Security review for Cognate Extension
Closed, ResolvedPublic
Actions

Assigned To

Authored By

	Addshore
	Oct 25 2016, 11:06 AM

Description

Project Information

Name of tool/project: Cognate (mediawiki extension)
Project home page: https://www.mediawiki.org/wiki/Extension:Cognate
Name of team requesting review: WMDE
Primary contact: WMDE / @Addshore
Target date for deployment: Unknown
Link to code repository / patchset: https://gerrit.wikimedia.org/r/#/projects/mediawiki/extensions/Cognate,dashboards/default
Programming Language(s) Used: PHP

Description of the tool/project

An extension to provide automatic inter language links for Wiktionary projects

Description of how the tool will be used at WMF

The extension will be deployed to all Wiktionary sites

Dependencies

List dependencies, or upstream projects that this project relies on

None

Has this project been reviewed before?

please link to tasks or wiki pages of previous reviews

Only regular CR

Working test environment

please link or describe setup process for setting up a test environment

Labs test environment (which you can be given access to)

http://enwiktionary-cognate.wmflabs.org
http://dewiktionary-cognate.wmflabs.org
http://frwiktionary-cognate.wmflabs.org

The extension require a multi wiki setup.

Post-deployment

name of team responsible for tool/project after deployment and primary contact

WMDE / Wikidata / @Lydia_Pintscher

Details

Subject	Repo	Branch	Lines +/-
Switch to sha256 hash	mediawiki/extensions/Cognate	master	+15 -15
Adjust index on pages table	mediawiki/extensions/Cognate	master	+1 -1
Add note about interwiki lang link assumption to README	mediawiki/extensions/Cognate	master	+5 -0
populateCognatePages use mw db layer for IN query	mediawiki/extensions/Cognate	master	+1 -1

Customize query in gerrit

Related Objects
Search...

Status	Subtype	Assigned	Task
Open	Feature	None	T13996 A way to select which parts of Wiktionary articles to show
Open	Feature	None	T14213 Following a link to a language entry in Wiktionary should display only that entry
Open	Feature	None	T13998 A way to show only those languages on Wiktionary that the user is interested in
Open	Feature	None	T38881 Wiktionary needs usable API
Open		None	T31229 Extension to provide access via the dict protocol
Resolved		Lydia_Pintscher	T146637 Wikidata 2016 Q4 goals
Resolved		Lydia_Pintscher	T150179 Wikidata 2017 Q1 goals
Open		None	T109579 [Epic] Give more sister projects access to Wikidata
Resolved		Lydia_Pintscher	T986 Use structured data on Wiktionary
Resolved		Lydia_Pintscher	T988 Phase 1: Represent Wiktionary lexicon using structured data
Resolved		Lydia_Pintscher	T987 [Story] Phase 0: Automate interwiki language links for Wiktionary
Resolved		Lydia_Pintscher	T169708 Wikidata 2017 Q3 goals
Resolved		Lydia_Pintscher	T150178 Wikidata 2017 Q2 goals
Resolved		Lydia_Pintscher	T159316 Enable arbitrary access on English Wiktionary
Resolved		aude	T158323 enable sitelinks on Wikidata for Wiktionary pages outside main namespace (phase 1)
Resolved		Addshore	T150182 Deploy Cognate extension to production
Resolved		Addshore	T156241 Deploy Cognate extension to beta
Resolved		Addshore	T149082 Security review for Cognate Extension
Resolved		Addshore	T150404 Use hashes to identify matching page titles in Cognate DB schema
Resolved		Addshore	T156238 Use HTMLCacheUpdateJob in Cognate extension
Resolved		Addshore	T156239 Cognate - Make PageContentSaveComplete check for redirect state changes & only act when they (or page creation) happens
Resolved		Addshore	T156240 Stop writes on hash conflicts & log that they occour
Resolved		aude	T158324 Enable phase 1 for Wiktionary at beta cluster
Resolved		None	T158325 Enable phase 1 for Wiktionary at test Wikidata
Open		None	T166765 Investigate the case of custom namespaces

Event Timeline

Addshore created this task.Oct 25 2016, 11:06 AM

Restricted Application added a subscriber: Aklapper. · View Herald TranscriptOct 25 2016, 11:06 AM

Addshore added a project: User-Addshore.Oct 25 2016, 11:06 AM

Addshore moved this task from Unsorted 💣 to Active 🚁 on the User-Addshore board.

Addshore moved this task from Active 🚁 to Watching 👀 on the User-Addshore board.

Addshore added a project: WMDE-TechWish.Oct 25 2016, 2:38 PM

Addshore moved this task from Proposed to Watching/Blocked/External on the WMDE-TechWish board.

Lydia_Pintscher added a parent task: T150182: Deploy Cognate extension to production.Nov 7 2016, 3:52 PM

Addshore updated the task description. (Show Details)Nov 10 2016, 9:14 AM

Added T150404 as a blocked, since that should be merged before the security review. I plan to do this this week.

Addshore closed subtask T150404: Use hashes to identify matching page titles in Cognate DB schema as Resolved.Dec 11 2016, 3:58 PM

• dpatrick mentioned this in E431: Security review for Cognate Extension.Dec 21 2016, 12:13 AM

• dpatrick moved this task from Incoming to Scheduled on the deprecated-security-team-reviews board.

Security review of Cognate extension (As of a187d934b8c6)

Normal issues

Use sha256 (or some other modern hash) instead of md5. Even in contexts where the attacks against it is not important we should be phasing out md5.

Issues of unclear severity

64-bits is not enough for collision resistance against a malicious adversary. If I have my math right (It is very possible that I mixed this up) There are 5 million (~2^22) titles on enwiktionary. 2^64/2^22 = 2^42. Based on googling, a 4 GPU system can do roughly 2^33 hashes/second. 2^42/2^33 = 2^11 seconds ~ half an hour to find a collision. So a vandal could make malicious page titles that collide with titles on enwiktionary, for the purpose of vandalism via the lang links. I'm not sure how serious an issue this is. Its clearly a lot more work for less disruption than most forms of vandalism, but it could be confusing to users who wouldn't understand what's going on.

I think it may be an acceptable risk, but users should be consulted about the possibility before the extension is enabled. The risk should also be documented.

Alternatively the risk could be prevented by using autoincrement ids (would require storing both the normalized and raw title though) or by increasing the size of the hash to 128 bits (e.g. Having two BIG INT fields and joining on both). A different alternative might be using an hmac with a secret key (that may be annoying to tool labs users).

Minor issues

line 68 of populateCognatePages.php Its preferred to use the MW DB abstraction layer instead of hand constructing sql where possible (instead of "page_namespace IN " . ..., do "page_namespace" => $namespaces).

Non-security issues

CacheUpdateJob doesn't update page_touched. More generally shouldn't this use built-in HTMLCacheUpdateJob for forward compatibility with any future changes to how caching works in MediaWiki? Also this would allow core's deduplication code to be used.
- At one point I thought that this would be unnecessary, since the language links from this extension are generated on every (non-varnish cached) view (as opposed to stored in parser cache). However it actually is necessary since MW will give 304 not modified responses based on page_touched.
This assumes that all sites have same interwiki structure for language links or things will break. This is fine since its true on wiktionary, however I think this requirement should be clearly documented.
The indexe on cognatePages for the queries from selectLinkDetailsForPage, selectSitesForPage seem to be not quite right. I think the index should be (cpga_title, cpga_namespace, cpga_sites).
I assume this is not using the LinkUpdates related hooks because it only wants to deal with new pages not edits (?) However it seems that this still triggers on all edits. Perhaps it should look at the EDIT_NEW flag in the onPageSaveComplete hook to avoid some unnecessary database interaction.

Change 334031 had a related patch set uploaded (by Addshore):
populateCognatePages use mw db layer for IN query

https://gerrit.wikimedia.org/r/334031

gerritbot added a project: Patch-For-Review.Jan 25 2017, 8:42 AM

Change 334032 had a related patch set uploaded (by Addshore):
Add note about interwiki lang link assumption to README

https://gerrit.wikimedia.org/r/334032

Change 334033 had a related patch set uploaded (by Addshore):
Adjust index on pages table

https://gerrit.wikimedia.org/r/334033

Addshore mentioned this in rECOG37d9c1175826: populateCognatePages use mw db layer for IN query.Jan 25 2017, 8:50 AM

Addshore mentioned this in rECOG7398ea131bf1: Add note about interwiki lang link assumption to README.

Addshore mentioned this in rECOG3e7396105f9c: Adjust index on pages table.

In T149082#2966632, @Bawolff wrote:

I assume this is not using the LinkUpdates related hooks because it only wants to deal with new pages not edits (?) However it seems that this still triggers on all edits. Perhaps it should look at the EDIT_NEW flag in the onPageSaveComplete hook to avoid some unnecessary database interaction.

Cognate needs to know when pages are edited to determine if the redirect state has changed:

redirect -> regular page = needs to be added to the db
regular page -> redirect = needs to be removed from the db

If I had both the new and the last content then I would be able to check the redirect state of each and only act where needed here.
I'll have a further look.

Change 334041 had a related patch set uploaded (by Addshore):
Switch to sha256 hash

https://gerrit.wikimedia.org/r/334041

Addshore mentioned this in rECOG634f78d2917a: Switch to sha256 hash.Jan 25 2017, 10:20 AM

Addshore created subtask T156238: Use HTMLCacheUpdateJob in Cognate extension.Jan 25 2017, 10:22 AM

Addshore created subtask T156239: Cognate - Make PageContentSaveComplete check for redirect state changes & only act when they (or page creation) happens.

Addshore created subtask T156240: Stop writes on hash conflicts & log that they occour.Jan 25 2017, 10:25 AM

Everything from the security review now either has a patch linked to this ticket or a subtask has been created.

In response to the issue with hash conflicts, pages that create duplicate hashes will simply not be written to the database / ignored, thus it should not be an attack vector in terms of vandalism.
I have created a sub task to confirm this, and add some logging when conflicts do happen (if they do) and add some extra testing in the area.

Addshore added a parent task: T156241: Deploy Cognate extension to beta.Jan 25 2017, 10:35 AM

Change 334031 merged by jenkins-bot:
populateCognatePages use mw db layer for IN query

https://gerrit.wikimedia.org/r/334031

Change 334032 merged by jenkins-bot:
Add note about interwiki lang link assumption to README

https://gerrit.wikimedia.org/r/334032

Change 334033 merged by jenkins-bot:
Adjust index on pages table

https://gerrit.wikimedia.org/r/334033

Change 334041 merged by jenkins-bot:
Switch to sha256 hash

https://gerrit.wikimedia.org/r/334041

In T149082#2968137, @Addshore wrote:

In T149082#2966632, @Bawolff wrote:

I assume this is not using the LinkUpdates related hooks because it only wants to deal with new pages not edits (?) However it seems that this still triggers on all edits. Perhaps it should look at the EDIT_NEW flag in the onPageSaveComplete hook to avoid some unnecessary database interaction.

Cognate needs to know when pages are edited to determine if the redirect state has changed:

redirect -> regular page = needs to be added to the db

regular page -> redirect = needs to be removed from the db

If I had both the new and the last content then I would be able to check the redirect state of each and only act where needed here.
I'll have a further look.