
Add CSP for Fundraiseup on DonateWiki
Closed, Resolved (Public)

Description

@Pcoombe added FRUP JavaScript to the DonateWiki page and it seems there are some errors due to CSP.

It seems the required link is: 'https://fndrsp.net/tb'

[Report Only] Refused to connect to 'https://fndrsp.net/tb' because it violates the following Content Security Policy directive: "default-src 'self' data: blob: upload.wikimedia.org https://commons.wikimedia.org *.wikimedia.org *.wikipedia.org *.wikinews.org *.wiktionary.org *.wikibooks.org *.wikiversity.org *.wikisource.org wikisource.org *.wikiquote.org *.wikidata.org *.wikifunctions.org *.wikivoyage.org *.mediawiki.org wikimedia.org". Note that 'connect-src' was not explicitly set, so 'default-src' is used as a fallback.

Event Timeline

Is this to be added on donate wiki or payments wiki? If it is donate wiki then this needs to go to the prod group since we don't have access to the CSP for that side.

It's on donate wiki. We'll also need at least cdn.fundraiseup.com and static.fundraiseup.com. Probably safest to just add *.fundraiseup.com

On looking a bit more, it turns out this is actually report only so the connections can be made. However we will probably want to add exceptions anyway to avoid the report spam.
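The two mechanics the report and the comments above turn on (an unset connect-src falling back to default-src, and a Report-Only policy that reports but does not block) are shown below in a small source-list matcher. This is an added example, not code from the task, from MediaWiki's CSP implementation or from any browser. It assumes donatewiki's page origin is https://donate.wikimedia.org and that the fix simply appends `fndrsp.net *.fundraiseup.com` to the quoted policy; the merged change itself is not quoted on this page.

```javascript
// Added example, not code from the task, MediaWiki or any browser: a small
// CSP source-list matcher that reproduces the behaviour behind the report in
// the task description. It covers only what that report needs: the 'self'
// keyword, scheme-only sources (data:, blob:), host-sources with an optional
// scheme and a leading "*." wildcard, and the rule that a fetch directive
// that is not set (connect-src here) falls back to default-src.
// Ports and paths in host-sources are accepted by the parser but ignored.

// Policy exactly as quoted in the report-only violation in the task.
const ORIGINAL_POLICY =
  "default-src 'self' data: blob: upload.wikimedia.org https://commons.wikimedia.org " +
  "*.wikimedia.org *.wikipedia.org *.wikinews.org *.wiktionary.org *.wikibooks.org " +
  "*.wikiversity.org *.wikisource.org wikisource.org *.wikiquote.org *.wikidata.org " +
  "*.wikifunctions.org *.wikivoyage.org *.mediawiki.org wikimedia.org";

// Assumed shape of the fix discussed in the thread (the merged change itself
// is not quoted on the page): append the two FundraiseUp source expressions.
const PATCHED_POLICY = ORIGINAL_POLICY + " fndrsp.net *.fundraiseup.com";

// Assumed page origin for donatewiki.
const DONATEWIKI_ORIGIN = "https://donate.wikimedia.org";

// Parse "directive src src; directive src ..." into Map<directive, sources[]>.
// The first occurrence of a directive wins, as in the CSP spec.
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources);
    }
  }
  return directives;
}

const SCHEME_ONLY = /^[a-z][a-z0-9+.-]*:$/i;
const HOST_SOURCE =
  /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([a-z0-9-]+(?:\.[a-z0-9-]+)*)(?::(?:\d+|\*))?(?:\/.*)?$/i;

// Does one source expression allow `url` when the page origin is `self`?
function sourceMatches(source, url, self) {
  if (source === "'self'") return url.origin === self.origin;
  if (source === "'none'") return false;
  if (SCHEME_ONLY.test(source)) return url.protocol === source.toLowerCase();

  const m = HOST_SOURCE.exec(source);
  if (!m) return false; // nonces, hashes etc. do not apply to connect-src
  const [, scheme, wildcard, host] = m;

  if (scheme) {
    if (url.protocol !== scheme.toLowerCase() + ":") return false;
  } else if (url.protocol !== self.protocol && url.protocol !== "https:") {
    // No scheme in the source: the page's own scheme, or its https upgrade.
    return false;
  }

  const target = url.hostname.toLowerCase();
  const base = host.toLowerCase();
  // "*.example.org" matches subdomains only, never "example.org" itself,
  // which is why the policy lists both *.wikimedia.org and wikimedia.org.
  return wildcard ? target.endsWith("." + base) : target === base;
}

// Is `url` allowed by `directive`, with the default-src fallback applied?
function isAllowed(policy, directive, url, self) {
  const d = parsePolicy(policy);
  const sources = d.get(directive) ?? d.get("default-src");
  if (sources === undefined) return true; // nothing governs it: unrestricted
  return sources.some((s) => sourceMatches(s, url, self));
}

// The case in the task: an XHR/fetch issued from a donatewiki page.
function connectAllowed(policy, target, pageOrigin = DONATEWIKI_ORIGIN) {
  return isAllowed(policy, "connect-src", new URL(target), new URL(pageOrigin));
}

// Whether a violation of the policy carried in `headerName` blocks the request.
// Content-Security-Policy-Report-Only only reports, which is why the
// fndrsp.net connection still went through and only produced console noise.
function violationBlocks(headerName) {
  return headerName.trim().toLowerCase() === "content-security-policy";
}

// Demonstration when run directly: node csp_check.js
if (typeof require !== "undefined" && require.main === module) {
  for (const [label, policy] of [["original", ORIGINAL_POLICY], ["patched", PATCHED_POLICY]]) {
    for (const u of ["https://fndrsp.net/tb", "https://cdn.fundraiseup.com/x.js", "https://fundraiseup.com/"]) {
      console.log(label, u, connectAllowed(policy, u) ? "allowed" : "refused");
    }
  }
}
```

Note what the wildcard check shows: `*.fundraiseup.com` covers cdn.fundraiseup.com and static.fundraiseup.com but not the bare apex fundraiseup.com, exactly as `*.wikimedia.org` in the quoted policy needed a separate `wikimedia.org` entry. If the vendor script ever talks to its apex domain, that entry has to be listed explicitly.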

AKanji-WMF claimed this task.
AKanji-WMF moved this task from Triage to Next on the Fundraising-Backlog board.
AKanji-WMF subscribed.

Closing after discussion in triage; this is on donatewiki

Ejegg added subscribers: sguebo_WMF, Reedy, Ejegg.

This was closed by fr-tech-ops because it's not on their server. Reopening it to associate a mediawiki-config gerrit patch and get sign-off from Security team for the addition to the CSP (I'm assuming they already approved the actual integration while I was on sabbatical). @sguebo_WMF and @Reedy please let me know if I should tag any Security people not named Sam.

Change 957983 had a related patch set uploaded (by Ejegg; author: Ejegg):

[operations/mediawiki-config@master] Allow FundraiseUp scripts in Donatewiki CSP

https://gerrit.wikimedia.org/r/957983

@Pcoombe I've put up a mediawiki-config patch for review to add fndrsp.net and *.fundraiseup.com.

Adding a custom CSP for donatewiki is also an opportunity to lock down the CSP a bit further than the current settings, which allow loading scripts from basically any foundation-controlled domain (and therefore a lot of user content). Do we want to remove anything from that default-src list in the task description?

Thanks @Ejegg. I don't think there's a need to remove any of the other sites.

> ... and get sign-off from Security team for the addition to the CSP (I'm assuming they already approved the actual integration while I was on sabbatical). @sguebo_WMF and @Reedy please let me know if I should tag any Security people not named Sam.

Per our Slack conversation, I don't believe this happened. I believe this went through a brief legal review, but the Privacy Engineering and Security Team AppSec teams were not informed that we needed to review anything.

Hi @Sbasset, I just heard from @ERoden-WMF that the initial security review was done by @Aprum / @aranyap. I see @JFishback_WMF and @KHurd-WMF CC'ed on those communications as well. I hope that helps!

Hi @Ejegg thanks for bringing this to our attention. I initially conducted a privacy review for Fundraise Up and deemed it to be a low risk for the particular use-case that was specified by @ERoden-WMF . As for any additional integrations, I'll need to consult with @JFishback_WMF and @samuelguebo to determine whether this needs further review. I'll update here once I get more info. Thanks!

Hi @aranyap, we're still talking about the same use case - only loading the Fundraise Up scripts for people who choose to donate. So this ticket is limited to just changing the CSP headers on donatewiki, no other foundation sites.

You both are correct @Ejegg and @sbassett, a review was done, but not this type of review. I'll explain.

The scripts were not reviewed and are not a part of security reviews for potential new vendors.

The ticket that is being referred to is the security review that is completed for all new vendors and renewal contracts with vendors. It includes a vendor review (review of security posture, SOC 2 Type II certifications, ISO 27001 certifications, etc.) and a privacy review (which includes checking for what kind of data will be used/collected, does it include PII, etc.). Script reviews are never a part of this type of review.

From what I understand, to get a script review, a team would need to enter a Phab ticket and tag the Security Team AppSec team for review.

Hope this makes sense and please correct me, if I'm wrong.

> to get a script review, a team would need to enter a Phab ticket and tag the Security Team AppSec team for review.

Per steps linked from https://phabricator.wikimedia.org/tag/application_security_reviews/ this should be a separate (sub)task by filling out the form, I'd say.

Hi, given the comment at https://phabricator.wikimedia.org/T347104#9197120 that the security review could be non-blocking, is it possible to proceed with the CSP change?

> Hi, given the comment at https://phabricator.wikimedia.org/T347104#9197120 that the security review could be non-blocking, is it possible to proceed with the CSP change?

Sure, we can review the CSP change on gerrit - I've already left some comments on the change set.

Hi @sbassett -- I'm following up on Peter's note, is there an update to the CSP change? Thanks

@sbassett Thanks for your prompt answer, I have a follow up question: when does the production config deploy happen? Is this also under your team? Apologies for the ignorance, I'm looking at how to help coordinating.

@MSuijkerbuijk_WMF it sounds like @sbassett wants @greg and @Lgruwell-WMF to acknowledge that the security department has assessed FundraiseUp's code as high risk, and confirm they want to move forward with it.

@greg and @Lgruwell-WMF do you want to weigh in here?

Regarding the actual vendor code, I believe we'd need to rate that as high risk for now, given some of the issues with the vendor, which Greg and Lisa would need to accept.

I spoke with @acooper today and we are comfortable moving forward with this change after receiving the policy and assessment documents from FundraiseUp. This is now a medium risk instead of high.

Change 957983 merged by jenkins-bot:

[operations/mediawiki-config@master] Allow FundraiseUp scripts in Donatewiki CSP

https://gerrit.wikimedia.org/r/957983

Mentioned in SAL (#wikimedia-operations) [2023-10-12T20:15:12Z] <dr0ptp4kt@deploy2002> Started scap: Backport for [[gerrit:957983|Allow FundraiseUp scripts in Donatewiki CSP (T345379)]]

Mentioned in SAL (#wikimedia-operations) [2023-10-12T20:16:27Z] <dr0ptp4kt@deploy2002> dr0ptp4kt and ejegg: Backport for [[gerrit:957983|Allow FundraiseUp scripts in Donatewiki CSP (T345379)]] synced to the testservers (https://wikitech.wikimedia.org/wiki/Mwdebug)

Mentioned in SAL (#wikimedia-operations) [2023-10-12T20:22:53Z] <dr0ptp4kt@deploy2002> Finished scap: Backport for [[gerrit:957983|Allow FundraiseUp scripts in Donatewiki CSP (T345379)]] (duration: 07m 40s)

Deployed, verified I see the frup domains listed in our CSP header response.

Also verified that there's no more CSP report messages in the browser console. Thanks everyone!

greg triaged this task as High priority. Oct 17 2023, 4:51 PM
XenoRyet set Final Story Points to 4.