Page MenuHomePhabricator
Create Task
Maniphest T298504

i18n XSS audit in GrowthExperiments
Closed, ResolvedPublicSecurity
Actions

Description

Steps to reproduce:

  1. set MediaWiki:Growthexperiments-homepage-suggestededits-tasktype-machine-description to <script>alert('xss')</script>
  2. visit Special:Homepage on desktop (or visit it on mobile and then click on the "Suggested edits" box)

(via TaskTypeSelectionWidget)

Same for growthexperiments-homepage-suggestededits-pageviews (via SuggestedEditCardWidget); only on desktop (and for certain tasks).

Same for growthexperiments-addlink-summary-column-header-linked, growthexperiments-addlink-summary-column-header-suggestion and growthexperiments-addlink-summary-title (via AddLinkSaveDialog); seen when opening an Add Link task from the homepage and opening the save dialog.

Steps to reproduce:

  1. set MediaWiki:Growthexperiments-homepage-suggested-edits-header to <img src="http://example.com" onerror="alert('xss')" />
  2. visit Special:Homepageon mobile
  3. click on the box with <img src... on top

Details

Risk Rating
Low
Author Affiliation
WMF Product
SubjectRepoBranchLines +/-
SECURITY: Fix several i18n XSS issues in suggested editsmediawiki/extensions/GrowthExperimentswmf/1.38.0-wmf.17+7 -7
SECURITY: Fix several i18n XSS issues in suggested editsmediawiki/extensions/GrowthExperimentsmaster+7 -7
Customize query in gerrit

Related Objects

Event Timeline

Tgr created this task.Jan 4 2022, 7:16 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJan 4 2022, 7:16 AM
Tgr added projects: Vuln-XSS, GrowthExperiments-Homepage, Growth-Team (Sprint 0 (Growth Team)).Jan 4 2022, 7:17 AM
Tgr moved this task from Incoming to Ready for Development on the Growth-Team (Sprint 0 (Growth Team)) board.
Tgr updated the task description. (Show Details)Jan 4 2022, 7:22 AM
Tgr added a comment.Jan 4 2022, 7:26 AM

Also growthexperiments-homepage-suggestededits-pageviews (via SuggestedEditCardWidget). Probably not worth creating a new task for each message.

Tgr added a comment.Jan 4 2022, 8:53 AM

Also growthexperiments-addlink-summary-column-header-linked, growthexperiments-addlink-summary-column-header-suggestion and growthexperiments-addlink-summary-title (via AddLinkSaveDialog).

Tgr renamed this task from i18n XSS in GrowthExperiments TaskTypeSelectionWidget to i18n XSS audit in GrowthExperiments .Jan 4 2022, 9:11 AM
Tgr updated the task description. (Show Details)
Tgr updated the task description. (Show Details)
Tgr merged a task: Restricted Task.Jan 4 2022, 9:13 AM
Tgr added a comment.Jan 4 2022, 9:20 AM

T298504.patch4 KBDownload

Tgr moved this task from Ready for Development to Code Review on the Growth-Team (Sprint 0 (Growth Team)) board.Jan 4 2022, 9:25 AM
Urbanecm_WMF added a comment.Jan 5 2022, 12:30 AM
In T298504#7595146, @Tgr wrote:

T298504.patch4 KBDownload

LGTM.

sbassett added a project: SecTeam-Processed.Jan 5 2022, 9:15 PM
sbassett moved this task from Incoming to Watching on the Security-Team board.
sbassett subscribed.
In T298504#7597442, @Urbanecm_WMF wrote:
In T298504#7595146, @Tgr wrote:

T298504.patch4 KBDownload

LGTM.

+1. Do we want to be extra-careful and security-deploy this patch? Or can it get merged later on a Monday for the week's train? We've definitely done the latter for several msg-related XSS vulns like this in the past. I personally feel that's fairly low-risk, given the need for an attacker to either be able to edit pages under the MediaWiki namespace or push/merge patches to this extension's repo.

Tgr added a comment.Jan 6 2022, 5:56 AM
In T298504#7600043, @sbassett wrote:

Do we want to be extra-careful and security-deploy this patch? Or can it get merged later on a Monday for the week's train? We've definitely done the latter for several msg-related XSS vulns like this in the past. I personally feel that's fairly low-risk, given the need for an attacker to either be able to edit pages under the MediaWiki namespace or push/merge patches to this extension's repo.

I'm happy to follow whatever is considered best practice (agreed it's low-risk) - will merge next Monday then.

Tgr moved this task from Code Review to Test in Production | Watching on the Growth-Team (Sprint 0 (Growth Team)) board.Jan 9 2022, 5:49 AM
Tgr added a comment.Jan 11 2022, 8:42 AM

Merged & backported to wmf.17 (missed the branch cut first due to some CI shenanigans): rEGREc7ae734fb063: SECURITY: Fix several i18n XSS issues in suggested edits Also includes the fix for T298019: i18n XSS in GrowthExperiments suggested edits pager (CVE-2022-28326). I think this task is done.

sbassett added a comment.Jan 11 2022, 3:18 PM
In T298504#7611936, @Tgr wrote:

Merged & backported to wmf.17 (missed the branch cut first due to some CI shenanigans): rEGREc7ae734fb063: SECURITY: Fix several i18n XSS issues in suggested edits Also includes the fix for T298019: i18n XSS in GrowthExperiments suggested edits pager (CVE-2022-28326). I think this task is done.

Thanks. I suppose this and the related task can be resolved and made public, since the related patches are in gerrit.

Tgr closed this task as Resolved.Jan 11 2022, 5:56 PM
Tgr claimed this task.
In T298504#7613004, @sbassett wrote:

Thanks. I suppose this and the related task can be resolved and made public, since the related patches are in gerrit.

Resolved. I don't think I have the right to make them public.

sbassett triaged this task as Low priority.Jan 11 2022, 6:15 PM
sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".
sbassett changed the edit policy from "Custom Policy" to "All Users".
sbassett changed Risk Rating from N/A to Low.
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL