
Adopt a CSP policy for query.wikidata.org
Open, Needs Triage, Public

Description

As part of the effort to put CSP on all the things, as well as to help mitigate the risk of an XSS in the query service (like T233213), I think it would be prudent to adopt a CSP policy for WDQS.

Looking at query.wikidata.org, at first glance the GUI appears to be a fairly modern JS application that mostly avoids inline JavaScript - and where there is inline JS (like in embed mode), it appears to be mostly static scripts. Anyways, I need to investigate a little more, but at first glance, it looks like it would be fairly easy to adopt a CSP policy that would increase the security of WDQS without any negative side effects.

Event Timeline

Bawolff created this task. Tue, Nov 19, 3:32 AM
Restricted Application added a project: Wikidata. Tue, Nov 19, 3:32 AM
Restricted Application added a subscriber: Aklapper.

Yeah, that should be possible – I think we only load scripts from query.wikidata.org itself (plus a handful of inline ones that could be converted), not from any other domains.

Bawolff added a comment. Edited Sun, Nov 24, 12:48 PM

So investigating this a bit further:

  • embed.html would ideally have its script in a separate file
  • Move the current usages of JSONP with www.wikidata.org to CORS
  • polestar uses angular, from what I understand, angular can be used to bypass CSP (Although I'm not sure how much that applies to DOM XSSes, since these are static HTML files, that would be the relevant type of XSS)

So if I was ignoring polestar (aka graph builder mode) the ideal CSP would be something like:

default-src 'self' data:;
style-src 'unsafe-inline' data: 'self';
img-src data: 'self' upload.wikimedia.org commons.wikimedia.org;
media-src data: 'self' upload.wikimedia.org commons.wikimedia.org;
script-src 'report-sample' https://query.wikidata.org/js/ blob:;
connect-src meta.wikimedia.org www.wikidata.org 'self';
object-src 'none';
report-uri https://www.wikidata.org/w/api.php?action=cspreport&format=none

Change 552652 had a related patch set uploaded (by Brian Wolff; owner: Brian Wolff):
[wikidata/query/gui@master] Split initialization JS of embed.html to separate file

https://gerrit.wikimedia.org/r/552652

Change 552656 had a related patch set uploaded (by Brian Wolff; owner: Brian Wolff):
[wikidata/query/gui@master] Use CORS instead of jsonp for cross domain requests

https://gerrit.wikimedia.org/r/552656

Bawolff added a comment. Edited Sun, Nov 24, 3:08 PM

Polestar also has a button to load datasets from http://ec2-52-1-38-182.compute-1.amazonaws.com:8753 - which seems a bit suspect from a privacy policy perspective...

It also has a button to load data from an arbitrary URL (if the URL has appropriate CORS headers). Not sure if we want to support that or not. In terms of CSP, that means we would have to allow arbitrary connect-src, not terrible, but at the same time, not the most locked down, especially in terms of using CSP to enforce privacy policy.

So revised suggested CSP header:

For everything except in the polestar directory:

default-src 'self' data:;
style-src 'unsafe-inline' data: 'self';
img-src data: 'self' upload.wikimedia.org commons.wikimedia.org;
media-src data: 'self' upload.wikimedia.org commons.wikimedia.org;
script-src 'report-sample' https://query.wikidata.org/js/ blob:;
connect-src meta.wikimedia.org/w/api.php www.wikidata.org/w/api.php 'self' query.wikidata.org;
object-src 'none';
report-uri https://www.wikidata.org/w/api.php?action=cspreport&format=none&source=wdqs

For the polestar directory:

default-src 'self' data:;
style-src 'unsafe-inline' data: 'self';
img-src data: 'self' upload.wikimedia.org commons.wikimedia.org;
media-src data: 'self' upload.wikimedia.org commons.wikimedia.org;
script-src 'report-sample' https://query.wikidata.org/polestar/scripts/ 'unsafe-eval';
object-src 'none';
sandbox allow-scripts;
report-uri https://www.wikidata.org/w/api.php?action=cspreport&format=none&source=wdqs-polestar

This will cause the bookmark feature of polestar to be disabled (Is that acceptable?). It will also break the import data option, but that doesn't look like it works anyways, and isn't shown in the normal workflow.
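As an added illustration (not code from this task or from the WDQS GUI repository), a small Python evaluator that parses the two headers proposed above and checks sample loads against them, including the default-src fallback that is what blocks polestar's arbitrary-URL import once connect-src is absent. It assumes an https document at query.wikidata.org, uses simplified CSP3 source matching, and the third-party URL used in the checks is constructed.

```python
from urllib.parse import urlsplit

# Constructed copies of the two policies proposed above (outside /polestar/, and /polestar/), minus report-uri.
MAIN_POLICY = (
    "default-src 'self' data:; style-src 'unsafe-inline' data: 'self'; "
    "img-src data: 'self' upload.wikimedia.org commons.wikimedia.org; "
    "script-src 'report-sample' https://query.wikidata.org/js/ blob:; "
    "connect-src meta.wikimedia.org/w/api.php www.wikidata.org/w/api.php "
    "'self' query.wikidata.org; object-src 'none'"
)
POLESTAR_POLICY = (
    "default-src 'self' data:; "
    "script-src 'report-sample' https://query.wikidata.org/polestar/scripts/ 'unsafe-eval'; "
    "object-src 'none'; sandbox allow-scripts"
)
ORIGIN = "https://query.wikidata.org"  # assumed document origin that 'self' refers to

def parse_csp(header):
    """Split a CSP header into {directive-name: [source expressions]}."""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def source_matches(expr, url):
    """Simplified CSP3 source-expression matching for an https document."""
    expr, u = expr.lower(), urlsplit(url)
    if expr == "'self'":                        # origin comparison
        return f"{u.scheme}://{u.netloc.lower()}" == ORIGIN
    if expr.startswith("'"):                    # 'report-sample', 'unsafe-eval', ... never match a URL
        return False
    if expr.endswith(":") and "/" not in expr:  # scheme-source such as data: or blob:
        return u.scheme == expr[:-1]
    # host-source [scheme://]host[/path]; a missing scheme means the page's scheme (https)
    e = urlsplit(expr if "://" in expr else "https://" + expr)
    if (u.scheme, u.netloc.lower()) != (e.scheme, e.netloc):
        return False
    # bare host: any path; path ending in '/': directory prefix; otherwise exact path match
    return not e.path or (u.path.startswith(e.path) if e.path.endswith("/") else u.path == e.path)

def allows(policy, directive, url=None, inline=False):
    """Decide whether `directive` permits a load, falling back to default-src as CSP does."""
    sources = policy.get(directive, policy.get("default-src", []))
    if inline:
        return "'unsafe-inline'" in sources
    if "'none'" in sources:
        return False
    return any(source_matches(s, url) for s in sources)
```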

Change 552660 had a related patch set uploaded (by Brian Wolff; owner: Brian Wolff):
[wikidata/query/gui@master] Make polestar no longer use inline scripts

https://gerrit.wikimedia.org/r/552660

Change 552652 merged by jenkins-bot:
[wikidata/query/gui@master] Split initialization JS of embed.html to separate file

https://gerrit.wikimedia.org/r/552652

Change 552656 merged by jenkins-bot:
[wikidata/query/gui@master] Use CORS instead of jsonp for cross domain requests

https://gerrit.wikimedia.org/r/552656

Change 552660 merged by jenkins-bot:
[wikidata/query/gui@master] Make polestar no longer use inline scripts

https://gerrit.wikimedia.org/r/552660

So I guess the next question is, where to set the CSP headers. My guess would be in sub cluster_fe_deliver of text-frontend.inc.vcl.erb, but I'm really not sure if that is the correct place.

(Just to be clear – the above changes have been merged, but not deployed yet, so please don’t set any CSP headers yet :) )