Page MenuHomePhabricator
Create Task
Maniphest T274682

Security Readiness Review For Wikifunctions
Closed, ResolvedPublic
Actions

Description

This request is being filed in anticipation of Q4 FY 2020-2021 security readiness review. We're discussing in the team probable timing for stable enough components amenable to security readiness initial pass.

The task submitter has scheduled a meeting with Security managerial peer to discuss security and the Abstract Wikipedia roadmap. Additionally, Security is looped in on architectural discussions.

Project Information

Description of the tool/project:

Wikifunctions (but not this) is a project where users can collaborate on user defined functions in different programming languages.

Description of how the tool will be used at WMF:

We anticipate functions to be invoked from internal contexts (e.g., inline in renderable contexts) as well as external contexts (i.e., via some web API).

Dependencies

List dependencies, or upstream projects that this project relies on.

  • MediaWiki
  • Vue.js
  • Additional npm, php, etc. dependencies for relevant codebases
  • Programming language runtimes (shortlist for initial launch: Python, NodeJS, Lua)
  • Service infrastructure at Wikimedia

Has this project been reviewed before?
No

Working test environment
The full system isn't ready yet. However, you can get a feel for the MediaWiki part by using the Docker container in the MW repo for the project and checking out https://notwikilambda.toolforge.org/ (volunteer maintained, please do not probe)

Post-deployment
Abstract Wikipedia - project lead Denny V, tech lead James F, engineering management Adam B

Related Objects
Search...

Event Timeline

dr0ptp4kt created this task.Feb 12 2021, 9:26 PM
Restricted Application added a project: secscrum. · View Herald TranscriptFeb 12 2021, 9:26 PM
RhinosF1 subscribed.Feb 12 2021, 10:31 PM
sbassett claimed this task.EditedFeb 17 2021, 4:11 PM
sbassett triaged this task as High priority.
sbassett moved this task from Incoming to In Progress on the secscrum board.
sbassett added a project: user-sbassett.
sbassett subscribed.

Hey all - thanks for submitting this review request. As discussed a bit with @Jdforrester-WMF, the security readiness review of the WikiLambda extension will be my primary focus/deliverable for Q3 for the Abstract Wikipedia project. The code currently seems to be in a reasonable state of completion for such a review, though as a lot of code for this project is likely to be quite volatile, I imagine this and the related services might undergo a few different reviews depending upon various deltas. Of course I'd like to keep those to a minimum as much as possible. For the forthcoming node services (orchestrator, evaluator), I'd imagine those to be ready for review sometime in Q4. Since they are based upon the existing (and what we believe to be reasonably-mature) service-template-node code, I'll likely be most concerned with the various measures to best protect against potential vulnerabilities specifically related to the execution of user-submitted code - though it is important to note that any system which allows for such a feature will always be inherently vulnerable, at least from a conceptual standpoint.

sbassett moved this task from Backlog to In Progress on the user-sbassett board.Feb 17 2021, 4:11 PM
DVrandecic moved this task from To triage to Phase δ on the Abstract Wikipedia team board.Feb 17 2021, 5:20 PM
DVrandecic edited projects, added Abstract Wikipedia team (Phase δ); removed Abstract Wikipedia team.
sbassett updated the task description. (Show Details)Feb 18 2021, 4:36 PM
sbassett updated the task description. (Show Details)
sbassett updated the task description. (Show Details)Feb 22 2021, 6:48 PM
sbassett updated the task description. (Show Details)Mar 2 2021, 5:11 PM
sbassett updated the task description. (Show Details)
dr0ptp4kt added a comment.Mar 16 2021, 12:12 PM

This and performance review timing.

DVrandecic merged a task: T261473: Security review of the builtin phase.Apr 6 2021, 2:30 AM
DVrandecic added a subscriber: Aklapper.
DVrandecic moved this task from Phase δ to Phase ε on the Abstract Wikipedia team board.Apr 7 2021, 4:18 PM
DVrandecic edited projects, added Abstract Wikipedia team (Phase ε); removed Abstract Wikipedia team (Phase δ).
sbassett moved this task from In Progress to Waiting on the secscrum board.May 6 2021, 9:43 PM
sbassett added a comment.May 18 2021, 4:06 PM

Update: The Abstract Wikipedia team and Security-Team worked through the vendor scoping doc on Monday, 2021-05-17 (thanks again, all). This document was then sent along to our vendor PM contact that afternoon. I also owe the vendor our Threat Modeling outline doc and Threat Dragon model for review, which I plan to provide them today or tomorrow.

sbassett moved this task from Waiting to In Progress on the secscrum board.May 27 2021, 9:03 PM
LucasWerkmeister added a subtask: T284403: WikiLambda extension (wikilambda_edit action) is missing CSRF protection.Jun 6 2021, 4:40 PM
DVrandecic moved this task from Phase ε to Phase ζ on the Abstract Wikipedia team board.Jun 23 2021, 4:32 PM
DVrandecic edited projects, added Abstract Wikipedia team (Phase ζ); removed Abstract Wikipedia team (Phase ε).
Jdforrester-WMF closed subtask T284403: WikiLambda extension (wikilambda_edit action) is missing CSRF protection as Resolved.Jul 1 2021, 8:57 AM
DannyS712 subscribed.Jul 4 2021, 8:33 AM
DVrandecic added a parent task: T281763: Migrate PHP Normalization/Canonicalization Code to function-schemata.Jul 16 2021, 1:35 AM
Jdforrester-WMF added a parent task: T283031: Begin branching the WikiLambda extension.Jul 26 2021, 3:20 PM
Jdforrester-WMF moved this task from Phase ζ to Launch Beta Cluster wikifunctions.org on the Abstract Wikipedia team board.Aug 20 2021, 4:04 PM
Jdforrester-WMF edited projects, added Abstract Wikipedia team; removed Abstract Wikipedia team (Phase ζ).
taavi subscribed.Aug 29 2021, 4:54 PM
Jdforrester-WMF added a comment.Sep 2 2021, 5:45 PM

Note that we're using opis/json-schema ^1.0 and symfony/yaml ^5.2 in the forthcoming PHP json-schema code, which will be new. (Though there's already a patch adding the latter to vendor as part of PHP 8.0 prep/clean-up work, IIRC.)

sbassett updated the task description. (Show Details)Oct 5 2021, 5:00 PM
sbassett added a comment.EditedOct 5 2021, 5:12 PM

@Jdforrester-WMF @dr0ptp4kt @DVrandecic - I'm going to resolve this task for now, with the following qualifiers:

  1. I will continue the planned internal security review work within the more recent pre-launch task at T289322: Pre-launch security review of Wikifunctions, to be completed sometime this quarter (Q2 2021, October to December).
  2. Here is a link to the final vendor review, just for posterity's sake. This is obviously internal-only for now even though it did not result in any actionable items in the Security-Team's opinion. This report is the same one linked within the relevant Slack channel for this work.
  3. Here is a link to the threat modeling exercise outline (and ThreatDragon json and png), again for posterity's sake, as one of the listed deliverables for this task.
sbassett closed this task as Resolved.Oct 5 2021, 5:13 PM
sbassett moved this task from In Progress to Our Part Is Done on the secscrum board.
sbassett moved this task from In Progress to Done on the user-sbassett board.
Quiddity subscribed.Oct 7 2021, 8:40 PM
Jdforrester-WMF added a comment.Oct 8 2021, 5:32 PM
In T274682#7403055, @sbassett wrote:

@Jdforrester-WMF @dr0ptp4kt @DVrandecic - I'm going to resolve this task for now, with the following qualifiers:

  1. I will continue the planned internal security review work within the more recent pre-launch task at T289322: Pre-launch security review of Wikifunctions, to be completed sometime this quarter (Q2 2021, October to December).
  2. Here is a link to the final vendor review, just for posterity's sake. This is obviously internal-only for now even though it did not result in any actionable items in the Security-Team's opinion. This report is the same one linked within the relevant Slack channel for this work.
  3. Here is a link to the threat modeling exercise outline (and ThreatDragon json and png), again for posterity's sake, as one of the listed deliverables for this task.

Thanks, that makes sense. For clarity, what does this mean for review of https://gerrit.wikimedia.org/r/c/mediawiki/vendor/+/716462 – this blocks our deployment to the Beta Cluster.

sbassett added subscribers: Mstyles, Reedy.Oct 8 2021, 5:45 PM
In T274682#7412907, @Jdforrester-WMF wrote:

...what does this mean for review of https://gerrit.wikimedia.org/r/c/mediawiki/vendor/+/716462 – this blocks our deployment to the Beta Cluster.

I've tagged our team on T290274 and added @Mstyles and myself to c716462 (@Reedy was already there). Looks like we'll just want to do a vendor-ish review of opis/json-schema 1.1.0 and symfony/yaml 5.3.6 prior to merging that patch to mediawiki/vendor. I'd guess we could accommodate that by next week.

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL