It essentially allows you to take over the account. You should need to reauthenticate
Description
Details
Subject | Repo | Branch | Lines +/- | |
---|---|---|---|---|
Require reauthentication for proposing or managing consumers | mediawiki/extensions/OAuth | master | +68 -1 |
Status | Subtype | Assigned | Task | ||
---|---|---|---|---|---|
Open | None | T197160 All security-sensitive MediaWiki functionality should require elevated security | |||
Stalled | Security | None | T208008 Consumer owner-only oauth proposals should require reauth |
Event Timeline
Are you trying to say that the OAuth extension should use AuthManager::securitySensitiveOperationStatus() when someone creates an owner-only consumer?
Yes. Possibly when doing a consumer proposal/approval in general maybe (?) Not sure. But definitely for the auto-approved consumer only oauth apps
From a security perspective, probably. Note a proposed-but-not-approved consumer can be used by the owner's account without approval for testing.
Although you might get complaints from people (Stewards?) actually doing the approvals.
(Same as T197156: Creating OAuth owner-only consumers should require elevated security)
We should probably have a reauth time significantly larger than 5 min, though, filling out the form can take a while, especially if you do it the first time and need to read documentation.
Non-owner-only consumers send an Echo ping to OAuth admins so that would be an exploitable but very conspicuous attack vector. (On wikis which have Echo installed, anyway.)
Although you might get complaints from people (Stewards?) actually doing the approvals.
I'm probably doing most of the approvals these days, there's about one non-owner-only request per day. Requiring reauth for that would be annoying but not the end of the world.
I'm not 100% sure who should be claiming this task. Could one of you please claim it in support of this recent security incident?
Sounds reasonable. I think we'd still want it under 2 hours
Non-owner-only consumers send an Echo ping to OAuth admins so that would be an exploitable but very conspicuous attack vector. (On wikis which have Echo installed, anyway.)
Although you might get complaints from people (Stewards?) actually doing the approvals.
I'm probably doing most of the approvals these days, there's about one non-owner-only request per day. Requiring reauth for that would be annoying but not the end of the world.
Yeah, I'm less worried about that vector. Maybe something like reauth in the last 48 hours makes sense for approving non-owner only consumers.
Note that different reauth time for owner-only and normal consumers would only be possible if they used a separate form; while that might be preferable (per T142279), it is not the case currently.
Only skimmed it.
+ // TODO: Maybe make it possible to put this in extension.json + $wgReauthenticateTime += [ + 'OAuthManage' => 172800, + 'OAuthProposeOwnerOnly' => 60, + ];
Adding support for that in extension.json seems like a good idea.
As with T208007#4706897, I can't seem to apply Patch-For-Review here.
Added. Not sure why you can't...??
I still can't edit the projects on this task. Is there a Phab task for the permissions issue so we can leave this one to the OAuth feature request?
Yep, understood. I'm re-opening the original task to create the task subtype used here so we can sort things out
Any objections to making this task public? There is no vulnerability here, and private patches tend to linger forever without getting review / getting deployed.
60 seconds are way too short for filling out this form. Also, the management form dies on reauth-during-submission with
[05ef31b4ae43033ca4927166] /w/index.php?title=Special:OAuthManageConsumers/156f882c478400553c5f44994770224b&postUniqueId=20107b TypeError from line 340 of /vagrant/mediawiki/extensions/OAuth/backend/MWOAuthConsumer.php: Argument 2 passed to MediaWiki\Extensions\OAuth\MWOAuthConsumer::userCanSee() must be an instance of RequestContext, instance of DerivativeContext given, called in /vagrant/mediawiki/extensions/OAuth/backend/MWOAuthDAO.php on line 408 Backtrace: #0 /vagrant/mediawiki/extensions/OAuth/backend/MWOAuthDAO.php(408): MediaWiki\Extensions\OAuth\MWOAuthConsumer->userCanSee(string, DerivativeContext) #1 /vagrant/mediawiki/extensions/OAuth/control/MWOAuthDAOAccessControl.php(104): MediaWiki\Extensions\OAuth\MWOAuthDAO->userCanAccess(string, DerivativeContext) #2 /vagrant/mediawiki/extensions/OAuth/frontend/specialpages/SpecialMWOAuthManageConsumers.php(258): MediaWiki\Extensions\OAuth\MWOAuthDAOAccessControl->get(string, Closure) #3 /vagrant/mediawiki/extensions/OAuth/frontend/specialpages/SpecialMWOAuthManageConsumers.php(115): MediaWiki\Extensions\OAuth\SpecialMWOAuthManageConsumers->handleConsumerForm(string) #4 /vagrant/mediawiki/includes/specialpage/SpecialPage.php(569): MediaWiki\Extensions\OAuth\SpecialMWOAuthManageConsumers->execute(string) #5 /vagrant/mediawiki/includes/specialpage/SpecialPageFactory.php(558): SpecialPage->run(string) #6 /vagrant/mediawiki/includes/MediaWiki.php(288): MediaWiki\Special\SpecialPageFactory->executePath(Title, RequestContext) #7 /vagrant/mediawiki/includes/MediaWiki.php(862): MediaWiki->performRequest() #8 /vagrant/mediawiki/includes/MediaWiki.php(517): MediaWiki->main() #9 /vagrant/mediawiki/index.php(42): MediaWiki->run() #10 /var/www/w/index.php(5): require(string) #11 {main}
Hmm, how'd I get 60 seconds in there? I wonder if I forgot to change it back after testing.
Also, the management form dies on reauth-during-submission with
[05ef31b4ae43033ca4927166] /w/index.php?title=Special:OAuthManageConsumers/156f882c478400553c5f44994770224b&postUniqueId=20107b TypeError from line 340 of /vagrant/mediawiki/extensions/OAuth/backend/MWOAuthConsumer.php: Argument 2 passed to MediaWiki\Extensions\OAuth\MWOAuthConsumer::userCanSee() must be an instance of RequestContext, instance of DerivativeContext given, called in /vagrant/mediawiki/extensions/OAuth/backend/MWOAuthDAO.php on line 408
Why is that typehinting RequestContext instead of IContextSource?
@Tgr and @Anomie - I'm fine with treating this as a code-hardening measure (as opposed to a standard security issue with all the protections) and making this task public. I assume the patch above ( T208008#4754351) would need a rebase/rewrite at this point.
Thanks @sbassett! Would you be able to make it public? I don't think I have the rights to do that.
Done. Also removed a certain tag. I assume we just need to rewrite/rebase the (old) patch from T208008#4754351 and get that into gerrit?
Change 611342 had a related patch set uploaded (by Gergő Tisza; owner: Anomie):
[mediawiki/extensions/OAuth@master] Require reauthentication for proposing or managing consumers