Security Readiness Review For Wikifunctions
Closed, Resolved, Public

Description

This request is being filed in anticipation of Q4 FY 2020-2021 security readiness review. We're discussing in the team probable timing for stable enough components amenable to security readiness initial pass.

The task submitter has scheduled a meeting with Security managerial peer to discuss security and the Abstract Wikipedia roadmap. Additionally, Security is looped in on architectural discussions.

Project Information

Description of the tool/project:

Wikifunctions (but not this) is a project where users can collaborate on user defined functions in different programming languages.

Description of how the tool will be used at WMF:

We anticipate functions to be invoked from internal contexts (e.g., inline in renderable contexts) as well as external contexts (i.e., via some web API).

Dependencies

List dependencies, or upstream projects that this project relies on.

  • MediaWiki
  • Vue.js
  • Additional npm, php, etc. dependencies for relevant codebases
  • Programming language runtimes (shortlist for initial launch: Python, NodeJS, Lua)
  • Service infrastructure at Wikimedia

Has this project been reviewed before?
No

Working test environment
The full system isn't ready yet. However, you can get a feel for the MediaWiki part by using the Docker container in the MW repo for the project and checking out https://notwikilambda.toolforge.org/ (volunteer maintained, please do not probe)

Post-deployment
Abstract Wikipedia - project lead Denny V, tech lead James F, engineering management Adam B

Event Timeline

sbassett triaged this task as High priority.
sbassett moved this task from Incoming to In Progress on the secscrum board.
sbassett added a project: user-sbassett.
sbassett added a subscriber: sbassett.

Hey all - thanks for submitting this review request. As discussed a bit with @Jdforrester-WMF, the security readiness review of the WikiLambda extension will be my primary focus/deliverable for Q3 for the Abstract Wikipedia project. The code currently seems to be in a reasonable state of completion for such a review, though as a lot of code for this project is likely to be quite volatile, I imagine this and the related services might undergo a few different reviews depending upon various deltas. Of course I'd like to keep those to a minimum as much as possible. For the forthcoming node services (orchestrator, evaluator), I'd imagine those to be ready for review sometime in Q4. Since they are based upon the existing (and what we believe to be reasonably-mature) service-template-node code, I'll likely be most concerned with the various measures to best protect against potential vulnerabilities specifically related to the execution of user-submitted code - though it is important to note that any system which allows for such a feature will always be inherently vulnerable, at least from a conceptual standpoint.

sbassett updated the task description.

This and performance review timing.

Update: The Abstract Wikipedia team and Security-Team worked through the vendor scoping doc on Monday, 2021-05-17 (thanks again, all). This document was then sent along to our vendor PM contact that afternoon. I also owe the vendor our Threat Modeling outline doc and Threat Dragon model for review, which I plan to provide them today or tomorrow.

Note that we're using opis/json-schema ^1.0 and symfony/yaml ^5.2 in the forthcoming PHP json-schema code, which will be new. (Though there's already a patch adding the latter to vendor as part of PHP 8.0 prep/clean-up work, IIRC.)

@Jdforrester-WMF @dr0ptp4kt @DVrandecic - I'm going to resolve this task for now, with the following qualifiers:

  1. I will continue the planned internal security review work within the more recent pre-launch task at T289322: Pre-launch security review of Wikifunctions, to be completed sometime this quarter (Q2 2021, October to December).
  2. Here is a link to the final vendor review, just for posterity's sake. This is obviously internal-only for now even though it did not result in any actionable items in the Security-Team's opinion. This report is the same one linked within the relevant Slack channel for this work.
  3. Here is a link to the threat modeling exercise outline (and ThreatDragon json and png), again for posterity's sake, as one of the listed deliverables for this task.
sbassett moved this task from In Progress to Our Part Is Done on the secscrum board.
sbassett moved this task from In Progress to Done on the user-sbassett board.

Thanks, that makes sense. For clarity, what does this mean for review of https://gerrit.wikimedia.org/r/c/mediawiki/vendor/+/716462 – this blocks our deployment to the Beta Cluster.

I've tagged our team on T290274 and added @Mstyles and myself to c716462 (@Reedy was already there). Looks like we'll just want to do a vendor-ish review of opis/json-schema 1.1.0 and symfony/yaml 5.3.6 prior to merging that patch to mediawiki/vendor. I'd guess we could accommodate that by next week.