Page MenuHomePhabricator

Application Security Review Request : Codex
Closed, ResolvedPublic

Description

Project Information

Description of the tool/project: Library of reusable UI components written in Vue, for use in MediaWiki and related software

Description of how the tool will be used at WMF: Initially, this will be used to gradually replace the various ad-hoc Vue-based component libraries that currently exist (such as WVUI) as Codex grows and achieves feature parity with them. Long-term, Codex is intended to be the main UI component library used for frontend development in the wikiverse, centralizing design decisions about

Current status: Codex is still under active development, and will continue to be for quite some time. Codex is available as a ResourceLoader module in MediaWiki, but is not currently used in any deployed code. This security review request is for the initial deployment (planned for Q4), where we plan to use Codex to power the search bar in Vector (which currently uses WVUI). After the initial deployment, development of Codex will continue, and we plan to continuously deploy updates and new components as they are developed.

Dependencies

  • The only runtime dependency is Vue.js (currently version 3.2.27)
  • There are many devDependencies, see the package.json files in the repository (both in the root directory and in each of the packages/*/ directories)

Has this project been reviewed before?
No

Working test environment
https://doc.wikimedia.org/codex/main/ has demos of each component. Codex is also available (but currently unused) in MediaWiki. Steps to demo in MediaWiki are outlined in T299143#7784434.

Post-deployment
The Design-System-Team is responsible for Codex and will continue to actively develop it after the initial deployment. The engineers on the DST are @Catrope, @AnneT and @egardner . The engineering manager is @NHillard-WMF. @DAbad is functioning as interim technical product manager.

Event Timeline

The Codex repo is a monorepo with four packages, managed as NPM workspaces. Two of these packages are currently published on NPM. The releases of these two packages on NPM are then embedded in MediaWiki via foreign-resources.yaml.

  • The packages/codex/ directory is published to NPM as @wikimedia/codex
  • The packages/codex-icons/ directory is published to NPM as @wikimedia/codex-icons
  • The packages/codex-design-tokens/ directory is not yet published to NPM, but will be in the future, as @wikimedia/codex-design-tokens
  • The packages/codex-docs/ directory is not published to NPM. It powers the documentation website at https://doc.wikimedia.org/codex/main .

Note that each of these packages has its own package.json file, with its own dependencies and (mostly) devDependencies. The codex package imports and embeds code from the codex-icons and codex-design-tokens packages. If you need any guidance navigating the repository or have any other questions, feel free to ask.

Thanks, @Catrope. Backlogging for now and will plan to schedule a review for Q4 2022 (April to June).

Thanks @sbassett . I promised I would update the anticipated deployment date with something more detailed than just "some time in Q4", and I have now done that. We expect to be ready to deploy Codex in production in mid-May.

Hi @mmartorana ! We are nearing consensus with the Web team on a July 19-21 train deployment for Codex so that we can release the TypeaheadSearch component to production (epic: T297025).

We're wondering if you have a target completion date for this security review? This will help us better understand whether we need to consider other dates or figure out a backup plan. Thanks so much - let me know if a synchronous discussion would be helpful here and I'll be glad to set one up.

cc @LGoto @Cleo_Lemoisson @ovasileva @DAbad @NHillard-WMF

Hi @ldelench_wmf - unfortunately this review is going to run a little bit over, but it will be posted no later than 15th of July.

Let me know if you need additional information.

mmartorana changed the task status from Open to In Progress.Jun 28 2022, 5:45 PM
mmartorana triaged this task as High priority.

Security Review Summary - T302772 - 2022-07-06
Last commit reviewed: 001f592399e37464ef2cd8f2c65d1141ac4316e0

Summary

Overall, the current codex codebase looks pretty good from a basic, application security standpoint. There are just a few vulnerable dependencies, and some really minor cleanness and security issues in the code.
The overall risk rating is low.

Vulnerable Packages - Production

snyk returned no results. low risk
auditjs returned no results. low risk
osv-detector returned no additional results. low risk

VulnerabilityPackageNotesServiceRemediationRisk
Got allows a redirect to a UNIX socketgotnetlify-cli/node_modules/gotnpm auditadvisory link medium
Insufficient Granularity of Access Control in JSDomjsdomnetlify-cli/node_modules/jsdomnpm auditadvisory link medium

Vulnerable Packages - Development

VulnerabilityPackageNotesServiceRemediationRisk
Prototype Pollution in minimistminimistnetlify-cli/node_modules/minimistnpm auditadvisory link critical
Regular expression denial of service in glob-parentglob-parentcpy/node_modules/glob-parentnpm auditadvisory link high
Regular Expression Denial of Service in ansi2htmlansi2htmlnetlify-cli/node_modules/ansi2htmlnpm auditadvisory link high
Inefficient Regular Expression Complexity in chalk/ansi-regexansi-regexnetlify-cli/node_modules/ansi2htmlnpm auditadvisory link high
Exposure of Sensitive Information to an Unauthorized Actor in follow-redirectsfollow-redirectsnode_modules/follow-redirectsnpm auditadvisory link medium

Outdated Packages
npm outdated returned no results. low risk

Static Analysis Findings
deepscan generated results which I've included as supplemental files at the end of this review. Most of them are false positive. low risk
snyk code returned no results. low risk
mw_js_sec_sniff returned false positives. low risk
gitleaks returned false positives. low risk
whispers returned false positives. low risk
lockfile-lint returned false positives. low risk
sast-scan returned no results, outside of the previously-mentioned vulnerable dev/indirect sub-dependencies. low risk

The following semgrep policies generated results, which I've included as supplemental files at the end of this review:

  1. p/security-audit
  2. p/ci
  3. p/secrets
  4. p/supply-chain
  5. p/insecure-transport
  6. p/owasp-top-ten
  7. p/r2c-ci
  8. p/jwt
  9. p/xss
  10. p/javascript
  11. p/typescript
  12. p/nodejsscan
  13. p/nodejs
  14. p/clientside-js
  15. p/nodejsscan

The general summary of the above tools and policy results are:

  1. In packages/codex/src/components/icon/Icon.test.ts user controlled data in methods like innerHTML, outerHTML or document.write is an anti-pattern that can lead to XSS vulnerabilities. low risk
  2. In packages/codex/src/components/icon/Icon.vue dynamically rendering arbitrary HTML can be dangerous because it can easily lead to XSS vulnerabilities. low risk
  3. In packages/codex/src/utils/stringHelpers.ts RegExp() called with a variable, this might allow an attacker to DOS your application with a long-running regular expression. low risk
  4. In packages/codex-docs/docgen.config.js possible writing outside of the destination, make sure that the target path is nested in the intended destination. low risk
  5. In packages/codex-docs/docs/templates/methods.js user controlled data in a HTML string may result in XSS. low risk
  6. In packages/codex-icons/buildIconsJson.js a variable is present in the filename argument of fs calls, this might allow an attacker to access anything on your system. low risk

Supplemental Materials
Please see attached:

Change 812928 had a related patch set uploaded (by Eric Gardner; author: Eric Gardner):

[design/codex@main] Build: Update netlify-cli, update minimist vulnerability

https://gerrit.wikimedia.org/r/812928

Change 812928 merged by jenkins-bot:

[design/codex@main] Build: Update netlify-cli, update minimist vulnerability

https://gerrit.wikimedia.org/r/812928

Change 815381 had a related patch set uploaded (by Catrope; author: Catrope):

[design/codex@main] build: Update netlify-cli to v10.10.2

https://gerrit.wikimedia.org/r/815381

Security Review Summary - T302772 - 2022-07-06
Last commit reviewed: 001f592399e37464ef2cd8f2c65d1141ac4316e0

Summary

Overall, the current codex codebase looks pretty good from a basic, application security standpoint. There are just a few vulnerable dependencies, and some really minor cleanness and security issues in the code.
The overall risk rating is low.

Thank you!

Vulnerable Packages - Production

snyk returned no results. low risk
auditjs returned no results. low risk
osv-detector returned no additional results. low risk

VulnerabilityPackageNotesServiceRemediationRisk
Got allows a redirect to a UNIX socketgotnetlify-cli/node_modules/gotnpm auditadvisory link medium
Insufficient Granularity of Access Control in JSDomjsdomnetlify-cli/node_modules/jsdomnpm auditadvisory link medium

The jsdom vulnerability is being addressed in https://gerrit.wikimedia.org/r/815381 (upgrading netlify-cli to a newer version that pulls in a newer version of jsdom). The got vulnerability is also due to a netlify-cli dependency, but upgrading to the latest version of netlify-cli didn't fix this. npm audit suggests fixing this by downgrading netlify-cli to 2.37.0 (three years old, eight major versions ago) which is not an option.

Vulnerable Packages - Development

VulnerabilityPackageNotesServiceRemediationRisk
Prototype Pollution in minimistminimistnetlify-cli/node_modules/minimistnpm auditadvisory link critical
Regular expression denial of service in glob-parentglob-parentcpy/node_modules/glob-parentnpm auditadvisory link high
Regular Expression Denial of Service in ansi2htmlansi2htmlnetlify-cli/node_modules/ansi2htmlnpm auditadvisory link high
Inefficient Regular Expression Complexity in chalk/ansi-regexansi-regexnetlify-cli/node_modules/ansi2htmlnpm auditadvisory link high
Exposure of Sensitive Information to an Unauthorized Actor in follow-redirectsfollow-redirectsnode_modules/follow-redirectsnpm auditadvisory link medium

The minimist vulnerability was addressed by https://gerrit.wikimedia.org/r/812928 . The ansi2html vulnerability is being addressed in https://gerrit.wikimedia.org/r/815381 . The others (glob-parent, ansi-regex, follow-redirects) are due to outdated dependencies upstream in netlify-cli, and npm audit fix is unable to fix them other than through the same unhelpful downgrade it suggests for got above. We'll have to wait for upstream and its dependencies to address these. Thankfully netlify-cli is only used in a CI job.

The general summary of the above tools and policy results are:

  1. In packages/codex/src/components/icon/Icon.test.ts user controlled data in methods like innerHTML, outerHTML or document.write is an anti-pattern that can lead to XSS vulnerabilities. low risk

This is in a test file, so users can't run it, and the data is static (not user-controlled).

  1. In packages/codex/src/components/icon/Icon.vue dynamically rendering arbitrary HTML can be dangerous because it can easily lead to XSS vulnerabilities. low risk

Agreed, this is a real risk, but in the context of this code it's a low risk.

  1. In packages/codex/src/utils/stringHelpers.ts RegExp() called with a variable, this might allow an attacker to DOS your application with a long-running regular expression. low risk

This constructs a RegExp with user input, but escapes that user input first, and does not allow the user to make the RegExp's execution run longer.

  1. In packages/codex-docs/docgen.config.js possible writing outside of the destination, make sure that the target path is nested in the intended destination. low risk

This builds paths based on existing file names, not used input, so this should be fine.

  1. In packages/codex-docs/docs/templates/methods.js user controlled data in a HTML string may result in XSS. low risk

This file generates HTML-like Markdown syntax, and as far as I can tell all input data (which is not directly user-controlled, but extracted from other source files) is escaped.

  1. In packages/codex-icons/buildIconsJson.js a variable is present in the filename argument of fs calls, this might allow an attacker to access anything on your system. low risk

This file can only be run from the command line, and the variable in question is __dirname (the directory where the file lives), so that seems fine.

Closing this task as we've mitigated everything that can reasonably be mitigated. For some of these vulnerable dependencies in netlify-cli we'll unfortunately have to wait for upstream (or their upstream) to address them.

Change 815381 merged by jenkins-bot:

[design/codex@main] build: Update netlify-cli to v10.10.2

https://gerrit.wikimedia.org/r/815381

Hi @Catrope - thanks for fixing the issues.

I agree with your analysis of the semgrep findings.

Let me know if you need anything else.