Page MenuHomePhabricator
Create Task
Maniphest T238618

Adopt a CSP policy for query.wikidata.org
Open, Needs TriagePublic
Actions

Description

As part of the effort to put CSP on all the things, as well as to help mitigate the risk of an XSS in the query service (like T233213), I think it would be prudent to adopt a CSP policy for WDQS.

Looking at query.wikidata.org, at first glance the GUI appears to be a fairly modern JS application that mostly avoids inline javascript - and where there is inline js (like in embed mode), it appears to be mostly static scripts. Anyways, i need to investigate a little more, but at first glance, it looks like it would be fairly easy to adopt a CSP policy that would increase the security of WDQS without any negative side effects.

Details

SubjectRepoBranchLines +/-
Make polestar no longer use inline scriptswikidata/query/guimaster+8 -8
Use CORS instead of jsonp for cross domain requestswikidata/query/guimaster+4 -4
Split initialization JS of embed.html to separate filewikidata/query/guimaster+136 -138
Customize query in gerrit

Related Objects

Event Timeline

Bawolff created this task.Nov 19 2019, 3:32 AM
Restricted Application added a project: Wikidata. · View Herald TranscriptNov 19 2019, 3:32 AM
Restricted Application added a subscriber: Aklapper. · View Herald Transcript
Lucas_Werkmeister_WMDE edited projects, added Wikidata Query UI; removed Wikidata-Query-Service.Nov 19 2019, 12:26 PM
Lucas_Werkmeister_WMDE subscribed.
Lucas_Werkmeister_WMDE added a comment.Nov 19 2019, 12:29 PM

Yeah, that should be possible – I think we only load scripts from query.wikidata.org itself (plus a handful of inline ones that could be converted), not from any other domains.

Bawolff added a comment.EditedNov 24 2019, 12:48 PM

So investigating this a bit further:

  • embed.html would ideally have its script in a separate file
  • Move the current usages of JSONP with www.wikidata.org to CORS
  • polestar uses angular, from what I understand, angular can be used to bypass CSP (Although I'm not sure how much that applies to DOM xss's, since these are static html files, that would be the relevant type of XSS)
Bawolff added a comment.Nov 24 2019, 1:13 PM

So if I was ignoring polestar (aka graph builder mode) the ideal CSP would be something like:

default-src 'self' data:;
style-src 'unsafe-inline' data: 'self';
img-src data: 'self' upload.wikimedia.org commons.wikimedia.org;
media-src data: 'self' upload.wikimedia.org commons.wikimedia.org;
script-src 'report-sample' https://query.wikidata.org/js/ blob:;
connect-src meta.wikimedia.org www.wikidata.org 'self';
object-src 'none';
report-uri https://www.wikidata.org/w/api.php?action=cspreport&format=none
gerritbot added a comment.Nov 24 2019, 1:30 PM

Change 552652 had a related patch set uploaded (by Brian Wolff; owner: Brian Wolff):
[wikidata/query/gui@master] Split initialization JS of embed.html to separate file

https://gerrit.wikimedia.org/r/552652

gerritbot added a project: Patch-For-Review.Nov 24 2019, 1:30 PM
gerritbot added a comment.Nov 24 2019, 2:41 PM

Change 552656 had a related patch set uploaded (by Brian Wolff; owner: Brian Wolff):
[wikidata/query/gui@master] Use CORS instead of jsonp for cross domain requests

https://gerrit.wikimedia.org/r/552656

Bawolff added a comment.EditedNov 24 2019, 3:08 PM

Polestar also has a button to load datasets from http://ec2-52-1-38-182.compute-1.amazonaws.com:8753 - which seems a bit suspect from a privacy policy perspective...

It also has a button to load data from arbitrary url (if url has appropriate CORS headers). Not sure if we want to support that or not. In terms of CSP, that means we would have to allow arbitrary connect-src, not terrible, but at the same time, not the most locked down, especially in terms of using CSP to enforce privacy policy

Bawolff added a comment.Nov 24 2019, 3:57 PM

So revised suggested CSP header:

For everything except in the polestar directory:

default-src 'self' data:; 
style-src 'unsafe-inline' data: 'self';
img-src data: 'self' upload.wikimedia.org commons.wikimedia.org;
media-src data: 'self' upload.wikimedia.org commons.wikimedia.org;
script-src 'report-sample' https://query.wikidata.org/js/ blob:; 
connect-src meta.wikimedia.org/w/api.php www.wikidata.org/w/api.php 'self' query.wikidata.org;
object-src 'none';
report-uri https://www.wikidata.org/w/api.php?action=cspreport&format=none&source=wdqs

For the polestar directory:

default-src 'self' data:;
style-src 'unsafe-inline' data: 'self';
img-src data: 'self' upload.wikimedia.org commons.wikimedia.org;
media-src data: 'self' upload.wikimedia.org commons.wikimedia.org;
script-src 'report-sample' https://query.wikidata.org/polestar/scripts/ 'unsafe-eval';
object-src 'none';
sandbox allow-scripts;
report-uri https://www.wikidata.org/w/api.php?action=cspreport&format=none&source=wdqs-polestar

This will cause the bookmark feature of polestar to be disabled (Is that acceptable?). It will also break the import data option, but that doesn't look like it works anyways, and isn't shown in the normal workflow.

gerritbot added a comment.Nov 24 2019, 4:00 PM

Change 552660 had a related patch set uploaded (by Brian Wolff; owner: Brian Wolff):
[wikidata/query/gui@master] Make polestar no longer use inline scripts

https://gerrit.wikimedia.org/r/552660

Bawolff moved this task from Backlog to misc services on the ContentSecurityPolicy board.Nov 25 2019, 8:18 AM
gerritbot added a comment.Nov 28 2019, 12:06 PM

Change 552652 merged by jenkins-bot:
[wikidata/query/gui@master] Split initialization JS of embed.html to separate file

https://gerrit.wikimedia.org/r/552652

gerritbot added a comment.Nov 28 2019, 12:09 PM

Change 552656 merged by jenkins-bot:
[wikidata/query/gui@master] Use CORS instead of jsonp for cross domain requests

https://gerrit.wikimedia.org/r/552656

gerritbot added a comment.Nov 28 2019, 12:09 PM

Change 552660 merged by jenkins-bot:
[wikidata/query/gui@master] Make polestar no longer use inline scripts

https://gerrit.wikimedia.org/r/552660

Maintenance_bot removed a project: Patch-For-Review.Nov 28 2019, 12:10 PM
Bawolff added a comment.Dec 2 2019, 4:40 AM

So I guess the next question is, where to set the CSP headers. My guess would be in sub cluster_fe_deliver of text-frontend.inc.vcl.erb, but I'm really not sure if that is the correct place.

Lucas_Werkmeister_WMDE added a comment.Dec 2 2019, 11:13 AM

(Just to be clear – the above changes have been merged, but not deployed yet, so please don’t set any CSP headers yet :) )

WMDE-leszek subscribed.Dec 3 2019, 10:00 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL