Page MenuHomePhabricator
Create Task
Maniphest T277379

OAuth doesn't validate length of oarc_grants and oarc_oauth2_allowed_grants JSON
Closed, ResolvedPublicSecurity
Actions

Description

Basically the same as T260633: BotPasswords doesn't validate length of resultant bp_grants JSON

The length of oarc_grants is not validated before it's inserted into the DB

So if "too many" grants are selected (and/or too many with long names) and end up with truncated JSON

Technically blocks T108255: Enable MariaDB/MySQL's Strict Mode. See also {T260635}

Details

SubjectRepoBranchLines +/-
Make sure oarc_oauth2_allowed_grants fits in a MySQL blobmediawiki/extensions/OAuthREL1_39+5 -1
Make sure oarc_oauth2_allowed_grants fits in a MySQL blobmediawiki/extensions/OAuthmaster+5 -1
Make sure oauth_registered_consumer.oarc_grants fits in a MySQL blobmediawiki/extensions/OAuthREL1_31+3 -0
Make sure oauth_registered_consumer.oarc_grants fits in a MySQL blobmediawiki/extensions/OAuthREL1_35+3 -0
Make sure oauth_registered_consumer.oarc_grants fits in a MySQL blobmediawiki/extensions/OAuthmaster+3 -0
Customize query in gerrit

Related Objects
Search...

StatusSubtypeAssignedTask
Restricted Task
 ResolvedSecurityReedyT277379 OAuth doesn't validate length of oarc_grants and oarc_oauth2_allowed_grants JSON

Event Timeline

Reedy created this task.Mar 13 2021, 5:04 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMar 13 2021, 5:04 PM
Reedy triaged this task as Low priority.Mar 13 2021, 5:06 PM
Reedy added a project: MediaWiki-extensions-OAuth.
Reedy updated the task description. (Show Details)
Reedy updated the task description. (Show Details)
Reedy added a subscriber: gerritbot.Mar 13 2021, 6:19 PM
gerritbot added a comment.Mar 13 2021, 6:27 PM

Change 671655 had a related patch set uploaded (by Reedy; owner: Reedy):
[mediawiki/extensions/OAuth@master] Make sure oauth_registered_consumer.oarc_grants fits in a MySQL blob

https://gerrit.wikimedia.org/r/671655

gerritbot added a project: Patch-For-Review.Mar 13 2021, 6:27 PM
gerritbot added a comment.Mar 13 2021, 6:38 PM

Change 671658 had a related patch set uploaded (by Reedy; owner: Reedy):
[mediawiki/extensions/OAuth@master] Make sure oauth_registered_consumer.oarc_oauth2_allowed_grants fits in a MySQL blob

https://gerrit.wikimedia.org/r/671658

Reedy moved this task from Backlog to Needs Review on the MediaWiki-extensions-OAuth board.Mar 13 2021, 7:05 PM
Reedy mentioned this in T277399: Allow more specific error messages in SubmitControl::validateFields().Mar 14 2021, 12:51 AM
sbassett moved this task from Incoming to In Progress on the Security-Team board.Mar 15 2021, 3:28 PM
sbassett added a project: SecTeam-Processed.
sbassett added a project: Vuln-Misconfiguration.Mar 17 2021, 3:13 PM
gerritbot added a comment.Mar 19 2021, 7:42 PM

Change 671655 merged by jenkins-bot:
[mediawiki/extensions/OAuth@master] Make sure oauth_registered_consumer.oarc_grants fits in a MySQL blob

https://gerrit.wikimedia.org/r/671655

gerritbot added a comment.Mar 19 2021, 7:54 PM

Change 673567 had a related patch set uploaded (by Reedy; owner: Reedy):
[mediawiki/extensions/OAuth@REL1_35] Make sure oauth_registered_consumer.oarc_grants fits in a MySQL blob

https://gerrit.wikimedia.org/r/673567

gerritbot added a comment.Mar 19 2021, 8:09 PM

Change 673567 merged by jenkins-bot:
[mediawiki/extensions/OAuth@REL1_35] Make sure oauth_registered_consumer.oarc_grants fits in a MySQL blob

https://gerrit.wikimedia.org/r/673567

gerritbot added a comment.Mar 19 2021, 9:07 PM

Change 673569 had a related patch set uploaded (by Reedy; owner: Reedy):
[mediawiki/extensions/OAuth@REL1_31] Make sure oauth_registered_consumer.oarc_grants fits in a MySQL blob

https://gerrit.wikimedia.org/r/673569

gerritbot added a comment.Mar 19 2021, 9:14 PM

Change 673569 merged by jenkins-bot:
[mediawiki/extensions/OAuth@REL1_31] Make sure oauth_registered_consumer.oarc_grants fits in a MySQL blob

https://gerrit.wikimedia.org/r/673569

Reedy added a parent task: Restricted Task.Mar 20 2021, 7:45 PM
Reedy renamed this task from OAuth doesn't validate length of oarc_grants JSON to OAuth doesn't validate length of oarc_grants and oarc_oauth2_allowed_grants JSON.Apr 2 2021, 1:17 AM
sbassett closed this task as Resolved.May 17 2021, 4:51 PM
sbassett assigned this task to Reedy.
sbassett moved this task from In Progress to Our Part Is Done on the Security-Team board.
sbassett subscribed.

Looks to be completed with the above change sets merged?

sbassett removed a project: Patch-For-Review.May 17 2021, 4:51 PM
sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".
sbassett changed the edit policy from "Custom Policy" to "All Users".
Reedy reopened this task as Open.Mar 1 2022, 2:40 AM

The patch for oarc_oauth2_allowed_grants isn't actually finished

Reedy mentioned this in T302765: Stop using required and validators for same purpose.Mar 1 2022, 2:43 AM
sbassett moved this task from Our Part Is Done to In Progress on the Security-Team board.Apr 6 2022, 6:59 PM
Reedy added a comment.Dec 27 2022, 3:17 AM

Looks like rEOAUe5883c637fb7: Fix broken grant type field actually did some work towards this...

gerritbot added a comment.Jan 17 2023, 12:45 AM

Change 671658 merged by jenkins-bot:

[mediawiki/extensions/OAuth@master] Make sure oarc_oauth2_allowed_grants fits in a MySQL blob

https://gerrit.wikimedia.org/r/671658

gerritbot added a comment.Jan 17 2023, 12:53 AM

Change 879997 had a related patch set uploaded (by Reedy; author: Reedy):

[mediawiki/extensions/OAuth@REL1_39] Make sure oarc_oauth2_allowed_grants fits in a MySQL blob

https://gerrit.wikimedia.org/r/879997

gerritbot added a project: Patch-For-Review.Jan 17 2023, 12:53 AM
Reedy closed this task as Resolved.Jan 17 2023, 12:54 AM
ReleaseTaggerBot added a project: MW-1.40-notes (1.40.0-wmf.19; 2023-01-16).Jan 17 2023, 1:00 AM
gerritbot added a comment.Feb 9 2023, 2:30 AM

Change 879997 merged by jenkins-bot:

[mediawiki/extensions/OAuth@REL1_39] Make sure oarc_oauth2_allowed_grants fits in a MySQL blob

https://gerrit.wikimedia.org/r/879997

Maintenance_bot removed a project: Patch-For-Review.Feb 9 2023, 3:30 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL