
Application Security Review Request : Matomo upgrade and its campaign reporter plugin
Closed, Resolved (Public)

Description

Project Information

Description of the tool/project:
Matomo is a web analytics platform that allows us to retain ownership of visitor data. It was previously known as Piwik.
It is in production use at: https://piwik.wikimedia.org and has 20 microsites configured for tracking.
We currently run version 3.14.1 in production on the host matomo1002.eqiad.wmnet, which currently runs Debian buster.

We use binary packages for the core matomo codebase, published at: https://debian.matomo.org

The MarketingCampaignsReporting plugin allows Matomo users to measure the effectiveness of their marketing campaigns.
The plugin is published by the same authors as Matomo, but uses a different repository and is not distributed as part of the core Matomo codebase.
Description of how the tool will be used at WMF:
The primary users of Matomo are the WMF-Communications team - notably @SCampos-WMF and @Ospingou
We wish to upgrade our production instance of Matomo from version 3.14.1 to 4.15.1 (tracked in T351552) in order to benefit from new features and security patches.

In addition to that, the team expects to make increased use of the TagManager (T349910) functionality to create and track specific campaigns. This plugin will allow the users to measure the effectiveness of these campaigns using the Matomo UI.

Dependencies
It is a PHP application that is enabled by means of the libapache2-mod-php plugin.

Has this project been reviewed before?
I believe that Piwik/Matomo was, but I am not certain whether the existing procedures were in place when piwik was first deployed.
One of the most relevant tickets seems to be this one: T116312
It looks like other version upgrades have been performed without a third-party code review.

The CampaignManagerReporting plugin has not been previously reviewed.

Working test environment
We do not have a test environment for this at present, as it exists only in production.
We could feasibly create a deployment in wmcs for it.

Post-deployment
Data-Platform-SRE is the team responsible for its maintenance.

Details

Risk Rating
Low

Event Timeline

sbassett subscribed.

@BTullis - We can likely get this scheduled for early next quarter (Jan 1, 2024 to Mar 31st, 2024)

Thank you @sbassett, that would be much appreciated.

@BTullis I'll be working on this review this quarter. Have there been any updates or changes I should know about?

Thanks @Mstyles - No, there haven't been any noteworthy changes to the way in which we run matomo.

We're hoping to be able to deploy the new version soon and to enable the Campaigns Reporting plugin shortly afterwards.
If you would like any further information, please don't hesitate to let me know.

Security Review Summary - T351657 - Matomo Campaign Plugin - 2024-03-06

Reviewing Matomo Campaign plugin.
Overall, the current vendor code under consideration has an overall risk rating of: low.

The matomo plugin is nowhere near as active as the main matomo repository in terms of development or contributions; however, any issues that come up seem to be addressed in a timely manner. The plugin is small, with only 37 PHP files as reported by the code counter, and there are no dependencies. I've given the plugin a low risk rating due to those factors. I did do a manual review of the code and I didn't see any possible issues there either. I've included the static analysis findings for completeness.

General Security Information

Statistic/Info | Value | Risk
Repository | | none
Relevant tag/branch | 5.x-dev | none
Last commit reviewed (if relevant) | 4d03718 | none
Recent contributions to code (6 months) | 23 | medium
Active developers with > 10 commits | 5 | low
Current overall usage | 24 stars, 21 forks | high
Current open security issues | 0 | none

Static Analysis Findings

  1. gitleaks returned no results. low risk
  2. whispers returned no results. low risk
  3. scan scan:latest returned no results low risk
  4. semgrep supply chain was run with no results low risk
  5. bearer returned no results low risk
  6. bandit returned no results low risk
  7. php-security-checker returned no results. low risk
  8. phpcs returned results with a few warnings included at the bottom for informational purposes low risk

phpcs results

FILE: /plugin-MarketingCampaignsReporting/config/config.php
----------------------------------------------------------------------------------
FOUND 0 ERRORS AND 8 WARNINGS AFFECTING 8 LINES
----------------------------------------------------------------------------------
 14 | WARNING | Function array_map() that supports callback detected
 21 | WARNING | Function array_map() that supports callback detected
 28 | WARNING | Function array_map() that supports callback detected
 35 | WARNING | Function array_map() that supports callback detected
 42 | WARNING | Function array_map() that supports callback detected
 49 | WARNING | Function array_map() that supports callback detected
 56 | WARNING | Function array_map() that supports callback detected
 63 | WARNING | Function array_map() that supports callback detected
----------------------------------------------------------------------------------


FILE: /plugin-MarketingCampaignsReporting/tests/System/TrackSeveralCampaignsTest.php
-----------------------------------------------------------------------------------------------------------
FOUND 0 ERRORS AND 1 WARNING AFFECTING 1 LINE
-----------------------------------------------------------------------------------------------------------
 38 | WARNING | Filesystem function dirname() detected with dynamic parameter
-----------------------------------------------------------------------------------------------------------


FILE: /plugin-MarketingCampaignsReporting/MarketingCampaignsReporting.php
------------------------------------------------------------------------------------------------
FOUND 0 ERRORS AND 1 WARNING AFFECTING 1 LINE
------------------------------------------------------------------------------------------------
 55 | WARNING | System program execution function exec() detected with dynamic parameter

I'll post the main Matomo review at the end of this week. That'll mostly be security recommendations.
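The phpcs warnings in the review above are pattern matches from security sniffs, not confirmed findings, and the manual pass found nothing behind them. As an added example (not code from the MarketingCampaignsReporting plugin or from Matomo), the PHP below shows what the two warning classes match on and the shape of code a reviewer can sign off on: the exec() case with a validated, escapeshellarg()-quoted argument, and the array_map() callback case with a fixed allow-list. The function names, the git command, the regex and the inputs are assumptions for the demonstration.

```php
<?php
declare(strict_types=1);
// Added example, not code from the MarketingCampaignsReporting plugin or Matomo.
// It shows what the two phpcs warning classes reported above match on, and the
// shape of code that lets a reviewer close each warning on manual inspection.

// --- "System program execution function exec() detected with dynamic parameter"
//
// The sniff fires on any non-literal argument to exec(); it cannot tell whether
// the value is attacker-controlled. Interpolating it is the dangerous case:
// with $ref = 'main; id' the shell runs a second command.
function commandUnsafe(string $ref): string
{
    return "git rev-parse --verify $ref";
}

// Hardened form: reject anything outside an explicit character set, then quote
// with escapeshellarg() so the shell sees exactly one argument. The git command
// and the regex are assumptions for the demonstration.
function commandHardened(string $ref): string
{
    if (!preg_match('/^[A-Za-z0-9][A-Za-z0-9._\/-]{0,127}$/', $ref)) {
        throw new InvalidArgumentException("refusing ref: $ref");
    }
    return 'git rev-parse --verify ' . escapeshellarg($ref);
}

// --- "Function array_map() that supports callback detected"
//
// The risk the sniff points at is a callback name taken from outside the code:
// array_map($_GET['fn'], $rows) turns any PHP function name into code execution.
// Resolve callbacks through a fixed allow-list keyed by a short name instead.
const FORMATTERS = [
    'upper' => 'strtoupper',
    'trim'  => 'trim',
];

function applyFormatter(string $name, array $values): array
{
    if (!array_key_exists($name, FORMATTERS)) {
        throw new InvalidArgumentException("unknown formatter: $name");
    }
    return array_map(FORMATTERS[$name], $values);
}

// Constructed inputs: a benign ref and an injection attempt.
foreach (['v4.15.1', 'main; id'] as $ref) {
    echo "unsafe:   ", commandUnsafe($ref), "\n";
    try {
        echo "hardened: ", commandHardened($ref), "\n";
    } catch (InvalidArgumentException $e) {
        echo "hardened: ", $e->getMessage(), "\n";
    }
}

print_r(applyFormatter('upper', ['matomo', 'piwik']));
try {
    applyFormatter('system', ['id']);   // rejected before it reaches array_map()
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}
```

Run it with `php example.php`. The point for triage is that each warning is a prompt to trace where the dynamic argument or callback originates; a value that is a constant, a config key or a validated token closes the warning, which is the kind of check the manual review above performed.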

Noted, thank you @Mstyles for working around the clock to get the plugin review completed on time for the launch of our upcoming campaign.

I second that. Many thanks @Mstyles. I will proceed to install the plugin on our current Matomo v3 instance, then wait to hear more about the Matomo v4 review.

sbassett triaged this task as Medium priority.
sbassett moved this task from In Progress to Our Part Is Done on the secscrum board.
sbassett added a project: SecTeam-Processed.

@sbassett Many thanks for the update - is the security review of matomo itself now complete, or is it no longer necessary?

@Mstyles wrote:

I'll post the main Matomo review at the end of this week. That'll mostly be security recommendations.

I notice that the latest version of Matomo is now 5.0.3 and our production instance is still stuck on 3.14.1 so it would be nice to know if we've got a clear path to upgrade. Thanks.

@BTullis wrote:

@sbassett Many thanks for the update - is the security review of matomo itself now complete, or is it no longer necessary?
The review was completed above (T351657#9604851) and came in as low-risk, overall, which is automatically accepted by the WMF.

@BTullis wrote:
I notice that the latest version of Matomo is now 5.0.3 and our production instance is still stuck on 3.14.1 so it would be nice to know if we've got a clear path to upgrade. Thanks.

It would be nice to know how significant a release this is. We should, at the very least, glance at the changelog and maybe diff the codebases a bit.

I did do a review for the Matomo upgrade as well since that was requested. I'm reopening this ticket in case you have any questions.

Security Review Summary - T351657 - 2024-03-15

Reviewing Matomo.

Overall, the current vendor code under consideration has an overall risk rating of: medium.

I think it's great that we are upgrading Matomo. It's a very privacy-focused application with great security recommendations and a good security policy along with plenty of active contributors and maintainers. Both Matomo versions 4.xx and 5.xx come with a built-in security plugin that I think we should enable if we're not already. Matomo also has a great security guide that we should try to follow as best as we can. There's also a great privacy guide and I just want to highlight the privacy recommendations from @sguebo.

Despite the excellent security support Matomo has, semgrep supply chain did report 10 reachable findings, which elevated this project to a medium risk rating. The scan tool and npm audit also reported critical vulnerabilities which I didn't include in this report, but can attach later if needed. This means that your team is still okay to do the upgrade, but there is some cause for concern. The full semgrep report is located in this private paste for more details. Matomo v4.16.1 also had the same 10 reachable findings. Version 5.0.3 had 8 reachable findings, which wasn't much better. I think it's fine to stick with the planned 4.15.1 version upgrade.

Once Matomo is upgraded and the marketing campaign plugin is added, I would like to come back and do a security review just to make sure things look good.

General Security Information

Statistic/Info | Value | Risk
Repository | https://github.com/matomo-org/matomo | none
Relevant tag/branch | 4.15.1 | none
Last commit reviewed (if relevant) | c3b1fc3 | none
Recent contributions to code (6 months) | >100 | low
Active developers with > 10 commits | 42 | low
Current overall usage | 18.8k stars, 2.5k forks | low
Current open security issues | 0 | none

Vulnerable Packages
Snyk tested 54 dependencies for known issues, found 16 issues, 24 vulnerable paths. I only listed the ones below that had an upgrade option to fix.
Npm audit returned 115 vulnerabilities (1 low, 72 moderate, 32 high, 10 critical)

Vulnerability | Package | Service | Remediation | Risk
XSS | jquery | snyk | Upgrade jquery@2.2.4 to jquery@3.5.0 to fix | medium
XSS | jquery | snyk | Upgrade jquery@2.2.4 to jquery@3.5.0 to fix | medium
Prototype Pollution | jquery | snyk | Upgrade jquery@2.2.4 to jquery@3.5.0 to fix | medium
XSS | jquery | snyk | Upgrade jquery@2.2.4 to jquery@3.5.0 to fix | medium

Outdated Packages
As reported via npm outdated:
(no explicit vulnerabilities reported, simply noting for completeness' sake.)

Package | Current | Wanted | Latest
@types/dotdotdot | 1.6.36 | 1.6.39 | 1.6.39
@types/jest | 26.0.24 | 26.0.24 | 29.5.12
@types/jquery | 3.5.6 | 3.5.29 | 3.5.29
@types/jqueryui | 1.12.16 | 1.12.21 | 1.12.21
@types/materialize-css | 1.0.11 | 1.0.14 | 1.0.14
@types/mousetrap | 1.6.8 | 1.6.15 | 1.6.15
@typescript-eslint/eslint-plugin | 4.29.3 | 4.33.0 | 7.1.1
@typescript-eslint/parser | 4.29.3 | 4.33.0 | 7.1.1
@vue/cli-plugin-babel | 4.5.13 | 4.5.19 | 5.0.8
@vue/cli-plugin-eslint | 4.5.13 | 4.5.19 | 5.0.8
@vue/cli-plugin-typescript | 4.5.13 | 4.5.19 | 5.0.8
@vue/cli-plugin-unit-jest | 4.5.13 | 4.5.19 | 5.0.8
@vue/cli-service | 4.5.13 | 4.5.19 | 5.0.8
@vue/compiler-sfc | 3.2.6 | 3.4.21 | 3.4.21
@vue/eslint-config-airbnb | 5.3.0 | 5.3.0 | 8.0.0
@vue/eslint-config-typescript | 7.0.0 | 7.0.0 | 12.0.0
abortcontroller-polyfill | 1.7.3 | 1.7.5 | 1.7.5
angular | 1.8.2 | 1.8.3 | 1.8.3
angular-animate | 1.8.2 | 1.8.3 | 1.8.3
angular-cookies | 1.8.2 | 1.8.3 | 1.8.3
angular-mocks | 1.8.2 | 1.8.3 | 1.8.3
angular-sanitize | 1.8.2 | 1.8.3 | 1.8.3
babel-loader | 8.2.2 | 8.3.0 | 9.1.3
chroma-js | 0.6.3 | 0.6.3 | 2.4.2
core-js | 3.16.3 | 3.36.0 | 3.36.0
css-loader | 6.2.0 | 6.10.0 | 6.10.0
dompurify | 2.3.3 | 2.4.7 | 3.0.9
eslint | 6.8.0 | 6.8.0 | 8.57.0
eslint-plugin-import | 2.24.2 | 2.29.1 | 2.29.1
eslint-plugin-vue | 7.16.0 | 7.20.0 | 9.22.0
iframe-resizer | 4.2.11 | 4.3.9 | 4.3.9
jquery | 2.2.4 | 2.2.4 | 3.7.1
jquery-ui-dist | 1.13.1 | 1.13.2 | 1.13.2
jquery.scrollto | 2.1.2 | 2.1.3 | 2.1.3
less | 4.1.2 | 4.2.0 | 4.2.0
less-loader | 7.3.0 | 7.3.0 | 12.2.0
nock | 13.1.4 | 13.5.4 | 13.5.4
sprintf-js | 1.1.2 | 1.1.3 | 1.1.3
ts-jest | 26.5.6 | 26.5.6 | 29.1.2
typescript | 4.3.5 | 4.9.5 | 5.4.2
vue | 3.2.6 | 3.4.21 | 3.4.21
vue-jest | 5.0.0-alpha.10 | 5.0.0-alpha.10 | 3.0.7

Outdated Packages
As reported via composer outdated:
(no explicit vulnerabilities reported, simply noting for completeness' sake.)
The lox/xhprof package used has been abandoned, but it is only used for testing and is removed from official Matomo releases.

Package | Current | Wanted | Description
composer/semver | 1.7.2 | 3.4.0 | Semver library that offers util...
lox/xhprof | dev-master c64571f | dev-master c64571f | This package has been abandoned
monolog/monolog | 1.27.1 | 2.9.2 | Sends your logs to files, socke...
phpstan/phpdoc-parser | 1.24.5 | 1.26.0 | PHPDoc parser with support for ...
tedivm/jshrink | v1.4.0 | v1.7.0 | Javascript Minifier built in PHP

Static Analysis Findings

  1. gitleaks returned 88 warnings, all in test directories so marking this as low risk
  2. scan scan:latest returned 4 vendor confirmed critical vulnerabilities. medium
  3. php-security-checker returned no results. low risk
  4. bandit returned no results low risk
  5. bearer returned 152 checks with 117 findings including 68 high medium
  6. semgrep supply chain was run with 10 reachable findings high

Thank you for the review @Mstyles, we will work on the upgrade once @BTullis is back, keeping in mind the items you have flagged.

Thanks all for your input. We're currently proceeding to install matomo version 4.16.1 - which is the most recent version available on https://debian.matomo.org/ at present.