Page MenuHomePhabricator
Create Task
Maniphest T212787

Wikidata slack channel token in public config file
Closed, ResolvedPublic
Actions

Description

Security@wikimedia.org email:

I'm not very familiar with slack, so i don't know how sensitive this token is.

Anurag Jain <cs.anurag.jain@gmail.com>

3:07 PM (23 minutes ago)

to security
Hi Security Team,

Kindly consider this under your bug bounty program
One of the github project is revealing the slack token for your slack channel.

Vulnerable URL
https://github.com/wikimedia/mediawiki-extensions-WikibaseQualityExternalValidation/blob/d1b351d615b754a11e22857d9dab788ddaf7465a/.travis.yml

Token Revealed:
https://wikidataquality.slack.com/services/hooks/travis?token=6RzuL6LCKzoPupOKuNUhpCSt

Proof that it is working
curl https://wikidataquality.slack.com/services/hooks/travis?token=6RzuL6LCKzoPupOKuNUhpCSt
Output: invalid_payload

Which shows that credentials were accepted.

This gives unauthorized access to post on your slack channel

Recommendation
Revoke this token and use encrypted token in .travis.yml

Kindly let me know in case any other details are required from my side.

Regards,
Anurag

Details

ProjectBranchLines +/-Subject
mediawiki/extensions/WikibaseQualityConstraintsmaster+0 -1Remove unused travis slack token
Customize query in gerrit

Event Timeline

Bawolff created this task.Jan 2 2019, 3:32 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJan 2 2019, 3:32 PM
Bawolff added a project: Wikidata.Jan 2 2019, 3:33 PM
sbassett added a subscriber: sbassett.EditedJan 2 2019, 3:51 PM

Looks like this is for travis CI's integration w/ slack:

https://docs.travis-ci.com/user/notifications/#configuring-slack-notifications

Within the docs, they recommend encrypting the token (which it doesn't appear to be within .travis.yml, but I can't say for sure) if it's stored within a public repo, as it is here. Of course placing it within a private config repo should also work.

(and of course, with public exposure, the token value should change, if possible)

Vgutierrez added a subscriber: Vgutierrez.EditedJan 2 2019, 4:48 PM

it can be stored in .travis.yml as an encrypted value, it would look like this:

notifications:
  slack:
    rooms:
      - secure: "sdfusdhfsdofguhdfgubdsifgudfbgs3453durghssecurestringidsuag34522irueg="
    on_success: always
Aklapper added a comment.Jan 2 2019, 5:36 PM

That very codebase has been archived according to https://phabricator.wikimedia.org/T204490, however the information also exists in other active (?) ones:

$:acko\> grep --include="*.yml" -r slack .
./WikibaseQualityExternalValidation/.travis.yml:  slack: wikidataquality:6RzuL6LCKzoPupOKuNUhpCSt
./WikibaseQuality/.travis.yml:  slack: wikidataquality:6RzuL6LCKzoPupOKuNUhpCSt
./WikibaseQualityConstraints/.travis.yml:  slack: wikidataquality:6RzuL6LCKzoPupOKuNUhpCSt
MaxSem added a subscriber: MaxSem.Jan 2 2019, 7:37 PM

There's a GitHub bot in Slack that shows CI results for PRs, you don't need to touch the Travis config for notifications at all.

Addshore added a subscriber: Addshore.Jan 3 2019, 9:28 AM

This must be left over from when the group of students originally developed the extension.
We don't use slack at WMDE, so we can probably just remove the token now.

Addshore added a comment.Jan 3 2019, 9:41 AM

Patch for WikibaseQualityConstraints https://gerrit.wikimedia.org/r/#/c/mediawiki/extensions/WikibaseQualityConstraints/+/481995/

Can we also remove it from archived extensions? I guess we can't write to those?

Addshore added a project: Wikidata-Campsite (Wikidata-Campsite-Iteration-∞ (On Hold)).Jan 3 2019, 9:41 AM
Addshore moved this task from To Do (prioritised from top to bottom) to Peer Review on the Wikidata-Campsite (Wikidata-Campsite-Iteration-∞ (On Hold)) board.
Addshore added subscribers: Tarrow, Lucas_Werkmeister_WMDE, Lydia_Pintscher and 6 others.
Lydia_Pintscher added a comment.Jan 3 2019, 9:49 AM

Yeah we can just remove the integration with Slack. It's a leftover from the students.

Addshore triaged this task as Low priority.Jan 3 2019, 11:08 AM
Addshore raised the priority of this task from Low to Needs Triage.
Addshore triaged this task as Low priority.
Addshore moved this task from incoming to in progress on the Wikidata board.Jan 3 2019, 1:50 PM
Bawolff changed the visibility from "Custom Policy" to "Public (No Login Required)".Jan 3 2019, 2:36 PM
Addshore closed this task as Resolved.Jan 4 2019, 11:06 AM
Addshore moved this task from Peer Review to Done on the Wikidata-Campsite (Wikidata-Campsite-Iteration-∞ (On Hold)) board.
chasemp added a project: Security.Feb 10 2020, 11:00 PM
chasemp removed a project: acl*security.Feb 20 2020, 8:18 PM
Content licensed under Creative Commons Attribution-ShareAlike 3.0 (CC-BY-SA) unless otherwise noted; code licensed under GNU General Public License (GPL) or other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL