
Application Security Review Request : New Plugins for Upcoming WMF & WEND Digital Annual Reports - WordPress
Open, Needs Triage, Public

Description

Following @Cleo_Lemoisson's recommendation, we are requesting an Application Security review of the Annual Report Plugin, currently in development and targeted for completion by the end of March. We anticipate the security review to occur in Q4, once the plugin is fully deployed and operational.

Project Information

Name of tool/project

Name of team requesting review
External Comms, Integrated Marketing

Primary contact
@SCampos-WMF

Target date for deployment
March 31st, 2024

Link to code repository
https://github.com/wikimedia/wikimedia-wordpress-annual-report-plugin

Description of the project and the tools, and how they will be used at WMF
This plugin is intended for use in our forthcoming digital Annual Report, which will be published on both the wikimediafoundation.org and wikimediaendowment.org WordPress websites, using the annual report plugin.
Please be aware that due to our tight deadlines, we've integrated three external plugins to enhance storytelling and data visualization:

  • Ultimate Maps Plugin: to develop an interactive map that will allow readers to click on stories from around the world, see videos and read stories about the impact of Wikipedia and WMF projects.
  • Cool Timeline Pro Plugin: to develop a timeline on the Annual report to visually present the foundation's key achievements and milestones throughout the years.
  • CSS Animations for Gutenberg Blocks Plugin: to enhance the report's interactivity by incorporating animations.

Has this project been reviewed before?
No. It has already been reviewed by the Privacy team though, check here.

Working test environment
WMF: https://wikimediafoundation-org-preprod.go-vip.net/
WEND: https://wikimediaendowment-org-develop.go-vip.co/

Post-deployment
Please reach out to @SCampos-WMF or @Ospingou.

Please let me know if you need any additional information. Thank you in advance!

Details

Risk Rating
Low
Author Affiliation
WMF Communications Dept

Event Timeline

Hi @mmartorana, just wanted to flag that we ended up not using the Ultimate Maps Plugin; there is no need to review that one. Thank you!

Security Review Summary - T360365 - 2024-06-27

Overall, the Wikimedia WordPress Annual Report plugin appears to be in good shape in terms of security. It has no vulnerable dependencies, and the reported vulnerable packages are only dev dependencies or transitive dependencies, which do not pose a security risk.
The static analysis findings appear to be either low risk or false positives.
I recommend addressing the minor leaks in the git history by ensuring the leaked tokens are inactive and, if possible, removing them from the git history altogether.

Both reviewed WordPress plugins do not seem to pose a significant risk if kept updated to the latest versions. However, since they are supported by only one or a few developers, it is advisable to exercise caution.

The overall risk rating is: low.

wikimedia-wordpress-annual-report-plugin

General Security Information

| Statistic/Info | Value | Risk |
| --- | --- | --- |
| Repository | github | none |
| Relevant tag/branch | master | none |
| Last commit reviewed (if relevant) | 53dc3d9 | none |

Vulnerable Packages - Development

| Vulnerability | Package | Service | Remediation | Risk |
| --- | --- | --- | --- | --- |
| https://osv.dev/GHSA-grv7-fg5c-xmjg | braces@3.0.2 | osv | [see advisory link] | [see advisory link] |
| https://osv.dev/GHSA-3h5v-q93c-6h6q | ws@7.5.9 | osv | [see advisory link] | [see advisory link] |
| https://osv.dev/GHSA-3h5v-q93c-6h6q | ws@8.13.0 | osv | [see advisory link] | [see advisory link] |
| https://osv.dev/GHSA-3h5v-q93c-6h6q | ws@8.16.0 | osv | [see advisory link] | [see advisory link] |
| https://osv.dev/GHSA-3h5v-q93c-6h6q | ws@8.5.0 | osv | [see advisory link] | [see advisory link] |

Outdated Packages
As reported via npm outdated:
(no explicit vulnerabilities reported, simply noting for completeness' sake.)

| Package | Wanted | Latest (Remediation) |
| --- | --- | --- |
| countup.js | 2.8.0 | 2.8.0 |
| lottie-web | 5.12.2 | 5.12.2 |
| mapbox-gl | 3.4.0 | 3.4.0 |

As reported via composer outdated:
(no explicit vulnerabilities reported, simply noting for completeness' sake.)

| Package | Current | Latest | Description |
| --- | --- | --- | --- |
| automattic/vipwpcs | 2.0.0 | 3.0.1 | PHP_CodeSniffer rules (sniffs) to enforce WordPress VIP minimum coding conventio... |
| dealerdirect/phpcodesniffer-composer-installer | v0.7.2 | v1.0.0 | PHP_CodeSniffer Standards Composer Installer Plugin |
| fig-r/psr2r-sniffer | 0.5.2 | 2.1.0 | Code-Sniffer, Auto-Fixer and Tokenizer for PSR2-R |
| phpcompatibility/phpcompatibility-paragonie | 1.3.2 | 1.3.3 | A set of rulesets for PHP_CodeSniffer to check for PHP cross-version compatibili... |
| phpcompatibility/phpcompatibility-wp | 2.1.4 | 2.1.5 | A ruleset for PHP_CodeSniffer to check for PHP cross-version compatibility issue... |
| squizlabs/php_codesniffer | 3.8.1 | 3.10.1 | PHP_CodeSniffer tokenizes PHP, JavaScript and CSS files and detects violations o... |
| wp-coding-standards/wpcs | 2.3.0 | 3.1.0 | PHP_CodeSniffer rules (sniffs) to enforce WordPress coding conventions |

Static Analysis Findings
Risk: low
semgrep found 5 issues:

.github/workflows/php.yml
   ❯❯❱ yaml.github-actions.security.run-shell-injection.run-shell-injection
          Using variable interpolation `${{...}}` with `github` context data in a `run:` step could allow an  
          attacker to inject their own code into the runner. This would allow them to steal secrets and code. 
          `github` context data can have arbitrary user input and should be treated as untrusted. Instead, use
          an intermediate environment variable with `env:` to store the data and use the environment variable 
          in the `run:` script. Be sure to use double-quotes the environment variable, like this: "$ENVVAR".  
          Details: https://sg.run/pkzk                                                                        
                                                                                                              
           54┆ run: |
           55┆   git fetch origin ${{ github.base_ref }}:${{ github.base_ref }}
           56┆   git fetch origin ${{ github.head_ref }}:${{ github.head_ref }}
           57┆ 
                                         
    src/blocks/map/edit.js
   ❯❯❱ javascript.browser.security.insecure-document-method.insecure-document-method
          User controlled data in methods like `innerHTML`, `outerHTML` or `document.write` is an anti-pattern
          that can lead to XSS vulnerabilities                                                                
          Details: https://sg.run/LwA9                                                                        
                                                                                                              
          115┆ markerDiv.innerHTML =
          116┆   feature.properties.point_count_abbreviated;
                                         
    src/blocks/map/view.js
   ❯❯❱ javascript.browser.security.insecure-document-method.insecure-document-method
          User controlled data in methods like `innerHTML`, `outerHTML` or `document.write` is an anti-pattern
          that can lead to XSS vulnerabilities                                                                
          Details: https://sg.run/LwA9                                                                        
                                                                                                              
          262┆ markerDiv.innerHTML =
          263┆   feature.properties.point_count_abbreviated;
                                                                                  
    src/components/inner-block-slider/inner-block-single-display.js
   ❯❯❱ javascript.browser.security.insecure-document-method.insecure-document-method
          User controlled data in methods like `innerHTML`, `outerHTML` or `document.write` is an anti-pattern
          that can lead to XSS vulnerabilities                                                                
          Details: https://sg.run/LwA9                                                                        
                                                                                                              
           51┆ styleRef.current.innerHTML = `#inner-block-display-single-${ parentBlockId } > *:not(:nth-
               child(${                                                                                  
           52┆   currentItemIndex + 1
           53┆ }) ) { display: none; }`;
                                               
    src/features/welcome-page.js
   ❯❯❱ javascript.browser.security.insecure-document-method.insecure-document-method
          User controlled data in methods like `innerHTML`, `outerHTML` or `document.write` is an anti-pattern
          that can lead to XSS vulnerabilities                                                                
          Details: https://sg.run/LwA9                                                                        
                                                                                                              
           52┆ button.innerHTML = title;

bearer reported the same issues as semgrep plus some low-risk ones.
sh-scan reported no SAST issues and some vulnerable indirect dependencies; therefore low risk.
lockfile-lint reported no issues: low risk.
git-secrets reported false positives: low risk.
whispers reported false positives: low risk.
horusec reported false positives: low risk.
snyk reported no issues: low risk.
gitleaks reported some findings. It appears these issues have been addressed in the latest commit, but the tokens are still visible in the Git history. To ensure security, the tokens should be deactivated, and the Git history should be rewritten to remove them completely. low risk (see raw output: P65530)

General code health score
Risk:.

  1. The Wikimedia code health check tool returned a weighted risk score of 23.
+-----------+----------+----------+------+---------------+---------------+--------------+-------------+------------+--------------+-----------+---------------+
| Vuln Pkgs | Pkg Mgmt | Test Cov | SAST | Non-auto Cmts | Uniq Contribs | Contrib Conc | Lang Guides | Staff Supp | Task Backlog | Code Stew | Weighted Risk |
+===========+==========+==========+======+===============+===============+==============+=============+============+==============+===========+===============+
|         0 |        0 |       10 |    0 |             0 |            10 |            3 |           0 |         10 |            0 |         0 |         23.00 |
+-----------+----------+----------+------+---------------+---------------+--------------+-------------+------------+--------------+-----------+---------------+

Scorecard score
4.8 / 10 medium
(see raw output: P65485)

cool timeline

| Statistic/Info | Value | Risk |
| --- | --- | --- |
| Repository | wordpress | none |
| Total number of reviews | 306 | low |
| Code frequency | Monthly | low |
| Recent contributions to code (6 months) | 9 | low |
| Active developers | 1 | high |
| Current overall usage | 20.000+ | low |
| Disclosed Vulnerabilities | 3 | low |
| Issues resolved in the last two months | 2 out of 2 | low |

blocks animation

| Statistic/Info | Value | Risk |
| --- | --- | --- |
| Repository | wordpress | none |
| Total number of reviews | 30 | medium |
| Code frequency | Monthly | low |
| Recent contributions to code (6 months) | 13 | low |
| Active developers | 2 | medium |
| Current overall usage | 50.000+ | low |
| Disclosed Vulnerabilities | 0 | none |
| Issues resolved in the last two months | Not available | none |
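As an added illustration of the remediation semgrep describes for the `.github/workflows/php.yml` finding above (this is not the repository's own workflow; the trigger, permissions block, job name and checkout step are assumptions, and only the two `git fetch` lines come from the finding), the flagged step is shown beside a hardened version:

```yaml
# Added example, not the plugin's workflow. Trigger, permissions, job name and
# checkout step are assumed; the two `git fetch` lines are the ones semgrep flagged.
on: pull_request          # github.head_ref is the branch name chosen by the PR author

permissions:
  contents: read          # least privilege: this job only needs to read the repository

jobs:
  fetch-refs:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # Flagged pattern (kept as a comment): `${{ ... }}` is expanded into the
      # script text before bash runs it, so any shell metacharacters in the
      # branch name become part of the command line.
      # - run: |
      #     git fetch origin ${{ github.base_ref }}:${{ github.base_ref }}
      #     git fetch origin ${{ github.head_ref }}:${{ github.head_ref }}

      # Hardened: hand the values to the step through `env:` and read them as
      # double-quoted shell variables, so bash treats the content as data.
      - name: Fetch base and head refs
        env:
          BASE_REF: ${{ github.base_ref }}
          HEAD_REF: ${{ github.head_ref }}
        run: |
          git fetch origin "${BASE_REF}:${BASE_REF}"
          git fetch origin "${HEAD_REF}:${HEAD_REF}"
```

The same `env:` indirection applies to any other `github` context field that carries user-supplied text, such as pull request titles, commit messages or issue bodies.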