to me.

This task is about dangerous resource edits, leaking private information via beacons (touching foreign domains by accessing small images etc.). This could be done by black hat sysops, e.g. in Russia, Belarus, Iran, Turkey etc. It would tell big business or governments who is reading or editing which Wikipedia article via which IP address, and the ISP may be controlled by the government.

  • A TemplateStyles edit may be made by any anonymous user on the planet.
  • Since TemplateStyles are sanitized, they prevent bad code, as far as is known.
  • Your suggestion would swamp the surveillance of a few edits per day across the entire WMF farm with lots of non-hazardous activities.
  • It is not the business of global WMF security to worry about CSS rendering in certain articles somewhere.

> This task is about dangerous resource edits [snip]

Huh? Exposing content model in the context of RecentChanges and Watchlist filters seems in the realm of trivial, and can be used to set up a filter which is exclusive to CSS and JavaScript content models for people concerned about such things. Open your mind just a bit to the more general value. :)

Incidentally,

> Regular execution as gadget or skin/common configuration must be blocked if content model does not match expectation by page name extension.

Is actually T171563: Only allow MediaWiki, Gadget, and User namespace pages to be treated as JS or CSS (no project namespace, etc.)

You might not have understood the background, or you may be living in the English Wikipedia world only.

Imagine that a sysop in the Chinese language Wikipedia is granted interface admin, but is on the payroll of the Chinese secret service.

  • Now in a dark corner of some gadget code an obfuscated touch of a governmental server is added, perhaps encoding username and pageid into the URL.
  • From now on every page view can be monitored, and page editing is connected as well with the IP address of a Chinese ISP, which belongs to the state.
  • On editing an article about Hong Kong or Uyghurs the Wikipedia author gets sentenced to some years in jail or a concentration camp, or even to death.

> Exposing content model in the context of RecentChanges and Watchlist filters seems in the realm of trivial, and can be used to set up a filter which is exclusive to CSS and JavaScript content models for people concerned about such things.

This is from the view of a local community which has the power to control all technical things that happen. Be glad.

  • This task here is about worldwide monitoring of all critical resource edits in all WMF projects.
  • After a clean state has been found, and currently no security gaps are known, injection of malicious code shall be detected, at least for site resources.

> for example being able to watch TemplateStyles edits

This task does not care about local CSS styling for rendering some pages.

  • TemplateStyles edits are not known to have security risks since they are sanitized.

> You might not have understood the background, or you may be living in the English Wikipedia world only.

No, I understood the background perfectly. Do not presume.

> This task here is about worldwide monitoring of all critical resource edits in all WMF projects.

We do not need the tag system for this; content model is a quality of the page itself which should be visible to users in our change monitoring systems (watchlist/recentchanges). Filters can provide such visibility. They are moreover useful generally for the other cases noted; page tags are not.

If you think there should be an external tool for this, that is a different question which is not the purpose of MediaWiki-Change-tagging. If you actually want global visibility on such things (I don't think that's unreasonable), you should make that clear in the task description.

If what you want is local visibility, then you still have suggested a solution to a problem with multiple solutions, which is bad feature-requesting practice. That is why I indicated another solution that provides the same level of change monitoring but more generally.

The goal of this task is to monitor about 1000 WMF wikis for hazardous code by the global tech community.

What you are talking about is either non-hazardous or just local to your own wiki.

This is not the scope of this task.

Please do not crash the thread by issues not related to this task.

Tagging activities on vulnerable code is a prerequisite for global surveillance. Otherwise there would be nothing that could be monitored.

This

> The goal of this task is to monitor about 1000 WMF wikis for hazardous code by the global tech community.

Requires

  • A tool that surfaces edits to content model JS and CSS
  • A tool that does so globally

Which in fact requires no tagging. A particularly interested coder could put such a tool together using the replicas, or an extension, which provides a query against each database (recent changes to content model CSS and JS pages). I've adjusted the projects accordingly.
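The following is an added example, not code from this task, from MediaWiki or from any Wikimedia tool. It sketches what the per-database query Izno describes above, combined with the content model reliability check and the record layout from the task description, could look like for one wiki. It assumes a small subset of MediaWiki's `recentchanges` and `page` tables copied into an in-memory sqlite database with constructed rows, the namespace numbers 2 (User), 8 (MediaWiki) and 2300 (Gadget), and an illustrative wiki hostname; the flag names and the reuse of the editsitejs/editsitecss/edituserjs/editusercss names as tags are choices made here, not anything the page specifies. A global tool would run `scan()` once per wiki database and merge the records into the sortable table.

```python
"""Scan a constructed MediaWiki replica for JS/CSS resource changes.

Added example for this task; not MediaWiki code. The tables below are a
simplified subset of MediaWiki's `recentchanges` and `page` schema and the
rows are constructed sample data, not real wiki content.
"""
import sqlite3
from dataclasses import dataclass
from typing import Optional

NS_USER, NS_MEDIAWIKI, NS_GADGET = 2, 8, 2300  # Gadget: Gadgets extension
# Namespaces in which a js/css content model is expected to be executed.
RESOURCE_NAMESPACES = {NS_USER: "User", NS_MEDIAWIKI: "MediaWiki", NS_GADGET: "Gadget"}
NS_NAMES = {0: "", 4: "Project", **RESOURCE_NAMESPACES}  # constructed subset
MODEL_BY_EXT = {".js": "javascript", ".css": "css"}
RC_TYPES = {0: "edit", 1: "create", 3: "log"}  # MediaWiki rc_type values

SCHEMA = """
CREATE TABLE page (
    page_id INTEGER PRIMARY KEY, page_namespace INTEGER,
    page_title TEXT, page_content_model TEXT);
CREATE TABLE recentchanges (
    rc_id INTEGER PRIMARY KEY, rc_timestamp TEXT, rc_type INTEGER,
    rc_user_text TEXT, rc_namespace INTEGER, rc_title TEXT,
    rc_cur_id INTEGER, rc_this_oldid INTEGER, rc_comment TEXT);
"""

# Constructed sample rows (not real wiki data).
PAGES = [
    (1, NS_MEDIAWIKI, "Common.js", "javascript"),
    (2, NS_USER, "Alice/common.js", "javascript"),
    (3, NS_GADGET, "Navpopups.js", "javascript"),
    (4, NS_MEDIAWIKI, "Sidebar", "wikitext"),
    (5, NS_MEDIAWIKI, "Gadget-foo.js", "wikitext"),  # .js name, non-js model
    (6, NS_USER, "Bob/vector.css", "css"),
    (7, 0, "Main_Page", "wikitext"),
    (8, 4, "Scripts/Tool.js", "javascript"),  # js model outside User/MediaWiki/Gadget
]
RC = [
    (1, "20180731120000", 0, "Alice", NS_MEDIAWIKI, "Common.js", 1, 1001, "tweak"),
    (2, "20180731120500", 1, "Alice", NS_USER, "Alice/common.js", 2, 1002, "my script"),
    (3, "20180731121000", 0, "Mallory", NS_USER, "Alice/common.js", 2, 1003, "fix typo"),
    (4, "20180731121500", 0, "Carol", NS_GADGET, "Navpopups.js", 3, 1004, "update"),
    (5, "20180731122000", 0, "Carol", NS_MEDIAWIKI, "Sidebar", 4, 1005, "menu"),
    (6, "20180731122500", 1, "Mallory", NS_MEDIAWIKI, "Gadget-foo.js", 5, 1006, "new gadget"),
    (7, "20180731123000", 0, "Bob", NS_USER, "Bob/vector.css", 6, 1007, "colours"),
    (8, "20180731123500", 0, "Dave", 0, "Main_Page", 7, 1008, "typo"),
    (9, "20180731124000", 0, "Eve", 4, "Scripts/Tool.js", 8, 1009, "helper"),
]

# Select by content model, but also by .js/.css page name, so that a page whose
# model was switched away from js/css (or never was js/css) still shows up.
QUERY = """
SELECT rc_timestamp, rc_type, rc_user_text, rc_namespace, rc_title,
       page_content_model, rc_this_oldid, rc_comment
FROM recentchanges JOIN page ON rc_cur_id = page_id
WHERE rc_timestamp >= ?
  AND (page_content_model IN ('javascript', 'css')
       OR rc_title LIKE '%.js' OR rc_title LIKE '%.css')
ORDER BY rc_timestamp
"""


def load_replica():
    """Build the in-memory stand-in for one wiki's replica database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO page VALUES (?, ?, ?, ?)", PAGES)
    conn.executemany("INSERT INTO recentchanges VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)", RC)
    return conn


@dataclass
class Record:
    """One row of the proposed table: timestamp, wiki, user, page, action, difflink, summary."""
    timestamp: str
    wiki: str
    user: str
    page: str
    action: str
    difflink: str
    summary: str
    tag: Optional[str]   # hypothetical tag name, None if the change does not qualify
    flags: tuple         # reasons a patroller should look closer


def model_from_title(title):
    """Content model implied by the page name extension, or None."""
    for ext, model in MODEL_BY_EXT.items():
        if title.lower().endswith(ext):
            return model
    return None


def classify(wiki, row):
    """Apply the namespace / content model / owner checks to one change."""
    ts, rc_type, user, ns, title, model, oldid, summary = row
    flags = []
    if model_from_title(title) != model:
        flags.append("model-mismatch")            # faked or switched content model
    if ns not in RESOURCE_NAMESPACES:
        flags.append("outside-resource-namespace")
    if ns == NS_USER and title.split("/", 1)[0] != user:
        flags.append("foreign-user-page")         # editing another account's JS/CSS
    tag = None
    if model in ("javascript", "css") and ns in RESOURCE_NAMESPACES:
        scope = "user" if ns == NS_USER else "site"
        tag = f"edit{scope}{'js' if model == 'javascript' else 'css'}"
    ns_name = NS_NAMES.get(ns, str(ns))
    page = f"{ns_name}:{title}" if ns_name else title
    difflink = f"https://{wiki}/w/index.php?diff={oldid}"
    return Record(ts, wiki, user, page, RC_TYPES.get(rc_type, "other"),
                  difflink, summary, tag, tuple(flags))


def scan(conn, wiki, since):
    """All resource-related changes on one wiki at or after `since` (MW timestamp)."""
    return [classify(wiki, row) for row in conn.execute(QUERY, (since,))]


def suspicious(records):
    """Records a patroller should look at first."""
    return [r for r in records if r.flags]


if __name__ == "__main__":
    for r in scan(load_replica(), "example.wikipedia.org", "20180731000000"):
        print(r.timestamp, r.wiki, r.user, r.page, r.action, r.tag, r.flags, r.difflink)
```

Selecting on both the content model and the `.js`/`.css` name is what makes the check hard to bypass: a page named `MediaWiki:Gadget-foo.js` with a wikitext model, or a javascript-model page in a namespace where nothing should execute, both surface with a flag instead of disappearing from the report.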