
Do a security review of the Widgets extension
Open, Low, Public


Considering the security issues found out this year and the wide distribution of this extension, a security review would be really appreciated. Maybe, even the Security-Team could step in here?

Event Timeline

A look at WikiApiary shows that this is the second most popular MediaWiki extension which is not deployed by WMF and the 21st most popular extension in general.

The Security-Team can likely help out with this. Here is our SOP which governs the current security readiness review process. Not sure exactly how this request would be prioritized, as we can only accommodate so many reviews per quarter and things going into Wikimedia production are often deemed highest priority.

Should this be tagged as Application Security Reviews instead?

I think it could be once the complete task description from the SOP is filled out by someone. Until then, we can't really do anything, as per our policy.

This sounds really promising! However, I would like to hear from the maintainers of this extension before initiating anything further.

sbassett removed a project: Security-Team.

Just FYI, I looked at this a little bit a long time ago. I don't think much has changed, but it's possible it has, so this might be out of date, but my main takeaways at the time were:

  • The extension is extremely difficult to use correctly, particularly if the widgets have any parameters.
    • The way of specifying escaping is error prone. If you make a typo, it fails insecurely. Many users do not know what the proper escaping method is to use. Smarty is not the most well designed templating language in terms of security imo.
  • The vast majority of people who are using it are using it in an insecure way. A significant portion of the examples from the official website are insecure.
  • T149488 has not been fixed. It's not always applicable (and technically you can make widgets that don't fall victim to it, but it's difficult). Most of the time this issue can be used to get an XSS.
  • Having some sort of automated testing special page (e.g. stuff onclick="alert(1)" and variations into every parameter, so that users can load and easily test their widget) would probably go a long way to helping users make secure widgets.
  • T109828 is considered at least semi a feature and not a bug. And well, normally I scoff anytime someone uses this line; in this case, I think it's actually somewhat justified to consider it a feature and not a bug. That said, this is another example of how the security implications of widgets can be really confusing and can lead to users accidentally doing things that are quite insecure without realizing it.

YMMV, but hope that helps.
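One way to build the automated parameter test suggested in the comment above, as an added example (Python, not the Widgets extension's code): it renders the widget once per parameter with an onclick probe in that parameter and reports any probe that reaches the output verbatim. The `render` callable and the `example_widget` template are assumptions standing in for the extension's real renderer.

```python
import html
from typing import Callable, Dict, List

# Probe strings built around the onclick="alert(1)" idea from the comment;
# each variant targets a different output context. Constructed for this example.
PROBES = [
    '"onclick="alert(1)',      # breaks out of a double-quoted attribute
    "'onclick='alert(1)",      # breaks out of a single-quoted attribute
    '<a onclick="alert(1)">',  # injects a new element in text context
]


def find_unescaped_params(render: Callable[[Dict[str, str]], str],
                          param_names: List[str]) -> Dict[str, List[str]]:
    """Render the widget once per (parameter, probe) pair, keeping every other
    parameter benign, and return {param: [probes that survived unescaped]}."""
    findings: Dict[str, List[str]] = {}
    for name in param_names:
        for probe in PROBES:
            params = {p: "safe" for p in param_names}
            params[name] = probe
            out = render(params)
            # A correctly escaped value no longer contains the raw probe
            # (quotes become &quot;/&#x27;, angle brackets become &lt;/&gt;),
            # so a verbatim match means the parameter reached the output unescaped.
            if probe in out:
                findings.setdefault(name, []).append(probe)
    return findings


def example_widget(params: Dict[str, str]) -> str:
    """Hypothetical widget template (assumption, not the extension's code).
    `title` is escaped the way {$title|escape:'html'} would be; `url` is
    dropped into an attribute unescaped, which is the mistake being tested for."""
    return '<a href="{url}" title="{title}">link</a>'.format(
        url=params["url"], title=html.escape(params["title"], quote=True))


if __name__ == "__main__":
    report = find_unescaped_params(example_widget, ["url", "title"])
    for param, hits in report.items():
        print(f"{param}: {len(hits)} probe(s) reached the output unescaped")
```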

Is it possible to add me as a subscriber to the relevant tasks, so I can take a look at them?