Page MenuHomePhabricator
Create Task
Maniphest T260636

OAuth doesn't validate length of grants fields
Open, MediumPublicSecurity
Actions

Description

Basically the same as T260633: BotPasswords doesn't validate length of resultant bp_grants JSON, but for numerous different fields

oarc_grants, oarc_oauth2_allowed_grants and oaac_grants don't validate the JSON going into them... So in a case where there's many many many grants, it's possible to end up with JSON longer than BLOB, which will be inserted and truncated

Technically blocks T108255: Enable MariaDB/MySQL's Strict Mode

Details

Risk Rating
Low
Author Affiliation
WMF Technology

Related Objects
Search...

Event Timeline

Reedy created this task.Aug 18 2020, 12:42 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptAug 18 2020, 12:42 AM
Reedy added projects: MediaWiki-extensions-OAuth, Platform Engineering.Aug 18 2020, 12:43 AM
Reedy updated the task description. (Show Details)Aug 18 2020, 12:45 AM
eprodromou triaged this task as Medium priority.Aug 18 2020, 8:30 PM
eprodromou edited projects, added Platform Team Workboards (Clinic Duty Team); removed Platform Engineering.
eprodromou subscribed.

All right, this seems like something we can do.

eprodromou moved this task from Inbox to Later on the Platform Team Workboards (Clinic Duty Team) board.Aug 18 2020, 8:30 PM
Reedy moved this task from Incoming to Watching on the Security-Team board.Aug 24 2020, 3:13 PM
Reedy added a subtask: T277379: OAuth doesn't validate length of oarc_grants and oarc_oauth2_allowed_grants JSON.Mar 20 2021, 7:45 PM
Reedy added a comment.EditedApr 2 2021, 1:21 AM

oaac_grants is probably less of an issue, as IIRC, there's no way to modify oarc_grants before it's copied over to oaac_grants when "approved"; so as long as we make sure it's valid when it's originally inserted, it should be valid when it's copied across

sbassett closed subtask T277379: OAuth doesn't validate length of oarc_grants and oarc_oauth2_allowed_grants JSON as Resolved.May 17 2021, 4:51 PM
Reedy reopened subtask T277379: OAuth doesn't validate length of oarc_grants and oarc_oauth2_allowed_grants JSON as Open.Mar 1 2022, 2:40 AM
Reedy changed the task status from Open to In Progress.Jan 17 2023, 12:54 AM
Reedy claimed this task.
Reedy closed subtask T277379: OAuth doesn't validate length of oarc_grants and oarc_oauth2_allowed_grants JSON as Resolved.

This might be done now... Need to have a poke around.

Aklapper changed the task status from In Progress to Open.Mar 19 2025, 2:51 PM

Resetting task status from "In Progress" to "Open" as this task has not seen updates for two years.

Aklapper removed Reedy as the assignee of this task.Jun 24 2025, 12:21 PM

@Reedy: Removing task assignee as this open task has been assigned for more than two years - See the email sent on 2025-05-22.
Please assign this task to yourself again if you still realistically [plan to] work on this task - it would be welcome!
If this task has been resolved in the meantime, or should not be worked on by anybody ("declined"), please update its task status via "Add Action… 🡒 Change Status".
Also see https://www.mediawiki.org/wiki/Bug_management/Assignee_cleanup for tips how to best manage your individual work in Phabricator. Thanks!

Restricted Application added a project: MediaWiki-Platform-Team. · View Herald TranscriptJun 24 2025, 12:21 PM
sbassett subscribed.Jun 24 2025, 2:27 PM

I feel like this could probably be made public, especially given its age. It seems like a low-risk Vuln-DoS or SQL error at worst.

Tgr subscribed.Jun 30 2025, 12:51 PM

The SQL command will work and then we'll end up with a consumer that cannot be used or modified, like with {T260578}. Agreed it's low risk.
(Also does this actually happen? People do sometimes make requests with all checkboxes checked.)

Also, seems mostly fixed by T277379: OAuth doesn't validate length of oarc_grants and oarc_oauth2_allowed_grants JSON. I guess the same change would have to be done for oaac_grants as well?

matmarex added a subscriber: OWresch-WMF.Jun 30 2025, 2:31 PM
Tgr added a subscriber: JTweed-WMF.Jul 7 2025, 2:57 PM
JTweed-WMF moved this task from Inbox, needs triage to Next (DO NOT USE) on the MediaWiki-Platform-Team board.Jul 7 2025, 2:59 PM
OWresch-WMF edited projects, added MediaWiki-Platform-Team (Q3 Kanban Board); removed MediaWiki-Platform-Team.Nov 21 2025, 11:39 AM
Tgr added a comment.Dec 18 2025, 11:39 AM
In T260636#10943112, @sbassett wrote:

I feel like this could probably be made public, especially given its age.

+1, can you please do it?

sbassett changed Author Affiliation from N/A to WMF Technology.Dec 18 2025, 3:07 PM
sbassett removed a project: Platform Team Workboards (Clinic Duty Team).
sbassett changed Risk Rating from N/A to Low.
sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".
sbassett changed the edit policy from "Custom Policy" to "All Users".
sbassett removed a subscriber: eprodromou.
sbassett added a subscriber: gerritbot.
In T260636#11472401, @Tgr wrote:

+1, can you please do it?

Done. If you have a gerrit ready, I'd be happy to review/merge it.

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits