Page MenuHomePhabricator
Create Task
Maniphest T326946

CVE-2020-36649: Bundled PapaParse copy in VisualEditor has known ReDos
Closed, ResolvedPublicSecurity
Actions

Description

(Note it's a CVE-2020 ID, but it was only published in 2023):

VisualEditor bundles a copy of PapaParse (lib/ve/lib/papaparse/papaparse.js).

There was a report about a ReDoS vulnerability for it: https://github.com/mholt/PapaParse/issues/777
The fix is https://github.com/mholt/PapaParse/commit/235a12758cd77266d2e98fd715f53536b34ad621

We should include the patch (or upgrade to 5.3.0, didn't study the other changes between 5.1.0 and 5.3.0)

Details

Risk Rating
Low
Author Affiliation
WMF Technology Dept
Show related patches Customize query in gerrit

Related Objects
Search...

Event Timeline

MoritzMuehlenhoff created this task.Jan 13 2023, 11:30 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJan 13 2023, 11:30 AM
MoritzMuehlenhoff added a project: VisualEditor.Jan 13 2023, 11:30 AM
sbassett added a project: Vuln-VulnComponent.Jan 13 2023, 3:24 PM
matmarex added subscribers: matmarex, Esanders, DLynch, dchan.Jan 13 2023, 11:32 PM
sbassett moved this task from Incoming to Watching on the Security-Team board.Jan 17 2023, 5:18 PM
sbassett added a project: SecTeam-Processed.
sbassett added a subscriber: Reedy.
Esanders added a comment.Jan 17 2023, 5:32 PM

Everything appears to work fine with an upgrade to 5.3.2. Do I need to prepare it as a security patch, or just submit it normally?

sbassett subscribed.Jan 17 2023, 5:43 PM
In T326946#8531743, @Esanders wrote:

Everything appears to work fine with an upgrade to 5.3.2. Do I need to prepare it as a security patch, or just submit it normally?

Does that basically just involve building the new version for VE's lib directory and maybe updating some READMEs? If so, I would think that could just go through gerrit and maybe get picked to 1.40.0-wmf.19 today? Unless @Reedy et al would prefer we keep this a bit more secure and get it deployed via a security patch and officially track it for the next security release.

Reedy added a comment.Jan 17 2023, 6:27 PM

How/where does VE actually use this code? Is it (trivially/unlikely/impossible) to execute code in the PapaParse library that would be run through that regex?

Just helps gauge the potential way of going around it.

For example, if VE never executes that code (which can happen with larger libraries and dependancies), it's could be done as a trivial lib bump in Gerrit.

But if it's a critical code path in VE, and it's used everywhere all the time, we might want to be more cautious.

As it's a CSV parser, I'm guessing it's probably somewhere in between. Likely not executed much, but it would be possible to exploit the ReDos as the code can be/is used when CSV stuff is in play?

Looks like we're using the same version (at least) back to REL1_35, so the backport should be relatively trivial (though submodule bumps etc make it a little more involved... But there's scripts in the repos to help).

DLynch added a comment.Jan 17 2023, 6:45 PM

I think it's only used in ve.ui.DSVFileTransferHandler, so it'll only trigger when an upload actually happens. I.e. you'd actually need to get someone to drag-drop a malicious file onto a VE window before this could be exploited.

Reedy added a comment.Jan 18 2023, 9:34 AM

Presumably that’s when they’re uploading a csv to turn into a table or similar?

Esanders added a comment.Jan 26 2023, 2:26 PM

Yes, if you drag a drop a CSV file into VE it will convert it into a table automatically.

Esanders added a comment.Jan 26 2023, 2:26 PM
In T326946#8531783, @sbassett wrote:
In T326946#8531743, @Esanders wrote:

Everything appears to work fine with an upgrade to 5.3.2. Do I need to prepare it as a security patch, or just submit it normally?

Does that basically just involve building the new version for VE's lib directory and maybe updating some READMEs?

Yes

Esanders added a comment.Jan 26 2023, 2:30 PM

patch.diff14 KBDownload

Esanders added a comment.Jan 26 2023, 2:30 PM

Happy to push this publicly or let it be dealt with securely.

MoritzMuehlenhoff added a comment.Jan 26 2023, 2:33 PM
In T326946#8561100, @Esanders wrote:

Yes, if you drag a drop a CSV file into VE it will convert it into a table automatically.

In this case we don't really have any security impact, right? This essentially means that if someone uploads a botched CSV, they'd slow down their own browser tab/VE session for a bit, but nothing more.

sbassett added a comment.Jan 26 2023, 10:26 PM
In T326946#8561128, @MoritzMuehlenhoff wrote:

In this case we don't really have any security impact, right? This essentially means that if someone uploads a botched CSV, they'd slow down their own browser tab/VE session for a bit, but nothing more.

It's very low-risk, for sure. I'd personally be fine with it going through gerrit unless anyone has serious objections.

matmarex added a comment.Jan 26 2023, 11:30 PM

Doing it in public on Gerrit sounds okay to me.

Can we make this task public as well?

Reedy added a comment.Jan 27 2023, 6:35 AM
In T326946#8563433, @matmarex wrote:

Can we make this task public as well?

I can't see why not...

Would be good to note in the commit summary the CVE number (for traceability), along with why we consider it low risk (so people don't have to read the task for info).

MoritzMuehlenhoff added a comment.Jan 27 2023, 11:03 AM
In T326946#8563433, @matmarex wrote:

Doing it in public on Gerrit sounds okay to me.

Can we make this task public as well?

+1 to handling on Gerrit and opening the task.

matmarex added a comment.Jan 27 2023, 11:58 AM

Okay, can you make this task public? ;) I don't have the permissions.

sbassett triaged this task as Medium priority.Jan 27 2023, 2:17 PM
sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".
sbassett changed the edit policy from "Custom Policy" to "All Users".
sbassett changed Risk Rating from N/A to Low.
sbassett added a subscriber: gerritbot.
matmarex added a project: Editing-team (Kanban Board).Jan 27 2023, 3:29 PM
gerritbot added a comment.Jan 30 2023, 10:31 AM

Change 884839 had a related patch set uploaded (by Esanders; author: Esanders):

[VisualEditor/VisualEditor@master] Update papaparse to 5.3.2

https://gerrit.wikimedia.org/r/884839

gerritbot added a project: Patch-For-Review.Jan 30 2023, 10:31 AM
gerritbot added a comment.Jan 30 2023, 4:12 PM

Change 884839 merged by jenkins-bot:

[VisualEditor/VisualEditor@master] Update papaparse to 5.3.2

https://gerrit.wikimedia.org/r/884839

gerritbot added a comment.Jan 30 2023, 4:16 PM

Change 884925 had a related patch set uploaded (by Bartosz Dziewoński; author: Bartosz Dziewoński):

[mediawiki/extensions/VisualEditor@master] Update VE core submodule to master (6ed9b00f1)

https://gerrit.wikimedia.org/r/884925

gerritbot added a comment.Jan 30 2023, 4:16 PM

Change 884505 had a related patch set uploaded (by Reedy; author: Esanders):

[VisualEditor/VisualEditor@REL1_39] Update papaparse to 5.3.2

https://gerrit.wikimedia.org/r/884505

gerritbot added a comment.Jan 30 2023, 4:17 PM

Change 884926 had a related patch set uploaded (by Reedy; author: Esanders):

[VisualEditor/VisualEditor@REL1_38] Update papaparse to 5.3.2

https://gerrit.wikimedia.org/r/884926

gerritbot added a comment.Jan 30 2023, 4:17 PM

Change 884927 had a related patch set uploaded (by Reedy; author: Esanders):

[VisualEditor/VisualEditor@REL1_35] Update papaparse to 5.3.2

https://gerrit.wikimedia.org/r/884927

gerritbot added a comment.Jan 30 2023, 4:21 PM

Change 884505 merged by jenkins-bot:

[VisualEditor/VisualEditor@REL1_39] Update papaparse to 5.3.2

https://gerrit.wikimedia.org/r/884505

gerritbot added a comment.Jan 30 2023, 4:21 PM

Change 884926 merged by jenkins-bot:

[VisualEditor/VisualEditor@REL1_38] Update papaparse to 5.3.2

https://gerrit.wikimedia.org/r/884926

gerritbot added a comment.Jan 30 2023, 4:22 PM

Change 884927 merged by jenkins-bot:

[VisualEditor/VisualEditor@REL1_35] Update papaparse to 5.3.2

https://gerrit.wikimedia.org/r/884927

gerritbot added a comment.Jan 30 2023, 4:32 PM

Change 884925 merged by jenkins-bot:

[mediawiki/extensions/VisualEditor@master] Update VE core submodule to master (6ed9b00f1)

https://gerrit.wikimedia.org/r/884925

ReleaseTaggerBot added a project: MW-1.40-notes (1.40.0-wmf.21; 2023-01-30).Jan 30 2023, 5:00 PM
gerritbot added a comment.Jan 30 2023, 5:01 PM

Change 884537 had a related patch set uploaded (by Reedy; author: Reedy):

[mediawiki/extensions/VisualEditor@master] Update VE core submodule to origin/REL1_35

https://gerrit.wikimedia.org/r/884537

gerritbot added a comment.Jan 30 2023, 5:02 PM

Change 884538 had a related patch set uploaded (by Reedy; author: Reedy):

[mediawiki/extensions/VisualEditor@master] Update VE core submodule to origin/REL1_38

https://gerrit.wikimedia.org/r/884538

gerritbot added a comment.Jan 30 2023, 5:03 PM

Change 884539 had a related patch set uploaded (by Reedy; author: Reedy):

[mediawiki/extensions/VisualEditor@master] Update VE core submodule to origin/REL1_39

https://gerrit.wikimedia.org/r/884539

gerritbot added a comment.Jan 30 2023, 5:19 PM

Change 884540 had a related patch set uploaded (by Reedy; author: Reedy):

[mediawiki/extensions/VisualEditor@REL1_39] Update VE core submodule to origin/REL1_39

https://gerrit.wikimedia.org/r/884540

gerritbot added a comment.Jan 30 2023, 5:19 PM

Change 884539 abandoned by Reedy:

[mediawiki/extensions/VisualEditor@master] Update VE core submodule to origin/REL1_39

Reason:

https://gerrit.wikimedia.org/r/884539

gerritbot added a comment.Jan 30 2023, 5:21 PM

Change 884541 had a related patch set uploaded (by Reedy; author: Reedy):

[mediawiki/extensions/VisualEditor@REL1_38] Update VE core submodule to origin/REL1_38

https://gerrit.wikimedia.org/r/884541

gerritbot added a comment.Jan 30 2023, 5:21 PM

Change 884538 abandoned by Reedy:

[mediawiki/extensions/VisualEditor@master] Update VE core submodule to origin/REL1_38

Reason:

https://gerrit.wikimedia.org/r/884538

gerritbot added a comment.Jan 30 2023, 5:22 PM

Change 884542 had a related patch set uploaded (by Reedy; author: Reedy):

[mediawiki/extensions/VisualEditor@REL1_35] Update VE core submodule to origin/REL1_35

https://gerrit.wikimedia.org/r/884542

gerritbot added a comment.Jan 30 2023, 5:23 PM

Change 884537 abandoned by Reedy:

[mediawiki/extensions/VisualEditor@master] Update VE core submodule to origin/REL1_35

Reason:

https://gerrit.wikimedia.org/r/884537

gerritbot added a comment.Jan 30 2023, 5:30 PM

Change 884541 merged by jenkins-bot:

[mediawiki/extensions/VisualEditor@REL1_38] Update VE core submodule to origin/REL1_38

https://gerrit.wikimedia.org/r/884541

gerritbot added a comment.Jan 30 2023, 5:30 PM

Change 884540 merged by jenkins-bot:

[mediawiki/extensions/VisualEditor@REL1_39] Update VE core submodule to origin/REL1_39

https://gerrit.wikimedia.org/r/884540

gerritbot added a comment.Jan 30 2023, 5:31 PM

Change 884542 merged by jenkins-bot:

[mediawiki/extensions/VisualEditor@REL1_35] Update VE core submodule to origin/REL1_35

https://gerrit.wikimedia.org/r/884542

Maintenance_bot removed a project: Patch-For-Review.Jan 30 2023, 5:31 PM
matmarex added a comment.Jan 30 2023, 6:11 PM

Thanks for the backports @Reedy, looks like that's all.

matmarex moved this task from Incoming to Ready for Sign Off on the Editing-team (Kanban Board) board.Jan 30 2023, 6:11 PM
sbassett added a parent task: T325840: Tracking bug for MediaWiki 1.35.10/1.38.6/1.39.3.Feb 13 2023, 4:24 PM
sbassett mentioned this in T325840: Tracking bug for MediaWiki 1.35.10/1.38.6/1.39.3.
ppelberg closed this task as Resolved.Feb 18 2023, 2:02 AM
ppelberg claimed this task.
Reedy reassigned this task from ppelberg to Esanders.Mar 29 2023, 1:31 PM
Reedy added a subscriber: ppelberg.
Reedy renamed this task from CVE-2020-36649: PapaParse copy in VisualEditor to CVE-2020-36649: Bundled PapaParse copy in VisualEditor has known ReDos.Mar 30 2023, 10:45 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits