
Request to install Extension:Upload Wizard on id-internal.wikimedia.org
Closed, Declined · Public

Description

id-internal.wikimedia.org is the internal wiki of Wikimedia Indonesia, where we upload legal documents of the organization and invoices, which contain private data of our members. In order to keep that data up to date, we need to do a lot of migration of documents that have already been scanned and are located on our local computers to be uploaded to the site, and most of the time we need to do it in bulk. Therefore, we need to install Extension:Upload Wizard on id-internal.wikimedia.org.

Event Timeline

@Fexpr: In the future, please follow https://meta.wikimedia.org/wiki/Requesting_wiki_configuration_changes when requesting such site configuration changes. Thanks!

Change 788812 had a related patch set uploaded (by Stang; author: Stang):

[operations/mediawiki-config@master] id_internalwikimedia: Enable extension UploadWizard

https://gerrit.wikimedia.org/r/788812

Stang changed the task status from Open to Stalled. · May 4 2022, 8:40 AM

Per the comment on Gerrit, UploadWizard needs to be verified as safe before deployment, as id_internalwikimedia is a private site.

Stang changed the task status from Stalled to Open. · May 8 2022, 12:13 AM
Stang added a project: Security-Team.

I'm not sure if it's an appropriate tag, but IMO this task needs attention from the security team.

@mmartorana is looking into this, but I'd note that, per the patch above, ext:Upload_Wizard already appears enabled in Wikimedia production on rowiki, testwiki, commonswiki, donatewiki and foundationwiki. I don't see any sort of recent application security review within Phabricator for it though.

Hi,

The Extension:Upload_Wizard has not undergone any manual security review, and since it is an extension that may present a large subset of risky vulnerabilities, we would like to review it before approving the deployment in other wikis.

Unfortunately, we are now in the process of performing reviews already booked, so we expect to review this next quarter.

Let me know if you have any additional enquiries.

Stang changed the task status from Open to Stalled. · May 24 2022, 3:15 PM

Thanks for the reply! Does a separate task need to be created for the review of extension Upload Wizard?

Hi,

Yes, you should file a new request using this form and we will triage it for next quarter's appsec reviews. You can also find additional information about the appsec review process.

Let me know if you need help.

sbassett triaged this task as Low priority.
sbassett removed a project: Patch-For-Review.
Stang changed the task status from Resolved to Declined. · Edited · Jul 17 2022, 6:46 PM
Stang removed Stang as the assignee of this task.
Stang removed a project: Wikimedia-Site-requests.
Stang subscribed.

Changed status to Declined since this extension is not actually deployed (on id_internalwikimedia), and it seems I failed to gather enough information when filling in the form to request a security review of UploadWizard. Anyone who is willing to process this in the future, please feel free to reopen this task.

The extension *is* actually deployed already, e.g. on donatewiki, so I'm curious why it would require a security review for a sixth deployment - is this a hard requirement documented somewhere (link welcome), e.g. based on some code complexity criteria?

Per https://gerrit.wikimedia.org/r/c/788812, the only reason is "id_internalwikimedia is a private wiki".

> The extension *is* actually deployed already, e.g. on donatewiki, so I'm curious why it would require a security review for a sixth deployment - is this a hard requirement documented somewhere (link welcome), e.g. based on some code complexity criteria?

Since the extension apparently never had a security review of any kind (unless someone can point me to a review in Phabricator or elsewhere), it seemingly bypassed that requirement. The requirement piece is documented within this section of the "writing an extension for deployment" documentation. If that is not deemed forceful enough to be considered a requirement, I'm happy to change the language so that it is. We also talk about this topic within the Application Security Review SOP in a roundabout way, within the "what type of project triggers a review" and "how are these requests prioritized" sections.

Change 788812 abandoned by Stang:

[operations/mediawiki-config@master] id_internalwikimedia: Enable extension UploadWizard

Reason:

per task

https://gerrit.wikimedia.org/r/788812