Bug 69623 – Graph extension security review

Last modified: 2014-10-04 00:06:41 UTC

Status: RESOLVED FIXED
Product: MediaWiki extensions
Classification: Unclassified
Component: Other
Version: unspecified
Hardware / OS: All / All
Priority / Severity: Unprioritized / normal
Target Milestone: ---
Assigned To: Chris Steipp
Reported: 2014-08-15 19:23 UTC by Yuri Astrakhan
Modified: 2014-10-04 00:06 UTC


Description Yuri Astrakhan 2014-08-15 19:23:19 UTC
Please sec review https://www.mediawiki.org/wiki/Extension:Graph
Comment 1 Chris Steipp 2014-08-15 21:25:42 UTC
So far, I've found two issues in the Vega library that make this extension undeployable on public wikis:

* Privacy violation with unrestricted XHR loads. Anyone can put something like <graph>{"width": 0, "height": 0, "data": [{"url": "//www.whatever.com/track.php"}] }</graph> and vega happily loads the URL without user interaction.

* Stored XSS through the "filter" config. You can put arbitrary javascript in the filter test, and it gets executed.

On a wiki where only users with interface editing rights can edit the graph config, this is fine as it doesn't do anything beyond what raw html can do. But are these issues fixable, if you're intending to deploy this on public wikis?
Comment 2 Chris Steipp 2014-09-14 21:37:34 UTC
The new vega library is an improvement, but I think there's a flaw in how they did the domain comparison:

return vg.config.domainWhiteList.some(function(d) {
   return d === domain ||
     domain.lastIndexOf("."+d) === (domain.length - d.length - 1);
});

If "."+d doesn't exist in domain, lastIndexOf will return -1. So if d.length and domain.length are exactly the same length (but different), then -1 === -1, so the invalid domain would get through. I think you want to just take the substring of d which is the last domain.length characters, and then do a strict comparison.
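The off-by-sentinel flaw described in comment 2, shown as an added example (this is not code from Vega or from the Graph extension): the quoted comparison beside a strict suffix check, run over a constructed whitelist and hostnames.

```javascript
// Added example, not code from Vega or the Graph extension: the whitelist
// comparison quoted above beside a strict suffix check, on constructed input.

// Flawed check, equivalent to the Vega snippet in comment 2. When "." + d
// does not occur in domain, lastIndexOf returns -1; when d and domain have
// equal length the right-hand side is also -1, so the comparison succeeds.
function isWhitelistedFlawed(domain, whiteList) {
  return whiteList.some(function (d) {
    return d === domain ||
      domain.lastIndexOf("." + d) === (domain.length - d.length - 1);
  });
}

// Strict check: exact match, or domain is strictly longer than "." + d and
// ends with it. A string comparison cannot be satisfied by a sentinel index.
function isWhitelistedStrict(domain, whiteList) {
  return whiteList.some(function (d) {
    if (d === domain) { return true; }
    var suffix = "." + d;
    return domain.length > suffix.length &&
      domain.slice(domain.length - suffix.length) === suffix;
  });
}

// Constructed whitelist and hostnames for the demonstration.
var WHITELIST = ["wikipedia.org"];
var CASES = {
  exact: "wikipedia.org",        // the listed domain itself
  subdomain: "upload.wikipedia.org",
  sameLength: "example-0.org",   // 13 chars like "wikipedia.org", not listed
  lookalike: "notwikipedia.org"  // contains the name but is not a subdomain
};

// Evaluate every case with both checks; returns {name: [flawed, strict]}.
function compareChecks() {
  var out = {};
  Object.keys(CASES).forEach(function (name) {
    out[name] = [
      isWhitelistedFlawed(CASES[name], WHITELIST),
      isWhitelistedStrict(CASES[name], WHITELIST)
    ];
  });
  return out;
}
```

Only the same-length, non-listed host separates the two checks: the flawed version admits it, the strict version rejects it.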
Comment 3 Yuri Astrakhan 2014-09-14 21:49:19 UTC
thanks, good catch, fixing :)
Comment 4 Yuri Astrakhan 2014-09-15 00:57:21 UTC
Graph ext patch: https://gerrit.wikimedia.org/r/#/c/160369/

Upstream pull request: https://github.com/trifacta/vega/pull/217
Comment 5 Chris Steipp 2014-09-15 16:18:49 UTC
Ok, the rest of it should be safe.

I would certainly encourage you to make the extension default to safe mode, and using the local wiki as the default whitelisted domain, so an admin has to explicitly enable insecure features. But since you're anxious to get this deployed, we can put it on wmf wikis as is, as long as we always configure the whitelist.
Comment 6 Yuri Astrakhan 2014-09-17 22:52:00 UTC
Chris, thanks, and the defaults have always been exactly as you describe - extension sets wgEnableGraphParserTag=false and wgGraphDataDomains=[] by default.
Comment 7 Chris Steipp 2014-10-03 23:27:43 UTC
(In reply to Yuri Astrakhan from comment #6)
> Chris, thanks, and the defaults have always been exactly as you describe -
> extension sets wgEnableGraphParserTag=false and wgGraphDataDomains=[] by
> default.

Sorry, what I meant was in js/graph.js, you have 

if (vg.config.domainWhiteList) {
	vg.config.safeMode = true;
}

I'm not sure any js engines interpret [] == false, but something like this would feel safer to me (more fail safe):

vg.config.safeMode = true;
if ( vg.config.domainWhiteList === false ) {
	vg.config.safeMode = false;
}
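The two ways of deriving safeMode discussed in comment 7, as an added example (not the Graph extension's js/graph.js): the opt-in form quoted above next to the fail-safe form, evaluated over constructed config values; the initial value of false in the opt-in form stands in for a library default that leaves safeMode unset, which is an assumption of this example.

```javascript
// Added example, not the Graph extension's js/graph.js: the opt-in safeMode
// logic quoted above next to the fail-safe form suggested in comment 7,
// evaluated over constructed config values.

// Opt-in form: safeMode is switched on only when the whitelist is truthy.
// The starting value of false stands in for a library default that leaves
// safeMode unset (an assumption of this example).
function safeModeOptIn(config) {
  var safeMode = false;
  if (config.domainWhiteList) {
    safeMode = true;
  }
  return safeMode;
}

// Fail-safe form: safeMode stays on unless it is disabled explicitly.
function safeModeFailSafe(config) {
  var safeMode = true;
  if (config.domainWhiteList === false) {
    safeMode = false;
  }
  return safeMode;
}

// Constructed configs. Note that [] == false is true under loose equality,
// but [] is truthy in an if test, so the opt-in form does enable safeMode
// for the extension's default of []; the gap is a missing or null value.
var CONFIGS = {
  unset: {},
  nullValue: { domainWhiteList: null },
  emptyList: { domainWhiteList: [] },
  listed: { domainWhiteList: ["wikipedia.org"] },
  disabled: { domainWhiteList: false }
};

// Returns {name: [optIn, failSafe]} for each config.
function compareSafeMode() {
  var out = {};
  Object.keys(CONFIGS).forEach(function (name) {
    out[name] = [safeModeOptIn(CONFIGS[name]), safeModeFailSafe(CONFIGS[name])];
  });
  return out;
}
```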
Comment 8 Yuri Astrakhan 2014-10-04 00:06:41 UTC
Thx, please take a look at https://gerrit.wikimedia.org/r/#/c/164708/
