Page MenuHomePhabricator
Create Task
Maniphest T248483

Security Readiness Review For MediaModeration
Closed, ResolvedPublic
Actions

Description

Project Information

Description of the tool/project:

MediaModeration extension will post jobs on the job queue upon media upload to the wiki. The job would asynchronously post a thumbnail of the media to the PhotoDNA cloud service which would match the media to the known database of child abuse media. Upon detection of the problematic content, an email would be sent automatically to the Trust-and-Safety team to take appropriate action.

After the initial testing period, its planned to take down the media from wiki automatically, initially by deletion with suppression.

For more info see T245595 as well.

Description of how the tool will be used at WMF

  • All uploaded media would eventually go through hash matching, all already uploaded media would be asynchronously processed via a maintenance script posting jobs on the job queue
  • The emails would be sent with minimal information to the trust and safety team with manual steps taken to remove the media from the sites and report it
  • PhotoDNA cloud API access keys will be stored in the secret portion of mediawiki-config

Dependencies
No vendor dependencies, however the extension depends on an external PhotoDNA cloud service maintained by Microsoft.

Has this project been reviewed before?
Yes, code review was done by the Platform Engineering

Working test environment
Not easy to set it up, since the primary purpose of the extension is to contact an external cloud provider, thus for full integration testing you'd need a secret API key. WMF does have access to generating the API key, please contact @Pchelolo if you decide to do a complete test and require a key.

Post-deployment
Platform Engineering Trust-and-Safety

Details

SubjectRepoBranchLines +/-
maintenance: add security check for $basePath, updated mpn packagesmediawiki/extensions/MediaModerationmaster+33 -19
Customize query in gerrit

Related Objects
Search...

Event Timeline

Pchelolo created this task.Mar 25 2020, 2:56 PM
Restricted Application added a project: secscrum. · View Herald TranscriptMar 25 2020, 2:56 PM
Restricted Application added a subscriber: Aklapper. · View Herald Transcript
Pchelolo added a parent task: T247943: Deploy MediaModeration Extension to Wikimedia Production.Mar 25 2020, 2:56 PM
Pchelolo updated the task description. (Show Details)
Pchelolo updated the task description. (Show Details)Mar 25 2020, 3:06 PM
Pchelolo updated the task description. (Show Details)
Pchelolo mentioned this in T247943: Deploy MediaModeration Extension to Wikimedia Production.Mar 25 2020, 3:08 PM
sbassett triaged this task as Medium priority.Mar 30 2020, 3:13 PM
Jcross subscribed.Mar 30 2020, 5:25 PM

Hi there @Pchelolo - we were able to take a look at this in our clinic meeting today and have noted that you are aiming for an April 30th deployment date. While we don't currently see any issues with that date, please keep in mind that our ability to review in a timely fashion is subject to change (due to world pandemic chaos, and team members being affected, etc). Please let us know of any questions or concerns and we will be in touch as we move forward.

Jcross moved this task from Incoming to Back Orders on the secscrum board.Mar 31 2020, 5:01 PM
sbassett claimed this task.Apr 6 2020, 4:01 PM
sbassett moved this task from Back Orders to In Progress on the secscrum board.
sbassett added a project: user-sbassett.
sbassett moved this task from Backlog to In Progress on the user-sbassett board.
CCicalese_WMF added projects: MediaModeration, Core Platform Team Initiatives (Hash Checking).Apr 7 2020, 4:59 PM
eprodromou subscribed.Apr 9 2020, 4:04 PM
drochford subscribed.Apr 28 2020, 5:55 PM
CCicalese_WMF subscribed.Apr 28 2020, 5:56 PM

Are we still on target for this review?

sbassett added a comment.Apr 29 2020, 5:01 PM

@CCicalese_WMF - I'm hopeful to have a report by the end of this week. I've glanced at the code a couple of times and the extension appears well-written and uncontroversial, though I definitely need to perform a more rigorous analysis.

CCicalese_WMF added a comment.May 5 2020, 3:36 PM

@sbassett Checking on the status of the security review report. Thanks.

sbassett added a comment.EditedMay 6 2020, 5:12 AM

@CCicalese_WMF @Pchelolo - sorry for the delay on this. Overall this looks fine from a basic security perspective.

Security Review Summary - T248483 - 2020-05-05
Last commit reviewed: dbd207998c55af1b7918690a0199e0d29e4e72a5

Vulnerable Packages
As reported by snyk test:

  1. lodash@4.17.15, Prototype Pollution (medium risk)

Policy Compliance

  1. Without digging very deeply, I assume this extension's interactions with a third-party API has gone through review by WMF-Legal and is in compliance with the current Wikimedia privacy policy.

Other General Security Issues

  1. While it's fairly common for MediaWiki maintenance scripts (e.g. ModerateExistingFiles.php) to include files with dynamically-created paths via variables like $IP and RUN_MAINTENANCE_IF_MAIN, these get picked up by various static analysis tools as potential means of remote code injection. While such vulnerabilities should be difficult to exploit in the case of MediaWiki maintenance scripts, fortifying such includes with checks for valid/expected paths may be a worthwhile effort in defensive coding. Though I'd rate this as a very low risk and note that it has been a point of contention in the past, e.g. some discussion on this review: T242134.
sbassett moved this task from In Progress to Waiting on the secscrum board.May 6 2020, 5:13 AM
sbassett moved this task from In Progress to Waiting on the user-sbassett board.
CCicalese_WMF added a comment.May 6 2020, 11:27 PM

Thank you, @sbassett! I have requested a response to the policy compliance question. @Pchelolo is looking into the other general security question.

gerritbot added a comment.May 7 2020, 1:09 PM

Change 594948 had a related patch set uploaded (by Peter.ovchyn; owner: Peter.ovchyn):
[mediawiki/extensions/MediaModeration@master] maintenance: add security check for $basePath, updated mpn packages

https://gerrit.wikimedia.org/r/594948

gerritbot added a project: Patch-For-Review.May 7 2020, 1:09 PM
Peter.ovchyn subscribed.May 7 2020, 1:50 PM

@Pchelolo @sbassett

I've upload a patch that adds additional security verification on $IP.
As to lodash, the vulnerability was found Apr, 28, it appears on the latest version of lodash (4.17.15) and no official patch has been released yet.

So there's no way impossible to fix the issue just by increasing the version in package.json.
There's a patch that, probably, fixes the issue: https://snyk-patches.s3.amazonaws.com/npm/lodash/20200430/lodash_0_0_20200430_6baae67d501e4c45021280876d42efe351e77551.patch

We could apply it as a postinstall step. I'm not sure how safe is this though.

Another thing is that lodash and npm is used by 'grunt' and 'grunt-banana-checker' which are CLI tools and are going to be run in dev mode only.

So, I need and advice on what is the best option here.

sbassett changed the task status from Open to Stalled.May 7 2020, 4:00 PM
In T248483#6116068, @Peter.ovchyn wrote:

I've upload a patch that adds additional security verification on $IP.

Thanks, looks good. To be clear: this is a very low risk issue and it's even debatable how worthwhile such defensive code might be within this context. Definitely not a blocker for this extension.

As to lodash, the vulnerability was found Apr, 28, it appears on the latest version of lodash (4.17.15) and no official patch has been released yet.

The 3 susceptible lodash@4.17.15 instances are all for the dev dependency grunt (or one of its sub-components), so the issue is very low risk IMO. This could be tracked with a separate bug, reminder or whatever. It's definitely not any kind of blocker for this extension.

I'm going to stall this for now until we get the thumbs up from WMF-Legal, then it can be resolved.

Jrogers-WMF subscribed.May 8 2020, 7:49 PM

@sbassett Just to confirm, legal has reviewed the use of the API here and this is approved.

RhinosF1 subscribed.May 8 2020, 7:52 PM

I'm going to stall this for now until we get the thumbs up from WMF-Legal, then it can be resolved.

Should this be closed then?

sbassett closed this task as Resolved.May 9 2020, 2:33 AM
In T248483#6119874, @Jrogers-WMF wrote:

@sbassett Just to confirm, legal has reviewed the use of the API here and this is approved.

Great, thanks.

In T248483#6119891, @RhinosF1 wrote:

Should this be closed then?

Yes.

sbassett moved this task from Waiting to Our Part Is Done on the secscrum board.May 9 2020, 2:33 AM
sbassett moved this task from Waiting to Done on the user-sbassett board.
gerritbot added a comment.May 14 2020, 1:40 PM

Change 594948 merged by jenkins-bot:
[mediawiki/extensions/MediaModeration@master] maintenance: add security check for $basePath, updated mpn packages

https://gerrit.wikimedia.org/r/594948

Maintenance_bot removed a project: Patch-For-Review.May 14 2020, 2:10 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits