
sbassett (Scott Bassett)
Application Security Engineer

User Details

User Since
Sep 12 2018, 3:52 PM (49 w, 4 d)
Availability
Available
IRC Nick
sbassett
LDAP User
SBassett
MediaWiki User
SBassett (WMF) [ Global Accounts ]

Recent Activity

Fri, Aug 23

sbassett added a comment to T229718: Security review for PageNotice extension.

The Security-Team is trying to get away from providing a "pass" or "thumbs up" for code during security reviews, as it assumes a level of accountability on our part which we cannot sustain. So we are adopting the more standard system of risk classification and risk ownership for our security reviews. This entails us performing a risk analysis during the review process and then assigning and communicating a level of risk to the requesters/owners of the code. The levels of risk we're using within our analyses are:

Fri, Aug 23, 3:11 PM · MediaWiki-extensions-PageNotice, Security-Team-Reviews

Thu, Aug 22

sbassett created P8964 Foundation wiki CSP.
Thu, Aug 22, 9:07 PM
sbassett created P8963 CentralNotice banner support CSP.
Thu, Aug 22, 9:06 PM
sbassett updated the language for P8962 Core CSP report-only from css to text.
Thu, Aug 22, 9:04 PM
sbassett updated the language for P8962 Core CSP report-only from php to css.
Thu, Aug 22, 9:04 PM
sbassett updated the language for P8962 Core CSP report-only from shell to php.
Thu, Aug 22, 9:03 PM
sbassett updated the language for P8962 Core CSP report-only from js to shell.
Thu, Aug 22, 9:03 PM
sbassett updated the language for P8962 Core CSP report-only from html to js.
Thu, Aug 22, 9:03 PM
sbassett created P8962 Core CSP report-only.
Thu, Aug 22, 9:03 PM
sbassett moved T227209: Security Review For Parsoid-PHP from Restricted Project Column to Restricted Project Column on the Restricted Project board.
Thu, Aug 22, 2:41 PM · Restricted Project, Parsoid-PHP, Security-Team-Reviews
sbassett closed T230576: XSS in edit summary for ex:MobileFrontend Special:Watchlist as Resolved.

Backports complete in gerrit, resolving task for now.

Thu, Aug 22, 2:18 PM · MW-1.34-notes (1.34.0-wmf.20; 2019-08-27), Vuln-XSS, MobileFrontend, Security

Wed, Aug 21

sbassett changed the visibility for T230576: XSS in edit summary for ex:MobileFrontend Special:Watchlist.
Wed, Aug 21, 9:30 PM · MW-1.34-notes (1.34.0-wmf.20; 2019-08-27), Vuln-XSS, MobileFrontend, Security
sbassett created T230951: Transfer ownership of mediawiki-security mailman list to Security Team.
Wed, Aug 21, 6:48 PM · Wikimedia-Mailing-lists, Operations
sbassett moved T216419: Security review - Wikibase Termbox Front End from Frozen to Archive on the Security-Team-Reviews board.
Wed, Aug 21, 3:29 PM · Restricted Project, Security-Team-Reviews
sbassett moved T216419: Security review - Wikibase Termbox Front End from Awaiting remediation to Frozen on the Security-Team-Reviews board.
Wed, Aug 21, 3:29 PM · Restricted Project, Security-Team-Reviews
sbassett closed T216419: Security review - Wikibase Termbox Front End as Resolved.

@WMDE-leszek @RazShuty - Just talked with @JBennett. Looks like everything is official re: risk ownership, so I'm going to resolve this task for now. Thanks everyone for all of the patience on working through this review and risk ownership assessment.

Wed, Aug 21, 3:29 PM · Restricted Project, Security-Team-Reviews
sbassett moved T227591: Security Concept Review for the machine vision middleware project from Awaiting remediation to Archive on the Security-Team-Reviews board.
Wed, Aug 21, 2:12 PM · Restricted Project, Machine vision, Product-Infrastructure-Team-Backlog, Security-Team-Reviews
sbassett closed T227591: Security Concept Review for the machine vision middleware project, a subtask of T226119: Build middleware to utilize machine vision API for structured data on commons depicts tag suggestion tool, as Resolved.
Wed, Aug 21, 2:11 PM · Epic, Machine vision, Product-Infrastructure-Team-Backlog
sbassett closed T227591: Security Concept Review for the machine vision middleware project as Resolved.

We're talking with them about what we're doing, and will follow up with them when we're code-complete.

Wed, Aug 21, 2:11 PM · Restricted Project, Machine vision, Product-Infrastructure-Team-Backlog, Security-Team-Reviews
sbassett moved T222806: Security Review for Vega 5 and Vega-Lite JavaScript Libraries from Frozen to Archive on the Security-Team-Reviews board.
Wed, Aug 21, 2:05 PM · Security-Team-Reviews, Upstream, JavaScript, Maps, Graphs
sbassett added a comment to T227209: Security Review For Parsoid-PHP.

Hey @ssastry - thanks for cutting the security review branch. @Reedy and I will plan to review that soon and reach out to @Arlolra with any questions.

Wed, Aug 21, 2:04 PM · Restricted Project, Parsoid-PHP, Security-Team-Reviews

Tue, Aug 20

sbassett triaged T230796: Deploy countermeasures to stop ongoing spambot attack at es.wikiquote 2019-08-20 [public task] as Normal priority.
Tue, Aug 20, 4:23 PM · Wikimedia-General-or-Unknown, Security-Team, Security
sbassett added a comment to T230796: Deploy countermeasures to stop ongoing spambot attack at es.wikiquote 2019-08-20 [public task].

@MarcoAurelio - +1'd both of these. I should be able to security-deploy these sometime today. Is it time to consider a project closure request?

Tue, Aug 20, 3:34 PM · Wikimedia-General-or-Unknown, Security-Team, Security
sbassett triaged T230805: Confirmation of flag assignment by other bureaucrats as Normal priority.
Tue, Aug 20, 2:47 PM · MediaWiki-User-management

Mon, Aug 19

sbassett moved T229718: Security review for PageNotice extension from Awaiting remediation to Archive on the Security-Team-Reviews board.
Mon, Aug 19, 2:02 PM · MediaWiki-extensions-PageNotice, Security-Team-Reviews
sbassett closed T229718: Security review for PageNotice extension, a subtask of T61245: Review the PageNotice extension for deployment, as Resolved.
Mon, Aug 19, 2:01 PM · MediaWiki-extensions-PageNotice, Wikimedia-extension-review-queue, Wikimedia-Extension-setup
sbassett closed T229718: Security review for PageNotice extension as Resolved.

Re number 6, there are already many avenues to deface the wiki if you have edit access to the MediaWiki: namespace. Editing MediaWiki:Sitenotice would have a similar effect as creating a page notice. I don't think the fact that this extension adds another avenue is of any special concern.

Mon, Aug 19, 2:01 PM · MediaWiki-extensions-PageNotice, Security-Team-Reviews

Sat, Aug 17

sbassett committed rEPNO212920de645a: Adding phan-taint-check support via extra field (authored by sbassett).
Adding phan-taint-check support via extra field
Sat, Aug 17, 11:09 PM

Fri, Aug 16

sbassett added a comment to T230576: XSS in edit summary for ex:MobileFrontend Special:Watchlist.

Update: CVE-2019-15124.

Fri, Aug 16, 9:43 PM · MW-1.34-notes (1.34.0-wmf.20; 2019-08-27), Vuln-XSS, MobileFrontend, Security
sbassett removed a project from T230576: XSS in edit summary for ex:MobileFrontend Special:Watchlist: Patch-For-Review.
Fri, Aug 16, 7:59 PM · MW-1.34-notes (1.34.0-wmf.20; 2019-08-27), Vuln-XSS, MobileFrontend, Security
sbassett lowered the priority of T230576: XSS in edit summary for ex:MobileFrontend Special:Watchlist from Unbreak Now! to High.
Fri, Aug 16, 7:51 PM · MW-1.34-notes (1.34.0-wmf.20; 2019-08-27), Vuln-XSS, MobileFrontend, Security
sbassett added a comment to T230576: XSS in edit summary for ex:MobileFrontend Special:Watchlist.

Patch tested locally, worked fine. Deployed patch to wmf/1.34.0-wmf.17 and tested. I'll request another CVE for this one. Once I have the id, I'll make this task public and backport to master and supported release branches in gerrit.

Fri, Aug 16, 7:50 PM · MW-1.34-notes (1.34.0-wmf.20; 2019-08-27), Vuln-XSS, MobileFrontend, Security
sbassett updated the task description for T230576: XSS in edit summary for ex:MobileFrontend Special:Watchlist.
Fri, Aug 16, 2:02 PM · MW-1.34-notes (1.34.0-wmf.20; 2019-08-27), Vuln-XSS, MobileFrontend, Security

Thu, Aug 15

sbassett added a project to T230576: XSS in edit summary for ex:MobileFrontend Special:Watchlist: Patch-For-Review.
Thu, Aug 15, 8:47 PM · MW-1.34-notes (1.34.0-wmf.20; 2019-08-27), Vuln-XSS, MobileFrontend, Security
sbassett added a comment to T230576: XSS in edit summary for ex:MobileFrontend Special:Watchlist.

Proposed patch, same mitigation as T229541:

Thu, Aug 15, 8:46 PM · MW-1.34-notes (1.34.0-wmf.20; 2019-08-27), Vuln-XSS, MobileFrontend, Security
sbassett added a comment to T230304: Ongoing spambot attack 2019-08-{10,11,.*}.

@Urbanecm - looks like other spambot incidents have been made public in the past, so I think it's fine to do so here. Nothing terribly secret on this particular task.

Thu, Aug 15, 8:38 PM · User-Urbanecm, Wikimedia-General-or-Unknown, Security
sbassett triaged T230576: XSS in edit summary for ex:MobileFrontend Special:Watchlist as Unbreak Now! priority.
Thu, Aug 15, 8:34 PM · MW-1.34-notes (1.34.0-wmf.20; 2019-08-27), Vuln-XSS, MobileFrontend, Security
sbassett created T230576: XSS in edit summary for ex:MobileFrontend Special:Watchlist.
Thu, Aug 15, 8:32 PM · MW-1.34-notes (1.34.0-wmf.20; 2019-08-27), Vuln-XSS, MobileFrontend, Security
sbassett removed a project from T230402: Exposed suppressed username via Special:Redirect: Patch-For-Review.
Thu, Aug 15, 7:26 PM · MW-1.31-release-notes, MW-1.33-notes, MW-1.32-notes, MW-1.34-notes (1.34.0-wmf.20; 2019-08-27), User-Rxy, Vuln-Infoleak, MediaWiki-General, Security
sbassett changed the visibility for T230402: Exposed suppressed username via Special:Redirect.
Thu, Aug 15, 7:22 PM · MW-1.31-release-notes, MW-1.33-notes, MW-1.32-notes, MW-1.34-notes (1.34.0-wmf.20; 2019-08-27), User-Rxy, Vuln-Infoleak, MediaWiki-General, Security
sbassett added a comment to T230402: Exposed suppressed username via Special:Redirect.

Deployed. Making task public. Backports already started in gerrit:

  1. https://gerrit.wikimedia.org/r/530440
  2. https://gerrit.wikimedia.org/r/530441
  3. https://gerrit.wikimedia.org/r/530443
Thu, Aug 15, 7:22 PM · MW-1.31-release-notes, MW-1.33-notes, MW-1.32-notes, MW-1.34-notes (1.34.0-wmf.20; 2019-08-27), User-Rxy, Vuln-Infoleak, MediaWiki-General, Security
sbassett added a comment to T230402: Exposed suppressed username via Special:Redirect.

I'm deploying this now through gerrit. Will make this task public once deployed.

Thu, Aug 15, 6:25 PM · MW-1.31-release-notes, MW-1.33-notes, MW-1.32-notes, MW-1.34-notes (1.34.0-wmf.20; 2019-08-27), User-Rxy, Vuln-Infoleak, MediaWiki-General, Security
sbassett closed T230304: Ongoing spambot attack 2019-08-{10,11,.*} as Resolved.

@Urbanecm - this seems fine for now. I see $wgAccountCreationThrottle is back to normal and @Praxidicae's AF filters are still in place on those 4 projects, correct? If this specific attack (hard to tell them apart, really) heats up again, we can reopen this task, but I'll resolve for now. As a note: we're (Security-Team) still working on some StopForumSpam issues and getting that deployed to beta soon, along with other mitigations which we hope will be more effective in stopping problematic account creations.

Thu, Aug 15, 2:39 PM · User-Urbanecm, Wikimedia-General-or-Unknown, Security
sbassett closed T230304: Ongoing spambot attack 2019-08-{10,11,.*}, a subtask of T230521: Users are unable to create more than 2 accounts per day, as Resolved.
Thu, Aug 15, 2:39 PM · User-Urbanecm, Collaboration-Community-Engagement, Security-Team

Wed, Aug 14

sbassett added a comment to T230402: Exposed suppressed username via Special:Redirect.

PS2 looks good to me. I can try to deploy this later today or tomorrow, since there's no train this week.

Wed, Aug 14, 6:43 PM · MW-1.31-release-notes, MW-1.33-notes, MW-1.32-notes, MW-1.34-notes (1.34.0-wmf.20; 2019-08-27), User-Rxy, Vuln-Infoleak, MediaWiki-General, Security
sbassett added a comment to T230234: Sanitizer::stripAllTags() causing double-escape false positive from phan-taint-check.

@Daimona - Awesome, glad to hear that. Thanks!

Wed, Aug 14, 4:51 PM · MW-1.34-notes (1.34.0-wmf.20; 2019-08-27), phan-taint-check-plugin
sbassett closed T229541: Javascript injection in edit summary on mobile site (CVE-2019-14807) as Resolved.

I don't believe there's anything else to do here for now.

Wed, Aug 14, 3:10 PM · MW-1.34-notes (1.34.0-wmf.20; 2019-08-27), Vuln-XSS, MobileFrontend, Security

Tue, Aug 13

sbassett closed Restricted Task, a subtask of T193769: Thousands of failed login attempts (wrong password), as Resolved.
Tue, Aug 13, 10:21 PM · Security-Team
sbassett added a comment to T230234: Sanitizer::stripAllTags() causing double-escape false positive from phan-taint-check.

@Daimona - I'd be interested to hear @Bawolff's thoughts, but for now I've just submitted a patch for Sanitizer.php as you suggested. I think that's the easiest approach for now, unless it gets too noisy in CI, in which case we can revert. But I'd personally rather find more things than not :)

Tue, Aug 13, 10:09 PM · MW-1.34-notes (1.34.0-wmf.20; 2019-08-27), phan-taint-check-plugin
sbassett renamed T230454: Javascript test failures for release-quibble-composer-mysql-hhvm-docker from Javascript exceptions for release-quibble-composer-mysql-hhvm-docker to Javascript test failures for release-quibble-composer-mysql-hhvm-docker.
Tue, Aug 13, 9:49 PM · Continuous-Integration-Infrastructure, Release-Engineering-Team (CI & Testing services)
sbassett created T230454: Javascript test failures for release-quibble-composer-mysql-hhvm-docker.
Tue, Aug 13, 9:48 PM · Continuous-Integration-Infrastructure, Release-Engineering-Team (CI & Testing services)
sbassett updated the task description for T230452: AbuseFilterParserTest::tearDown() must call parent::tearDown() exception within quibble-vendor-mysql-hhvm-docker.
Tue, Aug 13, 9:42 PM · AbuseFilter, Continuous-Integration-Infrastructure, Release-Engineering-Team (CI & Testing services)
sbassett created T230452: AbuseFilterParserTest::tearDown() must call parent::tearDown() exception within quibble-vendor-mysql-hhvm-docker.
Tue, Aug 13, 9:39 PM · AbuseFilter, Continuous-Integration-Infrastructure, Release-Engineering-Team (CI & Testing services)
sbassett created T230451: Class 'Wikibase\DataModel\Entity\ItemId' not found in various CI-related dockers.
Tue, Aug 13, 9:29 PM · Continuous-Integration-Infrastructure, Release-Engineering-Team (CI & Testing services)
sbassett added a comment to T230402: Exposed suppressed username via Special:Redirect.

@Rxy - a couple of thoughts:

  1. So this patch just prevents a Special:Redirect of the numerical user_id of a hidden user, correct? To note: hidden users' user pages are still publicly-viewable if they exist (i.e. they don't display the "User account "xxx" is not registered." error message). The intention here is to throw an error if anyone tries to Special:Redirect to them, correct?
  2. I'm not sure the hideuser permissions error message makes sense within this context:
You do not have permission to block a username, hiding it from the public...

as it seems to be more directed at users with that permission as opposed to someone trying to visit a redirect. I agree that's the right permission to check but I might recommend something like this for the actual error message:

throw new ErrorPageError( 'badaccess-group0', 'badaccess-group0' );

Otherwise, I think this seems fine and I can security-deploy it whenever, though honestly I'd view this more as a hardening measure that could probably be done in gerrit.

Tue, Aug 13, 7:18 PM · MW-1.31-release-notes, MW-1.33-notes, MW-1.32-notes, MW-1.34-notes (1.34.0-wmf.20; 2019-08-27), User-Rxy, Vuln-Infoleak, MediaWiki-General, Security
sbassett updated the task description for T230402: Exposed suppressed username via Special:Redirect.
Tue, Aug 13, 2:50 PM · MW-1.31-release-notes, MW-1.33-notes, MW-1.32-notes, MW-1.34-notes (1.34.0-wmf.20; 2019-08-27), User-Rxy, Vuln-Infoleak, MediaWiki-General, Security
sbassett updated the task description for T230402: Exposed suppressed username via Special:Redirect.
Tue, Aug 13, 2:49 PM · MW-1.31-release-notes, MW-1.33-notes, MW-1.32-notes, MW-1.34-notes (1.34.0-wmf.20; 2019-08-27), User-Rxy, Vuln-Infoleak, MediaWiki-General, Security
sbassett triaged T230402: Exposed suppressed username via Special:Redirect as High priority.
Tue, Aug 13, 2:44 PM · MW-1.31-release-notes, MW-1.33-notes, MW-1.32-notes, MW-1.34-notes (1.34.0-wmf.20; 2019-08-27), User-Rxy, Vuln-Infoleak, MediaWiki-General, Security

Mon, Aug 12

sbassett removed a project from T229541: Javascript injection in edit summary on mobile site (CVE-2019-14807): Patch-For-Review.
Mon, Aug 12, 2:03 AM · MW-1.34-notes (1.34.0-wmf.20; 2019-08-27), Vuln-XSS, MobileFrontend, Security
sbassett updated subscribers of T230304: Ongoing spambot attack 2019-08-{10,11,.*}.
Mon, Aug 12, 1:57 AM · User-Urbanecm, Wikimedia-General-or-Unknown, Security
sbassett updated subscribers of T230304: Ongoing spambot attack 2019-08-{10,11,.*}.

@MarcoAurelio, @Urbanecm:

  1. It's fine (imo) to file separate tasks like these for (potentially) new incidents. Though I'd personally prefer if we could consolidate or resolve older tasks so as not to have several open at once, as that can become a bit chaotic to manage.
  2. Hopefully T230245 gets resolved soon, though I'm honestly not sure it will make that much of a difference since our current captchas aren't very effective anyways. Some interested WMF folks are still working towards the best path forward for CAPTCHA.
  3. Thanks @Urbanecm for adjusting the new account creation throttles. I honestly wouldn't be opposed to making those even more restrictive or potentially even disabling new account creations for a period of time. Unfortunately, this and a handful of other measures are about all we can do from a configuration standpoint right now, outside of digging through logs and attempting to find IPs/UAs/GeoIPs we can block, which is a lot of work and difficult to guarantee there won't be a large number of false positives.
  4. @Reedy and I are still working to get StopForumSpam deployed to beta, which should help substantially, however the Security-Team is extremely short-staffed right now for a number of reasons and we don't have anything remotely like a 24/7 SOC.
Mon, Aug 12, 1:56 AM · User-Urbanecm, Wikimedia-General-or-Unknown, Security

Fri, Aug 9

sbassett added a comment to T227406: Release taint-check 2.0.2 and 2.1.0.

@Daimona - ah, ok. Yeah, I guess we can leave open for 2.1.0. Thanks.

Fri, Aug 9, 8:11 PM · phan-taint-check-plugin
sbassett added a comment to T230234: Sanitizer::stripAllTags() causing double-escape false positive from phan-taint-check.

Ok, that makes sense.

Fri, Aug 9, 8:10 PM · MW-1.34-notes (1.34.0-wmf.20; 2019-08-27), phan-taint-check-plugin
sbassett added a comment to T227209: Security Review For Parsoid-PHP.

@ssastry - no problem, thanks for the update.

Fri, Aug 9, 7:26 PM · Restricted Project, Parsoid-PHP, Security-Team-Reviews
sbassett renamed T230234: Sanitizer::stripAllTags() causing double-escape false positive from phan-taint-check from Sanitizer::stripAllTags() causing double-escape false positive in phan-taint-check to Sanitizer::stripAllTags() causing double-escape false positive from phan-taint-check.
Fri, Aug 9, 7:21 PM · MW-1.34-notes (1.34.0-wmf.20; 2019-08-27), phan-taint-check-plugin
sbassett triaged T230234: Sanitizer::stripAllTags() causing double-escape false positive from phan-taint-check as Normal priority.
Fri, Aug 9, 7:19 PM · MW-1.34-notes (1.34.0-wmf.20; 2019-08-27), phan-taint-check-plugin
sbassett created T230234: Sanitizer::stripAllTags() causing double-escape false positive from phan-taint-check.
Fri, Aug 9, 7:19 PM · MW-1.34-notes (1.34.0-wmf.20; 2019-08-27), phan-taint-check-plugin
sbassett added a comment to T227406: Release taint-check 2.0.2 and 2.1.0.

@Daimona - can we call this done? And resolve for now?

Fri, Aug 9, 7:01 PM · phan-taint-check-plugin
sbassett changed the visibility for T229541: Javascript injection in edit summary on mobile site (CVE-2019-14807).
Fri, Aug 9, 6:23 PM · MW-1.34-notes (1.34.0-wmf.20; 2019-08-27), Vuln-XSS, MobileFrontend, Security
sbassett added a comment to T229541: Javascript injection in edit summary on mobile site (CVE-2019-14807).

@MarcoAurelio - no, was going to start that process now. Wanted to wait until we had a confirmed CVE id.

Fri, Aug 9, 5:59 PM · MW-1.34-notes (1.34.0-wmf.20; 2019-08-27), Vuln-XSS, MobileFrontend, Security
sbassett added a comment to T229541: Javascript injection in edit summary on mobile site (CVE-2019-14807).

Update: CVE-2019-14807

Fri, Aug 9, 5:54 PM · MW-1.34-notes (1.34.0-wmf.20; 2019-08-27), Vuln-XSS, MobileFrontend, Security
sbassett updated subscribers of T229541: Javascript injection in edit summary on mobile site (CVE-2019-14807).

Update (I was on vacation earlier this week, just getting back to this):

  1. After chatting w/ @MoritzMuehlenhoff, I've gone ahead and requested a CVE for this vulnerability. I'm not sure we've consistently done this in the past for various MediaWiki extensions (at least for deployed and/or bundled extensions), though I'd like to start doing this on a more consistent basis going forward, perhaps even training other foundation/community folks on the process.
  2. Once I receive confirmation from Mitre of the CVE id, I'll plan to make this task public and backport in gerrit to the 1.31, 1.32 and 1.33 release branches and master, per the current version lifecycle.
  3. I'm not certain any additional communication is warranted here. Posts to phame, wikitech-l, etc. potentially seem to be a little overkill for issues like this and not what's been done in the past. Perhaps the Security-Team should further discuss what might be appropriate messaging for these kinds of vulnerabilities.
Fri, Aug 9, 4:07 PM · MW-1.34-notes (1.34.0-wmf.20; 2019-08-27), Vuln-XSS, MobileFrontend, Security
sbassett removed a project from T210329: CheckUsers have unlogged access to IP addresses via the AbuseFilter API: Patch-For-Review.
Fri, Aug 9, 3:34 PM · MW-1.34-notes (1.34.0-wmf.20; 2019-08-27), MW-1.33-notes (1.33.0-wmf.8; 2018-12-11), Privacy, AbuseFilter, Security

Thu, Aug 8

sbassett claimed T229718: Security review for PageNotice extension.
Thu, Aug 8, 8:59 PM · MediaWiki-extensions-PageNotice, Security-Team-Reviews
sbassett moved T229718: Security review for PageNotice extension from Backlog to Awaiting remediation on the Security-Team-Reviews board.
Thu, Aug 8, 8:59 PM · MediaWiki-extensions-PageNotice, Security-Team-Reviews
sbassett updated subscribers of T229718: Security review for PageNotice extension.

Hey @TTO and @Victar -

Thu, Aug 8, 8:59 PM · MediaWiki-extensions-PageNotice, Security-Team-Reviews
sbassett triaged T229718: Security review for PageNotice extension as Low priority.
Thu, Aug 8, 4:30 PM · MediaWiki-extensions-PageNotice, Security-Team-Reviews
sbassett triaged T230140: Security Review For MediaWiki REST API infrastructure as Normal priority.
Thu, Aug 8, 4:30 PM · Security-Team-Reviews
sbassett added a comment to T230124: AddThis gadgets are a violation of the privacy policy.

Are gadgets expected to fall under the standard Wikimedia privacy policy? I'm not seeing any specific privacy policy just for them, nor am I seeing any exceptional language for them within the standard privacy policy. Though gadgets are fairly similar to user scripts, which often call external resources, and which will indeed break once CSP is set to enforce (whenever that may be.)

Thu, Aug 8, 1:49 PM · Wikimedia-General-or-Unknown, Privacy
sbassett triaged T230124: AddThis gadgets are a violation of the privacy policy as Normal priority.
Thu, Aug 8, 1:42 PM · Wikimedia-General-or-Unknown, Privacy

Fri, Aug 2

sbassett moved T227591: Security Concept Review for the machine vision middleware project from Restricted Project Column to Restricted Project Column on the Restricted Project board.
Fri, Aug 2, 10:18 PM · Restricted Project, Machine vision, Product-Infrastructure-Team-Backlog, Security-Team-Reviews
sbassett added a comment to T229285: Ensure submodule updates (for security patches) are committed in the MW directory under /srv/mediawiki-staging.

Pardon the confusion, but are we now wanting to do submodule updates for security deploys? There are currently two for php-1.34.0-wmf.16:

	modified:   extensions/CheckUser (new commits)
	modified:   extensions/MobileFrontend (new commits)
Fri, Aug 2, 9:55 PM · Release-Engineering-Team-TODO, Release-Engineering-Team (Deployment services)
sbassett added a comment to T229541: Javascript injection in edit summary on mobile site (CVE-2019-14807).

@Reedy - ok, thanks. I removed it from T225152. I'll plan to backport in gerrit to master and any necessary MF release branches.

Fri, Aug 2, 9:16 PM · MW-1.34-notes (1.34.0-wmf.20; 2019-08-27), Vuln-XSS, MobileFrontend, Security
sbassett removed a parent task for T229541: Javascript injection in edit summary on mobile site (CVE-2019-14807): Unknown Object (Task).
Fri, Aug 2, 9:14 PM · MW-1.34-notes (1.34.0-wmf.20; 2019-08-27), Vuln-XSS, MobileFrontend, Security
sbassett lowered the priority of T229541: Javascript injection in edit summary on mobile site (CVE-2019-14807) from Unbreak Now! to High.

Update:

  1. Patch deployed and tested: the above URL no longer renders an XSS for me.
  2. Added this bug to the next security release tracking bug as a sub-task: T225152. I need to double-check w/ @Reedy how we normally do this for deployed extensions. I know that the security release tracking bug is the normal path towards requesting/issuing CVEs, but I know we sometimes just backport as necessary in gerrit for extensions. I'll keep this bug private until I know what to do here.
Fri, Aug 2, 9:08 PM · MW-1.34-notes (1.34.0-wmf.20; 2019-08-27), Vuln-XSS, MobileFrontend, Security
sbassett added a parent task for T229541: Javascript injection in edit summary on mobile site (CVE-2019-14807): Unknown Object (Task).
Fri, Aug 2, 8:58 PM · MW-1.34-notes (1.34.0-wmf.20; 2019-08-27), Vuln-XSS, MobileFrontend, Security
sbassett added a comment to T229541: Javascript injection in edit summary on mobile site (CVE-2019-14807).

Note: I plan to security-deploy @MaxSem's patch from T229541#5383474 this afternoon (Aug 2nd) and provide another update here.

Fri, Aug 2, 6:34 PM · MW-1.34-notes (1.34.0-wmf.20; 2019-08-27), Vuln-XSS, MobileFrontend, Security
sbassett moved T227591: Security Concept Review for the machine vision middleware project from In Progress to Awaiting remediation on the Security-Team-Reviews board.
Fri, Aug 2, 5:06 PM · Restricted Project, Machine vision, Product-Infrastructure-Team-Backlog, Security-Team-Reviews
sbassett added a comment to T227591: Security Concept Review for the machine vision middleware project.

@Mholloway - from a high-level perspective, I think the Security-Team is fine with this and would assign a low risk for now, especially given the precedent of things like CX-cxserver. Some considerations:

  1. Has this been reviewed by WMF-Legal yet? I believe cx server went through a similar process; see Acceptance Criteria in T76185. This should probably happen prior to deployment.
  2. Some previous security reviews of the cx service (and related components) might be helpful to peruse at your leisure, as it's a close-ish parallel: T85686, T144467, T143185. Particularly the conversation starting at T143185#2632101, T144467#4795794 and T85686#958661. Mainly just as an idea of what we would look for during a more formal code review. Of course, the attack surface for this service would seem a bit smaller since we're talking about media metadata in a standard format that should not be easily manipulated by potential attackers, unlike the wikitext used by cx server.
  3. Though it wasn't formally noted, I assume every component of this will be using TLS.
  4. Even though some headers can be less critical for these types of services, I would strongly advise setting appropriate security headers, including a robust CSP for each component of this service.
  5. I'd also recommend getting this on the radar of the Performance-Team to see if they have any additional concerns or recommendations for best practices. It may also make sense to reach out to the Language-Team to see if they have run into any performance issues with their usage of the various 3rd party MTs for the cx server.
  6. Finally, once more code has been developed for this service (closer to production-ready), we can definitely perform a more formal security review if you'd like.
Fri, Aug 2, 5:05 PM · Restricted Project, Machine vision, Product-Infrastructure-Team-Backlog, Security-Team-Reviews

Thu, Aug 1

sbassett added a comment to T229541: Javascript injection in edit summary on mobile site (CVE-2019-14807).

Looking at this - the XSS only appears to render for me within the first URL. I assume the second URL was provided just to show the diff?

Thu, Aug 1, 2:03 PM · MW-1.34-notes (1.34.0-wmf.20; 2019-08-27), Vuln-XSS, MobileFrontend, Security

Wed, Jul 31

sbassett changed the visibility for T143185: Security review for Youdao MT for Content Translation.
Wed, Jul 31, 4:29 PM · User-Nikerabbit, Language-Q1-2016-17 Sprint 6, Security, ContentTranslation-Release10, Security-Team-Reviews, Security-Extensions, WorkType-NewFunctionality, Language-Engineering July-September 2016, ContentTranslation-CXserver, ContentTranslation
sbassett moved T227008: Draft golang security best practices documentation from Restricted Project Column to Restricted Project Column on the Restricted Project board.
Wed, Jul 31, 3:50 PM · Restricted Project, Security-Team
sbassett moved T227591: Security Concept Review for the machine vision middleware project from Restricted Project Column to Restricted Project Column on the Restricted Project board.
Wed, Jul 31, 3:50 PM · Restricted Project, Machine vision, Product-Infrastructure-Team-Backlog, Security-Team-Reviews
sbassett moved T227209: Security Review For Parsoid-PHP from Restricted Project Column to Restricted Project Column on the Restricted Project board.
Wed, Jul 31, 3:50 PM · Restricted Project, Parsoid-PHP, Security-Team-Reviews
sbassett added a project to T227209: Security Review For Parsoid-PHP: Restricted Project.
Wed, Jul 31, 3:49 PM · Restricted Project, Parsoid-PHP, Security-Team-Reviews
sbassett added a project to T227591: Security Concept Review for the machine vision middleware project: Restricted Project.
Wed, Jul 31, 3:49 PM · Restricted Project, Machine vision, Product-Infrastructure-Team-Backlog, Security-Team-Reviews

Tue, Jul 30

sbassett moved T227820: (informal) Security Concept Review For LibUp 2.0 from In Progress to Archive on the Security-Team-Reviews board.
Tue, Jul 30, 5:58 PM · Restricted Project, LibUp, Security-Team-Reviews
sbassett moved T149869: Security review for PageForms from Frozen to Archive on the Security-Team-Reviews board.
Tue, Jul 30, 5:25 PM · Security, MediaWiki-extensions-Page_Forms, Security-Team-Reviews
sbassett closed T149869: Security review for PageForms, a subtask of T149749: Wikitech: Switch over from using extension SemanticForms to PageForms, as Resolved.
Tue, Jul 30, 5:24 PM · Cloud-Services, wikitech.wikimedia.org, Patch-For-Review, Wikimedia-Site-requests
sbassett closed T149869: Security review for PageForms as Resolved.

Resolving now per T149869#5357956.

Tue, Jul 30, 5:24 PM · Security, MediaWiki-extensions-Page_Forms, Security-Team-Reviews