Page MenuHomePhabricator
Create Task
Maniphest T384244

CVE-2025-32079:Saving the right content to MediaWiki:GrowthMentors.json can take down the site
Closed, ResolvedPublicSecurity
Actions

Description

MediaWiki:GrowthMentors.json is a part of community configuration, meaning its content is processed on request. This means its content needs to be carefully validated on each read and write, to ensure its content meets the code authors' assumptions and to avoid any fatal errors (which would take the site down). For this file, the validation is supposed to be handled by StructuredMentorListValidator class, called from ConfigHooks.

Unfortunately, the validation is currently broken (as an unintended side effect of T383330: Deprecate calling legacy Community Configuration). This means it is possible to abuse write access to MediaWiki:GrowthMentors.json to take down the site for at least some of its users. An example page content that would do this is this:

{
	"Mentors": {
		"43912": {
			"weight": "tramvaj"
		}
	}
}

With this as the content, any user who has user ID 43912 as their mentor assigned will experience fatal errors that look like this:

[58aa3efe-af0c-96f0-bdd8-67655dc99d32] /w/api.php?action=query&meta=userinfo TypeError: Argument 4 passed to GrowthExperiments\Mentorship\Mentor::__construct() must be of the type int, string given, called in /srv/mediawiki/php-1.44.0-wmf.12/extensions/GrowthExperiments/includes/Mentorship/Provider/AbstractStructuredMentorProvider.php on line 90

Backtrace:

from /srv/mediawiki/php-1.44.0-wmf.12/extensions/GrowthExperiments/includes/Mentorship/Mentor.php(29)
#0 /srv/mediawiki/php-1.44.0-wmf.12/extensions/GrowthExperiments/includes/Mentorship/Provider/AbstractStructuredMentorProvider.php(90): GrowthExperiments\Mentorship\Mentor->__construct(MediaWiki\User\UserIdentityValue, null, string, string)
#1 /srv/mediawiki/php-1.44.0-wmf.12/extensions/GrowthExperiments/includes/Mentorship/Provider/AbstractStructuredMentorProvider.php(63): GrowthExperiments\Mentorship\Provider\AbstractStructuredMentorProvider->newFromMentorDataAndUserIdentity(array, MediaWiki\User\UserIdentityValue, MediaWiki\User\User)
#2 /srv/mediawiki/php-1.44.0-wmf.12/extensions/GrowthExperiments/includes/Mentorship/MentorPageMentorManager.php(134): GrowthExperiments\Mentorship\Provider\AbstractStructuredMentorProvider->newMentorFromUserIdentity(MediaWiki\User\UserIdentityValue, MediaWiki\User\User)
#3 /srv/mediawiki/php-1.44.0-wmf.12/extensions/GrowthExperiments/includes/Mentorship/MentorPageMentorManager.php(181): GrowthExperiments\Mentorship\MentorPageMentorManager->getMentorForUser(MediaWiki\User\User, string)
#4 /srv/mediawiki/php-1.44.0-wmf.12/extensions/GrowthExperiments/includes/HelpPanelHooks.php(273): GrowthExperiments\Mentorship\MentorPageMentorManager->getMentorForUserSafe(MediaWiki\User\User)
#5 /srv/mediawiki/php-1.44.0-wmf.12/extensions/GrowthExperiments/includes/HelpPanelHooks.php(197): GrowthExperiments\HelpPanelHooks->getMentorData(GrowthExperiments\Config\MediaWikiConfigReaderWrapper, MediaWiki\User\User, MediaWiki\Context\DerivativeContext, LanguageEn)
#6 /srv/mediawiki/php-1.44.0-wmf.12/includes/HookContainer/HookContainer.php(159): GrowthExperiments\HelpPanelHooks->onBeforePageDisplay(MediaWiki\Output\OutputPage, SkinApi)
#7 /srv/mediawiki/php-1.44.0-wmf.12/includes/HookContainer/HookRunner.php(991): MediaWiki\HookContainer\HookContainer->run(string, array, array)
#8 /srv/mediawiki/php-1.44.0-wmf.12/includes/Output/OutputPage.php(3198): MediaWiki\HookContainer\HookRunner->onBeforePageDisplay(MediaWiki\Output\OutputPage, SkinApi)
#9 /srv/mediawiki/php-1.44.0-wmf.12/includes/api/ApiFormatBase.php(349): MediaWiki\Output\OutputPage->output()
#10 /srv/mediawiki/php-1.44.0-wmf.12/includes/api/ApiMain.php(2240): MediaWiki\Api\ApiFormatBase->closePrinter()
#11 /srv/mediawiki/php-1.44.0-wmf.12/includes/api/ApiMain.php(1029): MediaWiki\Api\ApiMain->printResult(int)
#12 /srv/mediawiki/php-1.44.0-wmf.12/includes/api/ApiMain.php(953): MediaWiki\Api\ApiMain->handleException(TypeError)
#13 /srv/mediawiki/php-1.44.0-wmf.12/includes/api/ApiMain.php(915): MediaWiki\Api\ApiMain->executeActionWithErrorHandling()
#14 /srv/mediawiki/php-1.44.0-wmf.12/includes/api/ApiEntryPoint.php(153): MediaWiki\Api\ApiMain->execute()
#15 /srv/mediawiki/php-1.44.0-wmf.12/includes/MediaWikiEntryPoint.php(202): MediaWiki\Api\ApiEntryPoint->execute()
#16 /srv/mediawiki/php-1.44.0-wmf.12/api.php(44): MediaWiki\MediaWikiEntryPoint->run()
#17 /srv/mediawiki/w/api.php(3): require(string)
#18 {main}

This is because "tramvaj" (or any string) is not a valid value for mentor weight (only non-negative integers are valid in this context).

The expected failover behaviour when MediaWiki:GrowthMentors.json has invalid content is to behave as if there were no mentors (until someone fixes the invalid content manually).

Details

Risk Rating
Low
Author Affiliation
WMF Product
Related Changes in Gerrit:
SubjectRepoBranchLines +/-
SECURITY: Register CommunityStructuredMentorListValidatormediawiki/extensions/GrowthExperimentsmaster+80 -1
Customize query in gerrit

Related Objects

Event Timeline

Urbanecm_WMF created this task.Jan 20 2025, 4:44 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJan 20 2025, 4:44 PM
JJMC89 added a project: GrowthExperiments-EditGrowthConfig.Jan 20 2025, 4:48 PM
Restricted Application added a project: Growth-Team. · View Herald TranscriptJan 20 2025, 4:48 PM
Urbanecm_WMF added subscribers: Sgs, Michael, Cyndymediawiksim and 3 others.Jan 20 2025, 4:48 PM

Security-Team: This is a mild Vuln-DoS. It requires two conditions for it to work: the attacker must be an administrator, plus the victim must have a mentor assigned (and Help Panel enabled). All accounts created since the deployment of Growth features would be vulnerable. I filled it as a security issue out of caution; feel free to publish if you deem it appropriate.

Urbanecm_WMF added projects: GrowthExperiments-Mentorship, CommunityConfiguration-Adoption, Vuln-DoS.Jan 20 2025, 4:49 PM
Urbanecm_WMF removed a project: GrowthExperiments-EditGrowthConfig.Jan 20 2025, 4:51 PM
Urbanecm_WMF added a subscriber: JJMC89.

@JJMC89: This is not an issue in EditGrowthConfig (legacy Community Configuration), but in the way how we migrated mentorship to the CommunityConfiguration extension. Updated the tags accordingly.

Urbanecm_WMF mentioned this in T384246: Allow extensions to register their own validators.Jan 20 2025, 5:04 PM
JJMC89 unsubscribed.Jan 20 2025, 5:05 PM
Urbanecm_WMF added a comment.Jan 20 2025, 5:06 PM

There are two ways how we can fix this:

  1. Finish T367575 (currently marked as stalled)
  2. Register StructuredMentorListValidator as a validator with community configuration, and rely on CommunityConfiguration running the validator (instead of running it ourselves). Requires first finishing T384246.

Option 2 is quicker, and it requires relatively little changes, but option 1 is the end goal.

@Sgs @Michael Do you have any thoughts on this?

Michael added a comment.Jan 21 2025, 2:01 PM

As discussed with @Urbanecm_WMF, let's go with Option 2. It is faster for now to create that capability in principle as @internal in a public change, and then have us making use of it as part of this security change.

Urbanecm_WMF added a comment.EditedJan 21 2025, 4:15 PM

T384244.patch3 KBDownload

Option 2 implemented in the patch above. @Michael @Sgs please approve via Phab, then I can deploy. T384246 has the matching CommunityConfiguration patch in Gerrit (with no context).

sbassett edited projects, added SecTeam-Processed; removed Security-Team.Jan 21 2025, 4:49 PM
sbassett changed Risk Rating from N/A to Low.
Urbanecm_WMF claimed this task.Jan 21 2025, 5:02 PM
Urbanecm_WMF triaged this task as High priority.
Urbanecm_WMF attached a referenced file: F58239732: T384244.patch. (Show Details)
Urbanecm_WMF edited projects, added Growth-Team (Current Sprint); removed Growth-Team.
Urbanecm_WMF moved this task from Incoming to Code Review on the Growth-Team (Current Sprint) board.
Michael added a comment.Jan 21 2025, 7:18 PM

I applied the patch locally and can confirm that it re-enables the previous validation. In particular, I can no longer save a string for the weight, or an integer for the username or message.

Some other mischief seems still possible (saving too long an intro message, etc.) but that does not seem security-relevant.

Thus, I'm giving my virtual +2 to the patch above.

Urbanecm_WMF mentioned this in T384445: Manual edits to MediaWiki:GrowthMentors.json allow mentors to set too long messages (longer than 240 characters).Jan 22 2025, 10:47 AM
Urbanecm_WMF added a comment.Jan 22 2025, 1:52 PM
In T384244#10481464, @Michael wrote:

Some other mischief seems still possible (saving too long an intro message, etc.) but that does not seem security-relevant.

Right. The previous code interpreted warnings as blocking, while the new code doesn't do that (instead, we have the validatePermissively concept). We can fix that later, I filled T384445 (privately for now) to ensure we do not forget that.

Urbanecm_WMF added a comment.EditedJan 22 2025, 1:57 PM
14:56 <urbanecm> !log Deployed security patch for T384244
14:56 <+stashbot> Logged the message at https://wikitech.wikimedia.org/wiki/Server_Admin_Log

Deployed to production (including the corresponding CommunityConfiguration change).

Urbanecm_WMF added a subscriber: sbassett.Jan 22 2025, 1:58 PM

@sbassett Is it ok for us to backport this to Gerrit at this point? Or is there anything else your team would like to do first? For the record, GrowthExperiments is a regular extension (that is not a part of the release tarball).

Urbanecm_WMF moved this task from Code Review to QA on the Growth-Team (Current Sprint) board.Jan 22 2025, 2:17 PM
sbassett added a subscriber: gerritbot.Jan 24 2025, 4:45 PM
In T384244#10484015, @Urbanecm_WMF wrote:

@sbassett Is it ok for us to backport this to Gerrit at this point? Or is there anything else your team would like to do first? For the record, GrowthExperiments is a regular extension (that is not a part of the release tarball).

Yes. I'll add it for the next supplemental release as well. Thanks.

sbassett mentioned this in T382326: Write and send supplementary release announcement for extensions and skins with security patches (1.39.12/1.42.6/1.43.1).Jan 24 2025, 4:50 PM
gerritbot added a comment.Jan 24 2025, 5:06 PM

Change #1114020 had a related patch set uploaded (by Urbanecm; author: Urbanecm):

[mediawiki/extensions/GrowthExperiments@master] SECURITY: Register CommunityStructuredMentorListValidator

https://gerrit.wikimedia.org/r/1114020

gerritbot added a project: Patch-For-Review.Jan 24 2025, 5:06 PM
gerritbot added a comment.Jan 24 2025, 7:48 PM

Change #1114020 merged by jenkins-bot:

[mediawiki/extensions/GrowthExperiments@master] SECURITY: Register CommunityStructuredMentorListValidator

https://gerrit.wikimedia.org/r/1114020

Jdforrester-WMF added a project: MW-1.44-notes (1.44.0-wmf.14; 2025-01-28).Jan 24 2025, 9:33 PM
Urbanecm_WMF removed a project: Patch-For-Review.Jan 28 2025, 8:16 AM
Etonkovidova closed this task as Resolved.Jan 29 2025, 1:21 AM

Checked in beta cluster and testwiki wmf.14 - MediaWiki:GrowthMentors.json handles invalid input correctly, i.e. the input is not save, the error message is displayed to a user.

Etonkovidova awarded a token.Jan 29 2025, 1:22 AM
Urbanecm_WMF added a comment.Feb 3 2025, 9:58 PM
In T384244#10492949, @sbassett wrote:
In T384244#10484015, @Urbanecm_WMF wrote:

@sbassett Is it ok for us to backport this to Gerrit at this point? Or is there anything else your team would like to do first? For the record, GrowthExperiments is a regular extension (that is not a part of the release tarball).

Yes. I'll add it for the next supplemental release as well. Thanks.

Given the issue was fixed publicly, is it OK to publish the task at this point? It would allow us to publish & fix T384445 as well (which does not have security implications, but would enable anyone to guess the existence of this task as well).

sbassett added a comment.Feb 3 2025, 10:26 PM
In T384244#10519192, @Urbanecm_WMF wrote:

Given the issue was fixed publicly, is it OK to publish the task at this point?

Yes, totally fine.

Urbanecm changed the visibility from "Custom Policy" to "Public (No Login Required)".Feb 3 2025, 10:47 PM
Urbanecm changed the edit policy from "Custom Policy" to "All Users".
Urbanecm_WMF added a comment.Feb 3 2025, 10:47 PM
In T384244#10519218, @sbassett wrote:
In T384244#10519192, @Urbanecm_WMF wrote:

Given the issue was fixed publicly, is it OK to publish the task at this point?

Yes, totally fine.

Done. Thank you!

Xaosflux mentioned this in T386826: Placing unexpected data in MediaWiki:GrowthMentors.json causes internal errors.Feb 19 2025, 3:06 PM
Mstyles renamed this task from Saving the right content to MediaWiki:GrowthMentors.json can take down the site to CVE-2025-32079:Saving the right content to MediaWiki:GrowthMentors.json can take down the site.Apr 11 2025, 5:02 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits