Page MenuHomePhabricator
Create Task
Maniphest T350253

Application Security Review Request: Extension:ReportIncident
Closed, ResolvedPublic
Actions

Description

Project Information

Description of the tool/project:

The ReportIncident extension allows users to report incidents of harassment and abuse.

High-level summary:

  • There's a new link in the "Tools" menus for Vector and Minerva, with the label "Report"
  • When viewing an enabled namespace (by default, user talk namespace), there will be an overflow menu adjacent to comments and topics that allows the user to click "Report"
  • After clicking "Report", a form shows with one step of guidance, and a second step where the user can select a username to report
  • After pressing "Report", we POST the contents to an API endpoint managed by the extension
  • The extension sends an email containing the report contents to configured email addresses
    • The report is not saved in a DB currently

See T337566: [EPIC]: Incident Reporting System - Minimal Testable Product (MTP) for the relevant tasks.

Probably the main thing to review is XSS in the form, and that we've sufficiently secured the API endpoint. We have defined some anti-abuse measures (T348322) but it's possible we've missed things.

Description of how the tool will be used at WMF:

Deployed to pilot wikis in February 2024, then wider rollout.

Dependencies

List dependencies, or upstream projects that this project relies on.

Soft dependency on DiscussionTools for integrating the entrypoint to the reporting form.

Has this project been reviewed before?

Please link to tasks or wiki pages of previous reviews.

No

Working test environment

Please link or describe setup process for setting up a test environment.

  • Use Patch Demo, and enable "ReportIncident" and optionally "Inbox" extension to see emails that the extension generates.
  • Visit any beta wiki as a logged-in user, look for the "Report" button in the tool menu, or in the overflow menu in DiscussionTools-enabled user talk pages

Post-deployment

Name of team responsible for tool/project after deployment and primary contact.

Trust and Safety Product Team @kostajh

Details

Risk Rating
Low
SubjectRepoBranchLines +/-
build: Update npm dependenciesmediawiki/extensions/ReportIncidentmaster+4 K -3 K
Customize query in gerrit

Related Objects
Search...

Event Timeline

kostajh created this task.Nov 1 2023, 12:13 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptNov 1 2023, 12:13 PM
kostajh added a project: Trust and Safety Product Team.Nov 1 2023, 12:13 PM
kostajh updated the task description. (Show Details)Nov 1 2023, 12:16 PM
kostajh added a subscriber: Madalina.
Restricted Application added a subscriber: Masumrezarock100. · View Herald TranscriptNov 1 2023, 12:16 PM
kostajh added a parent task: T346057: [EPIC] Define Incident Reporting System MVP.Nov 1 2023, 12:17 PM
kostajh updated the task description. (Show Details)
kostajh added a subscriber: TAdeleye_WMF.Nov 1 2023, 12:19 PM
kostajh added a project: Incident-Reporting-System.Nov 6 2023, 11:12 AM
Restricted Application added a project: Trust and Safety Tools Team Backlog. · View Herald TranscriptNov 6 2023, 11:12 AM
kostajh mentioned this in T341337: Request a security readiness review of Incident-Reporting-System.Nov 6 2023, 11:12 AM
sbassett moved this task from Incoming to Upcoming Quarter Planning Queue on the secscrum board.Nov 6 2023, 10:24 PM
sbassett subscribed.

This will tentatively be scheduled for review during the next quarter (2024-01-01 through 2024-03-31).

kostajh added a comment.Nov 15 2023, 8:16 PM
In T350253#9310764, @sbassett wrote:

This will tentatively be scheduled for review during the next quarter (2024-01-01 through 2024-03-31).

Thanks! We're hoping to deploy to testwiki sometime in February 2024, and to two pilot wikis in March 2024. (cc @Madalina)

sbassett claimed this task.Jan 9 2024, 5:25 PM
sbassett moved this task from Upcoming Quarter Planning Queue to In Progress on the secscrum board.
sbassett added a project: user-sbassett.
sbassett moved this task from Backlog to In Progress on the user-sbassett board.
sbassett added a comment.Jan 9 2024, 10:18 PM

Hey @kostajh - Is https://gerrit.wikimedia.org/r/plugins/gitiles/mediawiki/extensions/ReportIncident/+/refs/heads/master fairly stable for review? Or do you anticipate more changes prior to the expected February deploy to testwiki?

kostajh added a comment.Jan 10 2024, 6:53 AM
In T350253#9448334, @sbassett wrote:

Hey @kostajh - Is https://gerrit.wikimedia.org/r/plugins/gitiles/mediawiki/extensions/ReportIncident/+/refs/heads/master fairly stable for review? Or do you anticipate more changes prior to the expected February deploy to testwiki?

It's stable for review. We will make more changes in the next months, but we don't have a specific development plan for that yet.

sbassett added a comment.Jan 10 2024, 3:28 PM
In T350253#9448808, @kostajh wrote:

It's stable for review. We will make more changes in the next months, but we don't have a specific development plan for that yet.

The testwiki and other pilot deploys are still on schedule with the extension codebase as it exists now, correct?

Madalina added a comment.Jan 11 2024, 12:18 PM

Hi @sbassett,

I expect most of it will be the same but we will have some additional features. We're not currently planning any changes to the "Report" links, overflow menu or the ability to send an email to a configured email address.

We might be adding an extra step in the flow where users can indicate whether the incident experienced is an emergency or not. If the user indicates an emergency we will proceed with sending an email. If no emergency the user will be directed to a community help wiki page.

We will also be adding instrumentation.

In terms of timeline we'll probably need to push testwiki release to March and pilot release to late March/April.

I hope this helps. We're currently working on a document that details the high level additional features and timeline, I'll share it here when ready.

sbassett added a comment.Jan 11 2024, 4:31 PM
In T350253#9452918, @Madalina wrote:

I expect most of it will be the same but we will have some additional features. We're not currently planning any changes to the "Report" links, overflow menu or the ability to send an email to a configured email address.

We might be adding an extra step in the flow where users can indicate whether the incident experienced is an emergency or not. If the user indicates an emergency we will proceed with sending an email. If no emergency the user will be directed to a community help wiki page.

We will also be adding instrumentation.

Ok, it might make sense to wait a bit on this review until those features are at least a bit further along.

In terms of timeline we'll probably need to push testwiki release to March and pilot release to late March/April.

I hope this helps. We're currently working on a document that details the high level additional features and timeline, I'll share it here when ready.

Sounds good. Does it seem feasible that the aforementioned work you mentioned might be completed within a month or two? If so, then I think it's likely reasonable that this review could be completed this quarter.

Dreamy_Jazz mentioned this in T356190: ReportIncident REST API does not use a CSRF token.Jan 30 2024, 3:51 PM
sbassett added a comment.Mar 25 2024, 7:14 PM

Security Review Summary - T350253 - 2024-03-19
Last commit reviewed: 5839499579

Summary

Overall, the current state of the ReportIncident extension looks good and I'm assigning it an overall risk rating of low, for now. The only truly actionalbe items would be mitigating the reachable vulernability found within the two dev dependencies, if feasible.

Vulnerable Packages - Production
Risk: None, (no production packages)

Vulnerable Packages - Development
Risk: medium

VulnerabilityPackageServiceRemediationRisk
Missing Release of Resource afte...inflight@1.0.6snyk[see advisory link] medium
Incomplete List of Disallowed In...@babel/traverse@7.22.5snyk[see advisory link] critical
Missing Release of Resource afte...inflight@1.0.6snyk[see advisory link] medium
Regular Expression Denial of Ser...ansi-regex@2.1.1snyk[see advisory link] high
Missing Release of Resource afte...inflight@1.0.6snyk[see advisory link] medium
Regular Expression Denial of Ser...mocha@9.2.2snyk[see advisory link] high
Regular Expression Denial of Ser...semver@7.3.4snyk[see advisory link] high
Incomplete List of Disallowed In...babel-traverse@6.26.0snyk[see advisory link] critical
Prototype Pollutionjson5@0.5.1snyk[see advisory link] medium
Server-side Request Forgery (SSR...request@2.88.2snyk[see advisory link] medium
Cross-site Scripting (XSS)serialize-javascript@6.0.0snyk[see advisory link] medium
Prototype Pollutiontough-cookie@2.5.0snyk[see advisory link] medium

IMPORTANT: Unfortunately, semgrep supply chain found a vulnerable dependency that is reachable within ext:ReportIncident's dev dependencies (see: P58901). This is a dependency for @babel/preset-env@7.16.11 and jest@27.4.7, so perhaps merely bumping those versions to newer releases would mitigate the issue. Given vulnerability is for code execution, it would still be fairly sensitive even within a "dev" context.

Outdated Packages
As reported via npm outdated: None

As reported via composer outdated:
(no explicit vulnerabilities reported, simply noting for completeness' sake.)

PackageCurrentLatestDescription
phpcsstandards/phpcsextra1.1.21.2.1A collection of sniffs and standards for use with PHP_CodeSniffer.
phpcsstandards/phpcsutils1.0.91.0.10A suite of utility functions for use with PHP_CodeSniffer
psr/log2.0.03.0.0Common interface for logging libraries
sabre/event5.1.46.0.0sabre/event is a library for lightweight event-based programming
squizlabs/php_codesniffer3.8.13.9.0PHP_CodeSniffer tokenizes PHP, JavaScript and CSS files and detects violations o...
symfony/consolev5.4.36v7.0.4Eases the creation of beautiful and testable command line interfaces
symfony/stringv6.4.4v7.0.4Provides an object-oriented API to strings and deals with bytes, UTF-8 code poin...

Static Analysis Findings

  1. semgrep with various custom and well-known policies. The reported issues were either false-positives or low-risk. Risk: low.
  2. semgrep with some basic JavaScript sink-finding and PHP sink-finding rules. The reported issues were either false-positives or low-risk. Risk: low.
  3. bearer sast - no reported issues. Risk: low.
  4. lockfile-lint - no reported issues. Risk: low.
  5. gitleaks - no reported issues. Risk: low.
  6. git secrets - no reported issues. Risk: low.
  7. whispers - no reported issues. Risk: low.

Dynamic Application Scanning Findings
Risk: low.
A small bit of manual testing (on beta cluster enwiki) and code-review was performed. ext:ReportIncident primarily leverages MediaWiki's default authentication/authorization mechanisms, essentially requiring an unblocked, logged-in user with a confirmed email address, more than 0 edits and their account having existed for at least 3 hours to be able to submit incident reports. There is a single right, incidentreport, that is default-granted to all authenticated MediaWiki users, so anon users and temp users are not allowed to report incidents. The browser frontend is built with Vue and leverages the single rest API endpoint to submit its html form data. I was not able to find any obvious issues or problems from these manual tests, other than the REST API endpoint seemed to be failing via a direct curl request due to a 500 error on beta enwiki with what I believe was valid incident report submission data. But a similar request worked just fine through the web UI, which uses the same REST API endpoint, so there was likely something amiss with my curling.

HTTP and other protocol Leaks
Risk: None, (no credible leaks found).

General code health score
Risk: low.

  1. The Wikimedia code health check tool returned a weighted risk score of 27.90.
+-----------+----------+----------+------+---------------+---------------+--------------+-------------+------------+--------------+-----------+---------------+
| Vuln Pkgs | Pkg Mgmt | Test Cov | SAST | Non-auto Cmts | Uniq Contribs | Contrib Conc | Lang Guides | Staff Supp | Task Backlog | Code Stew | Weighted Risk |
+===========+==========+==========+======+===============+===============+==============+=============+============+==============+===========+===============+
|         2 |        4 |        0 |    0 |             5 |            10 |            4 |           7 |         10 |            0 |         0 |         27.90 |
+-----------+----------+----------+------+---------------+---------------+--------------+-------------+------------+--------------+-----------+---------------+

Policy Compliance
Risk: low.

  1. As noted within the code, it seems that, at some point, portions of various reported responses would be stored within MediaWiki's primary database. Given the potentially sensitive nature of these reports, Privacy Engineering should likely weigh in on such a feature.

Miscellanous Issues/Points of Discussion/Nits
Risk: low.

  1. As noted within T356190, there were some now-resolved CSRF issues regarding various REST API endpoints within this extension.
sbassett changed the task status from Open to In Progress.Mar 25 2024, 7:15 PM
sbassett triaged this task as Low priority.
sbassett moved this task from In Progress to Waiting on the secscrum board.
sbassett moved this task from In Progress to Done on the user-sbassett board.
gerritbot added a comment.Mar 28 2024, 1:32 PM

Change #1015330 had a related patch set uploaded (by Kosta Harlan; author: Kosta Harlan):

[mediawiki/extensions/ReportIncident@master] build: Update npm dependencies

https://gerrit.wikimedia.org/r/1015330

gerritbot added a project: Patch-For-Review.Mar 28 2024, 1:32 PM
kostajh added a comment.Mar 28 2024, 1:35 PM
IMPORTANT: Unfortunately, semgrep supply chain found a vulnerable dependency that is reachable within ext:ReportIncident's dev dependencies (see: P58901). This is a dependency for @babel/preset-env@7.16.11 and jest@27.4.7, so perhaps merely bumping those versions to newer releases would mitigate the issue. Given vulnerability is for code execution, it would still be fairly sensitive even within a "dev" context.

I think these are addressed via https://gerrit.wikimedia.org/r/c/mediawiki/extensions/ReportIncident/+/1015330

sbassett closed this task as Resolved.Mar 28 2024, 3:00 PM
sbassett moved this task from Waiting to Our Part Is Done on the secscrum board.
In T350253#9669194, @kostajh wrote:

I think these are addressed via https://gerrit.wikimedia.org/r/c/mediawiki/extensions/ReportIncident/+/1015330

Yes, looks good. Semgrep supply chain no longer finds the reachable vulnerability for @babel/traverse and osv-scanner isn't seeing the vulnerability now either. I'm fine calling this task resolved for now, since this still comes in with a low overall risk and you just addressed the only real concern I had with the review.

gerritbot added a comment.Mar 28 2024, 6:13 PM

Change #1015330 merged by jenkins-bot:

[mediawiki/extensions/ReportIncident@master] build: Update npm dependencies

https://gerrit.wikimedia.org/r/1015330

kostajh mentioned this in rEREIa9300f305220: build: Update npm dependencies.Mar 28 2024, 6:13 PM
ReleaseTaggerBot added a project: MW-1.42-notes (1.42.0-wmf.25; 2024-04-02).Mar 28 2024, 7:00 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL