
Security Readiness Review For Wikipedia Preview Wordpress plugin
Closed, Resolved · Public

Description

Project Information

Description of the tool/project:

This is a thin integration layer over Wikipedia-Preview to make it available within Wordpress.

Description of how the tool will be used at WMF:

Currently used on the diff blog and may be enabled on wikimediafoundation.org but the primary users are external partners who run news or education websites.

Dependencies

List dependencies, or upstream projects that this project relies on.

  • wikipedia-preview
  • wordpress UI framework
  • wikimedia/language-data (to be merged soon)

Has this project been reviewed before?

Please link to tasks or wiki pages of previous reviews.

The first version was reviewed and approved by Automattic but they don't want to review subsequent updates.

Working test environment

Please link or describe setup process for setting up a test environment.

The best way we found to setup a test environment is by using the localwp app. You can create a Wordpress site with a few clicks and then clone the plugin repo into the site's plugins directory.

Post-deployment

Name of team responsible for tool/project after deployment and primary contact.

Inuka / @SBisson

Event Timeline


Hey @SBisson, @Varnent -

Thanks for filing this bug. I think there may still be a question as to whether the Security-Team actually needs to review this or not - we should be able to make that decision soon after a bit more consideration. If we do perform the review this quarter, it will likely go to our incoming appsec engineer who is supposed to onboard with us this November. Thanks.

Our newest appsec engineer, @mmartorana, will be working on this review for this quarter (Q2 2021 - October through December).

sbassett triaged this task as Medium priority. Nov 16 2021, 5:06 PM

Security Review Summary - T293369 - 2022-01-07
Last commit reviewed: 4583e736243d46857d982c16be0850112db892b1

Overall, the Wikipedia Preview Wordpress plugin v1.2.0 looks good from a security point of view and is compliant with the Wordpress policies, with an overall risk rating of low.

Vulnerable Packages - Production

| Vulnerability | Package | Notes | Service | Remediation | Risk |
| --- | --- | --- | --- | --- | --- |
| Regular Expression Denial of Service (ReDoS) | ansi-regex | advisory link | npm audit | Upgrade ansi-regex to version 6.0.1, 5.0.1 or higher. | medium |

Vulnerable Packages - Development

| Vulnerability | Package | Notes | Service | Remediation | Risk |
| --- | --- | --- | --- | --- | --- |
| Regular Expression Denial of Service (ReDoS) | glob-parent | advisory link | npm audit | Upgrade glob-parent to version 5.1.2 or higher. | high |
| Prototype Pollution | json-schema | advisory link | npm audit | Upgrade json-schema to version 0.4.0 or higher. | low |
| Inefficient Regular Expression Complexity | nth-check | advisory link | npm audit | Upgrade nth-check to version 2.0.1 or higher. | low |

Outdated Packages
As reported via npm outdated:
(no explicit vulnerabilities reported, simply noting for completeness' sake.)

| Package | Current | Wanted | Latest |
| --- | --- | --- | --- |
| @wordpress/block-editor | 6.2.0 | 6.2.0 | 8.0.12 |
| @wordpress/components | 14.2.0 | 14.2.0 | 19.1.6 |
| @wordpress/compose | 5.0.3 | 5.0.7 | 5.0.7 |
| @wordpress/data | 6.1.1 | 6.1.5 | 6.1.5 |
| @wordpress/edit-post | 5.0.3 | 5.0.19 | 5.0.19 |
| @wordpress/element | 3.2.0 | 3.2.0 | 4.0.4 |
| @wordpress/eslint-plugin | 9.2.0 | 9.3.0 | 9.3.0 |
| @wordpress/i18n | 4.2.3 | 4.2.4 | 4.2.4 |
| @wordpress/plugins | 4.0.3 | 4.0.7 | 4.0.7 |
| @wordpress/rich-text | 4.2.0 | 4.2.0 | 5.0.7 |
| @wordpress/scripts | 17.1.0 | 17.1.0 | 19.2.2 |
| wikipedia-preview | 1.4.0 | 1.4.0 | 1.4.1 |

Static Analysis Findings
Some potential vulnerabilities/anti-patterns have been found through Semgrep.

  1. In src/link/preview.js, we can find the method dangerouslySetInnerHTML, which is considered risky as it may expose users to XSS attacks. https://sg.run/rAx6
66:					<div
67:						className="wikipediapreview-edit-preview"
68:						dangerouslySetInnerHTML={ { __html: previewHtml } }
69:					></div>
  2. In src/link/api.js, user-controlled data in a tmp is an anti-pattern that can lead to XSS vulnerabilities. https://sg.run/70Zv
107:	tmp.innerHTML = html;
  3. In src/link/inline.js, "ref" usage has been detected; refs give direct DOM access and may create a possibility for XSS. https://sg.run/v0dX
30:	const inputRef = createRef();
--------------------------------------------------------------------------------
98:						<TextControl
99:							className={ `wikipediapreview-edit-inline-search-input ${
100:								langCodeAdjustment ? 'lang-code-adjustment' : ''
101:							}` }
102:							ref={ inputRef }
103:							value={ title }
104:							onChange={ setTitle }
105:							onFocus={ () => setFocused( true ) }
106:							onBlur={ () => setFocused( false ) }
107:							placeholder={ __(

Risk: low.
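The review above lists a "Prototype Pollution" advisory against the json-schema development dependency without showing what that class of bug looks like. The following is an added, constructed illustration, not code from the plugin, from json-schema, or from the review: a naive recursive merge of attacker-controlled JSON (the shape many pollution advisories share) next to a hardened variant. The `naiveMerge`, `safeMerge`, `demonstrate` names and the `isAdmin` payload are assumptions made for the example.

```javascript
// Added example: generic prototype-pollution pattern and a hardened merge.
// Constructed for illustration; this is not json-schema's code or the plugin's.

// Vulnerable: walks every own key of `source`, including a key literally named
// "__proto__" (JSON.parse creates it as an own property), and recurses through
// target["__proto__"], which resolves to Object.prototype. The nested
// assignment therefore lands on Object.prototype and is visible from every
// plain object created anywhere in the process.
function naiveMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value && typeof value === 'object' && !Array.isArray(value)) {
      if (typeof target[key] !== 'object' || target[key] === null) {
        target[key] = {};
      }
      naiveMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened: refuse the keys that reach a prototype ("__proto__" directly,
// "constructor"/"prototype" via the constructor chain) and only recurse into
// containers that are own properties of `target`, never inherited ones.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) {
      continue; // drop the key; do not fall through to assignment
    }
    const value = source[key];
    if (value && typeof value === 'object' && !Array.isArray(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || typeof target[key] !== 'object' || target[key] === null) {
        target[key] = {};
      }
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Runs one merge over a constructed attacker payload and reports whether an
// unrelated, freshly created object picked up the injected property. The
// cleanup `delete` keeps one run from contaminating the next.
function demonstrate(mergeFn) {
  // Constructed untrusted input, e.g. a JSON body a user controls.
  const payload = JSON.parse('{"title":"Earth","__proto__":{"isAdmin":true}}');
  const config = mergeFn({}, payload);
  const unrelated = {};
  const polluted = unrelated.isAdmin === true;
  delete Object.prototype.isAdmin;
  return { title: config.title, polluted };
}

// Usage: demonstrate(naiveMerge).polluted is true, demonstrate(safeMerge).polluted is false.
```

The `title` field survives both merges, which is why this bug class is easy to miss in functional tests: nothing about the legitimate output changes, only the global prototype does. The rating of "low" in the table above reflects that json-schema is a development dependency here; the same pattern in production code that merges request bodies would rate higher.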

mmartorana moved this task from In Progress to Our Part Is Done on the secscrum board.