
Do a security audit of *.planet.wikimedia.org
Closed, Resolved, Public

Description

It's running under wikimedia.org. As far as I know, nobody has really ever reviewed it. We should do a security audit of it at some point, just to ensure it actually sanitizes everything correctly and follows our privacy policy.

See https://wikitech.wikimedia.org/wiki/Planet.wikimedia.org for details about it.

Event Timeline

Hi,

At https://gerrit.wikimedia.org/r/#/c/operations/puppet/+/467100/ @Paladox is suggesting a change that replaces the design of planet and also the CSS framework it uses (remove Bootstrap, add Bulma):

https://bulma.io/

It also says "reduces page size due to no js library loading", where the second part sounds good to me, especially in the security context, I guess.

It removes jQuery!

So I wanted to say: before you start a review on the existing situation, maybe do it on the suggested new version in the change above. I was looking forward to merging that, but since this ticket exists, of course I will wait first. Could be an improvement though, right?

Hi, http://planet-hotdog.wmflabs.org is using the new CSS class. It's better formatted for responsive display, so images and videos are correctly resized!

It doesn't use jQuery and uses very little JS (only to make images responsive and to get the menu to work correctly on mobile).

sbassett triaged this task as Lowest priority.

Note that planet does not use planet-venus anymore since T180498

The current software is https://packages.debian.org/stretch/rawdog (http://offog.org/code/rawdog/)

> Hi, http://planet-hotdog.wmflabs.org is using the new CSS class. It's better formatted for responsive display, so images and videos are correctly resized!
>
> It doesn't use jQuery and uses very little JS (only to make images responsive and to get the menu to work correctly on mobile).

And this is in production.

So for this review, it looks like we're talking about:

  1. rawdog (the aforementioned, disgustingly-named stretch package)
  2. rawdog's dependencies:
    1. python27
    2. python-feedparser >= 5.1.2
    3. python-tidylib
  3. Some CSS that looks the same across all language sub-sites:
    1. https://en.planet.wikimedia.org/main.css
    2. https://en.planet.wikimedia.org/bulma.min.css (https://bulma.io/)
  4. This JS in a <script> tag towards the bottom of the main page, which appears to add/remove CSS classes on various DOM elements:

```javascript
document.addEventListener('DOMContentLoaded', function() {

    // Get all "navbar-burger" elements
    var $navbarBurgers = Array.prototype.slice.call(document.querySelectorAll('.navbar-burger'), 0);

    // Check if there are any navbar burgers
    if ($navbarBurgers.length > 0) {

        // Add a click event on each of them
        $navbarBurgers.forEach(function(el) {
            el.addEventListener('click', function() {

                // Get the target from the "data-target" attribute
                const target = el.dataset.target;
                const $target = document.getElementById(target);

                // Toggle the "is-active" class on both the "navbar-burger" and the "navbar-menu"
                el.classList.toggle('is-active');
                $target.classList.toggle('is-active');
            });
        });
    }
});

// Open the subscriptions modal (Bulma "modal" / "is-clipped" classes) and wire up its close buttons
document.querySelector('a#subscriptions').addEventListener('click', function(event) {
    event.preventDefault();
    var modal = document.querySelector('.modal'); // assuming you have only 1
    var html = document.querySelector('html');
    modal.classList.add('is-active');
    html.classList.add('is-clipped');

    modal.querySelector('.delete').addEventListener('click', function(e) {
        e.preventDefault();
        modal.classList.remove('is-active');
        html.classList.remove('is-clipped');
    });

    modal.querySelector('.dismiss').addEventListener('click', function(e) {
        e.preventDefault();
        modal.classList.remove('is-active');
        html.classList.remove('is-clipped');
    });
});

// Toggle the dropdown that follows each navbar link (mobile menu)
document.querySelectorAll('.navbar-link').forEach(function(navbarLink) {
    navbarLink.addEventListener('click', function() {
        navbarLink.nextElementSibling.classList.toggle('is-hidden-mobile');
    });
});

// Append a CSS class to every element matching the selector
function addClass(selector, imgClass) {
    var els = document.querySelectorAll(selector); // scoped locally (an implicit global otherwise)
    for (var i = 0; i < els.length; i++) {
        els[i].className += imgClass;
    }
}

addClass('figure', ' img-responsive');
addClass('div.wp-video', ' img-responsive');
addClass('img', ' img-responsive');
addClass('div.wp-caption.alignnone', ' img-responsive');
```

Some basic, quick checks:

  1. bulma.io CSS
    1. No CVEs, nothing in the snyk.io or npm audit DBs, no reported/open security issues found on their GitHub.
  2. rawdog
    1. No CVEs, nothing in the snyk.io DB, nothing in the Python Safety DB.
  3. rawdog dependencies
    1. python-tidylib - No CVEs, nothing in the snyk.io DB, nothing in the Python Safety DB.
    2. python-feedparser - Some CVEs in older versions, but nothing post 5.1.2.

I think the main things we want to check:

  • Are things properly escaped, especially for any custom skin files?
  • Is the allowed list of tags sane?
    • What are the (technical, not political) privacy implications here? Can blogs set third-party cookies? What information can blogs get about who is visiting planet? The most obvious one is external images. Is there anything worse than that?
    • Would any of the allowed tags allow JavaScript? Is there any way for a blog to have content that is executed in a *.wikimedia.org origin?
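As an added example (not rawdog's or feedparser's code), a small audit pass over sanitised feed HTML that flags the two classes of issue listed above: markup that could still execute in the planet origin (surviving active tags, event-handler attributes, script-scheme URLs, checked after the whitespace normalisation browsers apply) and third-party resource loads that expose reader IPs and cookies to the blog's host. The first-party domain set and the SAMPLE input are assumptions.

```python
"""Audit helper for aggregated feed HTML: flags markup that could execute in the
planet origin and third-party resource loads that leak reader information.
Added example, not rawdog or feedparser code; domains and SAMPLE are constructed."""
from html.parser import HTMLParser
from urllib.parse import urlparse

FIRST_PARTY = {"wikimedia.org", "wikipedia.org"}  # assumed first-party domains
ACTIVE_TAGS = {"script", "iframe", "object", "embed", "base", "meta", "link", "form"}
URL_ATTRS = {"src", "href", "data", "poster", "action", "formaction", "background"}
LOADING_TAGS = {"img", "video", "audio", "source", "track", "input"}  # fetch on load
SAMPLE = ('<p>Shocking tales</p><img src="https://upload.wikimedia.org/owl.jpg">'
          '<img src="//cdn.example.net/pixel.gif"><a href="java&#9;script:x">x</a>')

def _scheme_of(url):
    # Browsers strip leading/trailing C0 controls/spaces and drop tab/CR/LF anywhere,
    # so classify the scheme after the same normalisation (catches "java\tscript:").
    cleaned = url.strip("".join(map(chr, range(0x21))))
    return urlparse(cleaned.translate({ord(c): None for c in "\t\r\n"})).scheme.lower()

def _is_first_party(host):
    return any(host.lower() == d or host.lower().endswith("." + d) for d in FIRST_PARTY)

class FeedHtmlAuditor(HTMLParser):
    """Collects (category, detail) findings while parsing one feed entry."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE_TAGS:
            self.findings.append(("active-content", f"<{tag}>"))
        for name, value in attrs:
            name, value = name.lower(), (value or "").strip()
            if name.startswith("on"):
                self.findings.append(("event-handler", f"<{tag} {name}>"))
            elif name in URL_ATTRS:
                if _scheme_of(value) in ("javascript", "vbscript", "data"):
                    self.findings.append(("script-url", f"<{tag} {name}>"))
                host = urlparse(value).hostname
                if tag in LOADING_TAGS and host and not _is_first_party(host):
                    self.findings.append(("third-party-load", f"<{tag} {name}> {host}"))

def audit_feed_html(html):
    """Return the findings for one sanitised feed entry (empty list = clean)."""
    auditor = FeedHtmlAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.findings
```

Running audit_feed_html(SAMPLE) reports the protocol-relative tracking pixel on cdn.example.net and the tab-obfuscated javascript: link, while the first-party image passes.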

Re: privacy, the sites reference the standard Wikimedia PP. And while most resources seem to come from internal Wikimedia sites, some definitely do not (e.g. images within the Shocking tales from ornithology post on en.planet.wikimedia.org and a few others.)

> Re: privacy, the sites reference the standard Wikimedia PP. And while most resources seem to come from internal Wikimedia sites, some definitely do not (e.g. images within the Shocking tales from ornithology post on en.planet.wikimedia.org and a few others.)

That's more T207244. But yes, posts on enplanet are entirely controlled by untrusted third parties (with a sanitation step).

sbassett changed the task status from Open to Stalled. Jun 11 2019, 5:36 PM
sbassett changed the task status from Stalled to Open. Jul 9 2019, 6:17 PM
sbassett removed a project: Wikimedia-Planet.
Jcross added a subscriber: mmarble.

The software we are currently using for planet will not be in the coming Debian bullseye release anymore. So we already started looking for a replacement software (T281219) independent of this audit.

https://github.com/feedreader/pluto is a possible candidate

@Dzahn - Thanks for letting us know. Unfortunately, this isn't the best timing since we already have a vendor engaged to complete this review this quarter. I suppose it might still provide some necessary insights (we'll keep the review public as well) until a replacement is chosen.

sbassett claimed this task.
sbassett moved this task from Vendor Confirmed to Our Part Is Done on the secscrum board.

@Dzahn - We did have one of our vendors (ROS) perform a security audit of the current planet.wikimedia. The following are their non-findings:

During the penetration test, we performed the following test cases/checks, which did not result in vulnerability discovery:
• Analysis of the code
• Dependencies check
• JS analysis

I do understand that given the previous comments, a new solution is currently being sourced to replace the current planet.wikimedia software. Once that decision has been made, feel free to file a new security review task if you'd like.