Have a security review of wikimetrics once we're ready for it.
UPDATE: review done, most issues are relatively quick and easy to fix
Author: ggellerman, Dec 4 2014, 9:46 PM
Attachment: F26637844: security-review-reports.tgz (Oct 19 2018, 8:02 PM)
Status | Subtype | Assigned | Task
---|---|---|---
Resolved | | None | T76726 EPIC: Productionizing Wikimetrics {dove}
Resolved | | sbassett | T76782 security review of Wikimetrics
Umm, so this was filed in 2014. What is wikimetrics? Is it something that (still) needs a security review?
What is wikimetrics?
https://phabricator.wikimedia.org/project/profile/631/ links to https://www.mediawiki.org/wiki/Analytics/Wikimetrics links to https://metrics.wmflabs.org/
Yeah, pretty sure @Aklapper is correct and this is https://metrics.wmflabs.org/. I'm not sure if it's still based on https://github.com/rfaulkner/wikipedia_user_metrics or if it's a rewrite, but it seems likely that's the source origin. It runs on Cloud VPS for now and even has an appropriate privacy policy, so that's nice. One issue I do have with it at the moment is that http://metrics.wikimedia.org/ redirects to https://metrics.wmflabs.org/. This is in violation of long-standing policy to never redirect from a realm of high security to one of low security, i.e. if you get something on Cloud Services when you were led to believe it was a *.wikimedia.org property, that's improper. I'm looking to see if that's written down anywhere, but it's been a long-standing position of the Labs/Cloud Services team. I'm surfacing this issue in another place soon, so I'm not concerned about it being addressed in this context. It may be useful for someone to look over the OAuth code since this is treated as semi-official at least, but my guess is it's not high priority.
Hey all-
I was going to take a first crack at this. It probably makes sense to reach out to Dan as a first step to confirm the status of the tool. Seems to still be actively used/developed - last commit in May 2018: https://gerrit.wikimedia.org/g/analytics/wikimetrics/+/refs/heads/master. Github repo seems way out-of-date, so I'm guessing that's not really mirrored. It appears Wikimetrics replaced User_Metrics, which seems completely dead according to https://www.mediawiki.org/wiki/User_Metrics, along with the gerrit repo and pydoc on stat1.wikimedia.org no longer existing. I was going to focus on SA and general code-quality stuff. Looks like it's been Dockerized, which should aid in analysis/testing. Also might make sense to look at the deploy repo: https://github.com/wikimedia/analytics-wikimetrics-deploy
Got a response email from Dan/milimetric, tracking here:
- The tool is still actively used (metrics.wmflabs.org) - seems to be, just wanted to confirm.
Yes, but it's a very very low priority tool for our team (we work on at least 10 other projects that are higher priority). So if you have other more pressing reviews to do, keep this in mind. The userbase is very small, and the data it's accessing is all 100% public (since it runs on the cloud with only access to the public databases).
- That master would be a good branch to work from: https://gerrit.wikimedia.org/g/analytics/wikimetrics/+/refs/heads/master
Yep, that's the latest code.
I’d basically plan to get the Docker dev env spun up and run varying linter/sa tools against the code, poke around for config issues and maybe attempt some pen/dos attacks.
There are some problems getting the code working, as nobody's looked at it in a while. We filed some tasks but since it's low priority they're just sitting there: https://phabricator.wikimedia.org/T193783, https://phabricator.wikimedia.org/T193780
Docker fixes @ https://phabricator.wikimedia.org/T193780 (w/ https://gerrit.wikimedia.org/r/464059/), though flake8 tests failing, unrelated to my patch :/
Next: sec report template creation, doc, automated tests (might be gnarly) and manual code review.
Security Review Summary - October 2018
Overall, the current wikimetrics code (https://gerrit.wikimedia.org/g/analytics/wikimetrics/+/refs/heads/master) seems to be in good shape, even 4 years post-launch :) Many good things - a solid web framework (Flask) leveraging abstraction layers (Jinja for html templates, SqlAlchemy for ORM, etc.) and clean code. I've listed some items I found during my security review of the app - there's nothing I would consider critical, especially for a 4-year-old app behind oauth which apparently does not receive much traffic. Please let me know if there are any questions or if I can provide more clarity regarding any issues.
Vulnerable Python Packages
As reported by safety via requirements.txt:
Vulnerable JavaScript Libraries
As found via https://nvd.nist.gov/, https://snyk.io/vuln, etc:
Security Headers
Like many mw-related apps, wikimetrics doesn't fare very well here. Not a major issue, but could be iteratively improved upon within future wikimetrics releases: https://securityheaders.com/?q=https%3A%2F%2Fmetrics.wmflabs.org%2F&followRedirects=on
Python-Taint Findings
python-taint found untrusted user data making its way unscathed to some database calls within wikimetrics/wikimetrics/controllers/demo.py. This would be fairly low risk since the two relevant endpoints and supplemental code can only be reached within the app's DEBUG mode, though it would be good to ensure these variables are properly cleaned for a future wikimetrics release:
Backup/Temporary Files
Should be harmless, but could be cleaned up or archived:
HTTP Leaks
A few HTTP leaks from external js, though I understand this app falls under a different pp than other mw projects, so this may not be an issue:
Potential DoS With File Uploads
For the application route /cohorts/upload, I was able to reveal some basic signs of a potential DoS when working with larger files. I created some large data files with random bytes via dd and attempted to upload these files via my local Docker instance of wikimetrics. I noticed some general performance issues and errors after submission. I then attempted to submit a large data file (~ 300 Mb) against https://metrics.wmflabs.org/cohorts/upload and was able to temporarily exhaust nginx resources. Setting app.config['MAX_CONTENT_LENGTH'] within wikimetrics/configurables.py catches large upload files early and throws an exception.
Potential CSRF Issues
As noted within a couple of TODOs within the code, CSRF or some other mechanism could be implemented within various JS file upload libraries to harden the app within:
Supplemental Materials
Please also find attached the output from a handful of Python-specific analysis tools I ran against wikimetrics. Where possible I attempted to configure these tools for certainty and specifically targeting performance and security issues:
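The upload-size finding above recommends `app.config['MAX_CONTENT_LENGTH']`, which makes Werkzeug reject an oversized body before the Flask view reads it, and the Security Headers section points at a securityheaders.com scan. The following is an added illustration written for this page, not wikimetrics code and not part of the review, showing the same two mechanisms explicitly as a stdlib-only WSGI middleware: an early rejection based on the declared `Content-Length`, a read cap for bodies whose declared length is missing or understated, and baseline security response headers. The route, the 1024-byte limit, the header values and the `upload_app` stand-in handler are assumptions chosen for the example.

```python
# Added example, not wikimetrics code: a stdlib-only WSGI middleware that
# does what Flask's app.config['MAX_CONTENT_LENGTH'] does inside Werkzeug
# (reject an oversized request body before the app reads it) and adds
# baseline security response headers.  Limit, route and header values are
# assumptions for the illustration.
import io
import sys
from wsgiref.util import setup_testing_defaults

MAX_UPLOAD_BYTES = 1024  # assumed limit for the example; real limits are larger

# Baseline headers a securityheaders.com scan checks for.  The CSP value is a
# placeholder and must be tuned to the app's real script/style sources.
SECURITY_HEADERS = [
    ("X-Content-Type-Options", "nosniff"),
    ("X-Frame-Options", "DENY"),
    ("Referrer-Policy", "strict-origin-when-cross-origin"),
    ("Content-Security-Policy", "default-src 'self'"),
]


class RequestTooLarge(Exception):
    """Body exceeded the limit while being read (missing/false Content-Length)."""


class LimitedInput:
    """Wraps wsgi.input so the app can never consume more than max_bytes."""

    def __init__(self, stream, max_bytes):
        self._stream = stream
        self._remaining = max_bytes

    def read(self, size=-1):
        # read() with no size asks for one byte past the budget so an
        # over-limit body is detected instead of silently truncated.
        want = size if size >= 0 else self._remaining + 1
        chunk = self._stream.read(want)
        self._remaining -= len(chunk)
        if self._remaining < 0:
            raise RequestTooLarge()
        return chunk


class UploadLimitMiddleware:
    def __init__(self, app, max_bytes=MAX_UPLOAD_BYTES):
        self.app = app
        self.max_bytes = max_bytes

    def __call__(self, environ, start_response):
        def secured_start_response(status, headers, exc_info=None):
            # Add each security header unless the app already set it.
            present = {name.lower() for name, _ in headers}
            for name, value in SECURITY_HEADERS:
                if name.lower() not in present:
                    headers.append((name, value))
            return start_response(status, headers, exc_info)

        def reject(status, exc_info=None):
            body = status.encode()
            secured_start_response(status, [("Content-Type", "text/plain"),
                                             ("Content-Length", str(len(body)))],
                                   exc_info)
            return [body]

        # Cheap early check on the declared length: no body bytes are read.
        try:
            declared = int(environ.get("CONTENT_LENGTH") or 0)
        except ValueError:
            return reject("400 Bad Request")
        if declared < 0:
            return reject("400 Bad Request")
        if declared > self.max_bytes:
            return reject("413 Request Entity Too Large")

        # The declared length can be absent or false, so also cap actual reads.
        environ["wsgi.input"] = LimitedInput(environ["wsgi.input"], self.max_bytes)
        try:
            return self.app(environ, secured_start_response)
        except RequestTooLarge:
            return reject("413 Request Entity Too Large", sys.exc_info())


def upload_app(environ, start_response):
    """Assumed stand-in for an upload handler: reads the whole request body."""
    data = environ["wsgi.input"].read()
    body = b"stored %d bytes" % len(data)
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [body]


def run_request(app, body, declare_length=True):
    """Drive a WSGI app with a constructed POST; returns (status, headers, body)."""
    environ = {}
    setup_testing_defaults(environ)
    environ.update({"REQUEST_METHOD": "POST", "PATH_INFO": "/cohorts/upload",
                    "wsgi.input": io.BytesIO(body)})
    if declare_length:
        environ["CONTENT_LENGTH"] = str(len(body))
    else:
        environ.pop("CONTENT_LENGTH", None)  # e.g. chunked transfer encoding
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, dict(headers)

    out = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], out


if __name__ == "__main__":
    app = UploadLimitMiddleware(upload_app, MAX_UPLOAD_BYTES)
    print(run_request(app, b"x" * 100)[0])                        # 200 OK
    print(run_request(app, b"x" * 5000)[0])                       # 413 early
    print(run_request(app, b"x" * 5000, declare_length=False)[0]) # 413 mid-read
```

The early `Content-Length` check is what keeps an oversized upload from costing the worker any body reads, which is the behaviour the review attributes to `MAX_CONTENT_LENGTH`; the read cap covers clients that omit or understate the header, and the header-adding wrapper applies to rejections as well as normal responses.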