User:CSteipp (WMF)/ISec Audit

= Setup =

Vagrant

 * Setup MediaWiki Vagrant
 * Use 1024M memory (the default). Less than this and VisualEditor breaks.
 * Enable roles: centralauth visualeditor pdfhandler svg parserfunctions checkuser echo flow multimediaviewer proofreadpage timedmediahandler
 * Add checkuser group to Admin user
 * Add to a file "tiffhandling.php" in settings.d/

Image
(download link)

= Priorities =
 * 1) Our wikitext -> html parsing
 * 2) * Allowing users to edit wikitext and display their edits as html is probably the most basic feature of MediaWiki. The code is mostly in includes/parser/. We assume that any possible wikitext, when parsed to html, is safe from:
 * 3) *# executing javascript
 * 4) *# loading external resources that could be used to track readers
 * 5) * The functionality of the parser can be extended with parser functions, allowing editors to use html-like syntax that calls extension code to process the input. In the vagrant config, the parserfunctions role with adds ParserFunctions. We distribute the ParserFunctions extension with the basic MediaWiki tarball, so those functions should be carefully looked at as well.
 * 6) * If time allows (probably after Mediaviewer is done), assessing the lua template engine (Scribunto extension) would also be helpful. It returns wikitext which is parsed to html, but we would like to make sure the lua engine (luasandbox) can't be used to attack the host.
 * 7) Upload, processing, and display of images/files (especially the handling of more obscure formats like svg, and Pdf/DjVu)
 * 8) * By default, MediaWiki handles png, jpg, and gif files. The upload handling is in includes/upload/, and the handling of parsing and converting different formats is handled by code in includes/media/. The vagrant roles above add extensions and some config flags to setup file handling very similar to WMF sites:
 * 9) ** timedmediahandler (ogg, ogv, oga, flac, wav, webm) - Add extensions MwEmbedSupport and TimedMediaHandler. Converts files using ffmpeg, and displays them using a variety of techniques.
 * 10) ** svg (svg) - enable core's SVG processing. Uses rsvg, which is what the WMF uses in production.
 * 11) ** proofreadpage (djvu) - enables core's DjVu processing, which relies on ddjvu, djvudump, djvutext, etc.
 * 12) ** pdfhandler (pdf) - Adds extension PdfHandler. Processing is almost identical to core's djvu handling, but uses ghostscript and imagemagick for processing
 * 13) ** settings.d/tiffhandling.php (tiff) - enable core's tiff handling
 * 14) * On WMF wikis, images are served from a separate domain (upload.wikimedia.org), and use OpenStack's Swift for file storage. That is hard to emulate in vagrant, so it uses the default handling (images served from the same domain, and use the local filesystem for storage). This is probably easier to exploit, but we want to fix any issues in the default handling too.
 * 15) * If time allows,
 * 16) ** It would also be nice to look at img_auth, which is our way of serving images on private wikis.
 * 17) ** The vagrant image has InstantCommons enabled, which allows including local references to images from commons.wikimedia.org.
 * 18) VisualEditor extension
 * 19) * This is the wysiwyg editor written by the WMF. It delivers a javascript editor for the user to edit the article text (in html), then translates the final html back into wikitext using the parsoid node.js service. The wikitext is then saved in a normal fashion, and users see the html that was parsed from the saved wikitext.
 * 20) * It would be most helpful for this portion of the assessment to focus on the javascript editor and the parsoid service, since wikitext->html parsing is covered in #1.
 * 21) CentralAuth extension (our authentication and single sign-on extension)
 * 22) * Initially, the WMF added new wikis, and users could sign up for new accounts on each. This lead to some users creating the same username on lots of wikis, and some identical usernames used by different users on different wikis. The CentralAuth extension was written to allow users to:
 * 23) Track accounts with the same username on different wikis, all owned by the same person, by unifying them into a "global account"
 * 24) Allow users to login to any wiki using their global username and password, as long as their isn't an existing local user with the same username.
 * 25) Automatically create their user on a new wiki if they don't exist there already when they login. If a user is logged in globally and visits a wiki where she doesn't have an account, the local account will be created automatically also.
 * 26) * For the assessment, focus on the password handling, session management, single sign-on and autologin protocols
 * 27) * In vagrant, enabling https is difficult, so this image will not have $wgSecureLogin like we use in production. Assume that in most cases, the login form and logged-in sessions are via https.
 * 28) CheckUser extension (the extension that handles all of the User<->IP mapping for edits by logged in users, which we use for spam investigations mostly)
 * 29) * For the assessment, the focus should be on can unauthorized users get access to the User-IP mappings
 * 30) Mediaviewer - a lightbox viewer for images
 * 31) * Added with the vagrant multimediaviewer role
 * 32) Echo extension - notification messages for users
 * 33) Flow extension - the conversation/collaboration tool that is replacing Talk pages.
 * 34) * This extension is under active development, but would still be good to assess.

In the audit, we're hoping to cover 1-5. Others extensions will be audited as time allows.

= Security Properties = See What are we trying to protect? for a list of security properties and objectives for MediaWiki.

For this assessment, we're less interested in failures in spam/vandalism mitigation and DoS attacks in general. Although WMF sites get a constant stream of DoS attacks and spam, we're able to mitigate them to an acceptable level with small config changes and volunteer effort.

Also note that we've specifically decided not to protect a few things:
 * For a default wiki install, we do not attempt to protect the user names of site users. The list of all username is available at Special:ListUsers, and the edit history and Special:Log show the usernames of users who edited or created accounts. Private wikis can restrict access to all but a few pages to prevent usernames from being displayed, and when possible MediaWiki will attempt to support wikis that wish to keep these private. However, this is not guaranteed, and shouldn't be counted on by private wikis.
 * Except on private wikis, all content is assumed to be publicly accessible. See also Security_issues_with_authorization_extensions.

= Background =
 * A good, although slightly dated description of MediaWiki's architecture: The Architecture of Open Source Applications vol. II. That should help the auditors understand core vs extensions, and how some of the major components are put together.