Page MenuHomePhabricator

Most method information in taint-check has been lost by namespacing classes
Closed, ResolvedPublicSecurity


I'm filing this as a security task just in case.

As part of T166010, lots of classes have been moved around and namespaced. Taint-check hardcodes the taintedness information of many MW methods by FQSEN. This logic does not support class aliases, and the FQSENs in taint-check have not been updated. In practice, this means that taint-check no longer knows about "dangerous" methods in MediaWiki. Some hand-tested examples of this:

  • OutputPage::addHTML is no longer treated as outputting stuff
  • Same for other methods in OutputPage
  • WebRequest::getVal is no longer treated as returning a user-controlled value
  • Some for the other million getters in WebRequest
  • Data about which parameters are safe and which aren't in the various Html:: and Xml:: methods got lost

In practice, this means that XSS detection is pretty much disabled in CI.

Things that could be done:

  1. Adding the new FQSENs to taint-check
  2. Making taint-check read class aliases
  3. Moving the taintedness data to @param-taint and @return-taint annotations in core (T321806)

I believe 3. is the only correct long-term solution. 2. is probably good to have regardless of this (the question is whether it should respect phan's enable_class_alias_support config option). 1. could be done as a temporary measure while we migrate everything.

Another side effect of this bug is that unused suppressions may start appearing all over the place. r960135 is an example where taint-check no longer knows that $querypattern, coming from $request->getVal() is user-controlled. Others I've seen lately: r959874, r958027.


Risk Rating
Author Affiliation
Wikimedia Communities

Event Timeline

Daimona triaged this task as Unbreak Now! priority.Sep 23 2023, 1:50 AM
Daimona added a project: MediaWiki-General.

Tentatively setting priority to unbreak now. I will take a closer look tomorrow.

I'm working on this, but tagging T321806 in my patches.

One thing worth noting is that even without the hardcoded data, taint-check is sometimes able to infer whether a method is safe/unsafe on its own. However, whether that works in every specific case is bound to a number of factors like the depth of the call stack and possibly the order in which classes are analyzed. At any rate, that's not what we want for critical methods such as OutputPage::addHTML.

Also just realized that some of these have been broken for months. For instance, the Html class was namespaced in February.

My patches up to should be enough to address all the methods whose class was recently namespaced. I will continue working on T321806 and add annotations to the remaining methods, but that's not needed for this task.

Daimona renamed this task from Most method information in taint-check has been broken by namespacing classes to Most method information in taint-check has been lost by namespacing classes.Sep 23 2023, 5:59 PM

This was done, and now we have a test in MW core to make sure it won't happen again.

@sbassett Could you please make this public now?

Thanks for catching this and doing the cleanup @Daimona!

sbassett changed Author Affiliation from N/A to Wikimedia Communities.Sep 25 2023, 7:46 PM
sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".
sbassett changed the edit policy from "Custom Policy" to "All Users".
sbassett changed Risk Rating from N/A to Medium.
sbassett edited projects, added SecTeam-Processed; removed Security-Team.