
Symfony Twig - Sandbox Information Disclosure (iegreview, wikimania-scholarships, slimapp)
Closed, Resolved, Public

Description

php-composer-security-docker keeps spamming the Security-Team with this (low) vulnerability for three apps:

We can split these into separate tasks, but since the solution requires version-bumping twig in composer.json, I thought we could possibly take care of these in one fell swoop. Additionally, this vulnerability specifically affects apps running twig in sandbox mode, which I don't believe any of these apps do. Though we still get automated alerts for them :/

The issue was fixed in twig 1.38 and testing locally, php security checker doesn't complain with "twig/twig": "~1.38". I would've pushed some patch sets up to gerrit for each of these, but couldn't get the unit tests to run locally, so I held off.
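The fix described above is a dependency bump, so the practical check is whether the locked twig/twig version has reached the first fixed 1.x release (1.38). The script below is an added example, not code from the task or from any of the three apps: it reads a composer.lock document, finds twig/twig, and reports patched, vulnerable, absent or unknown, assuming the 1.x line (the one named in the task) and treating other lines and dev branches as unknown.

```python
"""Check whether a composer.lock pins twig/twig at or above the version
that closes the sandbox information-disclosure issue (1.38, per the task).

Added example, not code from the task or from iegreview/wikimania-scholarships/slimapp.
Assumes the 1.x release line; other lines are reported as 'unknown'.
"""
import json
import re
from typing import Optional, Tuple

FIXED_1X = (1, 38, 0)  # first 1.x release the task says is fixed


def parse_version(ver: str) -> Optional[Tuple[int, int, int]]:
    """Turn 'v1.37.1' / '1.38.0' / '1.38' into a (major, minor, patch) tuple."""
    m = re.match(r"^v?(\d+)\.(\d+)(?:\.(\d+))?", ver.strip())
    if not m:
        return None  # dev branches such as 'dev-master' cannot be assessed
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def installed_twig_version(lock_json: str) -> Optional[str]:
    """Return the twig/twig version pinned in a composer.lock document, if any."""
    lock = json.loads(lock_json)
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            if pkg.get("name") == "twig/twig":
                return pkg.get("version")
    return None


def twig_status(lock_json: str) -> str:
    """'patched', 'vulnerable', 'absent' or 'unknown' for the locked twig/twig."""
    ver = installed_twig_version(lock_json)
    if ver is None:
        return "absent"
    parsed = parse_version(ver)
    if parsed is None or parsed[0] != 1:
        return "unknown"  # not on the 1.x line covered by the task
    return "patched" if parsed >= FIXED_1X else "vulnerable"


# Constructed sample lock files (not the real locks of any of the three apps).
VULNERABLE_LOCK = json.dumps({"packages": [{"name": "twig/twig", "version": "v1.37.1"}]})
PATCHED_LOCK = json.dumps({"packages": [{"name": "twig/twig", "version": "v1.38.0"}]})

if __name__ == "__main__":
    for label, lock in (("vulnerable", VULNERABLE_LOCK), ("patched", PATCHED_LOCK)):
        print(f"{label}: {twig_status(lock)}")
```

Run it against the composer.lock that was actually deployed rather than the one in the repository, since, as the thread notes, merge and deploy are separate steps here.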

Event Timeline

Update: I've got some (hopefully nondescript) patches up on gerrit for iegreview and wikimania-scholarships, as noted within the description.

T243037: Shutdown scholarships.wikimedia.org and archive project will take care of wikimania-scholarships :(

I think there are still a lot of questions there, re: the new solution, but if we can assume the current app is absolutely going away, then I can abandon the related patch. Though if it isn't too much trouble, it might be nice to just merge it so the Security-Team no longer receives any obnoxious alerts :) Failing that, I might just remove it from php-composer-security-docker.

sbassett updated the task description. (Show Details)
sbassett removed a project: Patch-For-Review.
sbassett moved this task from Back Orders to Our Part Is Done on the Security-Team board.

I think everything is updated and merged for these now. Not sure if the patches auto-deploy post-merge in gerrit or if a manual deploy is still required, but confirmation or execution of that step would be all that was needed to resolve and make this task public.

> I think everything is updated and merged for these now. Not sure if the patches auto-deploy post-merge in gerrit or if a manual deploy is still required, but confirmation or execution of that step would be all that was needed to resolve and make this task public.

Manual scap3 deploys are needed to change the live sites. I think they are both hosted on ganeti VMs with a PHP 5.6 runtime too, so the deploys may not go as hoped if that was not taken into account when building the vendor components.

sbassett changed the task status from Open to Stalled. Feb 20 2020, 9:37 PM

> Manual scap3 deploys are needed to change the live sites. I think they are both hosted on ganeti VMs with a PHP 5.6 runtime too, so the deploys may not go as hoped if that was not taken into account when building the vendor components.

I'm guessing a PHP upgrade on the ganeti clusters is probably both non-trivial and de-prioritized at the moment. I think it makes sense to mark this task stalled and keep it security-protected until either iegreview and wikimania-scholarships are officially undeployed or the cluster is upgraded.

wikimania-scholarships is in the process of being removed. The general public can't access it anymore. You can remove it from the list here.

> wikimania-scholarships is in the process of being removed. The general public can't access it anymore. You can remove it from the list here.

Done. For the other two, the mitigations were merged but I don't know if they were ever deployed.

> I think they are both hosted on ganeti VMs with a PHP 5.6 runtime

```
[miscweb1002:~] $ php -v
PHP 7.3.29-1~deb10u1 (cli) (built: Jul 2 2021 04:04:33) ( NTS )
```

> I'm guessing a PHP upgrade on the ganeti clusters is probably both non-trivial and de-prioritized at the moment. I think it makes sense to mark this task stalled and keep it security-protected until either iegreview and wikimania-scholarships are officially undeployed or the cluster is upgraded.

Well, unstalled since quite some time then :)

> For the other two, the mitigations were merged but I don't know if they were ever deployed.

I spot checked iegreview (patch https://gerrit.wikimedia.org/r/c/wikimedia/iegreview/+/571823) compared against what is deployed on prod.

The patch changes "wikimedia/slimapp" from "0.9.0" to "0.9.2". In prod this file already says 1.20.0.

Also `[miscweb2002:/srv/deployment/iegreview/iegreview/vendor/twig/twig] $ vi CHANGELOG` is at 1.20.0.

sbassett assigned this task to bd808.
sbassett updated the task description. (Show Details)

> I spot checked iegreview (patch https://gerrit.wikimedia.org/r/c/wikimedia/iegreview/+/571823) compared against what is deployed on prod.
>
> The patch changes "wikimedia/slimapp" from "0.9.0" to "0.9.2". In prod this file already says 1.20.0.
>
> Also `[miscweb2002:/srv/deployment/iegreview/iegreview/vendor/twig/twig] $ vi CHANGELOG` is at 1.20.0.

Great. I'm just going to resolve and disclose this then. slimapp is just a framework anyway, and not actually a deployed app AFAIK.

sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".
sbassett edited subscribers, added: Mstyles, mmartorana; removed: AlexWang.

Cool :) Yes, iegreview and scholarships were actually installed apps/sites, but slimapp is a framework used by them, AFAICT.