
Do a security audit of *.planet.wikimedia.org
Open, LowestPublic

Description

It's running under wikimedia.org. As far as I know, nobody has really ever reviewed it. We should do a security audit of it at some point just to ensure it actually sanitizes everything correctly and follows our privacy policy.

See https://wikitech.wikimedia.org/wiki/Planet.wikimedia.org for details about it.

Event Timeline

Bawolff created this task.Oct 17 2018, 12:10 AM
Restricted Application added a subscriber: Aklapper. Oct 17 2018, 12:10 AM
Dzahn added a subscriber: Dzahn.Oct 17 2018, 6:02 PM
Dzahn added a subscriber: Paladox.Oct 23 2018, 7:58 PM

Hi,

at https://gerrit.wikimedia.org/r/#/c/operations/puppet/+/467100/ @Paladox is suggesting a change that replaces the design of planet and also the CSS framework it uses (remove Bootstrap, add Bulma).

https://bulma.io/

It also says "reduces page size due to no js library loading", where the second part sounds good to me, especially in the security context I guess.

It removes jquery !

So I wanted to say before you start a review on the existing situation, maybe do it on the suggested new version in the change above. I was looking forward to merging that, but since this ticket exists of course I will first wait. Could be an improvement though, right?

Hi, http://planet-hotdog.wmflabs.org is using the new CSS class. It's better formatted on a responsive display, so images and videos are correctly resized!

It doesn't use jQuery and uses very little JS (only to make images responsive and also to get the menu to correctly work on mobile).

sbassett triaged this task as Lowest priority.
Dzahn added a comment.Apr 23 2019, 8:20 PM

Note that planet does not use planet-venus anymore since T180498

The current software is https://packages.debian.org/stretch/rawdog (http://offog.org/code/rawdog/)

Dzahn added a comment.Apr 23 2019, 8:20 PM

Hi, http://planet-hotdog.wmflabs.org is using the new CSS class. It's better formatted on a responsive display, so images and videos are correctly resized!
It doesn't use jQuery and uses very little JS (only to make images responsive and also to get the menu to correctly work on mobile).

And this is in production.

So for this review, it looks like we're talking about:

  1. rawdog (the aforementioned, disgustingly-named stretch package)
  2. rawdog's dependencies:
    1. python27
    2. python-feedparser >= 5.1.2
    3. python-tidylib
  3. Some CSS that looks the same across all language sub-sites:
    1. https://en.planet.wikimedia.org/main.css
    2. https://en.planet.wikimedia.org/bulma.min.css (https://bulma.io/)
  4. This JS in a <script> tag towards the bottom of the main page, which appears only to add/remove CSS classes on various DOM elements:
document.addEventListener('DOMContentLoaded', function() {

    // Get all "navbar-burger" elements
    var $navbarBurgers = Array.prototype.slice.call(document.querySelectorAll('.navbar-burger'), 0);

    // Check if there are any navbar burgers
    if ($navbarBurgers.length > 0) {

        // Add a click event on each of them
        $navbarBurgers.forEach(function(el) {
            el.addEventListener('click', function() {

                // Get the target from the "data-target" attribute
                const target = el.dataset.target;
                const $target = document.getElementById(target);

                // Toggle the "is-active" class on both the "navbar-burger" and the "navbar-menu"
                el.classList.toggle('is-active');
                $target.classList.toggle('is-active');
            });
        });
    }
});

document.querySelector('a#subscriptions').addEventListener('click', function(event) {
    event.preventDefault();
    var modal = document.querySelector('.modal'); // assuming you have only 1
    var html = document.querySelector('html');
    modal.classList.add('is-active');
    html.classList.add('is-clipped');

    modal.querySelector('.delete').addEventListener('click', function(e) {
        e.preventDefault();
        modal.classList.remove('is-active');
        html.classList.remove('is-clipped');
    });

    modal.querySelector('.dismiss').addEventListener('click', function(e) {
        e.preventDefault();
        modal.classList.remove('is-active');
        html.classList.remove('is-clipped');
    });
});

document.querySelectorAll('.navbar-link').forEach(function(navbarLink) {
    navbarLink.addEventListener('click', function() {
        navbarLink.nextElementSibling.classList.toggle('is-hidden-mobile');
    });
});

function addClass(selector, imgClass) {
    // Scope the node list locally instead of leaking an implicit global
    var els = document.querySelectorAll(selector);
    for (var i = 0; i < els.length; i++) {
        els[i].className += imgClass;
    }
}

addClass('figure', ' img-responsive');
addClass('div.wp-video', ' img-responsive');
addClass('img', ' img-responsive');
addClass('div.wp-caption.alignnone', ' img-responsive');

Some basic, quick checks:

  1. bulma.io CSS
    1. No CVEs, nothing in snyk.io or npm audit dbs, no reported/open security issues found on their github.
  2. rawdog
    1. No CVEs, nothing in snyk.io db, nothing in python safety db.
  3. rawdog dependencies
    1. python-tidylib - No CVEs, nothing in snyk.io db, nothing in python safety db.
    2. python-feedparser - Some CVEs in older versions, but nothing post 5.1.2.

I think the main things we want to check:

  • Are things properly escaped, especially for any custom skin files?
  • Is the allowed list of tags sane?
    • What are the (technical, not political) privacy implications here? Can blogs set third-party cookies? What information can blogs get about who is visiting planet? The most obvious one is external images. Is there anything worse than that?
    • Would any of the allowed tags allow JavaScript? Is there any way for a blog to have content that is executed in a *.wikimedia.org origin?
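The escaping, tag-allowlist and third-party-resource questions above can be checked mechanically over each aggregated entry. What follows is an added example written for this task, not rawdog's, python-feedparser's or planet's own sanitizer: a single-pass allowlist sanitizer over one feed entry body that also reports JavaScript vectors (disallowed tags, on* handlers, javascript:/data: URLs, including the tab-in-scheme trick browsers tolerate) and the third-party hosts a reader's browser would contact automatically. The allowlist, the first-party suffix list, the function names and the sample post are all assumptions constructed for the example.

```python
"""Audit one aggregated feed entry for active content and third-party loads.

Added example for this review; not rawdog's or feedparser's code. The lists
below are assumptions, not planet's real configuration.
"""
import html
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: hosts treated as first-party for the privacy question.
FIRST_PARTY_SUFFIXES = ("wikimedia.org", "wikipedia.org", "wmflabs.org")

# Assumption: a conservative allowlist standing in for the real planet one.
ALLOWED_TAGS = {"p", "a", "img", "b", "i", "em", "strong", "ul", "ol", "li",
                "blockquote", "code", "pre", "br", "h2", "h3", "figure", "figcaption"}
ALLOWED_ATTRS = {"a": {"href", "title"},
                 "img": {"src", "alt", "title", "width", "height"}}
LOAD_ATTRS = {"src", "poster"}        # fetched by the browser without a click
URL_ATTRS = LOAD_ATTRS | {"href"}     # href is a click-time navigation, not a load
SAFE_SCHEMES = {"", "http", "https"}  # "" = relative URL, resolves to the planet origin
VOID_TAGS = {"img", "br"}
RAW_TEXT_TAGS = {"script", "style"}   # their bodies are never re-emitted as text


def is_first_party(host):
    host = host.lower()
    return any(host == s or host.endswith("." + s) for s in FIRST_PARTY_SUFFIXES)


class FeedHTMLAudit(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []            # JS / active-content findings, in document order
        self.third_party_hosts = set()
        self.out = []                 # sanitized HTML fragments
        self._dropping = None         # raw-text tag whose body is being skipped

    def handle_starttag(self, tag, attrs):
        if self._dropping:
            return
        kept = []
        for name, value in attrs:     # names are already lowercased by HTMLParser
            value = "" if value is None else value
            if name.startswith("on"):
                self.findings.append(f"event handler {name} on <{tag}>")
                continue
            if name in URL_ATTRS:
                # Entities are already decoded; drop control chars (tab, newline)
                # that browsers ignore inside a scheme, then parse the scheme.
                cleaned = "".join(ch for ch in value if ord(ch) >= 32).strip()
                try:
                    parsed = urlparse(cleaned)
                    host = parsed.hostname
                except ValueError:
                    self.findings.append(f"unparseable URL in {name} of <{tag}>")
                    continue
                if parsed.scheme not in SAFE_SCHEMES:
                    self.findings.append(f"unsafe scheme {parsed.scheme}: in {name} of <{tag}>")
                    continue
                if name in LOAD_ATTRS and host and not is_first_party(host):
                    self.third_party_hosts.add(host.lower())
                value = cleaned
            if name in ALLOWED_ATTRS.get(tag, set()):
                kept.append(f' {name}="{html.escape(value, quote=True)}"')
        if tag in RAW_TEXT_TAGS:
            self._dropping = tag
        if tag not in ALLOWED_TAGS:
            self.findings.append(f"disallowed tag <{tag}>")
            return
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if self._dropping:
            if tag == self._dropping:
                self._dropping = None
            return
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._dropping:        # text is re-escaped, so markup in it stays inert
            self.out.append(html.escape(data, quote=False))


def audit_post(fragment):
    """Return (sanitized_html, findings, sorted third-party hosts) for one entry body."""
    parser = FeedHTMLAudit()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out), parser.findings, sorted(parser.third_party_hosts)


# Constructed sample entry body; the .invalid hosts are placeholders.
SAMPLE_POST = (
    "<p>Hello <b>world</b> &amp; friends</p>"
    "<script>alert(1)</script>"
    '<img src="https://upload.wikimedia.org/x.png" alt="fine" onerror="alert(2)">'
    '<a href="javascript:alert(document.cookie)">click</a>'
    '<img src="https://tracker.example.invalid/pixel.gif" alt="">'
    '<iframe src="https://video.example.invalid/embed"></iframe>'
)

if __name__ == "__main__":
    sanitized, findings, hosts = audit_post(SAMPLE_POST)
    print(sanitized)
    print("\n".join(findings))
    print("third-party loads:", hosts)
```

The sanitized output deliberately keeps the external pixel image: an allowlist answers the script-execution question but not the privacy one, which is why the third-party host list is reported separately. Against the real site, the loop would run over the entry bodies rawdog writes out, and the allowlist would be replaced by the one actually configured for planet.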
Krenair added a subscriber: Krenair.May 6 2019, 6:50 AM

Re: privacy, the sites reference the standard Wikimedia PP. And while most resources seem to come from internal Wikimedia sites, some definitely do not (e.g. images within the Shocking tales from ornithology post on en.planet.wikimedia.org and a few others.)

Re: privacy, the sites reference the standard Wikimedia PP. And while most resources seem to come from internal Wikimedia sites, some definitely do not (e.g. images within the Shocking tales from ornithology post on en.planet.wikimedia.org and a few others.)

That's more T207244. But yes, posts on enplanet are entirely controlled by untrusted third parties (with a sanitization step).

sbassett changed the task status from Open to Stalled.Jun 11 2019, 5:36 PM
sbassett changed the task status from Stalled to Open.Jul 9 2019, 6:17 PM
sbassett removed a project: Wikimedia-Planet.
Jcross removed mmarble as the assignee of this task.Thu, Aug 29, 2:54 PM
Jcross added a subscriber: mmarble.