Application Security Review Request : Extension:IPReputation
Closed, ResolvedPublic
Actions

Assigned To

Authored By

	kostajh
	Mar 13 2024, 8:25 PM

Description

Project Information

Name of tool/project: Extension:IPReputation
Project home page: https://www.mediawiki.org/wiki/Extension:IPReputation
Name of team requesting review: @kostajh / Trust & Safety Product
Primary contact: @kostajh
Target date for deployment: as soon as possible
Link to code repository / patchset: https://gerrit.wikimedia.org/g/mediawiki/extensions/IPReputation
Link to scc output for general sizing of codebases (https://github.com/boyter/scc): https://phabricator.wikimedia.org/P58787

Description of the tool/project: Provide access for fetching, logging, and acting on IP reputation data.

Description of how the tool will be used at WMF: Enrich event logging events with IP reputation metadata; provide a low-level interface for other callers to the IP reputation database; provide IP reptuation as a signal to other tools like AbuseFilter; be a potential place where mitigations on bad actors based on IP reputation could be enacted.

Dependencies

List dependencies, or upstream projects that this project relies on.

iPoid-Service

Has this project been reviewed before?

Please link to tasks or wiki pages of previous reviews.

The extension is currently https://gerrit.wikimedia.org/r/c/mediawiki/extensions/IPReputation/+/1010522 which is already deployed in production code (in CentralAuth) which was reviewed by other engineers at WMF already.

Working test environment

Please link or describe setup process for setting up a test environment.

Enable the extension, and set up an SSH tunnel to a deployment server (queries to ipoid should just work as the default URL config uses localhost:6035)

Post-deployment

Name of team responsible for tool/project after deployment and primary contact.

@kostajh and Trust and Safety Product Team

Details

Risk Rating: Low

Related Objects
Search...

Status	Subtype	Assigned	Task
			Restricted Task
Resolved		kostajh	T294511 2021 Security Team wikireplicas audit
Declined		None	T284948 Raw IPs of logged-out users disclosed in wiki-replicas
Resolved		Niharika	T324492 Temporary accounts - MVP
Resolved		kostajh	T357776 [Epic] Mitigate abilities to abuse temporary accounts
Stalled	Feature	None	T380917 Ability to configure a wiki to auto block open proxies
Stalled		None	T166817 Globally block identifiable open proxies
Resolved		Dreamy_Jazz	T354599 [EPIC] WE4.2.14b Provide IP reputation variables in AbuseFilter
Resolved		kostajh	T360067 Deploy Extension:IPReputation
Resolved		sbassett	T360070 Application Security Review Request : Extension:IPReputation

Event Timeline

kostajh created this task.Mar 13 2024, 8:25 PM

Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMar 13 2024, 8:25 PM

kostajh added a parent task: T360067: Deploy Extension:IPReputation.Mar 13 2024, 8:29 PM

kostajh mentioned this in T360067: Deploy Extension:IPReputation.

sbassett moved this task from Incoming to Upcoming Quarter Planning Queue on the secscrum board.Mar 13 2024, 9:09 PM

Bugreporter added a project: MediaWiki-extensions-IPReputation.Mar 14 2024, 1:17 AM

• Cleo_Lemoisson assigned this task to Mstyles.Apr 8 2024, 6:42 PM

• Cleo_Lemoisson moved this task from Upcoming Quarter Planning Queue to In Progress on the secscrum board.

Mstyles reassigned this task from Mstyles to sbassett.Apr 10 2024, 4:34 PM

Mstyles subscribed.

sbassett added a project: user-sbassett.Apr 10 2024, 4:47 PM

sbassett moved this task from Backlog to In Progress on the user-sbassett board.

Hey @kostajh - Just wanted to check in and see if ext:IPReputation is ready for review or if you're planning any large, meaningful development cycles soon (and I should wait a bit). Thanks.

In T360070#9707680, @sbassett wrote:

Hey @kostajh - Just wanted to check in and see if ext:IPReputation is ready for review or if you're planning any large, meaningful development cycles soon (and I should wait a bit). Thanks.

I think it is ready for review as is. Thanks!

Quick update on this: I plan to post the review next Monday or Tuesday (2024-06-16 or 2024-06-18). I haven't really found anything concerning at all.

Security Review Summary - T360070 - 2024-06-17
Last commit reviewed: be78eb0148

Summary

Overall, the current extension looks great and has an overall risk rating of: low.

Vulnerable Packages - Development
Risk: low

Vulnerability	Package	Service	Remediation	Risk
Missing Release of Resource afte...	inflight@1.0.6	snyk	[see advisory link]	medium
Regular Expression Denial of Ser...	underscore.string@3.3.5	snyk	[see advisory link]	high
CVE-2024-4067: CWE-1333, advisory link	micromatch	auditjs	[see advisory link]	medium

Outdated Packages
As reported via npm outdated:
(no explicit vulnerabilities reported, simply noting for completeness' sake.)

Package	Current	Wanted	Latest	Depended By
eslint-config-wikimedia	0.28.0	0.28.0	0.28.2	IPReputation
grunt-eslint	24.3.0	24.3.0	25.0.0	IPReputation
grunt-stylelint	0.20.0	0.20.0	0.20.1	IPReputation
stylelint-config-wikimedia	0.17.1	0.17.1	0.17.2	IPReputation

As reported via composer outdated:
(no explicit vulnerabilities reported, simply noting for completeness' sake.)

Package	Current	Latest	Notes
phpcsstandards/phpcsextra	1.1.2	1.2.1	A collection of sniffs and standards for use with PHP_CodeSniffer.
phpcsstandards/phpcsutils	1.0.9	1.0.12	A suite of utility functions for use with PHP_CodeSniffer
sabre/event	5.1.4	6.0.0	sabre/event is a library for lightweight event-based programming
squizlabs/php_codesniffer	3.8.1	3.10.1	PHP_CodeSniffer tokenizes PHP, JavaScript and CSS files and detects violations o...

General code health score
Risk: low.

The Wikimedia code health check tool returned a weighted risk score of 34.10 (which is low).

+-----------+----------+----------+------+---------------+---------------+--------------+-------------+------------+--------------+-----------+---------------+
| Vuln Pkgs | Pkg Mgmt | Test Cov | SAST | Non-auto Cmts | Uniq Contribs | Contrib Conc | Lang Guides | Staff Supp | Task Backlog | Code Stew | Weighted Risk |
+===========+==========+==========+======+===============+===============+==============+=============+============+==============+===========+===============+
|         0 |        4 |        3 |    0 |            10 |            10 |            7 |           7 |         10 |            0 |         0 |         34.10 |
+-----------+----------+----------+------+---------------+---------------+--------------+-------------+------------+--------------+-----------+---------------+

sbassett closed this task as Resolved.Jun 17 2024, 9:58 PM

sbassett triaged this task as Low priority.

sbassett moved this task from In Progress to Our Part Is Done on the secscrum board.

sbassett moved this task from In Progress to Done on the user-sbassett board.

Application Security Review Request : Extension:IPReputationClosed, ResolvedPublicActions

Description

Details

Related ObjectsSearch...

Event Timeline

Application Security Review Request : Extension:IPReputation
Closed, ResolvedPublic
Actions

Related Objects
Search...