TL;DR: arbitrary JS execution on query.wikidata.org (not CORS-whitelisted)
The Wikidata Query Service UI has a convenient feature (implemented in I6c8a7ebac1, T137784) where mathematical expressions in results are displayed directly, for example:
Unfortunately, it does this by directly pasting the contents of MathML literals into the HTML:
case DATATYPE_MATHML: $html.append( $( data.value ) ); break;
I think this is fine for MathML from the Wikibase RDF output, which is generated by Extension:Math and hopefully trustworthy at the markup level regardless of what the underlying TeX value on Wikidata is. However, nothing stops a query author from tagging any other string as MathML:
SELECT * WHERE { BIND("<script>alert('XSS')</script>"^^<http://www.w3.org/1998/Math/MathML> AS ?xss) }
This means that if an attacker can trick a victim into opening a link like this one, they can run arbitrary JavaScript on query.wikidata.org in the user’s browser. (Clicking a link to query results is a pretty common operation for Wikidata users.)
Fortunately, query.wikidata.org is not on the CORS whitelist ($wgCrossSiteAJAXdomains) for production wikis (I had proposed this in T218568, but it was declined), so I don’t think this is enough to let the attacker steal the victim’s Wikimedia accounts.
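The following is an added example, not code from the task or from the WDQS GUI. It puts the original behaviour (the literal is turned into DOM nodes unconditionally, which is what `$html.append( $( data.value ) )` does) next to a fail-closed check that only lets a single well-formed tree of plain presentation MathML through and renders everything else as text. All function names, the element and attribute allowlists, and the sample inputs are this example's own assumptions.

```javascript
// Added example, not the WDQS GUI's own code. It shows the two ways the cell can
// be rendered: unconditionally as markup (the behaviour behind
// `$html.append( $( data.value ) )`) and only after a fail-closed check that the
// literal is plain presentation MathML. All names here are this example's own.

// Assumed conservative subset of the elements Extension:Math emits; anything
// outside it (script, img, annotation-xml, ...) makes the whole value unsafe.
const ALLOWED_ELEMENTS = new Set([
  'math', 'semantics', 'annotation', 'mrow', 'mi', 'mn', 'mo', 'mtext', 'ms',
  'mspace', 'msup', 'msub', 'msubsup', 'mfrac', 'msqrt', 'mroot', 'mstyle',
  'mover', 'munder', 'munderover', 'mtable', 'mtr', 'mtd', 'mpadded',
  'mphantom', 'mfenced', 'menclose',
]);
// Attributes that carry neither a URL nor a script: no href, xlink:*, on*, style.
const ALLOWED_ATTRIBUTES = new Set([
  'xmlns', 'display', 'alttext', 'mathvariant', 'stretchy', 'fence', 'separator',
  'encoding', 'lspace', 'rspace', 'width', 'height', 'depth', 'columnalign',
  'rowalign', 'class',
]);
const MATHML_NS = 'http://www.w3.org/1998/Math/MathML';

// Tokens of the small XML subset we accept: quoted attributes only, five named
// entities plus numeric references, no comments, CDATA or processing instructions.
const TAG_RE = /^<(\/?)([A-Za-z][A-Za-z0-9-]*)((?:\s+[A-Za-z:-]+\s*=\s*"[^"<>]*")*)\s*(\/?)>/;
const ATTR_RE = /([A-Za-z:-]+)\s*=\s*"([^"<>]*)"/g;
const TEXT_RE = /^(?:[^<>&]|&(?:amp|lt|gt|quot|apos|#[0-9]+|#x[0-9A-Fa-f]+);)+/;

// True only for a single well-formed <math> tree built from allowed elements and
// attributes. Any token the grammar does not recognise rejects the value.
function isSafeMathMl(value) {
  const stack = [];
  let pos = 0;
  let rootSeen = false;
  while (pos < value.length) {
    const rest = value.slice(pos);
    let m = TAG_RE.exec(rest);
    if (m) {
      const [whole, closing, name, attrs, selfClosing] = m;
      if (!ALLOWED_ELEMENTS.has(name)) return false;
      if (closing) {
        if (attrs || selfClosing || stack.pop() !== name) return false;
      } else {
        if (stack.length === 0 && (rootSeen || name !== 'math')) return false;
        for (const [, aName, aValue] of attrs.matchAll(ATTR_RE)) {
          if (!ALLOWED_ATTRIBUTES.has(aName)) return false;
          if (aName === 'xmlns' && aValue !== MATHML_NS) return false;
          // An HTML annotation encoding would let the body be parsed as HTML;
          // only non-HTML encodings (e.g. application/x-tex) are accepted.
          if (aName === 'encoding' && /html/i.test(aValue)) return false;
        }
        rootSeen = true;
        if (!selfClosing) stack.push(name);
      }
      pos += whole.length;
      continue;
    }
    m = TEXT_RE.exec(rest);
    if (m && stack.length > 0) { pos += m[0].length; continue; }
    return false; // comment, CDATA, PI, stray '<' or '&', or text outside <math>
  }
  return rootSeen && stack.length === 0;
}

// The original code path: the literal is turned into DOM nodes whatever it holds.
function vulnerableRender(value) {
  return { asMarkup: true, value };
}

// The hardened path: validated MathML is inserted as markup, anything else is
// shown as text (the jQuery equivalent is `$( '<span>' ).text( data.value )`).
function hardenedRender(value) {
  return { asMarkup: isSafeMathMl(value), value };
}

// Constructed inputs: a legitimate formula and the payload from the task.
const FORMULA = '<math xmlns="http://www.w3.org/1998/Math/MathML">' +
  '<msup><mi>x</mi><mn>2</mn></msup></math>';
const PAYLOAD = "<script>alert('XSS')</script>";
```

The check is deliberately fail-closed: an unquoted attribute, a named entity outside the five XML ones, an `<annotation-xml>` element, a second root element or an `<mi><script>` (an HTML integration point, where the HTML parser would switch back to script parsing) all cause the literal to be rendered as text instead of markup. If a genuine Extension:Math result is rejected, extend the allowlists rather than the grammar. In a browser the same decision can be made from a parsed tree instead of a tokenizer: `new DOMParser().parseFromString( value, 'application/xml' )`, check for a parser error, check that `documentElement.namespaceURI` is the MathML namespace, walk the elements and attributes against the same allowlists, and only then `document.importNode` the result. The point in both variants is that the datatype tag on the literal proves nothing; only the parsed structure does.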
Steps to fix (from T233213#5584298):
- Turn P9315 into a patch against wikidata/query/gui-deploy
- On the deployment server (is that deployment.eqiad.wmnet or a different one, btw?), apply that patch in the gui submodule of the wikidata/query/deploy checkout (/srv/deployment/wdqs/wdqs?)
- Commit that patch to the gui submodule, and then commit the submodule update in the main deploy repository? Not sure if this is necessary
- Deploy the current tree (scap deploy?)
- Verify that the vulnerability is fixed
So tomorrow EU time (2pm GMT) we will...
Get the code on gerrit in shape:
- Merge the patch on gerrit into the main repo
- Merge the patch that will be generated in wikidata/query/gui-deploy
- https://gerrit.wikimedia.org/r/#/c/wikidata/query/gui-deploy/+/549461/ hash: 7445472ab0ec61890b42e4d524416fbc6a18aa8a
- Update gui submodule in wikidata/query/deploy repository, bringing it in line with the deployment server’s version
- Confirm that https://archiva.wikimedia.org/repository/snapshots/org/wikidata/query/rdf has been regenerated
- Build versions of our docker images with the new code
Announce and update final things:
- Update our test things on labs (and wikibase-registry) that also run this code
- Create a CVE including details of the fixed versions
- Announce to wikitech-l/wikidata-l/wikidata-tech/wikibase/telegram
- Directly contact the people that we know run this GUI in the wild
- Discuss any further changes to math rendering in T214980: Support mathematical formulae in Wikidata Query Service UI on all browsers (public)