Page MenuHomePhabricator

Local interface-admin need to be sysop for some operations
Open, HighPublic

Description

I am not sure whether it is already implemented, but to avoid bypassing it is necessary to be member of both interface-admin and sysop (or specific) for the following operations in MediWiki/Gadget: namespace or “another user”:

  • undelete a *.js or *.css or reciprocal content model
  • deleterevision for such page (to restore)
  • suppressrevision for such page (to make visible again)
  • import / importupload a *.js or *.css

It is necessary to be member of interface-admin for

  • move into a *.js or *.css “page name extension”
  • editcontentmodel from or to javascript / css

To be more precise, the related editsitejs editsitecss edituserjs editusercss for the particular circumstances are required.

It is sufficient to be member of sysop (OS) for

  • delete such page
  • move into unrestricted namespace or page name
  • deleterevision for such page when hiding
  • suppressrevision for such page when hiding (OS)

However, since by such operations the page is vanishing from the vulnerable sphere, interface-admin is not required.

Related to T190015 finalization.

Event Timeline

Restricted Application added a subscriber: Aklapper. · View Herald TranscriptAug 2 2018, 5:35 PM
RP88 added a subscriber: RP88.Aug 5 2018, 8:00 PM
Tgr added a subscriber: Tgr.Aug 5 2018, 9:36 PM

I think this can be closed in favor of the more specific T200176: Deletion of user js and css requires deletion and edituser* rights. Or am I misunderstanding what you are asking for?

Anomie added a subscriber: Anomie.Aug 5 2018, 10:28 PM

This seems to be something of the opposite of T200176. This task is identifying certain operations that should require both interface-admin and sysop, while that is complaining about one particular operation that does do so.

I tested these on my local dev wiki using a few pages:

  • MediaWiki:Common.js
  • MediaWiki:Foobar which was edited to have a JavaScript content model
  • MediaWiki:Foobar.js which was edited to have a wikitext content model
  • MediaWiki:Foobaz which has the default wikitext content model
  • undelete a *.js or *.css or reciprocal content model

Special:Undelete would not allow undeleting MediaWiki:Common.js at all. It would not allow undeleting MediaWiki:Foobar when the page existed, but would allow undeleting when the page didn't exist even though the top undeleted revision had the JS content model.

  • deleterevision for such page (to restore)
  • suppressrevision for such page (to make visible again)

These did not require the editsitejs or similar right at all. I don't see why they would need to, since you can't hide or unhide the text of the top revision anyway.

  • import / importupload a *.js or *.css

These worked much like undeletion: import to MediaWiki:Common-imported.js was blocked, while import to MediaWiki:Foobar-imported succeeded when that page did not exist and failed when it existed with a JS content model.

  • move into a *.js or *.css “page name extension”

I was unable to move MediaWiki:Foobar or MediaWiki:Common.js. I was also unable to move MediaWiki:Foobaz to MediaWiki:Foobaz.js.

  • editcontentmodel from or to javascript / css

This failed to change MediaWiki:Foobar to the wikitext content model, and failed to change MediaWiki:Foobaz to the JS content model.

  • delete such page

Deletion of MediaWiki:Common.js and MediaWiki:Foobar was not allowed.

  • move into unrestricted namespace or page name

Moving from MediaWiki:Foobaz to MediaWiki:Foobaz2 was allowed. As noted above, moving a restricted page failed even when the target was not restricted.

  • deleterevision for such page when hiding
  • suppressrevision for such page when hiding (OS)

I didn't test these, since the new rights weren't required even for "restricted" pages.

I think this can be closed in favor of the more specific T200176: Deletion of user js and css requires deletion and edituser* rights. Or am I misunderstanding what you are asking for?

I am afraid, yes. This task has a much broader scope.

Imagine there is a hijacked sysop account which attempts to bypass the mechanisms, heading for activating malicious code, but without editsite* privilege (and edituser* as well, but limited audience).

This epic is about to seal the current leakages, if any.

Arrival

We are used to edit and create a code page.

Other ways to place a page version are:

  • move into restricted area
  • undelete
  • deleterevision (to restore)
  • suppressrevision (to make visible again)
  • import / importupload

That offers bypassing the straight way.

A page may have been deleted, since malicious code was detected. That is useless if it can be undeleted the next day by any sysop.

Vulnerable pages

In the related namespaces any page with the following qualities needs protection:

  1. Page name ending on *.js *.css *.JS *.jS etc.
  2. Content model CSS/JS.

Some wiki software might be persuaded to deliver such code into client, even if actually not supposed to. At least it is confusing and error-prone if vulnerable resources might be active or not when the behaviour is not obvious. In doubt it is regarded as a critical page.

Moving a page that it matches the first condition or changing the content model towards the second condition requires interface-admin privilege.

Removing

If a page contains bad things that has to be discarded immediately.

  • sysop is sufficient for deletion.
  • The same goes for deleterevision and suppressrevision (OS) when hiding.
  • No obstacle must prevent a quick reaction.
  • A privacy violation or detected malicious code must not wait until a global person is convinced to react, broken English stumbled perfectly. Any close local sysop shall help.

Moving a page outside the critical namespace or naming does not require special privileges. Making bad things disappear ASAP is improving security.

In T200176 deletion has to be granted.

Versioning

This is a tricky thing.

  • Imagine a security leak has been found in page MediWiki:useful.js (revision 123) last year.
  • That was remedied soon by revision 456.
  • Now our attacker wants to re-activate the old version, which he might have originated himself.
  • Just deleterevision 456 and 123 is active again.

That scenario is contradicting the request that bad things must be hidden immediately. There is no software solution, since it has to be judged which version is the toxic one and which is harmless.

This can be solved by T200766 Public monitoring of JS/CSS edits only.

jrbs moved this task from Backlog to Radar on the Trust-and-Safety board.Aug 7 2018, 10:05 PM
Tgr added a comment.Aug 27 2018, 3:08 PM

@Anomie thanks for the detailed testing!

I think this behavior is as expected, except for:

but would allow undeleting when the page didn't exist even though the top undeleted revision had the JS content model.
[import/importupload] worked much like undeletion: import to MediaWiki:Common-imported.js was blocked, while import to MediaWiki:Foobar-imported succeeded when that page did not exist and failed when it existed with a JS content model.

These run permission checks before recreating the page so Title uses the default content model instead of the not-yet-existing content model. Filed as T202900: Content model based permission checks do not use the actual content model on undelete/import but seems cumbersome to fix and relatively harmless.

In https://en.wikipedia.org/wiki/Special:Diff/891619141, Xaosflux said that interface-admin is not needed to import a user script - can someone with the requisite rights check if this is still the case?

Tgr added a comment.Aug 13 2019, 7:59 AM

Yes, as mentioned in T190015, import does not check page permissions.

chasemp triaged this task as High priority.Dec 9 2019, 4:53 PM