Page MenuHomePhabricator
Create Task
Maniphest T355604

Deny request propagation from offending domains in dashboard
Closed, ResolvedPublic5 Estimated Story Points
Actions

Description

In order to deny request propagation down to the auth service coming from offending domains, we need to update the axios interceptor to block those domains.

Please refer to Investigations/Investigation: Create-user exploit

To do

  • Create an IaC variable for offending_domains domain_denylist (refer to malicious_ips_denylist as an example).
  • Pass this variable to the dashboard service. Use it in the axios interceptor to block the request from these domains.

QA / Acceptance criteria

  • On dev, set domain_denylist as ["abc.com"]. Using dashboard, perform sign up with email something@abc.com. Your request should be denied. Check the /ecs/auth_pr_wme log, you should not see a /create-user API call corresponding to your request.

Event Timeline

prabhat created this task.Jan 22 2024, 9:20 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJan 22 2024, 9:20 PM
HShaikh subscribed.Feb 22 2024, 5:16 PM

Would it be possbile to block signups from offending lists as part of the pre-signup lambda

prabhat added a comment.Feb 26 2024, 5:25 PM

We want to block the offending domain (related to the sign-up email) as early as possible in the flow.

The earliest we can do is at the dashboard level (/sign-up handler) in the axios interceptor middleware, that is responsible for propagating the request further to our auth service. The lambda comes later in the flow.

Here is the high-level flow:

User -> [dashboard] sign up handler [axios interceptor] -> [WAF] [CORS] Auth API server (/create-user endpoint) -> Send email for verification (using lambda)

JArguello-WMF set the point value for this task to 5.Mar 13 2024, 1:45 PM
JArguello-WMF moved this task from To Be Estimated/To Be Discussed to Estimated /Discussed on the Wikimedia Enterprise board.
JArguello-WMF moved this task from Estimated /Discussed to Sprint 57 on the Wikimedia Enterprise board.Mar 21 2024, 2:15 PM
JArguello-WMF edited projects, added Wikimedia Enterprise (Sprint 57); removed Wikimedia Enterprise.
JArguello-WMF triaged this task as High priority.Mar 21 2024, 2:19 PM
REsquito-WMF claimed this task.Mar 25 2024, 12:30 PM
REsquito-WMF moved this task from Next Up to In Progress on the Wikimedia Enterprise (Sprint 57) board.
REsquito-WMF added a comment.Mar 25 2024, 12:44 PM

I recommend we change this scope and address the issue in the backend API. That way we'll be secured regarding changes in public javascript, or direct api calls

REsquito-WMF added a comment.Mar 25 2024, 4:01 PM

after discussion with the team.

it will be done in two places, frontend and backend. Also will be created investigation ticket for WAF

REsquito-WMF moved this task from In Progress to MR on the Wikimedia Enterprise (Sprint 57) board.Mar 26 2024, 12:37 AM
REsquito-WMF moved this task from MR to QA on the Wikimedia Enterprise (Sprint 57) board.Tue, Apr 2, 6:35 PM
REsquito-WMF moved this task from QA to Done on the Wikimedia Enterprise (Sprint 57) board.Wed, Apr 3, 10:08 AM
JArguello-WMF closed this task as Resolved.Thu, Apr 11, 2:11 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL