Page MenuHomePhabricator
Create Task
Maniphest T347220

Most method information in taint-check has been lost by namespacing classes
Closed, ResolvedPublicSecurity
Actions

Description

I'm filing this as a security task just in case.

As part of T166010, lots of classes have been moved around and namespaced. Taint-check hardcodes the taintedness information of many MW methods by FQSEN. This logic does not support class aliases, and the FQSENs in taint-check have not been updated. In practice, this means that taint-check no longer knows about "dangerous" methods in MediaWiki. Some hand-tested examples of this:

  • OutputPage::addHTML is no longer treated as outputting stuff
  • Same for other methods in OutputPage
  • WebRequest::getVal is no longer treated as returning a user-controlled value
  • Some for the other million getters in WebRequest
  • Data about which parameters are safe and which aren't in the various Html:: and Xml:: methods got lost

In practice, this means that XSS detection is pretty much disabled in CI.

Things that could be done:

  1. Adding the new FQSENs to taint-check
  2. Making taint-check read class aliases
  3. Moving the taintedness data to @param-taint and @return-taint annotations in core (T321806)

I believe 3. is the only correct long-term solution. 2. is probably good to have regardless of this (the question is whether it should respect phan's enable_class_alias_support config option). 1. could be done as a temporary measure while we migrate everything.

Another side effect of this bug is that unused suppressions may start appearing all over the place. r960135 is an example where taint-check no longer knows that $querypattern, coming from $request->getVal() is user-controlled. Others I've seen lately: r959874, r958027.

Details

Risk Rating
Medium
Author Affiliation
Wikimedia Communities

Related Objects
Search...

Event Timeline

Daimona created this task.Sep 23 2023, 1:49 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptSep 23 2023, 1:49 AM
Daimona triaged this task as Unbreak Now! priority.Sep 23 2023, 1:50 AM
Daimona added a project: MediaWiki-General.

Tentatively setting priority to unbreak now. I will take a closer look tomorrow.

Daimona added a parent task: T166010: The Great Namespaceization Effort.Sep 23 2023, 1:50 AM
Daimona added a subtask: T321806: Move hardcoded taintedness data from taint-check to annotations in MW core.Sep 23 2023, 12:21 PM
Daimona claimed this task.Sep 23 2023, 12:59 PM

I'm working on this, but tagging T321806 in my patches.

Daimona added a comment.Sep 23 2023, 2:42 PM

One thing worth noting is that even without the hardcoded data, taint-check is sometimes able to infer whether a method is safe/unsafe on its own. However, whether that works in every specific case is bound to a number of factors like the depth of the call stack and possibly the order in which classes are analyzed. At any rate, that's not what we want for critical methods such as OutputPage::addHTML.

Daimona added a comment.Sep 23 2023, 3:22 PM

Also just realized that some of these have been broken for months. For instance, the Html class was namespaced in February.

Daimona added a project: Patch-For-Review.Sep 23 2023, 4:32 PM

My patches up to https://gerrit.wikimedia.org/r/c/mediawiki/core/+/960173 should be enough to address all the methods whose class was recently namespaced. I will continue working on T321806 and add annotations to the remaining methods, but that's not needed for this task.

Daimona renamed this task from Most method information in taint-check has been broken by namespacing classes to Most method information in taint-check has been lost by namespacing classes.Sep 23 2023, 5:59 PM
Jdforrester-WMF added a subscriber: Jdforrester-WMF.Sep 25 2023, 3:07 PM
Daimona closed this task as Resolved.Sep 25 2023, 4:04 PM

This was done, and now we have a test in MW core to make sure it won't happen again.

Daimona added a subscriber: sbassett.Sep 25 2023, 4:04 PM

@sbassett Could you please make this public now?

Daimona removed a project: Patch-For-Review.Sep 25 2023, 7:39 PM
matmarex added a subscriber: matmarex.Sep 25 2023, 7:44 PM

Thanks for catching this and doing the cleanup @Daimona!

sbassett changed Author Affiliation from N/A to Wikimedia Communities.Sep 25 2023, 7:46 PM
sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".
sbassett changed the edit policy from "Custom Policy" to "All Users".
sbassett changed Risk Rating from N/A to Medium.
sbassett edited projects, added SecTeam-Processed; removed Security-Team.
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL