
Wikidata slack channel token in public config file
Closed, Resolved · Public

Description

Security@wikimedia.org email:

I'm not very familiar with Slack, so I don't know how sensitive this token is.

Anurag Jain <cs.anurag.jain@gmail.com>
3:07 PM (23 minutes ago)
to security
Hi Security Team,
Kindly consider this under your bug bounty program
One of the GitHub projects is revealing the Slack token for your Slack channel.
Vulnerable URL
https://github.com/wikimedia/mediawiki-extensions-WikibaseQualityExternalValidation/blob/d1b351d615b754a11e22857d9dab788ddaf7465a/.travis.yml
Token Revealed:
https://wikidataquality.slack.com/services/hooks/travis?token=6RzuL6LCKzoPupOKuNUhpCSt
Proof that it is working
curl https://wikidataquality.slack.com/services/hooks/travis?token=6RzuL6LCKzoPupOKuNUhpCSt
Output: invalid_payload
Which shows that credentials were accepted.
This gives unauthorized access to post on your slack channel
Recommendation
Revoke this token and use an encrypted token in .travis.yml.
Kindly let me know in case any other details are required from my side.
Regards,
Anurag

Event Timeline

Bawolff created this task.Jan 2 2019, 3:32 PM
Restricted Application added a subscriber: Aklapper. Jan 2 2019, 3:32 PM
sbassett added a subscriber: sbassett. (Edited) Jan 2 2019, 3:51 PM

Looks like this is for travis CI's integration w/ slack:

https://docs.travis-ci.com/user/notifications/#configuring-slack-notifications

Within the docs, they recommend encrypting the token (which it doesn't appear to be within .travis.yml, but I can't say for sure) if it's stored within a public repo, as it is here. Of course placing it within a private config repo should also work.

(and of course, with public exposure, the token value should change, if possible)

Vgutierrez added a subscriber: Vgutierrez. (Edited) Jan 2 2019, 4:48 PM

It can be stored in .travis.yml as an encrypted value; it would look like this:

notifications:
  slack:
    rooms:
      - secure: "sdfusdhfsdofguhdfgubdsifgudfbgs3453durghssecurestringidsuag34522irueg="
    on_success: always

That very codebase has been archived according to https://phabricator.wikimedia.org/T204490, however the information also exists in other active (?) ones:

$:acko\> grep --include="*.yml" -r slack .
./WikibaseQualityExternalValidation/.travis.yml:  slack: wikidataquality:6RzuL6LCKzoPupOKuNUhpCSt
./WikibaseQuality/.travis.yml:  slack: wikidataquality:6RzuL6LCKzoPupOKuNUhpCSt
./WikibaseQualityConstraints/.travis.yml:  slack: wikidataquality:6RzuL6LCKzoPupOKuNUhpCSt
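A small checker for the two shapes discussed in this thread, added here as an example (it is not code from the task, from Travis CI or from any Wikimedia repository): it reads a .travis.yml, reports the plaintext "slack: account:token" form that the grep above found, and accepts the "secure:" form. The credential pattern is a heuristic and the sample files and their token are constructed placeholders.

```python
import re

# Plaintext Travis Slack credential: "<account>:<token>", optionally "#channel".
# Heuristic: the token is a long alphanumeric string; requiring 16+ characters
# avoids matching ordinary "key:value" text such as "php:7.2".
CRED_RE = re.compile(r'^["\']?([A-Za-z0-9][\w-]*):([A-Za-z0-9]{16,})(?:#[^\s"\']+)?["\']?$')

def _mask(token):
    # Keep a short prefix so a finding can be matched to a key, never the full secret.
    return token[:4] + "*" * (len(token) - 4)

def _credential(value, line_no):
    m = CRED_RE.match(value.strip())
    return (line_no, m.group(1), _mask(m.group(2))) if m else None

def find_plaintext_slack_tokens(travis_yml):
    """Return [(line_no, account, masked_token)] for unencrypted Slack credentials,
    covering both "slack: account:token" and a "slack:" mapping whose "rooms:" list
    holds plain items; "secure: ..." items are the encrypted form and are skipped."""
    findings = []
    block_indent = None  # indent of an open "slack:" mapping, or None
    for line_no, raw in enumerate(travis_yml.splitlines(), start=1):
        line = re.sub(r'(^|\s)#.*$', '', raw)  # drop YAML comments, keep "#channel"
        stripped = line.strip()
        if not stripped:
            continue
        indent = len(line) - len(line.lstrip(' '))
        if block_indent is not None and indent <= block_indent:
            block_indent = None  # the slack mapping has ended
        if block_indent is not None:
            item = stripped[2:].strip() if stripped.startswith('- ') else ''
            if item and not item.startswith('secure:'):
                findings.append(_credential(item, line_no))
            continue
        m = re.match(r'^slack:\s*(.*)$', stripped)
        if m and m.group(1).strip():
            findings.append(_credential(m.group(1), line_no))
        elif m:
            block_indent = indent
    return [f for f in findings if f is not None]

# Constructed samples: the leak pattern from the task (with a placeholder token)
# and the encrypted form recommended in the comment above.
LEAKY_YML = "language: php\nnotifications:\n  slack: wikidataquality:EXAMPLETOKENxxxxxxxxxxxx\n  email: false\n"
FIXED_YML = "notifications:\n  slack:\n    rooms:\n      - secure: \"c2VjdXJlc3RyaW5n=\"\n    on_success: always\n"
```

Running find_plaintext_slack_tokens over every .travis.yml in a tree of checkouts gives the same coverage as the grep above, with the token masked in the report.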
MaxSem added a subscriber: MaxSem. Jan 2 2019, 7:37 PM

There's a GitHub bot in Slack that shows CI results for PRs, you don't need to touch the Travis config for notifications at all.

This must be left over from when the group of students originally developed the extension.
We don't use slack at WMDE, so we can probably just remove the token now.

Patch for WikibaseQualityConstraints https://gerrit.wikimedia.org/r/#/c/mediawiki/extensions/WikibaseQualityConstraints/+/481995/

Can we also remove it from archived extensions? I guess we can't write to those?

Yeah we can just remove the integration with Slack. It's a leftover from the students.

Addshore triaged this task as Low priority. Jan 3 2019, 11:08 AM
Addshore raised the priority of this task from Low to Needs Triage.
Addshore triaged this task as Low priority.
Addshore moved this task from incoming to in progress on the Wikidata board. Jan 3 2019, 1:50 PM
Bawolff changed the visibility from "Custom Policy" to "Public (No Login Required)". Jan 3 2019, 2:36 PM