Page MenuHomePhabricator
Create Task
Maniphest T296718

Remove `sync` scripts from mediawiki docker image used for wbstack/wikibase.cloud
Closed, ResolvedPublicSecurity
Actions

Description

Currently the scripts used for updating the Mediawiki code end up also being built into the docker image.

see: https://github.com/wbstack/mediawiki/tree/main/wbstack/sync

At the least this probably exposes a DDOS but perhaps also a more critical one since these scripts are able to modify files on disc.

Details

Risk Rating
Low
Author Affiliation
Wikimedia Deutschland

Related Objects

Event Timeline

Tarrow created this task.Nov 30 2021, 10:27 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptNov 30 2021, 10:27 AM
Addshore added a project: wbstack.Nov 30 2021, 10:31 AM
Tarrow added a project: Wikibase Federated Properties Deployment (Sprint 1).Nov 30 2021, 10:39 AM

This doesn't directly contribute to our sprint goal but should be picked up if there is nothing else to be done

Deniz_WMDE claimed this task.Nov 30 2021, 11:23 AM

This adds a .dockerignore file which excludes wbstack/sync from the build process.

T296718.patch179 BDownload

Tarrow moved this task from Sprint Backlog to Doing on the Wikibase Federated Properties Deployment (Sprint 1) board.Nov 30 2021, 1:17 PM
Deniz_WMDE added a comment.Nov 30 2021, 2:22 PM

fixed here https://github.com/wbstack/mediawiki/pull/157

Deniz_WMDE moved this task from Doing to Review on the Wikibase Federated Properties Deployment (Sprint 1) board.Nov 30 2021, 2:22 PM
Tarrow moved this task from Review to To Release on the Wikibase Federated Properties Deployment (Sprint 1) board.Nov 30 2021, 9:33 PM
Addshore moved this task from To Release to Done on the Wikibase Federated Properties Deployment (Sprint 1) board.Dec 3 2021, 4:36 PM
sbassett edited projects, added SecTeam-Processed; removed Security-Team.Dec 6 2021, 4:39 PM
sbassett mentioned this in T292236: Write and send supplementary release announcement for extensions and skins with security patches (1.35.5/1.36.3/1.37.1).Dec 6 2021, 4:41 PM
Tarrow closed this task as Resolved.Dec 7 2021, 12:37 PM
sbassett triaged this task as Low priority.Dec 21 2021, 3:36 PM
sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".
sbassett changed the edit policy from "Custom Policy" to "All Users".
sbassett changed Risk Rating from N/A to Low.
Content licensed under Creative Commons Attribution-ShareAlike 3.0 (CC-BY-SA) unless otherwise noted; code licensed under GNU General Public License (GPL) or other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL