Page MenuHomePhabricator
Create Task
Maniphest T302772

Application Security Review Request : Codex
Closed, ResolvedPublic
Actions

Assigned To
mmartorana
Authored By
Catrope
Mar 1 2022, 4:18 AM
Tags
Referenced Files
F35309585: deepscan.txt
Jul 6 2022, 4:18 PM
F35302629: mw-js-sec-sniff-output.txt
Jul 6 2022, 4:18 PM
F35296835: semgrep-output.txt
Jul 6 2022, 4:18 PM
Subscribers
Aklapper
AnneT
Catrope
Cleo_Lemoisson
DAbad
DannyS712
egardner
View All 14 Subscribers

Description

Project Information

Description of the tool/project: Library of reusable UI components written in Vue, for use in MediaWiki and related software

Description of how the tool will be used at WMF: Initially, this will be used to gradually replace the various ad-hoc Vue-based component libraries that currently exist (such as WVUI) as Codex grows and achieves feature parity with them. Long-term, Codex is intended to be the main UI component library used for frontend development in the wikiverse, centralizing design decisions about

Current status: Codex is still under active development, and will continue to be for quite some time. Codex is available as a ResourceLoader module in MediaWiki, but is not currently used in any deployed code. This security review request is for the initial deployment (planned for Q4), where we plan to use Codex to power the search bar in Vector (which currently uses WVUI). After the initial deployment, development of Codex will continue, and we plan to continuously deploy updates and new components as they are developed.

Dependencies

  • The only runtime dependency is Vue.js (currently version 3.2.27)
  • There are many devDependencies, see the package.json files in the repository (both in the root directory and in each of the packages/*/ directories)

Has this project been reviewed before?
No

Working test environment
https://doc.wikimedia.org/codex/main/ has demos of each component. Codex is also available (but currently unused) in MediaWiki. Steps to demo in MediaWiki are outlined in T299143#7784434.

Post-deployment
The Design-System-Team is responsible for Codex and will continue to actively develop it after the initial deployment. The engineers on the DST are @Catrope, @AnneT and @egardner . The engineering manager is @NHillard-WMF. @DAbad is functioning as interim technical product manager.

Details

Risk Rating
Low
Author Affiliation
WMF Product
SubjectRepoBranchLines +/-
build: Update netlify-cli to v10.10.2design/codexmain+4 K -6 K
Build: Update netlify-cli, update minimist vulnerabilitydesign/codexmain+2 K -2 K
Customize query in gerrit

Related Objects
Search...

Event Timeline

Catrope created this task.Mar 1 2022, 4:18 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMar 1 2022, 4:18 AM
Catrope added a comment.Mar 1 2022, 4:25 AM

The Codex repo is a monorepo with four packages, managed as NPM workspaces. Two of these packages are currently published on NPM. The releases of these two packages on NPM are then embedded in MediaWiki via foreign-resources.yaml.

  • The packages/codex/ directory is published to NPM as @wikimedia/codex
  • The packages/codex-icons/ directory is published to NPM as @wikimedia/codex-icons
  • The packages/codex-design-tokens/ directory is not yet published to NPM, but will be in the future, as @wikimedia/codex-design-tokens
  • The packages/codex-docs/ directory is not published to NPM. It powers the documentation website at https://doc.wikimedia.org/codex/main .

Note that each of these packages has its own package.json file, with its own dependencies and (mostly) devDependencies. The codex package imports and embeds code from the codex-icons and codex-design-tokens packages. If you need any guidance navigating the repository or have any other questions, feel free to ask.

Catrope added projects: Codex, Design-Systems-team-20200324-20220422 (Design Systems Team FY2021-22 Kanban Board).Mar 2 2022, 5:22 PM
sbassett subscribed.Mar 8 2022, 11:42 PM

Thanks, @Catrope. Backlogging for now and will plan to schedule a review for Q4 2022 (April to June).

sbassett moved this task from Incoming to Back Orders on the secscrum board.Mar 8 2022, 11:42 PM
DannyS712 subscribed.Mar 9 2022, 1:07 AM
Catrope mentioned this in T286835: Port RelatedArticles to Codex.Mar 9 2022, 6:03 PM
Krinkle subscribed.Mar 9 2022, 6:26 PM
Jdlrobson added a parent task: T246493: [EPIC] Deploy NearbyPages everywhere.Mar 9 2022, 7:24 PM
egardner mentioned this in T300573: Upgrade Vue.js development version in web team extensions / skins.Mar 11 2022, 10:34 PM
Catrope updated the task description. (Show Details)Mar 23 2022, 10:35 PM

Thanks @sbassett . I promised I would update the anticipated deployment date with something more detailed than just "some time in Q4", and I have now done that. We expect to be ready to deploy Codex in production in mid-May.

sbassett assigned this task to mmartorana.Apr 5 2022, 5:03 PM
sbassett moved this task from Back Orders to In Progress on the secscrum board.
mmartorana moved this task from In Progress to Waiting on the secscrum board.May 10 2022, 2:10 PM
Catrope updated the task description. (Show Details)May 17 2022, 6:59 PM
Catrope added a subscriber: NBaca-WMF.
ldelench_wmf subscribed.May 26 2022, 1:36 PM
ldelench_wmf added projects: Design-System-Team, Foundational Technology Requests.Jun 1 2022, 4:01 PM
mmartorana moved this task from Waiting to In Progress on the secscrum board.Jun 7 2022, 2:45 PM
Catrope added a parent task: T310241: Migrate QuickSurveys from WVUI to Codex.Jun 9 2022, 12:40 AM
Catrope mentioned this in T310243: Deprecate WVUI in favor of Codex.Jun 9 2022, 12:46 AM
Catrope added a parent task: T303558: Typeahead search deployment: Use CdxTypeaheadSearch in Vector.Jun 9 2022, 12:50 AM
Catrope added a parent task: T310240: Remove Vue version of GlobalWatchlist with its WVUI dependency.
Catrope added a parent task: T300595: Migrate NearbyPages from WVUI to Codex.
Catrope added a parent task: T286835: Port RelatedArticles to Codex.
ldelench_wmf moved this task from Inbox to Following on the Design-System-Team board.Jun 13 2022, 3:17 PM
ldelench_wmf updated the task description. (Show Details)Jun 17 2022, 1:07 PM
ldelench_wmf added a subscriber: DAbad.
ldelench_wmf updated the task description. (Show Details)Jun 27 2022, 1:29 PM
ldelench_wmf added subscribers: Cleo_Lemoisson, LGoto, ovasileva.Jun 27 2022, 1:38 PM

Hi @mmartorana ! We are nearing consensus with the Web team on a July 19-21 train deployment for Codex so that we can release the TypeaheadSearch component to production (epic: T297025).

We're wondering if you have a target completion date for this security review? This will help us better understand whether we need to consider other dates or figure out a backup plan. Thanks so much - let me know if a synchronous discussion would be helpful here and I'll be glad to set one up.

cc @LGoto @Cleo_Lemoisson @ovasileva @DAbad @NHillard-WMF

mmartorana added a comment.Jun 28 2022, 5:45 PM

Hi @ldelench_wmf - unfortunately this review is going to run a little bit over, but it will be posted no later than 15th of July.

Let me know if you need additional information.

mmartorana changed the task status from Open to In Progress.Jun 28 2022, 5:45 PM
mmartorana triaged this task as High priority.
ldelench_wmf mentioned this in Design-System-Team (Design-System-Sprint).Jul 5 2022, 3:50 PM
mmartorana added a comment.Jul 6 2022, 4:18 PM

Security Review Summary - T302772 - 2022-07-06
Last commit reviewed: 001f592399e37464ef2cd8f2c65d1141ac4316e0

Summary

Overall, the current codex codebase looks pretty good from a basic, application security standpoint. There are just a few vulnerable dependencies, and some really minor cleanness and security issues in the code.
The overall risk rating is low.

Vulnerable Packages - Production

snyk returned no results. low risk
auditjs returned no results. low risk
osv-detector returned no additional results. low risk

VulnerabilityPackageNotesServiceRemediationRisk
Got allows a redirect to a UNIX socketgotnetlify-cli/node_modules/gotnpm auditadvisory link medium
Insufficient Granularity of Access Control in JSDomjsdomnetlify-cli/node_modules/jsdomnpm auditadvisory link medium

Vulnerable Packages - Development

VulnerabilityPackageNotesServiceRemediationRisk
Prototype Pollution in minimistminimistnetlify-cli/node_modules/minimistnpm auditadvisory link critical
Regular expression denial of service in glob-parentglob-parentcpy/node_modules/glob-parentnpm auditadvisory link high
Regular Expression Denial of Service in ansi2htmlansi2htmlnetlify-cli/node_modules/ansi2htmlnpm auditadvisory link high
Inefficient Regular Expression Complexity in chalk/ansi-regexansi-regexnetlify-cli/node_modules/ansi2htmlnpm auditadvisory link high
Exposure of Sensitive Information to an Unauthorized Actor in follow-redirectsfollow-redirectsnode_modules/follow-redirectsnpm auditadvisory link medium

Outdated Packages
npm outdated returned no results. low risk

Static Analysis Findings
deepscan generated results which I've included as supplemental files at the end of this review. Most of them are false positive. low risk
snyk code returned no results. low risk
mw_js_sec_sniff returned false positives. low risk
gitleaks returned false positives. low risk
whispers returned false positives. low risk
lockfile-lint returned false positives. low risk
sast-scan returned no results, outside of the previously-mentioned vulnerable dev/indirect sub-dependencies. low risk

The following semgrep policies generated results, which I've included as supplemental files at the end of this review:

  1. p/security-audit
  2. p/ci
  3. p/secrets
  4. p/supply-chain
  5. p/insecure-transport
  6. p/owasp-top-ten
  7. p/r2c-ci
  8. p/jwt
  9. p/xss
  10. p/javascript
  11. p/typescript
  12. p/nodejsscan
  13. p/nodejs
  14. p/clientside-js
  15. p/nodejsscan

The general summary of the above tools and policy results are:

  1. In packages/codex/src/components/icon/Icon.test.ts user controlled data in methods like innerHTML, outerHTML or document.write is an anti-pattern that can lead to XSS vulnerabilities. low risk
  2. In packages/codex/src/components/icon/Icon.vue dynamically rendering arbitrary HTML can be dangerous because it can easily lead to XSS vulnerabilities. low risk
  3. In packages/codex/src/utils/stringHelpers.ts RegExp() called with a variable, this might allow an attacker to DOS your application with a long-running regular expression. low risk
  4. In packages/codex-docs/docgen.config.js possible writing outside of the destination, make sure that the target path is nested in the intended destination. low risk
  5. In packages/codex-docs/docs/templates/methods.js user controlled data in a HTML string may result in XSS. low risk
  6. In packages/codex-icons/buildIconsJson.js a variable is present in the filename argument of fs calls, this might allow an attacker to access anything on your system. low risk

Supplemental Materials
Please see attached:

  1. semgrep-output.txt3 KBDownload
  2. mw-js-sec-sniff-output.txt610 KBDownload
  3. deepscan.txt2 KBDownload
mmartorana moved this task from In Progress to Our Part Is Done on the secscrum board.Jul 6 2022, 4:19 PM
mmartorana moved this task from Our Part Is Done to Waiting on the secscrum board.
gerritbot added a comment.Jul 11 2022, 6:54 PM

Change 812928 had a related patch set uploaded (by Eric Gardner; author: Eric Gardner):

[design/codex@main] Build: Update netlify-cli, update minimist vulnerability

https://gerrit.wikimedia.org/r/812928

gerritbot added a project: Patch-For-Review.Jul 11 2022, 6:54 PM
gerritbot added a comment.Jul 11 2022, 7:41 PM

Change 812928 merged by jenkins-bot:

[design/codex@main] Build: Update netlify-cli, update minimist vulnerability

https://gerrit.wikimedia.org/r/812928

Maintenance_bot removed a project: Patch-For-Review.Jul 11 2022, 8:31 PM
gerritbot added a comment.Jul 19 2022, 9:11 PM

Change 815381 had a related patch set uploaded (by Catrope; author: Catrope):

[design/codex@main] build: Update netlify-cli to v10.10.2

https://gerrit.wikimedia.org/r/815381

gerritbot added a project: Patch-For-Review.Jul 19 2022, 9:11 PM
Catrope closed this task as Resolved.Jul 19 2022, 9:55 PM
In T302772#8056180, @mmartorana wrote:

Security Review Summary - T302772 - 2022-07-06
Last commit reviewed: 001f592399e37464ef2cd8f2c65d1141ac4316e0

Summary

Overall, the current codex codebase looks pretty good from a basic, application security standpoint. There are just a few vulnerable dependencies, and some really minor cleanness and security issues in the code.
The overall risk rating is low.

Thank you!

Vulnerable Packages - Production

snyk returned no results. low risk
auditjs returned no results. low risk
osv-detector returned no additional results. low risk

VulnerabilityPackageNotesServiceRemediationRisk
Got allows a redirect to a UNIX socketgotnetlify-cli/node_modules/gotnpm auditadvisory link medium
Insufficient Granularity of Access Control in JSDomjsdomnetlify-cli/node_modules/jsdomnpm auditadvisory link medium

The jsdom vulnerability is being addressed in https://gerrit.wikimedia.org/r/815381 (upgrading netlify-cli to a newer version that pulls in a newer version of jsdom). The got vulnerability is also due to a netlify-cli dependency, but upgrading to the latest version of netlify-cli didn't fix this. npm audit suggests fixing this by downgrading netlify-cli to 2.37.0 (three years old, eight major versions ago) which is not an option.

Vulnerable Packages - Development

VulnerabilityPackageNotesServiceRemediationRisk
Prototype Pollution in minimistminimistnetlify-cli/node_modules/minimistnpm auditadvisory link critical
Regular expression denial of service in glob-parentglob-parentcpy/node_modules/glob-parentnpm auditadvisory link high
Regular Expression Denial of Service in ansi2htmlansi2htmlnetlify-cli/node_modules/ansi2htmlnpm auditadvisory link high
Inefficient Regular Expression Complexity in chalk/ansi-regexansi-regexnetlify-cli/node_modules/ansi2htmlnpm auditadvisory link high
Exposure of Sensitive Information to an Unauthorized Actor in follow-redirectsfollow-redirectsnode_modules/follow-redirectsnpm auditadvisory link medium

The minimist vulnerability was addressed by https://gerrit.wikimedia.org/r/812928 . The ansi2html vulnerability is being addressed in https://gerrit.wikimedia.org/r/815381 . The others (glob-parent, ansi-regex, follow-redirects) are due to outdated dependencies upstream in netlify-cli, and npm audit fix is unable to fix them other than through the same unhelpful downgrade it suggests for got above. We'll have to wait for upstream and its dependencies to address these. Thankfully netlify-cli is only used in a CI job.

The general summary of the above tools and policy results are:

  1. In packages/codex/src/components/icon/Icon.test.ts user controlled data in methods like innerHTML, outerHTML or document.write is an anti-pattern that can lead to XSS vulnerabilities. low risk

This is in a test file, so users can't run it, and the data is static (not user-controlled).

  1. In packages/codex/src/components/icon/Icon.vue dynamically rendering arbitrary HTML can be dangerous because it can easily lead to XSS vulnerabilities. low risk

Agreed, this is a real risk, but in the context of this code it's a low risk.

  1. In packages/codex/src/utils/stringHelpers.ts RegExp() called with a variable, this might allow an attacker to DOS your application with a long-running regular expression. low risk

This constructs a RegExp with user input, but escapes that user input first, and does not allow the user to make the RegExp's execution run longer.

  1. In packages/codex-docs/docgen.config.js possible writing outside of the destination, make sure that the target path is nested in the intended destination. low risk

This builds paths based on existing file names, not used input, so this should be fine.

  1. In packages/codex-docs/docs/templates/methods.js user controlled data in a HTML string may result in XSS. low risk

This file generates HTML-like Markdown syntax, and as far as I can tell all input data (which is not directly user-controlled, but extracted from other source files) is escaped.

  1. In packages/codex-icons/buildIconsJson.js a variable is present in the filename argument of fs calls, this might allow an attacker to access anything on your system. low risk

This file can only be run from the command line, and the variable in question is __dirname (the directory where the file lives), so that seems fine.

Closing this task as we've mitigated everything that can reasonably be mitigated. For some of these vulnerable dependencies in netlify-cli we'll unfortunately have to wait for upstream (or their upstream) to address them.

gerritbot added a comment.Jul 20 2022, 2:32 PM

Change 815381 merged by jenkins-bot:

[design/codex@main] build: Update netlify-cli to v10.10.2

https://gerrit.wikimedia.org/r/815381

Maintenance_bot removed a project: Patch-For-Review.Jul 20 2022, 3:30 PM
sbassett moved this task from Waiting to Our Part Is Done on the secscrum board.Jul 25 2022, 5:20 PM
mmartorana added a comment.Aug 30 2022, 10:21 AM

Hi @Catrope - thanks for fixing the issues.

I agree with your analysis of the semgrep findings.

Let me know if you need anything else.

Jdrewniak mentioned this in T327807: Application Security Review Request : Vector 2022.Jan 24 2023, 6:37 PM
Catrope mentioned this in T328163: Application Security Review Request : VueTest extension (proposed for beta cluster deployment only).Jan 27 2023, 7:40 PM
Jdforrester-WMF removed a parent task: T310240: Remove Vue version of GlobalWatchlist with its WVUI dependency.Apr 27 2023, 1:12 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits