CVE-2024-34504: IPInfo REST APIs are not safe from CSRF attacks
Closed, ResolvedPublic2 Estimated Story PointsSecurity
Actions

Assigned To

Authored By

	Dreamy_Jazz
	Jan 30 2024, 2:12 PM

Description

The IP Info extension provides REST APIs that can provide information about IP addresses. These APIs provide information that is not public and access to this information causes a log event to be created.

I cannot see a CSRF token in the REST APIs and the ::requireSafeAgainstCsrf method is not overridden to return true. This suggests that the REST APIs are not safe from CSRF attacks, in similar thinking to T355558.

Details

Risk Rating: Low
Author Affiliation: WMF Technology Dept

Subject	Repo	Branch	Lines +/-
Make second successful request to REST API return a good promise	mediawiki/extensions/IPInfo	REL1_39	+32 -14
Make second successful request to REST API return a good promise	mediawiki/extensions/IPInfo	REL1_41	+32 -14
Make second successful request to REST API return a good promise	mediawiki/extensions/IPInfo	REL1_40	+32 -14
Make second successful request to REST API return a good promise	mediawiki/extensions/IPInfo	master	+32 -14
SECURITY: Use CSRF token in IPInfo REST APIs	mediawiki/extensions/IPInfo	master	+97 -19
SECURITY: Use CSRF token in IPInfo REST APIs	mediawiki/extensions/IPInfo	REL1_40	+104 -23
SECURITY: Use CSRF token in IPInfo REST APIs	mediawiki/extensions/IPInfo	REL1_41	+104 -23
SECURITY: Use CSRF token in IPInfo REST APIs	mediawiki/extensions/IPInfo	REL1_39	+218 -40

Customize query in gerrit

Related Objects

Mentioned In: T353904: Write and send supplementary release announcement for extensions and skins with security patches (1.39.7/1.40.3/1.41.1)
T310393: IP Info log can be used to deanonymize user
Mentioned Here: rEIPIfc40803ba0fb: Localisation updates from https://translatewiki.net.
T354436: 1.42.0-wmf.18 deployment blockers
T310393: IP Info log can be used to deanonymize user

Event Timeline

There are a very large number of changes, so older changes are hidden. Show Older Changes

Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJan 30 2024, 2:12 PM

Dreamy_Jazz added projects: Trust and Safety Product Team, IP Info.Jan 30 2024, 2:12 PM

Dreamy_Jazz updated the task description. (Show Details)Jan 30 2024, 2:16 PM

Dreamy_Jazz added a project: Trust and Safety Product Sprint (Sprint Kazoo (Jan 29 - Feb 9 2024)).

Dreamy_Jazz moved this task from Priority Backlog to In Progress on the Trust and Safety Product Sprint (Sprint Kazoo (Jan 29 - Feb 9 2024)) board.Jan 31 2024, 7:45 PM

Dreamy_Jazz claimed this task.Jan 31 2024, 8:31 PM

Dreamy_Jazz set the point value for this task to 2.

Dreamy_Jazz added a comment.Feb 3 2024, 12:43 AM

This comment was removed by Dreamy_Jazz.

Dreamy_Jazz moved this task from In Progress to Needs Review on the Trust and Safety Product Sprint (Sprint Kazoo (Jan 29 - Feb 9 2024)) board.Feb 3 2024, 12:43 AM

Proposed patch:

T356183.patch7 KBDownload

Dreamy_Jazz added a project: Patch-For-Review.Feb 3 2024, 12:51 AM

In T356183#9510883, @Dreamy_Jazz wrote:

Proposed patch:

T356183.patch7 KBDownload

CR+1 - code looks good to me. I think this is likely fine to deploy for now.

Thanks @Dreamy_Jazz and @sbassett

I won't be able to deploy this today, but if @Tchanders agrees with this I could deploy this tommorrow and see what happens.

In T356183#9514358, @Dreamy_Jazz wrote:

I won't be able to deploy this today, but if @Tchanders agrees with this I could deploy this tommorrow and see what happens.

That should be fine if you want to do it during the backport window or just sometime before or after the train. Would likely be best to have you quickly test on a debug server or post-deploy.

The patch looks good to me, and works on local testing - happy to +2.

It occurs to me that this is a breaking change for anyone who is using the API directly. Should we give them a heads up somehow? Alternatively I don't mind considering direct use of the API unsupported (it's very tailored to the UI anyway), in which case maybe we can document this on https://www.mediawiki.org/wiki/Extension:IPInfo or somewhere.

...Oh, the patch didn't apply cleanly to the latest master (I had to add a couple of lines manually) though it didn't look like there were actually conflicts. Just mentioning in case it needs a rebase.

In T356183#9518332, @Tchanders wrote:

...Oh, the patch didn't apply cleanly to the latest master (I had to add a couple of lines manually) though it didn't look like there were actually conflicts. Just mentioning in case it needs a rebase.

The old patch from T356183#9510883 seems to apply fine to wmf/1.42.0-wmf.16 but not master and wmf/1.42.0-wmf.17.

git diff origin/wmf/1.42.0-wmf.16..origin/wmf/1.42.0-wmf.17 -- src/Rest/Handler/IPInfoHandler.php shows some minor formatting/line-count changes, but as you noted, no substantive conflicts.

Patch with minor merge conflicts addressed that should now apply to master and wmf/1.42.0-wmf.17:

01-T356183-rev2.patch7 KBDownload

In T356183#9519296, @sbassett wrote:

Patch with minor merge conflicts addressed that should now apply to master and wmf/1.42.0-wmf.17:

01-T356183-rev2.patch7 KBDownload

This doesn't apply to production due to a missing line of code. I've applied the following to wmf/1.42.0-wmf.17:

01-T356183-rev2.patch7 KBDownload

I've deployed the security patches to both wmf.17 and wmf.16.

Now this is deployed on production, we can go ahead and upload this to Gerrit as the IP Info extension is not bundled.

Dreamy_Jazz added subscribers: gerritbot, STran, kostajh and 3 others.Feb 7 2024, 10:30 AM

Change 998327 had a related patch set uploaded (by Dreamy Jazz; author: Dreamy Jazz):

[mediawiki/extensions/IPInfo@master] SECURITY: Use CSRF token in IPInfo REST APIs

https://gerrit.wikimedia.org/r/998327

Change 998322 had a related patch set uploaded (by Dreamy Jazz; author: Dreamy Jazz):

[mediawiki/extensions/IPInfo@REL1_41] SECURITY: Use CSRF token in IPInfo REST APIs

https://gerrit.wikimedia.org/r/998322

Change 998324 had a related patch set uploaded (by Dreamy Jazz; author: Dreamy Jazz):

[mediawiki/extensions/IPInfo@REL1_40] SECURITY: Use CSRF token in IPInfo REST APIs

https://gerrit.wikimedia.org/r/998324

Change 998367 had a related patch set uploaded (by Dreamy Jazz; author: Dreamy Jazz):

[mediawiki/extensions/IPInfo@REL1_39] SECURITY: Use CSRF token in IPInfo REST APIs

https://gerrit.wikimedia.org/r/998367

Tchanders mentioned this in T310393: IP Info log can be used to deanonymize user.Feb 7 2024, 3:06 PM

Change 998367 merged by jenkins-bot:

[mediawiki/extensions/IPInfo@REL1_39] SECURITY: Use CSRF token in IPInfo REST APIs

https://gerrit.wikimedia.org/r/998367

Change 998322 merged by jenkins-bot:

[mediawiki/extensions/IPInfo@REL1_41] SECURITY: Use CSRF token in IPInfo REST APIs

https://gerrit.wikimedia.org/r/998322

Change 998324 merged by jenkins-bot:

[mediawiki/extensions/IPInfo@REL1_40] SECURITY: Use CSRF token in IPInfo REST APIs

https://gerrit.wikimedia.org/r/998324

Change 998327 merged by jenkins-bot:

[mediawiki/extensions/IPInfo@master] SECURITY: Use CSRF token in IPInfo REST APIs

https://gerrit.wikimedia.org/r/998327

When this is made public we can also make T310393: IP Info log can be used to deanonymize user public too as that task is also about the same issue of not having a CSRF token.

@Dreamy_Jazz wrote:

01-T356183-rev2.patch7 KBDownload

This doesn't apply to production due to a missing line of code. I've applied the following to wmf/1.42.0-wmf.17:

01-T356183-rev2.patch7 KBDownload

Huh, strange. Not sure what happened there.

I've deployed the security patches to both wmf.17 and wmf.16.

Thanks.

When this is made public we can also make T310393: IP Info log can be used to deanonymize user public too as that task is also about the same issue of not having a CSRF token.

We can make it public now.

sbassett triaged this task as Low priority.Feb 7 2024, 8:40 PM

sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".

sbassett changed the edit policy from "Custom Policy" to "All Users".

sbassett changed Risk Rating from N/A to Low.

Suggested QA steps (designed for a local wiki):

Install the IP Info extension, if required
Add the following to your LocalSettings.php

$wgGroupPermissions['sysop']['ipinfo'] = true;
$wgGroupPermissions['sysop']['ipinfo-view-full'] = true;
$wgGroupPermissions['sysop']['ipinfo-view-log'] = true;
$wgGroupPermissions['*']['move'] = true;

While logged out (and not using a temporary account) make a few testing edits and move a page
Log into an account with the sysop group
Go to Special:Preferences and check the preference under the IP Information section
Open the history page for the page you edited in step 3
Open Developer tools and go to the Network tab
Click on the information icon next to the IP address (as shown below):

Verify that a dropdown menu appears
Go to the Network tab and find a request where the name / title is an integer followed by ?dataContext=popup such as in the following image (the full URL should be something like rest.php/ipinfo/v0/revision/335?dataContext=popup&language=en-gb)

Click on this request and go to the Payload tab
Verify that the Request payload includes a token such as the following:

Load Special:Log
Click on the information icon next to the IP address used to move the page
Verify that a dropdown menu appears
Go to the Network tab and find a request where the name / title is an integer followed by ?dataContext=popup such as in the following image (the full URL should be something like rest.php/ipinfo/v0/log/335?dataContext=popup&language=en-gb)

Click on this request and go to the Payload tab
Make sure that the Request Payload includes a token such as in the following:

Load the contributions page of one of the IP addresses used to make the edit (it is fine if only one IP address was used)
Open the IP Information section
Verify that no error occurs
In the Network tab find the request with the name / title that includes ?dataContext=infobox such as the following (the URL should be something like rest.php/ipinfo/v0/revision/339?dataContext=infobox&language=en-gb):

Click on this and find the Request Payload and verify that a token is present such as in the following screenshot:

sbassett mentioned this in T353904: Write and send supplementary release announcement for extensions and skins with security patches (1.39.7/1.40.3/1.41.1).Feb 7 2024, 8:42 PM

ReleaseTaggerBot added a project: MW-1.42-notes (1.42.0-wmf.18; 2024-02-13).Feb 7 2024, 10:01 PM

sbassett moved this task from Security Patch To Deploy to Watching on the Security-Team board.Feb 12 2024, 8:33 PM

Noting I dropped the security patch from this task from the train this week (1.42.0-wmf.18), still applied to previous weeks.

Patch was failing to apply, presumably because it's now merged in master. If this is incorrect, please let me know/flag someone on the blocker task for this week: T354436

In T356183#9536504, @thcipriani wrote:

Noting I dropped the security patch from this task from the train this week (1.42.0-wmf.18), still applied to previous weeks.

Patch was failing to apply, presumably because it's now merged in master. If this is incorrect, please let me know/flag someone on the blocker task for this week: T354436

Yes, this is correct. Thanks.

Oops, I missed that this was in "Needs QA". Leaving open for now.

Dreamy_Jazz removed a project: Patch-For-Review.Feb 14 2024, 7:29 PM

@Dreamy_Jazz I applied the below patch to rest.js to make it fail the first request but not the second, which I can confirm when looking at the browser's network tab. However, the popups and infoboxes still shows "The IP information could not be retrieved."

T356183_fail_first.patch518 BDownload

In T356183#9550359, @dom_walden wrote:

@Dreamy_Jazz I applied the below patch to rest.js to make it fail the first request but not the second, which I can confirm when looking at the browser's network tab. However, the popups and infoboxes still shows "The IP information could not be retrieved."

T356183_fail_first.patch518 BDownload

I can re-produce this too. It seems that I had misunderstood that the fail handler couldn't override the success status of the promise and when testing I had relied on seeing the network tab have a successful response for the second request. I will make a follow-up and thanks for finding this.

Moving back to 'In Progress' while I work on a follow-up to fix this.

Change 1004121 had a related patch set uploaded (by Dreamy Jazz; author: Dreamy Jazz):

[mediawiki/extensions/IPInfo@master] Make second successful request to REST API return a good promise

https://gerrit.wikimedia.org/r/1004121

gerritbot added a project: Patch-For-Review.Feb 16 2024, 2:22 PM

Dreamy_Jazz moved this task from In Progress to Needs Review on the Trust and Safety Product Sprint (Sprint Kazoo (Jan 29 - Feb 9 2024)) board.Feb 16 2024, 2:22 PM

Change 1004121 merged by jenkins-bot:

[mediawiki/extensions/IPInfo@master] Make second successful request to REST API return a good promise

https://gerrit.wikimedia.org/r/1004121

Dreamy_Jazz moved this task from Needs Review to Needs QA on the Trust and Safety Product Sprint (Sprint Kazoo (Jan 29 - Feb 9 2024)) board.Feb 16 2024, 5:56 PM

ReleaseTaggerBot edited projects, added MW-1.42-notes (1.42.0-wmf.19; 2024-02-20); removed MW-1.42-notes (1.42.0-wmf.18; 2024-02-13).Feb 16 2024, 6:00 PM

Dreamy_Jazz edited projects, added Trust and Safety Product Sprint (Sprint Piano (Feb 19th - 1st March)); removed Trust and Safety Product Sprint (Sprint Kazoo (Jan 29 - Feb 9 2024)).Feb 20 2024, 12:04 PM

Dreamy_Jazz moved this task from Priority Backlog to Needs QA on the Trust and Safety Product Sprint (Sprint Piano (Feb 19th - 1st March)) board.

I see that a CSRF token is sent with the API request. If I try to make the API request with a different or no token, it returns an error:

{"errorKey":"rest-badtoken","messageTranslations":{"en":"The CSRF token provided is invalid."},"httpCode":403,"httpReason":"Forbidden"}

In T356183#9550359, @dom_walden wrote:

@Dreamy_Jazz I applied the below patch to rest.js to make it fail the first request but not the second, which I can confirm when looking at the browser's network tab. However, the popups and infoboxes still shows "The IP information could not be retrieved."

I cannot reproduce this bug anymore, either with the popup or infobox.

Test environment: local docker IP Info 0.0.0 (fc40803) 07:38, 20 February 2024.

In T356183#9559206, @dom_walden wrote:
I see that a CSRF token is sent with the API request. If I try to make the API request with a different or no token, it returns an error:
{"errorKey":"rest-badtoken","messageTranslations":{"en":"The CSRF token provided is invalid."},"httpCode":403,"httpReason":"Forbidden"}
In T356183#9550359, @dom_walden wrote:

@Dreamy_Jazz I applied the below patch to rest.js to make it fail the first request but not the second, which I can confirm when looking at the browser's network tab. However, the popups and infoboxes still shows "The IP information could not be retrieved."

I cannot reproduce this bug anymore, either with the popup or infobox.

Test environment: local docker IP Info 0.0.0 (fc40803) 07:38, 20 February 2024.

Thanks for the thorough QA testing.

Dreamy_Jazz reopened this task as Open.Feb 20 2024, 4:24 PM

Change 1005077 had a related patch set uploaded (by Dreamy Jazz; author: Dreamy Jazz):

[mediawiki/extensions/IPInfo@REL1_41] Make second successful request to REST API return a good promise

https://gerrit.wikimedia.org/r/1005077

Change 1005078 had a related patch set uploaded (by Dreamy Jazz; author: Dreamy Jazz):

[mediawiki/extensions/IPInfo@REL1_40] Make second successful request to REST API return a good promise

https://gerrit.wikimedia.org/r/1005078

Change 1005079 had a related patch set uploaded (by Dreamy Jazz; author: Dreamy Jazz):

[mediawiki/extensions/IPInfo@REL1_39] Make second successful request to REST API return a good promise

https://gerrit.wikimedia.org/r/1005079

Dreamy_Jazz closed this task as Resolved.Feb 20 2024, 4:26 PM

Change 1005078 merged by jenkins-bot: