[go: up one dir, main page]
More Web Proxy on the site http://driver.im/
Page MenuHomePhabricator
Create Task
Maniphest T262963

Security Readiness Review For geoip2/geoip2
Closed, ResolvedPublic
Actions

Description

Project Information

Description of the tool/project:
This package provides an API for the GeoIP2 web services and databases. The API also works with the free GeoLite2 databases.

Description of how the tool will be used at WMF:
As part of the IP Info extension, we would like to use MaxMind's proprietary dataset. The format they provide is a pre-indexed single-file database which can be queried easily using the geoip2/geoip2 library which is their official PHP library.

Dependencies

Has this project been reviewed before?
Not that we are aware of.

Working test environment
TBD

Post-deployment
Anti-Harassment

Related Objects
Search...

StatusSubtypeAssignedTask
 ResolvedSTranT298955 Return different data from IPInfo api based on context [M]
 ResolvedSTranT300825 IPInfo logger should queue a logging job instead of writing directly
 OpenNoneT139810 RFC: Overhaul the CheckUser extension
 ResolvedNiharikaT236225 [Epic] CheckUser 2.0 Improvements
ResolvedNiharikaT237593 [Epic] CheckUser 2.0: Compare
 StalledNoneT179459 Enhance blocking in AbuseFilter
 StalledNoneT179454 AbuseFilter range blocks should be smarter
 DeclinedNoneT175160 Identify the source of WHOIS data, the retrieval method, and update frequency
 OpenNoneT174388 LoginNotify should inform users of the IP address of failed login attempts to their account
 DeclinedNoneT152114 Show provider and country for IPs in Special:RangeContributions
 ResolvedFeatureNoneT18068 New page: Special:Whois / Special:AboutIP
 OpenNoneT174553 Create a mechanism that allows fetching geolocation and subnet data for IP addresses
 OpenNoneT285977 IP Info
 ResolvedNiharikaT287648 Reviews and deployment
 ResolvedTchandersT260597 Deploy IP Info extension to all wikis (as a beta feature)
 ResolvedNiharikaT261372 Replace mock data returned from API endpoint with live data
 Resolved AGueyteT306212 Remove AdHocDebug logging for investigating duplicate log entries
 ResolvedSTranT296480 Enable the ipinfo instrument in production
 ResolvedSTranT304438 Enable IP Info instrumentation in testwiki
 Resolved AGueyteT307493 Update IPInfo disclaimer per Legal
 ResolvedNiharikaT292755 Epic: IP Info access
 ResolvedSTranT292842 Log when the user's access level changes
 ResolvedNiharikaT263756 Create a table to store which users have access to IPInfo, and the timestamp when access was granted [L]
 ResolvedTchandersT264795 Decide how we want to store how we log which users have access to IP Info [8 hours]
 InvalidNoneT291827 Create IPInfo access manager
 InvalidNoneT291854 Create revoke user access maintenance script
 InvalidNoneT296186 Create a group that revokes all ipinfo* rights
 ResolvedSTranT264150 User needs to request access to IP information [L]
 ResolvedSTranT291582 Implement condition agreements in Special:Preferences [M]
 ResolvedSpikephuedxT291583 [SPIKE] Check that IPInfo-related user properties aren't replicated to publicly accessible databases [8H]
 ResolvedSTranT294658 Create a log entry when the RevisionHandler is called
 Resolved TThoabalaT294657 Create a log entry when the LogHandler is called
 ResolvedphuedxT294680 IP Info: Create a logger function to be used in both the popup and accordion presenters [M]
 DeclinedTchandersT296184 Automatically promote users to the group that grants basic rights
 ResolvedSTranT296085 Create a group that grants basic ipinfo* rights
 ResolvedSTranT296499 Grant certain groups the ipinfo-view-full right
 ResolvedTchandersT260598 Deploy IP Info extension to test.wikipedia.org
 ResolvedTchandersT260599 Deploy IP Info extension to beta cluster
 ResolvedsbassettT262963 Security Readiness Review For geoip2/geoip2
 ResolvedDec 15 2020TchandersT266136 Update CI config once geoip2 is available
 ResolvedTchandersT269475 Add geoip2/geoip2 library to mediawiki/vendor
 ResolvedTchandersT260602 Complete the necessary reviews for the IP Info extension
 InvalidNoneT260601 Remove the static mock data from the popup and make a request to the API endpoint for dynamic mock data
 ResolvedSep 22 2020TchandersT260603 Create an API endpoint that accepts a log id or revision id and returns mock data about the IP address
 ResolvedSep 22 2020TchandersT260604 Display a popup with fixed mock data for an IP address on the specified page(s)
 ResolvedTchandersT260605 Add IP Info extension to translatewiki.net
 ResolveddbarrattT260607 Deploy the IP Info extension to The Good Place
 ResolvedTchandersT260609 Create a basic extension.json file and a new wikipage for the IP Info extension
 ResolveddbarrattT260611 Request a repository for the IP Info Extension
 ResolvedTchandersT260610 Request the necessary reviews of the IP Info extension
 ResolvedsbassettT260822 Security review of IP Info extension
 ResolvedNiharikaT260821 Performance review of IP Info extension
 InvalidNoneT270347 Remove 'ipinfo' right from administrators on the Beta Cluster
 StalledNoneT309318 Can global sysops have ipinfo-view-full and ipinfo-view-log access?
 ResolvedSecurityUrbanecmT309411 sysop access to ipinfo logs can leak IP addresses that sysops should not have access to
 ResolvedUrbanecmT309928 Remove `ipinfo-view-log` from sysops

Event Timeline

dbarratt created this task.Sep 15 2020, 6:21 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptSep 15 2020, 6:21 PM
dbarratt updated the task description. (Show Details)Sep 15 2020, 6:22 PM
chasemp subscribed.Sep 15 2020, 6:29 PM

We already use maxmind in production in a few places and have a subscription. The geoip2 lib for python seems in use, but I don't see the PHP libs.

The question would be, are these packaged in debian?

Huji added a parent task: T174553: Create a mechanism that allows fetching geolocation and subnet data for IP addresses.Sep 15 2020, 7:14 PM
Huji subscribed.

@chasemp does https://gerrit.wikimedia.org/r/c/mediawiki/vendor/+/417474 help to know the PHP lib better?

dbarratt mentioned this in T260821: Performance review of IP Info extension.Sep 15 2020, 8:30 PM
Gilles subscribed.Sep 16 2020, 8:33 AM
In T262963#6463951, @chasemp wrote:

The question would be, are these packaged in debian?

I believe we bring PHP libraries into MediaWiki and extensions with composer.

chasemp edited projects, added Application Security Reviews; removed Security-Team.Sep 16 2020, 1:17 PM
In T262963#6465475, @Gilles wrote:
In T262963#6463951, @chasemp wrote:

The question would be, are these packaged in debian?

I believe we bring PHP libraries into MediaWiki and extensions with composer.

I had Alternatively, we could create a new web service in production that our extension could make a request to (from PHP). lingering in my brain when I made the packaging comment. Which was confusing on my part as I was doing a bit of a drive-by here.

Typically, the policy for established (and esp large) FLOSS project inclusion has been a cursory review and opinion from the appsec contingent within the security team as part of the Readiness SOP. Note this SOP usually requires a template for requesting service that involves more info than is here. I'll let those folks decide what's appropriate in this case.

I added that tag this should get noticed in the weekly triage.

Restricted Application added a project: secscrum. · View Herald TranscriptSep 16 2020, 1:17 PM
dbarratt added a comment.Sep 16 2020, 2:43 PM
In T262963#6466170, @chasemp wrote:

I had Alternatively, we could create a new web service in production that our extension could make a request to (from PHP). lingering in my brain when I made the packaging comment. Which was confusing on my part as I was doing a bit of a drive-by here.

Apologies if that was confusing. I was thinking it may be more secure to create some sort of "microservice" that would accept an IP address (over the local network from MediaWiki) and return information about that IP address. It obviously wouldn't do any sort of access control (other than only being accessible over the local network). That could isolate the third party code away from MediaWiki.

On the flip side, if it's better to add the library to MediaWiki, that works too! :)

sbassett changed the task status from Open to Stalled.Sep 16 2020, 4:10 PM
sbassett triaged this task as Low priority.
sbassett moved this task from Incoming to Back Orders on the secscrum board.
Niharika moved this task from Untriaged to Tracking work by others on the Anti-Harassment board.Sep 16 2020, 4:13 PM
Jcross subscribed.Sep 17 2020, 6:23 PM

Hi @dbarratt - we'd appreciate it if you could please provide all of the information requested on our RFS form located here: https://phabricator.wikimedia.org/maniphest/task/edit/form/79/ We are here to answer any questions and additional information regarding our process is available here: https://www.mediawiki.org/wiki/Security/SOP/Security_Readiness_Reviews

Thank you!

dbarratt renamed this task from Security review of geoip2/geoip2 to Security Readiness Review For geoip2/geoip2.Sep 17 2020, 6:34 PM
dbarratt added a project: Security.
dbarratt updated the task description. (Show Details)
dbarratt added a subscriber: Tchanders.
Niharika mentioned this in T264905: Switching mock data in IP Info for live data.Oct 7 2020, 3:54 PM
Tchanders added a comment.Oct 21 2020, 1:34 PM

Thanks @Jcross, it looks like we've added the information to this task description. Do you need anything else from us before the review can go ahead?

It would also be great to have an estimate on when security would be able to look at this - thanks!

Tchanders mentioned this in T266136: Update CI config once geoip2 is available.Oct 21 2020, 2:24 PM
dbarratt updated the task description. (Show Details)Oct 22 2020, 8:40 PM
sbassett claimed this task.Oct 28 2020, 4:24 PM
sbassett added a project: user-sbassett.
sbassett moved this task from Back Orders to In Progress on the secscrum board.
Jcross added a comment.Oct 28 2020, 5:14 PM

Hi @Tchanders - we've moved this ticket to In Progress and I believe we are planning on having feedback for you in the next two weeks. Please let us know if you have any questions as we move forward. Thanks!

Tchanders mentioned this in T260822: Security review of IP Info extension.Nov 2 2020, 1:17 PM
sbassett moved this task from Backlog to In Progress on the user-sbassett board.Nov 16 2020, 4:02 PM
Tchanders added a parent task: T260599: Deploy IP Info extension to beta cluster.Dec 1 2020, 4:14 PM
dbarratt unsubscribed.Dec 1 2020, 4:27 PM
Tchanders added a subscriber: STran.Dec 1 2020, 6:50 PM
sbassett added a comment.Dec 2 2020, 10:31 PM

Apologies for the delay on this - I hope to have this review completed by this Friday. So far I haven't seen anything extremely concerning within the geoip2 package.

sbassett changed the task status from Stalled to Open.Dec 3 2020, 8:42 PM
sbassett updated the task description. (Show Details)
sbassett added a comment.EditedDec 3 2020, 10:49 PM

Security Review Summary - T262963 - 2020-11-03

Overall, the current vendor code under consideration looks to be very good, which makes sense given that it's from maxmind, an organization whose components are already used within various Wikimedia production infrastructures. I would currently assign an overall risk rating of: low for this package.

geoip2/geoip2

General Security Information

Statistic/InfoValueRisk
Repositoryhttps://github.com/maxmind/GeoIP2-php none
Relevant tagv2.11.0 none
Last commit reviewed (if relevant)d01be5894a none
Recent contributions to code (6 months)21 low
Active developers with > 10 commits5 low
Current overall usage1700 stars, 222 forks low
Current open security issues0 none
Methods for reporting security issuesnone medium

Vulnerable Packages

  1. None found via composer security:check, snyk: low risk

Policy Compliance

  1. I'm assuming that since maxmind is already used within production (as @chasemp noted above) in a few different ways (though not currently at the MediaWiki application layer), that WMF-Legal would be fine with this additional use case.

General Issues

  1. In analyzing and manually reviewing the code, I did not find any major security weaknesses or vulnerabilities, though I would note that:
    1. At this point, given the number of disparate things using maxmind's databases within production, it might make sense to eventually consolodate such requirements into a centralized service. Of course that's well beyond the scope of this project and might involve more complication and frustration than any benefit provided.
    2. I'll likely have more things to say about this package's usage within the IPInfo extension, but I'll plan to keep those issues contextually isolated to the review of that extension (T260822).
sbassett closed this task as Resolved.Dec 3 2020, 10:49 PM
sbassett moved this task from In Progress to Our Part Is Done on the secscrum board.
sbassett moved this task from In Progress to Done on the user-sbassett board.
Tchanders mentioned this in T269475: Add geoip2/geoip2 library to mediawiki/vendor.Dec 4 2020, 8:14 PM
Tchanders added a comment.Dec 4 2020, 11:50 PM

Thank you @sbassett!

Niharika added a parent task: T287648: Reviews and deployment.Jul 28 2021, 11:34 PM
Niharika moved this task from Backlog to Closed on the IP Info board.Aug 8 2022, 8:02 PM
sbassett mentioned this in T318854: Application Security Review Request : d3.js.Oct 17 2022, 3:53 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits