Just FYI: I applied all of the changes to staging, codfw and eqiad, but only deployed to security-landing-page: https://sal.toolforge.org/log/4GppbJEBFFSCpsJzN8fC

In T372527#10070069, @MusikAnimal wrote:

We're aiming for mid-late September, as discussed at T365525 and outlined at T366194. Does that work for you?

Eh, we could probably just replace "Start" with "Complete" in the task title.

In T356971#10055060, @Bawolff wrote:

We also need a patch to phan-taint-check to make sure the bew keynane is marked as xss risk.

In T372527#10066494, @TheresNoTime wrote:

Hi @sbassett — we're looking to start the process of deploying this to the beta cluster in preparation for the goal of this task (production deployment), and just wanted to check that we're okay to do so per your above message in T365525: Application Security Review Request : CommunityRequests Extension

Sounds good. Is this resolvable now?

Tagging Infrastructure-Foundations to get a definitive opinion on the matrix/server file mentioned above. I'm not sure why that would still be necessary when wikimediafoundation.org is a WP site fully-hosted at VIP/Automattic these days, but admittedly I don't have the ops knowledge to know for sure.

Any issues with making this task public, as I'm fairly certain we've confirmed that the original, reported issue is a false positive.

In T371569#10036720, @jhathaway wrote:

Our postfix servers have now been configured with the "long term fix", T370011, https://www.postfix.org/smtp-smuggling.html#back-ports

Our lists server has Exim4 4.96-15+deb12u4, which has a patch included to fix the attack vector according to https://security-tracker.debian.org/tracker/CVE-2023-51766

In T45646#10028555, @cscott wrote:

• We could also make a site-wide configuration variable for "copyright is raw html", and default it to false, and set it to true only for german wikipedia. That would allow us to incrementally improve our security footing without necessarily breaking german wiki or third parties which might rely on this.

In T367995#10013132, @Tgr wrote:

Do you mean the shared login domain specifically or the SUL3 project in general? (I'll file another security preview request about T363699: Determine and implement SUL 3 login handshake mechanism in a day or two, once I have PoC code. I think these are the two particularly security-sensitive parts of the project, the rest of the work is less interesting.)

In T336556#10016164, @Bawolff wrote:

Can this be public? It sounds like these issues were fixed, and in any case, the graph extension is dead at this point.

Just quickly running semgrep supply-chain against these codebases, it found that wikimedia/service-runner@master had two dependency vulnerabilities with undetermined reachability and that wikimedia/service-template-node@master had two dependency vulnerabilities with undetermined reachability and one with confirmed reachability.

In T370693#10017573, @Bawolff wrote:

So in essence, I was able to prefil the form based on user parameters, but not save. At a glance, it looks like i succesfully did the attack, but when i reloaded the page, my malicious value went away.

I'd also note that the Vega dependency was the primary reason we disabled ext:Graph (twice). And that while Vega's expressions layer has since been hardened, it likely still poses more risk for our use-cases than other options.

@aude service-template-node is indeed quite dated and fairly unmaintained. And it would be difficult to recommend it for new projects, from a security perspective. Sadly, I don't think there has been consensus on a replacement option. It would be nice to consolidate around something as having a dozen new frameworks that essentially do the same thing is not ideal. You might want to reach out to @tchin as they have been working on at least one replacement option (T360924, T362774, et al).

Hey @Tgr - I'd like to set up an initial threat-modeling/concept-review session (or two) for this work with you and any other relevant folks, this quarter. Are there any other technical folks that you're aware of who would likely be helpful during or interested in participating in such exercises? Thanks.