Page MenuHomePhabricator
Create Task
Maniphest T71623

Graph extension security review
Closed, ResolvedPublic
Actions

Description

Please sec review https://www.mediawiki.org/wiki/Extension:Graph

Version: unspecified
Severity: normal

Details

Reference
bz69623

Related Objects

Event Timeline

bzimport raised the priority of this task from to Needs Triage.Nov 22 2014, 3:35 AM
bzimport added a project: MediaWiki-extensions-Other.
bzimport set Reference to bz69623.
Yurik created this task.Aug 15 2014, 7:23 PM
csteipp added a comment.Aug 15 2014, 9:25 PM

So far, I've found two issues in the Vega library makes this extension undeployable on public wikis:

  • Privacy violation with unrestricted xhr loads Anyone can put Something like <graph>{"width": 0, "height": 0, "data": [{"url": "//www.whatever.com/track.php"}] }</graph> and vega happily loads the url without user interaction.
  • Stored XSS through the "filter" config. You can put arbitrary javascript in in the filter test, and it gets executed.

On a wiki where only users with interface editing rights can edit the graph config, this is fine as it doesn't do anything beyond what raw html can do. But are these issues fixable, if you're intending to deploy this on public wikis?

csteipp added a comment.Sep 14 2014, 9:37 PM

The new vega library is an improvement, but I think there's a flaw in how they did the domain comparison:

return vg.config.domainWhiteList.some(function(d) {

return d === domain ||
  domain.lastIndexOf("."+d) === (domain.length - d.length - 1);

});

If "."+d doesn't exist in domain, lastIndexOf will return -1. So if d.length and domain.length are exactly the same length (but different), then -1 === -1, so the invalid domain would get through. I think you want to just take the substring of d which is the last domain.length characters, and then do a strict comparison.

Yurik added a comment.Sep 14 2014, 9:49 PM

thanks, good catch, fixing :)

Yurik added a comment.Sep 15 2014, 12:57 AM

Graph ext patch: https://gerrit.wikimedia.org/r/#/c/160369/

Upstream pull request: https://github.com/trifacta/vega/pull/217

csteipp added a comment.Sep 15 2014, 4:18 PM

Ok, the rest of it should be safe.

I would certainly encourage you to make the extension default to safe mode, and using the local wiki as the default whitelisted domain, so an admin has to explicitly enable insecure features. But since you're anxious to get this deployed, we can put it on wmf wikis as is, as long as we always configure the whitelist.

Yurik added a comment.Sep 17 2014, 10:52 PM

Chris, thanks, and the defaults have always been exactly as you describe - extension sets wgEnableGraphParserTag=false and wgGraphDataDomains=[] by default.

csteipp added a comment.Oct 3 2014, 11:27 PM

(In reply to Yuri Astrakhan from comment #6)

Chris, thanks, and the defaults have always been exactly as you describe -
extension sets wgEnableGraphParserTag=false and wgGraphDataDomains=[] by
default.

Sorry, what I meant was in js/graph.js, you have

if (vg.config.domainWhiteList) {
vg.config.safeMode = true;
}

I'm not sure any js engines interpret [] == false, but something like this would feel safer to me (more fail safe):

vg.config.safeMode = true;
if ( vg.config.domainWhiteList === false ) {
vg.config.safeMode = false;
}

Yurik added a comment.Oct 4 2014, 12:06 AM

Thx, please take a look at https://gerrit.wikimedia.org/r/#/c/164708/

Liuxinyu970226 edited projects, added: MediaWiki-extensions-Graph; removed: MediaWiki-extensions-Other.Sep 16 2018, 12:26 PM
sbassett mentioned this in T335051: Application Security Review Request : Vega 5 and related dependencies for ext:Graph.Apr 19 2023, 4:30 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits