
[SPIKE] Investigate viability of adding logging to the Graph extension to detect security exploits
Closed, Declined (Public)

Description

This task involves the work of investigating the viability of adding logging to the Graph extension so that we can increase our:

  1. Awareness of instances where people are exploiting the security vulnerabilities inherent in restoring support for Vega on our platform
  2. Ability to respond to and mitigate security vulnerabilities in the event that they're exploited

Decision(s) to be made

  1. To what extent – if any – will we introduce logging into the Graph Extension to detect security exploits?

Event Timeline

I would suggest maybe defining a threat model for the extension before determining mitigation strategies like logging, as it would probably inform what is and isn't viable here. (Perhaps this has already been done privately)

The threat model is someone finding a browser bug or (more likely) a MediaWiki bug that can be used to break out of the iframe sandbox, and performing a stored XSS using some Vega vulnerability. Or unsuccessfully attempting the same. (I guess the latter can be monitored via CSP reporting to some extent.)

@ppelberg - As @Bawolff suggests above and @Tgr further discusses, the Security-Team would be happy to help develop a formal threat-model for the ext:Graph infrastructure, if there is perceived value here. We have our own, internal process for this that typically leverages the STRIDE framework. We generally do recommend threat-modeling for more complex, potentially problematic systems, as it often serves as a means to elicit, formally document and plan mitigations for as many threats as possible.