Page MenuHomePhabricator
Create Task
Maniphest T99355

Security review of Wikibase-Quality-Constraints - v1 branch
Closed, ResolvedPublic
Actions

Description

Please do a security review of Wikibase-Quality-Constraints
Thank you very much!

Gerrit:

Project

Repo: https://gerrit.wikimedia.org/r/#/admin/projects/mediawiki/extensions/WikidataQualityConstraints
Evaluated: f655fc3ea04d4c8b37f5a61a6b74ce258b024bb0
Dependencies:

  • wikibase/wikibase, wikibase/data-model, wikibase/quality
  • composer/installers

Review

Did we work with the team during the design phase? No

Data-flow diagram:

Architecture issues

  • (T101303) The update process is a manual ETL, and has to be run by a deployer for each data update. It's not clear why the database and tools need to live on the cluster.
  • The design behind FormatChecker makes the safety of the processing rely on the CSV not being hostile. Unless there's a way to indicate what needs to be in the regex and you build a known good regex, I'm not sure that check can be run in production. Also noted below as T101467.

Hardening

  • (T101305) Escape SQL input in the functions that interact with the DB
  • SpecialConstraintReport should use an HTMLForm, which will add csrf protection
  • (T101306) Use escaped() instead of text() when inserting messages into raw html
  • (T101308) Escape $entityId->getSerialization()
  • Document which function parameters are expected to be sanitized HTML, and when functions return HTML. If the safety of the returned HTML relies on an input parameter being properly sanitized, document that assumption.
  • (T101468 / T101469) CommonsLinkChecker: proxying user-controlled values is dangerous-- need to url encode any user controlled values, and the url needs to be https://. Need to check with ops that the url is accessible, I think you need to use the outbound proxy to access commons like that. Also, get_headers doesn't validate tls certificate, you need to use something that does.
  • UniqueValueChecker - if this isn't working, the class should be removed.

Vulnerabilities

  • T101341
  • (T101467) FormatChecker executes a regex from the Contstraint table-- stored regex DoS.

Non-security

  • The result messages are all hardcoded English-- those should be translatable.
  • The performance characteristics of this do not look good; you may want to work with @aaron to find better ways to do some of these things

Related Objects
Search...

Event Timeline

Tamslo created this task.May 16 2015, 11:03 AM
Tamslo raised the priority of this task from to Needs Triage.
Tamslo updated the task description. (Show Details)
Tamslo added projects: Wikibase-Quality, deprecated-security-team-reviews.
Tamslo added a parent task: T99354: Review and deploy Wikibase-Quality-Constraints on wikidata.org.
Tamslo added subscribers: Wikibase-Quality-Constraints, Aklapper.
Tamslo edited projects, added Wikibase-Quality-Constraints; removed Wikibase-Quality.May 16 2015, 11:11 AM
Tamslo set Security to None.
Lydia_Pintscher added a project: Wikidata.May 17 2015, 11:17 AM
Lydia_Pintscher subscribed.
Liuxinyu970226 subscribed.May 17 2015, 10:29 PM
csteipp added subscribers: Tamslo, csteipp.May 18 2015, 7:28 PM

@Tamslo, For each of these reviews (T99352, T99358, and T99355), can you link to the code repository for each? And can you provide a data-flow diagram (https://www.mediawiki.org/wiki/Security_for_developers/Architecture#Threat_modeling) for each as well? If you don't have them already, we can probably schedule an hour to draw them together at some point.

Tamslo updated the task description. (Show Details)May 20 2015, 1:25 PM
Tamslo updated the task description. (Show Details)
Tamslo added a comment.May 20 2015, 1:28 PM

@csteipp Done. We don't have such a diagram so far, scheduling an hour to draw them would be nice :)

Andreasburmeister moved this task from incoming to DOING on the Wikibase-Quality-Constraints board.May 24 2015, 7:22 PM
Andreasburmeister subscribed.May 27 2015, 2:25 PM
csteipp updated the task description. (Show Details)Jun 3 2015, 8:52 PM
csteipp added a comment.EditedJun 3 2015, 9:23 PM

DFD:

DFD-Ex:WikidataQualityConstraints.png (480×772 px, 33 KB)

csteipp updated the task description. (Show Details)Jun 4 2015, 12:06 AM
csteipp updated the task description. (Show Details)Jun 4 2015, 12:26 AM
csteipp updated the task description. (Show Details)Jun 4 2015, 11:47 PM
csteipp added a subscriber: aaron.
csteipp added a comment.Jun 4 2015, 11:53 PM

I'm done with the initial review. All the blockers need to get resolved before this is closed.

csteipp added a project: Security-Team.Jun 5 2015, 12:00 AM
csteipp moved this task from Incoming to In Progress on the Security-Team board.
csteipp moved this task from In Progress to Waiting on the Security-Team board.
soeren.oldag closed subtask T101306: Ex:WikidataQualityConstraints - (hardening) use escaped() instead of text() output when inserting messages into HTML as Resolved.Jun 5 2015, 9:34 AM
soeren.oldag closed subtask T101308: Ex:WikidataQualityConstraints - EntityId::getSerialization() is not guaranteed to be safe for HTML as Resolved.
soeren.oldag closed subtask T101305: Ex:WikidataQualityConstraints - (hardening) escape sql closer to the output. as Resolved.Jun 5 2015, 12:28 PM
csteipp reopened subtask T101308: Ex:WikidataQualityConstraints - EntityId::getSerialization() is not guaranteed to be safe for HTML as Open.Jun 5 2015, 5:12 PM
Lydia_Pintscher closed subtask T101303: Document architectural decisions for WikidataQuality extensions as Resolved.Jun 12 2015, 1:23 PM
Lydia_Pintscher moved this task from incoming to monitoring on the Wikidata board.Jun 12 2015, 1:31 PM
csteipp closed subtask T101468: Ex: WikibaseQualityConstraints - CommonsLinkChecker makes unsafe connections as Resolved.Jun 12 2015, 4:16 PM
csteipp closed subtask T101469: Ex: WikibaseQualityConstraints - CommonsLinkChecker should sanitize / escape user input in urls as Resolved.Jun 12 2015, 4:24 PM
csteipp closed subtask T101308: Ex:WikidataQualityConstraints - EntityId::getSerialization() is not guaranteed to be safe for HTML as Resolved.Jun 12 2015, 4:36 PM
Jonaskeutel closed subtask T101467: Ex: WikibaseQualityConstraints - remove or sanitize regex for FormatChecker as Resolved.Jun 18 2015, 4:59 PM
JanZerebecki subscribed.Jun 18 2015, 9:10 PM
Andreasburmeister added a comment.Jun 19 2015, 1:50 PM

Short clarification: Please review branch v1 on gerrit.

Tamslo added a project: Wikibase-Quality.Jun 19 2015, 2:43 PM
Tamslo moved this task from Backlog to Beyond our power on the Wikibase-Quality board.Jun 19 2015, 2:56 PM
Tamslo moved this task from DOING to incoming on the Wikibase-Quality-Constraints board.Jun 22 2015, 11:09 AM
csteipp renamed this task from Security review of Wikibase-Quality-Constraints to Security review of Wikibase-Quality-Constraints - v1 branch.Jun 22 2015, 8:24 PM
csteipp closed this task as Resolved.
csteipp claimed this task.
csteipp removed a subtask: Restricted Task.

OK, blockers have all been resolved for v1. We will need another review before violations are deployed.

csteipp moved this task from Waiting to Our Part Is Done on the Security-Team board.Jun 22 2015, 8:26 PM
Liuxinyu970226 unsubscribed.Jun 22 2015, 10:29 PM
JanZerebecki mentioned this in T103819: [Task] Security review of Wikibase-Quality-Constraints - master branch.Jun 25 2015, 10:55 AM
sbassett moved this task from Incoming to Done on the deprecated-security-team-reviews board.Apr 24 2019, 6:37 PM
chasemp removed a project: deprecated-security-team-reviews.Jan 8 2020, 4:14 PM
Aklapper removed a subscriber: Wikibase-Quality-Constraints.May 16 2023, 10:25 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits