Page MenuHomePhabricator
Create Task
Maniphest T299289

Unescaped messages in WikibaseMediaInfo
Closed, ResolvedPublicSecurity
Actions

Description

The following messages are used unescaped:

wikibasemediainfo-filepage-captions-title
wikibasemediainfo-filepage-structured-data-heading
wikibasemediainfo-filepage-caption-too-short
wikibasemediainfo-filepage-caption-too-long
wikibasemediainfo-filepage-caption-empty
wikibasemediainfo-time-timestamp-empty
wikibasemediainfo-time-timestamp-invalid
wikibasemediainfo-time-timestamp-formatted

the first two are used on every file page so the impact is quite high, but you need to be able to edit the messages so the risk is low.
Will upload a patch shortly.

Details

Risk Rating
Medium
Author Affiliation
Wikimedia Communities
Related Changes in Gerrit:
SubjectRepoBranchLines +/-
Escape various messages in WikibaseMediaInfomediawiki/extensions/WikibaseMediaInfomaster+10 -12
Add escaped mock to mw helper object for qunit testsmediawiki/extensions/WikibaseMediaInfomaster+1 -0
Revert "Escape various messages in WikibaseMediaInfo"mediawiki/extensions/WikibaseMediaInfowmf/1.38.0-wmf.19+16 -14
Revert "Escape various messages in WikibaseMediaInfo"mediawiki/extensions/WikibaseMediaInfomaster+16 -14
Escape various messages in WikibaseMediaInfomediawiki/extensions/WikibaseMediaInfomaster+14 -16
Escape various messages in WikibaseMediaInfomediawiki/extensions/WikibaseMediaInfowmf/1.38.0-wmf.19+14 -16
Customize query in gerrit

Related Objects
Search...

StatusSubtypeAssignedTask
 ResolvedNoneT2212 Some MediaWiki: messages not safe in HTML (tracking)
 ResolvedSecuritysbassettT299289 Unescaped messages in WikibaseMediaInfo

Event Timeline

Dylsss created this task.Jan 15 2022, 7:15 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJan 15 2022, 7:15 PM
Dylsss added a comment.EditedJan 15 2022, 7:20 PM

Patch below:

T299289.patch4 KBDownload

Dylsss added a project: WikibaseMediaInfo.Jan 15 2022, 7:22 PM
Dylsss added a subscriber: WikibaseMediaInfo.
Dylsss removed a subscriber: WikibaseMediaInfo.
Restricted Application added a project: Structured-Data-Backlog. · View Herald TranscriptJan 15 2022, 7:22 PM
Reedy moved this task from Incoming to Security Patch To Deploy on the Security-Team board.Jan 24 2022, 4:58 PM
CBogen moved this task from Triage to Tracking on the Structured-Data-Backlog board.Jan 24 2022, 5:42 PM
sbassett added a parent task: T2212: Some MediaWiki: messages not safe in HTML (tracking).Jan 24 2022, 9:56 PM
sbassett changed the task status from Open to In Progress.Jan 24 2022, 9:58 PM
sbassett claimed this task.
sbassett moved this task from Security Patch To Deploy to In Progress on the Security-Team board.
sbassett added subscribers: gerritbot, sbassett.

Triaged during the Security-Team clinic this morning. Like other tasks related to this issue (which used to be more consistently tracked at T2212), this should just be able to go through gerrit, ideally merged on a Monday prior to the weekly train cut.

sbassett triaged this task as Medium priority.Jan 24 2022, 9:59 PM
sbassett changed Author Affiliation from N/A to Wikimedia Communities.
sbassett changed Risk Rating from N/A to Medium.
gerritbot added a comment.Jan 24 2022, 10:22 PM

Change 756709 had a related patch set uploaded (by SBassett; author: Dylsss):

[mediawiki/extensions/WikibaseMediaInfo@master] Escape various messages in WikibaseMediaInfo

https://gerrit.wikimedia.org/r/756709

gerritbot added a project: Patch-For-Review.Jan 24 2022, 10:22 PM
sbassett added a project: Vuln-XSS.Jan 24 2022, 10:26 PM
gerritbot added a comment.Jan 25 2022, 4:51 AM

Change 756709 merged by jenkins-bot:

[mediawiki/extensions/WikibaseMediaInfo@master] Escape various messages in WikibaseMediaInfo

https://gerrit.wikimedia.org/r/756709

sbassett added a comment.Jan 25 2022, 4:57 AM

So I merged a slightly uglier version of @Dylsss' patch that should function just the same, just to get this merged for wmf.19. Unfortunately, the original patch wasn't passing various qunit tests due to the escaped() method not being found on a few alleged mw.message objects - see previous failed jenkins jobs on the change set. It likely makes sense for someone more familiar with the WikibaseMediaInfo code to revisit these changes and optimize them a bit more, perhaps with ternary conditional statements like message.exists() ? message.escaped() : undefined, similar to other conditionals found elsewhere within the code.

Jdforrester-WMF added a project: MW-1.38-notes (1.38.0-wmf.20; 2022-01-31).Jan 25 2022, 2:44 PM
gerritbot added a comment.Jan 25 2022, 5:03 PM

Change 756994 had a related patch set uploaded (by SBassett; author: Dylsss):

[mediawiki/extensions/WikibaseMediaInfo@wmf/1.38.0-wmf.19] Escape various messages in WikibaseMediaInfo

https://gerrit.wikimedia.org/r/756994

gerritbot added a comment.Jan 25 2022, 5:53 PM

Change 756994 merged by jenkins-bot:

[mediawiki/extensions/WikibaseMediaInfo@wmf/1.38.0-wmf.19] Escape various messages in WikibaseMediaInfo

https://gerrit.wikimedia.org/r/756994

taavi subscribed.Jan 27 2022, 5:45 PM

@sbassett Hi, your modified patch doesn't seem to be working properly. The file information tab on Commons files is no longer visible:

image.png (371×748 px, 34 KB)

with the following error in the browser console:

TypeError: s.replace is not a function

This breakage was noted on the unofficial Discord server, copying AntiComposite's analysis here (with permission) if it makes fixing easier:

AntiComposite — Today at 19:27
https://gerrit.wikimedia.org/r/plugins/gitiles/mediawiki/extensions/WikibaseMediaInfo/+/083c8409209ee03bc58c38574858de4b44b316ad%5E%21/resources/filepage/CaptionsPanel.js 
mw.message returns a mw.Message object, not a string. but mw.html.escape expects a string. it tries to do do s.replace, but mw.Message doesn't have a replace method. Probably best to use mw.message.escaped() instead of DIYing it. I'll put in a patch

AntiComposite — Today at 19:43
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/WikibaseMediaInfo/+/756709/2..3
changeset 2 used mw.message.escaped(), changeset 3 changed that to the broken mw.html.escape(mw.message)
because mw.message.escaped was throwing TypeErrors in the tests...
brennen subscribed.Jan 27 2022, 5:49 PM

Thoughts on rolling back train or patching?

gerritbot added a comment.Jan 27 2022, 5:55 PM

Change 757484 had a related patch set uploaded (by SBassett; author: SBassett):

[mediawiki/extensions/WikibaseMediaInfo@master] Revert \"Escape various messages in WikibaseMediaInfo\"

https://gerrit.wikimedia.org/r/757484

sbassett added a comment.Jan 27 2022, 5:56 PM
In T299289#7657200, @brennen wrote:

Thoughts on rolling back train or patching?

I've created a revert ^ for now, which should test fine and then can be picked to wmf.19.

gerritbot added a comment.Jan 27 2022, 5:58 PM

Change 757485 had a related patch set uploaded (by Brennen Bearnes; author: SBassett):

[mediawiki/extensions/WikibaseMediaInfo@wmf/1.38.0-wmf.19] Revert \"Escape various messages in WikibaseMediaInfo\"

https://gerrit.wikimedia.org/r/757485

brennen added a comment.Jan 27 2022, 5:59 PM

Thanks. I can deploy that once tests finish.

gerritbot added a comment.Jan 27 2022, 6:12 PM

Change 757484 merged by jenkins-bot:

[mediawiki/extensions/WikibaseMediaInfo@master] Revert \"Escape various messages in WikibaseMediaInfo\"

https://gerrit.wikimedia.org/r/757484

Dylsss added a comment.Jan 27 2022, 6:32 PM

Maybe I'm missing something very obvious, but I am still not really sure why the tests were throwing errors on the original patch. When I tested the patch locally everything worked properly and fixed the XSS, and I didn't see any visible issues or errors in the console.

taavi added a comment.Jan 27 2022, 6:33 PM
In T299289#7657353, @Dylsss wrote:

Maybe I'm missing something very obvious, but I am still not really sure why the tests were throwing errors on the original patch. When I tested the patch locally everything worked properly and fixed the XSS, and I didn't see any visible issues or errors in the console.

Probably WikibaseMediaInfo's custom mocked stub for the mw object needs updating: https://gerrit.wikimedia.org/g/mediawiki/extensions/WikibaseMediaInfo/+/8d65ac3bb75fdcb0247e9756645a58cad46a0466/tests/node-qunit/support/helpers.js#57 (/me wonders if that's really the best way to implement that)

gerritbot added a comment.Jan 27 2022, 6:36 PM

Change 757485 merged by jenkins-bot:

[mediawiki/extensions/WikibaseMediaInfo@wmf/1.38.0-wmf.19] Revert \"Escape various messages in WikibaseMediaInfo\"

https://gerrit.wikimedia.org/r/757485

brennen added a comment.Jan 27 2022, 6:42 PM

Revert tested and appears working; deployed.

sbassett added a comment.EditedJan 27 2022, 6:52 PM

Thanks, @brennen. Sorry about that.

Regarding the bug, I'm pretty sure I meant to make those mw.msg calls instead, but got distracted and since it tested fine in gerrit, just merged it. I'd guess this approach would work as a quick fix, though obviously that isn't ideal.

In T299289#7657353, @Dylsss wrote:

Maybe I'm missing something very obvious, but I am still not really sure why the tests were throwing errors on the original patch. When I tested the patch locally everything worked properly and fixed the XSS, and I didn't see any visible issues or errors in the console.

Your patch absolutely should have worked fine as-is. There are many, many instances of mw.message( ... ).escaped() within other Wikimedia codebases. I'm guessing @Majavah's findings are the likely culprit. There probably just needs to be an escaped mock added here.

sbassett added a comment.EditedJan 27 2022, 7:12 PM
In T299289#7657463, @sbassett wrote:

Your patch absolutely should have worked fine as-is. There are many, many instances of mw.message( ... ).escaped() within other Wikimedia codebases. I'm guessing @Majavah's findings are the likely culprit. There probably just needs to be an escaped mock added here.

This appears to be the problem: testing locally with @Dylsss' first patch and adding an escaped property to the mw mock, the tests run fine. Gerrit patch coming soon for this issue, then we can likely send the first patch through gerrit as well.

gerritbot added a comment.Jan 27 2022, 7:13 PM

Change 757726 had a related patch set uploaded (by SBassett; author: SBassett):

[mediawiki/extensions/WikibaseMediaInfo@master] Add escaped mock to mw helper object for qunit tests

https://gerrit.wikimedia.org/r/757726

gerritbot added a comment.Jan 28 2022, 12:22 PM

Change 757726 merged by jenkins-bot:

[mediawiki/extensions/WikibaseMediaInfo@master] Add escaped mock to mw helper object for qunit tests

https://gerrit.wikimedia.org/r/757726

sbassett added a comment.Jan 28 2022, 6:41 PM

Thanks for the +2, @Majavah. I'm going to send up @Dylsss's original patch here, which should test fine now.

gerritbot added a comment.Jan 28 2022, 6:49 PM

Change 757954 had a related patch set uploaded (by SBassett; author: Dylsss):

[mediawiki/extensions/WikibaseMediaInfo@master] Escape various messages in WikibaseMediaInfo

https://gerrit.wikimedia.org/r/757954

gerritbot added a comment.Jan 31 2022, 7:38 PM

Change 757954 merged by jenkins-bot:

[mediawiki/extensions/WikibaseMediaInfo@master] Escape various messages in WikibaseMediaInfo

https://gerrit.wikimedia.org/r/757954

sbassett closed this task as Resolved.Mar 16 2022, 8:46 PM
sbassett moved this task from In Progress to Our Part Is Done on the Security-Team board.
sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".
sbassett changed the edit policy from "Custom Policy" to "All Users".
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits