Page MenuHomePhabricator
Create Task
Maniphest T356190

ReportIncident REST API does not use a CSRF token
Closed, ResolvedPublic1 Estimated Story PointsSecurity
Actions

Assigned To
Dreamy_Jazz
Authored By
Dreamy_Jazz
Jan 30 2024, 3:49 PM
Tags
Referenced Files
F41736334: image.png
Feb 1 2024, 12:07 AM
F41736365: image.png
Feb 1 2024, 12:07 AM
F41736340: image.png
Feb 1 2024, 12:07 AM
F41735266: image.png
Jan 31 2024, 5:15 PM
F41735256: image.png
Jan 31 2024, 5:15 PM
F41735253: image.png
Jan 31 2024, 5:15 PM
F41735085: image.png
Jan 31 2024, 5:15 PM
F41732538: T356190.patch
Jan 30 2024, 10:36 PM
Subscribers
Aklapper
Djackson-ctr
dom_walden
Dreamy_Jazz
gerritbot
GMikesell-WMF
kostajh
View All 11 Subscribers

Description

The Incident-Reporting-System extension provides a REST API used to make incident reports. These reports are made via a POST request and cause an email to be sent with the contents of the report after validation and rate limiting.

However, this REST API does not validate a CSRF token and nor does it require that the user making the request use a session that is safe from CSRF (such as OAuth).

Details

Risk Rating
Medium
Author Affiliation
WMF Product
SubjectRepoBranchLines +/-
SECURITY: Use a CSRF token in the ReportIncident REST APImediawiki/extensions/ReportIncidentREL1_41+13 -3
SECURITY: Use a CSRF token in the ReportIncident REST APImediawiki/extensions/ReportIncidentmaster+48 -6
Customize query in gerrit

Related Objects

Event Timeline

Dreamy_Jazz created this task.Jan 30 2024, 3:49 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJan 30 2024, 3:49 PM
Dreamy_Jazz added projects: Incident-Reporting-System, Trust and Safety Product Team, Trust and Safety Product Sprint (Sprint Kazoo (Jan 29 - Feb 9 2024)).Jan 30 2024, 3:49 PM

This extension is currently waiting for an application security review in T350253: Application Security Review Request: Extension:ReportIncident.

Dreamy_Jazz added a comment.Jan 30 2024, 10:36 PM

Proposed patch (passes on my local environment):

T356190.patch8 KBDownload

This extension is not deployed on production, so once this has been given a +2 we can upload this to gerrit and submit it through CI (the tests passed for me locally, but I can't be sure they will pass in CI until it has been publicly uploaded).

Dreamy_Jazz moved this task from Priority Backlog to Needs Review on the Trust and Safety Product Sprint (Sprint Kazoo (Jan 29 - Feb 9 2024)) board.Jan 30 2024, 10:37 PM
Dreamy_Jazz added subscribers: kostajh, Tchanders, STran, Madalina.
Dreamy_Jazz set the point value for this task to 1.Jan 30 2024, 11:41 PM
kostajh added a comment.Jan 31 2024, 8:28 AM
In T356190#9500529, @Dreamy_Jazz wrote:

Proposed patch (passes on my local environment):

T356190.patch8 KBDownload

This extension is not deployed on production, so once this has been given a +2 we can upload this to gerrit and submit it through CI (the tests passed for me locally, but I can't be sure they will pass in CI until it has been publicly uploaded).

Virtual +2, but I also think this could be handled in Gerrit publicly, as the extension isn't in production.

Dreamy_Jazz added a comment.Jan 31 2024, 12:01 PM

From T333569#8742962:

... anything within the supplemental release can be made public and have backports performed once the issue has been patched in Wikimedia production

Therefore, I think uploading this to Gerrit and giving it a +2 is fine as this extension is not deployed on WMF production (therefore it cannot be patched there) and is not bundled.

Dreamy_Jazz added a subscriber: gerritbot.Jan 31 2024, 12:03 PM
gerritbot added a comment.Jan 31 2024, 12:22 PM

Change 994693 had a related patch set uploaded (by Dreamy Jazz; author: Dreamy Jazz):

[mediawiki/extensions/ReportIncident@REL1_41] SECURITY: Use a CSRF token in the ReportIncident REST API

https://gerrit.wikimedia.org/r/994693

gerritbot added a project: Patch-For-Review.Jan 31 2024, 12:22 PM
gerritbot added a comment.Jan 31 2024, 12:31 PM

Change 994687 merged by jenkins-bot:

[mediawiki/extensions/ReportIncident@master] SECURITY: Use a CSRF token in the ReportIncident REST API

https://gerrit.wikimedia.org/r/994687

Dreamy_Jazz added a comment.Jan 31 2024, 12:42 PM

Given the virtual +2 I uploaded the patch to Gerrit and made a small change to allow the selenium tests to pass. I then backported it and +2'd that backport.

Dreamy_Jazz claimed this task.Jan 31 2024, 12:43 PM
Dreamy_Jazz moved this task from Needs Review to Needs QA on the Trust and Safety Product Sprint (Sprint Kazoo (Jan 29 - Feb 9 2024)) board.
Dreamy_Jazz added subscribers: Djackson-ctr, dom_walden, GMikesell-WMF.
gerritbot added a comment.Jan 31 2024, 12:46 PM

Change 994693 merged by jenkins-bot:

[mediawiki/extensions/ReportIncident@REL1_41] SECURITY: Use a CSRF token in the ReportIncident REST API

https://gerrit.wikimedia.org/r/994693

Dreamy_Jazz mentioned this in rEREI7385e5e84b20: SECURITY: Use a CSRF token in the ReportIncident REST API.Jan 31 2024, 12:49 PM
Dreamy_Jazz mentioned this in rEREI5c61bb68a0ff: SECURITY: Use a CSRF token in the ReportIncident REST API.
Dreamy_Jazz removed a project: Patch-For-Review.Jan 31 2024, 1:19 PM
Dreamy_Jazz added a project: MW-1.42-notes (1.42.0-wmf.17; 2024-02-06).
sbassett subscribed.Jan 31 2024, 4:30 PM
In T356190#9501219, @kostajh wrote:

Virtual +2, but I also think this could be handled in Gerrit publicly, as the extension isn't in production.

Yes, the Security-Team would consider this low risk.

Dreamy_Jazz added a comment.Jan 31 2024, 5:15 PM

Suggested QA steps for a local wiki (let me know if you would like steps for patchdemo wikis):

  1. Install Incident-Reporting-System extension, if required
  2. Verify that you have $wgReportIncidentRecipientEmails, $wgReportIncidentEmailFromAddress, and $wgReportIncidentDeveloperMode = true; defined in your LocalSettings.php. If not, you can add the following:
$wgReportIncidentRecipientEmails = [ 'test@example.com' ];
$wgReportIncidentEmailFromAddress = 'no-reply@example.com';
$wgReportIncidentDeveloperMode = true;
  1. Login to an account and go to an existing user talk page
  2. Click Report in the Tools menu
  3. Open up Developer Tools (F12) and open the network tab
  4. Fill out the form and press submit. Ensure that the request is successful (and if not fix the errors to address this).
  5. Find the successful request in the network tab. On Chrome this should be the last request and the name of the request should be report and will look something like the below screenshot:

image.png (93×1 px, 9 KB)

  1. Click on the request and find the request body (on Chrome this is called Payload). Ensure that a token key is present with a defined string value. For example the token is surrounded by a red box in the below screenshot:

image.png (210×1 px, 26 KB)

  1. Right click on the request and click "Copy as fetch" (in the Copy sub-menu on Chrome)
  2. To go the browser console and paste from your clipboard. This should look something like the following:

image.png (514×1 px, 58 KB)

  1. Modify add characters to the string that is wrapped in the characters \" after \"token\". For example, on my wiki this means that the text in the console now looks like:

image.png (520×1 px, 59 KB)

  1. Run this command and go back to the network tab
  2. Find the last request in that window and open it.
  3. Verify that the response to the request is the following:
{
    "errorKey": "rest-badtoken",
    "messageTranslations": {
        "en": "The CSRF token provided is invalid."
    },
    "httpCode": 403,
    "httpReason": "Forbidden"
}
Djackson-ctr added a comment.Feb 1 2024, 12:07 AM

I have verified that the new code has been implemented and is functioning and displaying as expected...

Thank you @Dreamy_Jazz.

image.png (459×1 px, 248 KB)

image.png (256×617 px, 33 KB)

image.png (273×976 px, 57 KB)

Djackson-ctr moved this task from Needs QA to Done on the Trust and Safety Product Sprint (Sprint Kazoo (Jan 29 - Feb 9 2024)) board.Feb 1 2024, 12:09 AM
kostajh closed this task as Resolved.Feb 1 2024, 5:53 AM
Dreamy_Jazz added a comment.Feb 1 2024, 1:27 PM

@kostajh should this task be made public before this is marked as resolved?

kostajh added a comment.Feb 1 2024, 1:42 PM
In T356190#9506065, @Dreamy_Jazz wrote:

@kostajh should this task be made public before this is marked as resolved?

I am not sure if it matters.

sbassett added a comment.Feb 1 2024, 4:14 PM
In T356190#9506108, @kostajh wrote:
In T356190#9506065, @Dreamy_Jazz wrote:

@kostajh should this task be made public before this is marked as resolved?

I am not sure if it matters.

It's fine to make this task public now. I'd agree that the order of resolving vs. making public doesn't really matter.

sbassett triaged this task as Medium priority.Feb 1 2024, 4:14 PM
sbassett changed Author Affiliation from N/A to WMF Product.
sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".
sbassett changed the edit policy from "Custom Policy" to "All Users".
sbassett changed Risk Rating from N/A to Medium.
sbassett moved this task from Incoming to Watching on the Security-Team board.
PatchDemoBot added a comment.Feb 13 2024, 1:02 AM

Test wiki created on Patch demo by DJacksonA using patch(es) linked to this task:
https://patchdemo.wmflabs.org/wikis/2868537a3b/w

sbassett mentioned this in T350253: Application Security Review Request: Extension:ReportIncident.Mar 25 2024, 7:14 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL