
sbassett (Scott Bassett)
Application Security Engineer

User Details

User Since
Sep 12 2018, 3:52 PM (70 w, 4 d)
Availability
Available
IRC Nick
sbassett
LDAP User
SBassett
MediaWiki User
SBassett (WMF) [ Global Accounts ]

Recent Activity

Thu, Jan 16

sbassett added a comment to T242661: Use _host- prefixed cookies for session cookies.

Hmm, the PHP_ENGINE cookie seems to have vanished after some cache-clearing and a few re-authentications on my end. The metawikiSession cookie is strange - it seems like Chrome thinks enwiki should have access to it, while Firefox does not. And Chrome's Developer Tools console has it under a different domain (meta.wikimedia.org) than Chris Pederick's Web Developer toolbar (en.wikipedia.org), which erratically lists it. Perhaps this is just an issue with Chrome or with the various developer tools within Chrome.

Thu, Jan 16, 11:03 PM · Security-Team, MediaWiki-Authentication-and-authorization, Security
sbassett updated subscribers of T240884: Standalone service to evaluate user-provided regular expressions.

One complicating factor here is that AbuseFilter and SpamBlacklist both don't have a clear maintainer.

Thu, Jan 16, 5:32 PM · User-Addshore, TechCom-RFC, Wikidata
sbassett added a comment to T240741: Security concept review for WikiUnit extension.

Thanks for the feedback, @Krinkle !

Thu, Jan 16, 5:29 PM · Performance-Team, Security Concept Review, Security-Team

Wed, Jan 15

sbassett added a comment to T242793: Add support for private wikis to pageviews API.

Are we comfortable with every page title on private wikis potentially being made public, such that allowing any user to publicly find and/or enumerate them (as Tool-Pageviews allows) wouldn't result in any Vuln-Infoleaks? I'm thinking there might be at least a few pages on officewiki where this might not be the case.

Wed, Jan 15, 10:47 PM · Pageviews-API, Analytics, Tool-Pageviews
sbassett added a comment to T242661: Use _host- prefixed cookies for session cookies.

Sounds like a good idea, and it looks like browser adoption is edging towards ubiquity. Just to clarify, assuming we're ignoring centralauth_Session for now, the session cookies I typically see being set on production wikis are:

  1. GeoIP
  2. {wikiID}wikiSession
  3. metawikiSession - oddly appears as an enwiki cookie, but not on other projects.
  4. PHP_ENGINE - I still have this checked as a beta pref on enwiki.
  5. thanks-thanked

And I assume a few others. Do we need to worry about these individually or would the envisioned implementation simply be to prepend __Host- to the name value for any cookie without a specified expiration within all relevant setCookie() functions?

Wed, Jan 15, 9:44 PM · Security-Team, MediaWiki-Authentication-and-authorization, Security
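Added example (not code from the task or from MediaWiki's setCookie()): the prefix is more than a rename. Browsers drop a __Host- cookie outright unless it is Secure, has Path=/ and has no Domain attribute, so a cookie that is meant to be shared across subdomains (a centralauth-style cookie with Domain=) cannot take the prefix at all. The helpers below, in Python for illustration, classify a Set-Cookie line as a session cookie (no Expires/Max-Age), rewrite it into the __Host- form, and report the reasons a browser would reject a prefixed line. Cookie names in the tests are constructed.

```python
import re
from typing import Dict, List, Tuple

# RFC 6265 cookie-name token characters.
_TOKEN = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")


def _split(set_cookie: str) -> Tuple[str, str, List[Tuple[str, str]]]:
    """Split a Set-Cookie line into (name, value, [(attr, val), ...])."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = []
    for p in parts[1:]:
        if not p:
            continue
        k, _, v = p.partition("=")
        attrs.append((k.strip(), v.strip()))
    return name.strip(), value, attrs


def is_session_cookie(set_cookie: str) -> bool:
    """True when the cookie carries neither Expires nor Max-Age, i.e. it is
    discarded when the browser session ends (the class discussed above)."""
    _, _, attrs = _split(set_cookie)
    return not any(k.lower() in ("expires", "max-age") for k, _ in attrs)


def prefix_violations(set_cookie: str) -> List[str]:
    """Reasons a browser would drop this Set-Cookie line because of a
    __Host- or __Secure- prefix. An empty list means the line is accepted."""
    name, _, attrs = _split(set_cookie)
    present: Dict[str, str] = {k.lower(): v for k, v in attrs}
    problems: List[str] = []
    if name.startswith("__Host-"):
        if "secure" not in present:
            problems.append("__Host- requires Secure")
        if "domain" in present:
            problems.append("__Host- forbids Domain")
        if present.get("path") != "/":
            problems.append("__Host- requires Path=/")
    elif name.startswith("__Secure-"):
        if "secure" not in present:
            problems.append("__Secure- requires Secure")
    return problems


def host_prefix(set_cookie: str) -> str:
    """Rewrite a Set-Cookie line so the cookie is __Host- prefixed.
    Raises when the cookie has a Domain attribute: a cookie shared across
    subdomains cannot be host-locked, so it has to stay unprefixed."""
    name, value, attrs = _split(set_cookie)
    if not _TOKEN.fullmatch(name):
        raise ValueError(f"invalid cookie name: {name!r}")
    if name.startswith("__Host-"):
        return set_cookie
    if name.startswith("__Secure-"):
        name = name[len("__Secure-"):]
    kept: List[str] = []
    for k, v in attrs:
        kl = k.lower()
        if kl == "domain":
            raise ValueError("cookie has Domain=; it cannot be __Host- prefixed")
        if kl in ("path", "secure"):
            continue  # re-added below in the form the prefix requires
        kept.append(f"{k}={v}" if v else k)
    return "; ".join([f"__Host-{name}={value}", "Path=/", "Secure"] + kept)
```

Because the cookie name changes, whatever reads the cookie back (the session provider, JavaScript that inspects document.cookie) must be updated in the same change, and an existing unprefixed cookie in users' browsers is simply ignored once the server looks for the prefixed name.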
sbassett renamed T242901: Get hardware quotes on equipment for Security log/evidence storage and dissemination from Get hardware quotes on equipment for Security log/evidence storage and dissimination to Get hardware quotes on equipment for Security log/evidence storage and dissemination.
Wed, Jan 15, 8:37 PM · Security-Team
sbassett added a comment to T242907: Convert security-readiness-reviews form from url parm to an actual form.

See the old param style, see the new phab actual form, go form go.

Wed, Jan 15, 8:29 PM · Security-Team
sbassett added a comment to T242907: Convert security-readiness-reviews form from url parm to an actual form.

I'm not sure on review security. Since this is a code review request and such. Is it best practice to restrict to Security-Team, Security, author, and subscribers?

Wed, Jan 15, 8:27 PM · Security-Team

Tue, Jan 14

sbassett closed T239063: https://annual.wikimedia.org/2014/ loads javascript from toolforge [possible privacy policy violation] as Resolved.

If they are static to a specific date, we should amend the text (as I mentioned before) to indicate that date - so something like "Number of edits across all databases in Wikimedia's servers as of 26 November 2019." and then remove the link that explains the live number count. Otherwise I fear someone may report that as a live number when it is now a historical number.

Tue, Jan 14, 11:45 PM · Security Readiness Reviews, Privacy Engineering, Security, Privacy
sbassett moved T227454: Allow $wgSFSIPListLocation to be a url and have proxy support from Backlog to In Progress on the user-sbassett board.
Tue, Jan 14, 10:42 PM · user-sbassett, MediaWiki-extensions-StopForumSpam
sbassett added a project to T227454: Allow $wgSFSIPListLocation to be a url and have proxy support: user-sbassett.
Tue, Jan 14, 10:42 PM · user-sbassett, MediaWiki-extensions-StopForumSpam
sbassett added a comment to T239680: CU 2.0: Persist the form state.

We proposed option #4 in case passing information in the URL and exposing it in the logs was deemed too large a risk; however, it sounds like this is not the case.

Tue, Jan 14, 6:40 PM · Security-Team, Patch-For-Review, CheckUser, Anti-Harassment (The Letter Song)
sbassett changed the status of T240741: Security concept review for WikiUnit extension from Open to Stalled.
Tue, Jan 14, 6:29 PM · Performance-Team, Security Concept Review, Security-Team
sbassett moved T240741: Security concept review for WikiUnit extension from In Progress to Watching on the Security-Team board.
Tue, Jan 14, 6:29 PM · Performance-Team, Security Concept Review, Security-Team
sbassett updated subscribers of T240741: Security concept review for WikiUnit extension.

Hey @Krinkle - we were wondering if you had any thoughts about the viability, potential redundancy and performance of this proposed extension. Thanks!

Tue, Jan 14, 6:28 PM · Performance-Team, Security Concept Review, Security-Team
sbassett reassigned T240869: Security Review For KaiOS Wikipedia app from sbassett to Reedy.

Reassigning to @Reedy - if you'd like to pair up on this and explore some automated approaches for the review, let me know!

Tue, Jan 14, 6:12 PM · Security Readiness Reviews, Inuka-Team
sbassett added projects to T242768: Remove checkPasswordCannotMatchUsername Password Policy check: Security-Team, Security Team AppSec.
Tue, Jan 14, 5:02 PM · Security Team AppSec, Security-Team, MediaWiki-General
sbassett created T242768: Remove checkPasswordCannotMatchUsername Password Policy check.
Tue, Jan 14, 5:01 PM · Security Team AppSec, Security-Team, MediaWiki-General
sbassett moved T241845: Create new password policy to check if a password is a substring of a username from In Progress to Done on the user-sbassett board.
Tue, Jan 14, 4:57 PM · MediaWiki-General, user-sbassett, Vuln-Infoleak, Security-Team, Security
sbassett moved T241845: Create new password policy to check if a password is a substring of a username from In Progress to Our Part Is Done on the Security-Team board.
Tue, Jan 14, 4:57 PM · MediaWiki-General, user-sbassett, Vuln-Infoleak, Security-Team, Security
sbassett moved T241845: Create new password policy to check if a password is a substring of a username from Operational issues to Done on the Security board.
Tue, Jan 14, 4:57 PM · MediaWiki-General, user-sbassett, Vuln-Infoleak, Security-Team, Security
sbassett changed the visibility for T241845: Create new password policy to check if a password is a substring of a username.
Tue, Jan 14, 4:56 PM · MediaWiki-General, user-sbassett, Vuln-Infoleak, Security-Team, Security
sbassett closed T241845: Create new password policy to check if a password is a substring of a username as Resolved.

Patch merged. Should ride this week's train. Will file follow-up task suggesting removal of checkPasswordCannotBeSubstringInUsername.

Tue, Jan 14, 4:56 PM · MediaWiki-General, user-sbassett, Vuln-Infoleak, Security-Team, Security
sbassett reopened T237805: Disable 2FA for User:EvanProdromou as "Open".

@eprodromou Hi! YGM. :)

Tue, Jan 14, 4:53 PM · Trust-and-Safety
sbassett closed T240502: Raw HTML in MobileFrontend as Resolved.
Tue, Jan 14, 4:50 PM · Readers-Web-Backlog (Kanbanana-2019-20-Q3), MobileFrontend, Security
sbassett closed T237805: Disable 2FA for User:EvanProdromou as Resolved.
Tue, Jan 14, 4:44 PM · Trust-and-Safety
sbassett added a project to T187846: Security Review of Office IT Internal Account Management Tool: Office-IT.
Tue, Jan 14, 4:32 PM · Office-IT, Security Readiness Reviews
sbassett added a comment to T232820: Security Concept Review For client side error logging js client.

Thanks for the feedback @sbassett, all good points! Since indeed the code turned out to be simpler than we initially expected no full security review seems needed. I'll ping you and/or @Reedy once the other points have been addressed

Tue, Jan 14, 4:28 PM · Security Concept Review, Security-Team
sbassett triaged T242661: Use _host- prefixed cookies for session cookies as Medium priority.
Tue, Jan 14, 4:24 PM · Security-Team, MediaWiki-Authentication-and-authorization, Security
sbassett moved T242661: Use _host- prefixed cookies for session cookies from Backlog / Other to Operational issues on the Security board.
Tue, Jan 14, 4:23 PM · Security-Team, MediaWiki-Authentication-and-authorization, Security
sbassett added a comment to T239680: CU 2.0: Persist the form state.

@Tchanders - are you proposing to pass the JWT around via POST or only the relevant data (likely the encrypted payload from the JWT option)? I suppose either would provide for a slightly smaller attack surface than sending any token/data as a GET param. Using JWTs seems like it might be a bit cleaner; however, I'm not sure if that also entails a reworking of the pager and filters as mentioned for option 4 in T239680#5772095.

Tue, Jan 14, 3:57 PM · Security-Team, Patch-For-Review, CheckUser, Anti-Harassment (The Letter Song)
sbassett added a comment to T242355: Trivial Quarry XSS: Tabular data CSV / TSV are not escaped and sent as text/html.

@zhuyifei1999 - As a security-minded person, I tend to recommend requesting CVEs for pretty much all vulnerabilities, especially for FLOSS code. I'm not sure if Mitre would ever reject a request by deeming the application not noteworthy enough or something like that - I'm guessing Quarry probably isn't run outside of wmflabs? Regardless, the form should only take a few minutes to fill out, so if you have the cycles, I'd recommend doing that. And if a CVE ID is issued, we can update this task's title to include it.

Tue, Jan 14, 3:47 PM · Vuln-XSS, Cloud-Services, Security-Team, Quarry, Security
sbassett added a project to T242355: Trivial Quarry XSS: Tabular data CSV / TSV are not escaped and sent as text/html: Vuln-XSS.
Tue, Jan 14, 3:40 PM · Vuln-XSS, Cloud-Services, Security-Team, Quarry, Security
sbassett closed T242355: Trivial Quarry XSS: Tabular data CSV / TSV are not escaped and sent as text/html as Resolved.
Tue, Jan 14, 3:39 PM · Vuln-XSS, Cloud-Services, Security-Team, Quarry, Security
sbassett lowered the priority of T242355: Trivial Quarry XSS: Tabular data CSV / TSV are not escaped and sent as text/html from High to Medium.
Tue, Jan 14, 3:32 PM · Vuln-XSS, Cloud-Services, Security-Team, Quarry, Security
sbassett added a comment to T242355: Trivial Quarry XSS: Tabular data CSV / TSV are not escaped and sent as text/html.

Applied. https://quarry.wmflabs.org/run/424170/output/0/tsv https://quarry.wmflabs.org/run/424170/output/0/csv LGTM.
Shall we make the ticket public and put the patch on gerrit?

Tue, Jan 14, 3:32 PM · Vuln-XSS, Cloud-Services, Security-Team, Quarry, Security

Mon, Jan 13

sbassett added a comment to T239680: CU 2.0: Persist the form state.

It would need to be passed in the URL because, as far as I know, it's impossible to set the headers on a simple anchor element.

Mon, Jan 13, 10:56 PM · Security-Team, Patch-For-Review, CheckUser, Anti-Harassment (The Letter Song)
sbassett added a comment to T240472: Security review for the DiscussionTools extension.

Hi @sbassett , I've merged the tasks.

Mon, Jan 13, 10:38 PM · Security Readiness Reviews, Editing-team, DiscussionTools
sbassett updated subscribers of T232820: Security Concept Review For client side error logging js client.

AFAICT the code is basically ready to be merged, when does security review need to happen ?

Mon, Jan 13, 10:31 PM · Security Concept Review, Security-Team
sbassett updated subscribers of F31511343: T242355-ver2.patch.
Mon, Jan 13, 9:37 PM
sbassett added a comment to T242355: Trivial Quarry XSS: Tabular data CSV / TSV are not escaped and sent as text/html.

Line 27: I don't see why using str.join() with only two items in the list, so I propose content_type = mime_type + '; charset=utf-8'.
Otherwise +1

Mon, Jan 13, 9:37 PM · Vuln-XSS, Cloud-Services, Security-Team, Quarry, Security
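Added example, not the Quarry patch under review: the fix for this class of bug is the response's Content-Type, not HTML-escaping the cells. The query output is user-controlled, so any value can contain markup; labelled text/html the browser executes it, labelled text/csv or text/tab-separated-values it is inert data. The framework-independent helper below (Python, matching Quarry; sample rows are constructed) builds the body with the csv module and the headers a download endpoint should send, beside the pattern being removed. X-Content-Type-Options: nosniff and Content-Disposition: attachment are additions beyond the one-line fix discussed above.

```python
import csv
import io
from typing import Iterable, List, Sequence, Tuple

# Correct MIME types for the two tabular formats. Serving either one as
# text/html is what turns user-controlled query output into an XSS.
MIME_TYPES = {"csv": "text/csv", "tsv": "text/tab-separated-values"}

Response = Tuple[str, List[Tuple[str, str]], bytes]


def render_table(rows: Iterable[Sequence[object]], fmt: str) -> str:
    """Serialise rows with the csv module, which quotes delimiters, quotes
    and newlines inside cell values. No HTML escaping: the body is not HTML."""
    if fmt not in MIME_TYPES:
        raise ValueError(f"unsupported format {fmt!r}")
    buf = io.StringIO()
    writer = csv.writer(buf, delimiter="," if fmt == "csv" else "\t",
                        lineterminator="\n")
    for row in rows:
        writer.writerow(row)
    return buf.getvalue()


def tabular_response(rows: Iterable[Sequence[object]], fmt: str, run_id) -> Response:
    """(status, headers, body) for a query-result download, hardened form."""
    run_id = int(run_id)  # keeps the filename free of header-injection characters
    body = render_table(rows, fmt).encode("utf-8")
    content_type = MIME_TYPES[fmt] + "; charset=utf-8"
    headers = [
        ("Content-Type", content_type),
        # Stop browsers from sniffing the body back into HTML.
        ("X-Content-Type-Options", "nosniff"),
        # Download rather than render, under a server-chosen filename.
        ("Content-Disposition", f'attachment; filename="run-{run_id}.{fmt}"'),
        ("Content-Length", str(len(body))),
    ]
    return "200 OK", headers, body


def vulnerable_response(rows: Iterable[Sequence[object]], fmt: str) -> Response:
    """The pattern being fixed: identical body, labelled text/html."""
    body = render_table(rows, fmt).encode("utf-8")
    return "200 OK", [("Content-Type", "text/html")], body
```

The body is byte-for-byte the same in both functions; only the label differs, which is why the test checks headers rather than looking for escaped angle brackets.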
sbassett updated subscribers of F31511335: T242355.patch.
Mon, Jan 13, 9:27 PM
sbassett added a project to T242355: Trivial Quarry XSS: Tabular data CSV / TSV are not escaped and sent as text/html: Patch-For-Review.
Mon, Jan 13, 9:25 PM · Vuln-XSS, Cloud-Services, Security-Team, Quarry, Security
sbassett added a comment to T242355: Trivial Quarry XSS: Tabular data CSV / TSV are not escaped and sent as text/html.

The following patch should fix this issue:

Mon, Jan 13, 9:25 PM · Vuln-XSS, Cloud-Services, Security-Team, Quarry, Security
sbassett added a comment to T240472: Security review for the DiscussionTools extension.

@ppelberg - So this task and T242134 are not ostensibly the same thing? If they are, we can merge them. Only reason I'm asking is because there doesn't seem to be anything actionable on this task, so at the very least I would probably untag Security Readiness Reviews.

Mon, Jan 13, 7:47 PM · Security Readiness Reviews, Editing-team, DiscussionTools
sbassett moved T242058: Add some form of static analysis for package-lock.json from Incoming to Watching on the Security-Team board.
Mon, Jan 13, 4:41 PM · Security-Team, Continuous-Integration-Config, Security
sbassett moved T242058: Add some form of static analysis for package-lock.json from Backlog / Other to Other WMF team on the Security board.
Mon, Jan 13, 4:41 PM · Security-Team, Continuous-Integration-Config, Security

Fri, Jan 10

sbassett added a comment to T239680: CU 2.0: Persist the form state.

Further researching implementations similar to option 2, could the token be passed around in a response header as opposed to a url param? That would vastly reduce its exposure in various logs, etc.

Fri, Jan 10, 10:49 PM · Security-Team, Patch-For-Review, CheckUser, Anti-Harassment (The Letter Song)
sbassett added a comment to T240943: Security Concept Review For new CI.

We had a few initial comments and questions:

  1. General Comment 1: Security Concept Reviews should never be considered a hard blocker of anything. Apologies if that hasn't been made clear within our documentation. If you/Releng feel you have some specific questions or concerns which are of critical importance and that only the Security-Team can address, feel free to let us know what those are.
  2. Scoping Question 1: Do you have a final candidate list of new technologies that will be introduced within the new CI/CD and what those technologies will replace within the existing system? It's unclear from the various pieces of documentation where Releng is at in their selection process and we'd like to have this narrowed down to as small a list as possible prior to any review.
  3. Scoping Question 2: Can you clarify the specifics of the testing and staging environments from the image promotion pipeline? Where will these environments exist and who will be the ostensible maintainers of said environments?
  4. Scoping Question 3: This comment within the task description - some K8s cluster, possibly hosted by a commercial provider - seems to imply the potential for SaaS/PaaS options. Is this still being considered? Can we get a sense of what systems and services would be candidates for such an option?
Fri, Jan 10, 8:00 PM · Needs Discussion, Security-Team, Release-Engineering-Team-TODO (2020-01 to 2020-03 (Q3)), Security Concept Review
sbassett added a comment to T239680: CU 2.0: Persist the form state.

We can do this, but there is a downside to 3rd parties:
We can bind it if you think it's necessary, but I wanted to highlight the downside of doing that, as it could prevent 3rd party wikis from pushing security fixes (from the library) quickly.

Fri, Jan 10, 6:58 PM · Security-Team, Patch-For-Review, CheckUser, Anti-Harassment (The Letter Song)

Thu, Jan 9

sbassett added a comment to T239680: CU 2.0: Persist the form state.

@Mooeypoo et al - a few initial security points/concerns for option 2:

  1. firebase/php-jwt seems like a mature, stable JWT lib, especially since WMF already deploys 5.0.0. And jwt.io even likes it. A minor nit might be pinning to a specific version within composer.json on the patch, since that tends to be a bit more secure and would match what would need to be in mediawiki/vendor.
  2. I noticed in the latest PS on the patch there was a TODO around setting an exp field in the payload. I'd strongly advise this be done and then the tokens properly invalidated after said expiry, otherwise I'd place a higher risk rating (medium+) for this option. I don't have enough experience with CU to know for certain, but it seems like there could be a theft/replay risk with folks who have both checkuser and checkuser-log rights and we'd want to minimize this attack surface as much as we can. I think we'd consider these to be very trusted users, but such assumptions aren't really part of a robust security model.
  3. It might be a good idea to programmatically check for the existence of the encryption algorithm as we do in core in addition to the $secret check within the TokenManager constructor.
  4. I'm not certain I love the way the IV seed is being created in the patch, though it's probably good enough for this application.
Thu, Jan 9, 11:22 PM · Security-Team, Patch-For-Review, CheckUser, Anti-Harassment (The Letter Song)
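Added example to illustrate points 2 through 4 above; it is not the CheckUser TokenManager or firebase/php-jwt, and it is in Python rather than PHP. The token is HMAC-signed with an exp claim, and the verifier enforces three things the discussion asks for: expiry, single use (a jti that is remembered once redeemed, which is what closes the theft/replay window between users who hold both checkuser and checkuser-log rights), and a constructor that refuses to start without a usable secret and an available digest algorithm, mirroring the "check the algorithm exists" suggestion. fresh_iv() shows the only acceptable source for an IV in the encrypted-payload variant: the OS CSPRNG, new per message. Secret, claims and timestamps in the test are constructed.

```python
import base64
import binascii
import hashlib
import hmac
import json
import secrets
import time
from typing import Dict, Optional, Set


class TokenError(Exception):
    pass


class ExpiringTokenManager:
    """HMAC-signed, expiring, single-use token (illustration, not JWT-compliant)."""

    def __init__(self, secret: bytes, algorithm: str = "sha256", ttl: int = 600):
        # Point 3: fail at construction, not on first use.
        if not secret or len(secret) < 32:
            raise ValueError("secret must be at least 32 bytes")
        if algorithm not in hashlib.algorithms_available:
            raise ValueError(f"digest {algorithm!r} not available in this build")
        self.secret = secret
        self.algorithm = algorithm
        self.ttl = ttl
        # jti values already redeemed. Process-local here; a deployment keeps
        # them in a shared cache with a TTL equal to the token lifetime.
        self._redeemed: Set[str] = set()

    @staticmethod
    def _b64e(raw: bytes) -> str:
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

    @staticmethod
    def _b64d(text: str) -> bytes:
        return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

    def _sign(self, body: str) -> bytes:
        return hmac.new(self.secret, body.encode("ascii"), self.algorithm).digest()

    def issue(self, payload: Dict[str, object], now: Optional[int] = None) -> str:
        """Point 2: every token carries iat and exp; jti makes it single-use."""
        now = int(time.time()) if now is None else now
        claims = dict(payload, iat=now, exp=now + self.ttl, jti=secrets.token_hex(16))
        body = self._b64e(json.dumps(claims, separators=(",", ":"), sort_keys=True).encode("utf-8"))
        return f"{body}.{self._b64e(self._sign(body))}"

    def redeem(self, token: str, now: Optional[int] = None) -> Dict[str, object]:
        """Verify signature, then expiry, then replay; returns the claims."""
        now = int(time.time()) if now is None else now
        try:
            body, sig = token.split(".")
            given = self._b64d(sig)
        except (ValueError, binascii.Error):
            raise TokenError("malformed token")
        if not hmac.compare_digest(self._sign(body), given):
            raise TokenError("bad signature")
        claims = json.loads(self._b64d(body).decode("utf-8"))
        if now >= int(claims["exp"]):
            raise TokenError("expired")
        if claims["jti"] in self._redeemed:
            raise TokenError("replayed")
        self._redeemed.add(claims["jti"])
        return claims


def fresh_iv(size: int = 16) -> bytes:
    """Point 4: an IV must come from the OS CSPRNG and be new for every
    encryption, never derived from a fixed or low-entropy seed."""
    return secrets.token_bytes(size)
```

Signature is checked before the body is parsed so that nothing attacker-controlled reaches json.loads unauthenticated, and expiry is checked before the replay set so that expired tokens never occupy cache space.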
sbassett added a comment to T227454: Allow $wgSFSIPListLocation to be a url and have proxy support.

Update: after chatting w/ @Reedy a bit and having a look at the way ext:TorBlock (which ext:StopForumSpam borrows from in other places) does similar things within TorExitNodes.php, I'd like to model a patch for ext:StopForumSpam on what fetchExitNodesFromTorProject() and loadExitNodes() do by proxying out to an external URL (whichever SFS blacklist we want to use) and dumping it into WANObjectCache. I'd imagine this would also imply some work upon the better IPV6 support mentioned within T212528, particularly around serialization, which may or may not be needed as ext:TorBlock seems to just dump IPs into the cache. I'm guessing it might make sense to have this be a separate mode of operation from the existing code, as it's heavily tied to WMF production, which may not be appropriate for all users of ext:StopForumSpam, possibly controlled by a config variable.

Thu, Jan 9, 9:34 PM · user-sbassett, MediaWiki-extensions-StopForumSpam
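Added example of the fetch/parse/cache shape described above, written in Python for illustration rather than as a StopForumSpam or TorBlock patch. The fetch is an injected callable (which is where an HTTP proxy setting would live); the parse step is where the IPv6 serialization question lands, and is handled here by normalising every entry to a canonical compressed network string with the ipaddress module, so "2001:DB8::1" and "2001:0db8:0000::0001" collapse to one cache entry. The denylist text and TTL in the test are constructed; a real SFS list is fetched over the network.

```python
import ipaddress
import time
from typing import Callable, Dict, Iterable, List, Optional, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed sample of a downloaded denylist: one entry per line, mixed
# IPv4/IPv6 hosts and CIDR ranges, with comments and junk to be tolerated.
SAMPLE_LIST = """\
# sample list (constructed, not a real SFS export)
198.51.100.7
203.0.113.0/24
2001:db8::1
2001:DB8:ffff::/48   # inline comment
not-an-ip
"""


def parse_denylist(text: str) -> List[Network]:
    """Parse the list into networks; single hosts become /32 or /128.
    Bad lines are skipped so one typo upstream does not empty the list."""
    nets: List[Network] = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            nets.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            continue
    return nets


def serialise(nets: Iterable[Network]) -> List[str]:
    """Canonical compressed, lowercase strings, deduplicated, for the cache."""
    return sorted({n.compressed for n in nets})


def deserialise(items: Iterable[str]) -> List[Network]:
    return [ipaddress.ip_network(s) for s in items]


class DenylistCache:
    """Fetch-on-miss wrapper with a TTL, in the getWithSetCallback style."""

    def __init__(self, fetch: Callable[[], str], ttl: int = 86400):
        self._fetch = fetch          # e.g. an HTTP GET, possibly via a proxy
        self._ttl = ttl
        self._store: Dict[str, Tuple[float, List[str]]] = {}

    def networks(self, now: Optional[float] = None) -> List[Network]:
        now = time.time() if now is None else now
        entry = self._store.get("denylist")
        if entry is None or entry[0] <= now:
            fresh = serialise(parse_denylist(self._fetch()))
            self._store["denylist"] = (now + self._ttl, fresh)
        return deserialise(self._store["denylist"][1])

    def is_listed(self, ip: str, now: Optional[float] = None) -> bool:
        """True if ip falls inside any listed host or range (version-aware)."""
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.networks(now))
```

A linear scan over networks is fine for a list of a few thousand entries; for the large SFS exports the same serialised form can be loaded into a hash set of /32 and /128 entries with a separate, much shorter list of ranges.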
sbassett triaged T242355: Trivial Quarry XSS: Tabular data CSV / TSV are not escaped and sent as text/html as High priority.
Thu, Jan 9, 9:04 PM · Vuln-XSS, Cloud-Services, Security-Team, Quarry, Security
sbassett moved T242355: Trivial Quarry XSS: Tabular data CSV / TSV are not escaped and sent as text/html from Incoming to Watching on the Security-Team board.
Thu, Jan 9, 9:04 PM · Vuln-XSS, Cloud-Services, Security-Team, Quarry, Security
sbassett moved T242355: Trivial Quarry XSS: Tabular data CSV / TSV are not escaped and sent as text/html from Backlog / Other to Other WMF team on the Security board.
Thu, Jan 9, 9:04 PM · Vuln-XSS, Cloud-Services, Security-Team, Quarry, Security
sbassett claimed T240869: Security Review For KaiOS Wikipedia app.
Thu, Jan 9, 4:49 PM · Security Readiness Reviews, Inuka-Team
sbassett moved T240869: Security Review For KaiOS Wikipedia app from Waiting to In Progress on the Security Readiness Reviews board.
Thu, Jan 9, 4:48 PM · Security Readiness Reviews, Inuka-Team
sbassett moved T240943: Security Concept Review For new CI from Back Orders to Watching on the Security-Team board.
Thu, Jan 9, 3:47 PM · Needs Discussion, Security-Team, Release-Engineering-Team-TODO (2020-01 to 2020-03 (Q3)), Security Concept Review
sbassett moved T240943: Security Concept Review For new CI from Incoming to In Progress on the Security Concept Review board.

First review initially scheduled for 2019-01-10.

Thu, Jan 9, 3:46 PM · Needs Discussion, Security-Team, Release-Engineering-Team-TODO (2020-01 to 2020-03 (Q3)), Security Concept Review
sbassett moved T242089: Consider keeping user entered URL and removing tracking parameters from Backlog / Other to Other WMF team on the Security board.
Thu, Jan 9, 3:44 PM · Privacy Engineering, Security, Citoid
sbassett removed a project from T239077: Define policy aspects of CSP on wiki: Security Readiness Reviews.

Removing Security Readiness Reviews since there's no actual review request within this task.

Thu, Jan 9, 3:25 PM · Privacy Engineering, Documentation, Privacy, Security-Team, ContentSecurityPolicy
sbassett moved T156757: Add examples of the three security review processes from Watching to Our Part Is Done on the Security-Team board.
Thu, Jan 9, 3:22 PM · Security Readiness Reviews, Security-Team, Documentation, Developer-Wishlist (2017)
sbassett closed T156757: Add examples of the three security review processes as Invalid.

I'm going to close this task as invalid for now, since the above discussions were related to a completely different set of security review policies which were superseded by a new SOP in February of 2019. The current SOP has continued to evolve and will likely evolve further as the Security-Team is in the process of revamping some of our intakes and workflows, which should hopefully wrap up Q3 of FY 2020. If there are still concerns over the current SOP, I would invite folks to first contribute their concerns on its talk page to keep pre-actionable discussion in a single, logical place.

Thu, Jan 9, 3:22 PM · Security Readiness Reviews, Security-Team, Documentation, Developer-Wishlist (2017)

Wed, Jan 8

sbassett moved T239680: CU 2.0: Persist the form state from Incoming to Watching on the Security-Team board.
Wed, Jan 8, 10:47 PM · Security-Team, Patch-For-Review, CheckUser, Anti-Harassment (The Letter Song)
sbassett added a project to T239680: CU 2.0: Persist the form state: Security-Team.
Wed, Jan 8, 10:47 PM · Security-Team, Patch-For-Review, CheckUser, Anti-Harassment (The Letter Song)
sbassett added a comment to T242163: Restore resolved security-team-reviews tasks.

@chasemp - Just checked a bunch of my old reviews and all of them look fine now. Hopefully we can figure out all of the weird edge-case ones that are still vanished into the aether.

Wed, Jan 8, 6:54 PM · Security-Team
sbassett renamed T240773: Exposed HTML in WikibaseMediaInfo autocomplete suggestions (CVE-2020-6163) from Exposed HTML in WikibaseMediaInfo autocomplete suggestions to Exposed HTML in WikibaseMediaInfo autocomplete suggestions (CVE-2020-6163).
Wed, Jan 8, 6:18 PM · Vuln-XSS, Security-Team, Structured-Data-Backlog (Current Work), Structured Data Engineering, WikibaseMediaInfo, Security
sbassett added a comment to T242242: Kerberos credentials for sbassett.

You can use the one that all the members of analytics-privatedata-users can access, sudoing as the analytics-privatedata users. We don't create per-user keytabs for the moment, we'll see in the future if needed.

Wed, Jan 8, 6:08 PM · Analytics
sbassett added a comment to T242242: Kerberos credentials for sbassett.

@elukey - thanks. Can I create a keytab for myself on stat1007 or does Analytics need to do that for me? Wasn't quite certain of the process from https://wikitech.wikimedia.org/wiki/Analytics/Systems/Kerberos/UserGuide#Run_a_recurrent_job_via_Cron_or_similar_without_kinit_every_day.

Wed, Jan 8, 5:37 PM · Analytics
sbassett updated the task description for T242242: Kerberos credentials for sbassett.
Wed, Jan 8, 5:18 PM · Analytics
sbassett created T242242: Kerberos credentials for sbassett.
Wed, Jan 8, 5:17 PM · Analytics
sbassett added a project to T242236: Problem connecting to database from stat1007.eqiad.wmnet: Analytics.
Wed, Jan 8, 4:54 PM · Analytics
sbassett updated the task description for T242236: Problem connecting to database from stat1007.eqiad.wmnet.
Wed, Jan 8, 4:52 PM · Analytics
sbassett added a comment to T237805: Disable 2FA for User:EvanProdromou.

@jrbs - this ever get resolved?

Wed, Jan 8, 4:05 PM · Trust-and-Safety

Tue, Jan 7

sbassett updated the task description for T242163: Restore resolved security-team-reviews tasks.
Tue, Jan 7, 10:48 PM · Security-Team
sbassett added a comment to T242163: Restore resolved security-team-reviews tasks.

Sure, most things here:

Tue, Jan 7, 10:47 PM · Security-Team
sbassett moved T182507: Extension:Cargo Lua Module does not escape query values leading to potential SQL injection. from External (Non-WMF) Issues to Done on the Security board.
Tue, Jan 7, 10:43 PM · Security, MediaWiki-extensions-Cargo
sbassett lowered the priority of T182507: Extension:Cargo Lua Module does not escape query values leading to potential SQL injection. from Medium to Lowest.
Tue, Jan 7, 10:43 PM · Security, MediaWiki-extensions-Cargo
sbassett updated the task description for T242163: Restore resolved security-team-reviews tasks.
Tue, Jan 7, 10:00 PM · Security-Team
sbassett created T242163: Restore resolved security-team-reviews tasks.
Tue, Jan 7, 9:59 PM · Security-Team
sbassett added a comment to T182507: Extension:Cargo Lua Module does not escape query values leading to potential SQL injection..

@Yaron_Koren - As the ostensible maintainer here, would you be ok with us making this task public as we traditionally do for any security issue that transitions into a "closed" state? While that technically involves exposing this not-fully-resolved security issue, it would probably be beneficial as a notice to anyone running the Cargo extension to be wary of this issue.

Tue, Jan 7, 9:54 PM · Security, MediaWiki-extensions-Cargo
sbassett moved T240773: Exposed HTML in WikibaseMediaInfo autocomplete suggestions (CVE-2020-6163) from Watching to Our Part Is Done on the Security-Team board.
Tue, Jan 7, 9:40 PM · Vuln-XSS, Security-Team, Structured-Data-Backlog (Current Work), Structured Data Engineering, WikibaseMediaInfo, Security
sbassett moved T240773: Exposed HTML in WikibaseMediaInfo autocomplete suggestions (CVE-2020-6163) from Other WMF team to Done on the Security board.
Tue, Jan 7, 9:40 PM · Vuln-XSS, Security-Team, Structured-Data-Backlog (Current Work), Structured Data Engineering, WikibaseMediaInfo, Security
sbassett changed the visibility for T240773: Exposed HTML in WikibaseMediaInfo autocomplete suggestions (CVE-2020-6163).
Tue, Jan 7, 9:39 PM · Vuln-XSS, Security-Team, Structured-Data-Backlog (Current Work), Structured Data Engineering, WikibaseMediaInfo, Security
sbassett added a comment to T240773: Exposed HTML in WikibaseMediaInfo autocomplete suggestions (CVE-2020-6163).

So it doesn't look like templates/search/PropertySuggestionsWidget.mustache+dom existed in REL1_34 or previous, so no backports necessary. I'm going to make the task public now and request a CVE.

Tue, Jan 7, 9:39 PM · Vuln-XSS, Security-Team, Structured-Data-Backlog (Current Work), Structured Data Engineering, WikibaseMediaInfo, Security
sbassett reassigned T241950: XSS bug in Twinkle friendlytalkback gadget across many wikis from sbassett to Krenair.
Tue, Jan 7, 8:55 PM · Wikimedia-General-or-Unknown, Security-Team, Vuln-XSS, Security
sbassett closed T241950: XSS bug in Twinkle friendlytalkback gadget across many wikis as Resolved.
Tue, Jan 7, 8:54 PM · Wikimedia-General-or-Unknown, Security-Team, Vuln-XSS, Security
sbassett changed the visibility for T241950: XSS bug in Twinkle friendlytalkback gadget across many wikis.
Tue, Jan 7, 8:54 PM · Wikimedia-General-or-Unknown, Security-Team, Vuln-XSS, Security
sbassett moved T241950: XSS bug in Twinkle friendlytalkback gadget across many wikis from Watching to Our Part Is Done on the Security-Team board.
Tue, Jan 7, 8:53 PM · Wikimedia-General-or-Unknown, Security-Team, Vuln-XSS, Security
sbassett moved T241950: XSS bug in Twinkle friendlytalkback gadget across many wikis from External (Non-WMF) Issues to Done on the Security board.
Tue, Jan 7, 8:53 PM · Wikimedia-General-or-Unknown, Security-Team, Vuln-XSS, Security
sbassett lowered the priority of T240502: Raw HTML in MobileFrontend from High to Medium.
Tue, Jan 7, 6:37 PM · Readers-Web-Backlog (Kanbanana-2019-20-Q3), MobileFrontend, Security
sbassett changed the visibility for T240502: Raw HTML in MobileFrontend.
Tue, Jan 7, 6:37 PM · Readers-Web-Backlog (Kanbanana-2019-20-Q3), MobileFrontend, Security
sbassett added a comment to T240502: Raw HTML in MobileFrontend.

@Jdlrobson - it'd be nice to get backports to supported release branches completed - I can maybe get those started in gerrit now. I think we can make the task public now (since it's been patched and deployed within production) but I'd wait to resolve it if we can get the backports completed first.

Tue, Jan 7, 6:37 PM · Readers-Web-Backlog (Kanbanana-2019-20-Q3), MobileFrontend, Security
sbassett added a member for Security Readiness Reviews: Reedy.
Tue, Jan 7, 5:16 PM
sbassett moved T242126: Security Review For EventStreamConfig extension from Incoming to Our Part Is Done on the Security Readiness Reviews board.
Tue, Jan 7, 3:57 PM · Security Readiness Reviews, Event-Platform, Analytics
sbassett moved T242125: Security Review For EventStreamConfig extension from Incoming to Our Part Is Done on the Security Readiness Reviews board.
Tue, Jan 7, 3:57 PM · Analytics, Security Readiness Reviews
sbassett added a comment to T240338: LDAPAuthentication2 allows login with invalid password.

So the mw.org Extension template was updated in T241243. And LDAPAuthentication2's info box was changed to reflect that it only supports LTS versions. I understand that isn't anywhere close to a foolproof solution, but it's a place to quickly point anyone who has questions regarding "missing" release branches.

Tue, Jan 7, 3:48 PM · Vuln-Authn/Session, MediaWiki-extensions-LDAPProvider, MediaWiki-extensions-LDAPAuthentication2, Security

Mon, Jan 6

sbassett updated the task description for T241921: Fix Wikimedia captchas.
Mon, Jan 6, 9:45 PM · Security-Team, Stewards-and-global-tools, Security, ConfirmEdit (CAPTCHA extension), UX-Debt, Accessibility, Epic
sbassett added a comment to T240773: Exposed HTML in WikibaseMediaInfo autocomplete suggestions (CVE-2020-6163).

Yes - not sure why gerritbot didn't pick it up, but here's the patch: https://gerrit.wikimedia.org/r/c/mediawiki/extensions/WikibaseMediaInfo/+/558203

Mon, Jan 6, 8:10 PM · Vuln-XSS, Security-Team, Structured-Data-Backlog (Current Work), Structured Data Engineering, WikibaseMediaInfo, Security
sbassett added a comment to T240773: Exposed HTML in WikibaseMediaInfo autocomplete suggestions (CVE-2020-6163).

@matthiasmullie - Is there a gerrit patch set or security patch we could reference here? Backports to supported release branches or a CVE? The Security-Team can help with the latter if need be. Thanks.

Mon, Jan 6, 7:00 PM · Vuln-XSS, Security-Team, Structured-Data-Backlog (Current Work), Structured Data Engineering, WikibaseMediaInfo, Security