Change Details

TL;DR: some i18n messages used as HTML; imported nightly from translatewiki, but not automatically deployed to query.wikidata.org The Wikidata Query Service UI (`wikidata/query/gui` in Gerrit) uses the “//x// results in //y// ms” message directly as HTML: ```lang=js,name=wikibase/queryService/ui/ResultView.js $( '#response-summary' ).html( wikibase.queryService.ui.i18n.getMessage( 'wdqs-app-resultbrowser-response-summary', '$1 results in $2 ms', [ api.getResultLength(), api.getExecutionTime() ] ) ); ``` If the message (either the English source or a translation) is edited to contain a `<script>` tag, the contents will be executed as soon as a query result is shown (which, for embed.html, is as soon as the page loads). To reproduce this issue, clone the repository, run `npm install`, apply a patch similar to ```lang=diff diff --git a/i18n/en.json b/i18n/en.json index e588694..f91a1b4 100644 --- a/i18n/en.json +++ b/i18n/en.json @@ -67 +67 @@ - "wdqs-app-resultbrowser-response-summary": "$1 {{PLURAL:$1|result|results}} in $2 ms", + "wdqs-app-resultbrowser-response-summary": "$1 {{PLURAL:$1|result|results}} in $2 ms<script>alert('hi')</script>", ``` then run `npm run start` and in the resulting browser window enter any query (e. g. `ASK{}`) and run it (e. g. pressing Ctrl+Enter, or clicking the blue “play” button). Translations are imported from translatewiki.net by l10n-bot every night; however, they are not deployed automatically. (There is also a Jenkins job that rejects l10n-bot changes that appear to add HTML, which should prevent the automatic translation.) First, a corresponding update to the `wikidata/query/gui-deploy` repository needs to be built – this is supposed to happen automatically, but is currently broken due to T235651. Then, that update needs to be merged, and then the `gui` submodule of the `wikidata/query/deploy` needs to be updated to point to the new build (with another Gerrit change), and this change needs to be deployed (with `scap`). (This process is subject to change in T235639.) In theory, those reviews can detect the malicious message, but in practice I don’t think we expect actual code review to take place in those stages.

TL;DR: some i18n messages used as HTML; imported nightly from translatewiki, but not automatically deployed to query.wikidata.org The Wikidata Query Service UI (`wikidata/query/gui` in Gerrit) uses the “//x// results in //y// ms” message directly as HTML: ```lang=js,name=wikibase/queryService/ui/ResultView.js $( '#response-summary' ).html( wikibase.queryService.ui.i18n.getMessage( 'wdqs-app-resultbrowser-response-summary', '$1 results in $2 ms', [ api.getResultLength(), api.getExecutionTime() ] ) ); ``` If the message (either the English source or a translation) is edited to contain a `<script>` tag, the contents will be executed as soon as a query result is shown (which, for embed.html, is as soon as the page loads). To reproduce this issue, clone the repository, run `npm install`, apply a patch similar to ```lang=diff diff --git a/i18n/en.json b/i18n/en.json index e588694..f91a1b4 100644 --- a/i18n/en.json +++ b/i18n/en.json @@ -67 +67 @@ - "wdqs-app-resultbrowser-response-summary": "$1 {{PLURAL:$1|result|results}} in $2 ms", + "wdqs-app-resultbrowser-response-summary": "$1 {{PLURAL:$1|result|results}} in $2 ms<script>alert('hi')</script>", ``` then run `npm run start` and in the resulting browser window enter any query (e. g. `ASK{}`) and run it (e. g. pressing Ctrl+Enter, or clicking the blue “play” button). Translations are imported from translatewiki.net by l10n-bot every night; however, they are not deployed automatically. (There is also a Jenkins job that rejects l10n-bot changes that appear to add HTML, which should prevent the automatic import.) First, a corresponding update to the `wikidata/query/gui-deploy` repository needs to be built – this is supposed to happen automatically, but is currently broken due to T235651. Then, that update needs to be merged, and then the `gui` submodule of the `wikidata/query/deploy` needs to be updated to point to the new build (with another Gerrit change), and this change needs to be deployed (with `scap`). (This process is subject to change in T235639.) In theory, those reviews can detect the malicious message, but in practice I don’t think we expect actual code review to take place in those stages.

TL;DR: some i18n messages used as HTML; imported nightly from translatewiki, but not automatically deployed to query.wikidata.org The Wikidata Query Service UI (`wikidata/query/gui` in Gerrit) uses the “//x// results in //y// ms” message directly as HTML: ```lang=js,name=wikibase/queryService/ui/ResultView.js $( '#response-summary' ).html( wikibase.queryService.ui.i18n.getMessage( 'wdqs-app-resultbrowser-response-summary', '$1 results in $2 ms', [ api.getResultLength(), api.getExecutionTime() ] ) ); ``` If the message (either the English source or a translation) is edited to contain a `<script>` tag, the contents will be executed as soon as a query result is shown (which, for embed.html, is as soon as the page loads). To reproduce this issue, clone the repository, run `npm install`, apply a patch similar to ```lang=diff diff --git a/i18n/en.json b/i18n/en.json index e588694..f91a1b4 100644 --- a/i18n/en.json +++ b/i18n/en.json @@ -67 +67 @@ - "wdqs-app-resultbrowser-response-summary": "$1 {{PLURAL:$1|result|results}} in $2 ms", + "wdqs-app-resultbrowser-response-summary": "$1 {{PLURAL:$1|result|results}} in $2 ms<script>alert('hi')</script>", ``` then run `npm run start` and in the resulting browser window enter any query (e. g. `ASK{}`) and run it (e. g. pressing Ctrl+Enter, or clicking the blue “play” button). Translations are imported from translatewiki.net by l10n-bot every night; however, they are not deployed automatically. (There is also a Jenkins job that rejects l10n-bot changes that appear to add HTML, which should prevent the automatic translationimport.) First, a corresponding update to the `wikidata/query/gui-deploy` repository needs to be built – this is supposed to happen automatically, but is currently broken due to T235651. Then, that update needs to be merged, and then the `gui` submodule of the `wikidata/query/deploy` needs to be updated to point to the new build (with another Gerrit change), and this change needs to be deployed (with `scap`). (This process is subject to change in T235639.) In theory, those reviews can detect the malicious message, but in practice I don’t think we expect actual code review to take place in those stages.