-
-
Notifications
You must be signed in to change notification settings - Fork 1.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Display of logo of the Reconciliation service a which column is reconciled against #6152
Conversation
…olumn name during schema building
74a54d2
to
d162c97
Compare
I'm a little worried about this one, should we trust reconciliation services to the extent that we inject content this way? It kinda defeats the sandboxing work done in other places. |
Thanks for bringing this up! We already include external images in the Wikibase selection dialog, so it wouldn't be a new threat, but it's still worth considering of course.
In general, I wonder if it would make sense to channel all calls to reconciliation services via the backend. It would have some latency consequences (for instance for suggest services) but perhaps it would be overall a good move:
But of course such a move is a pretty big task and I would say it's outside the scope of this issue/PR. |
There is a lot of attack surface here, first one could just point to a SVG image as SVG support <script> elements and (more importantly given browser-context) various "on" events. Secondly someone could inject something other than an image and do all kinds of nasty things. https://security.stackexchange.com/questions/135513/what-could-an-img-src-xss-do
It wouldn't be a new threat to users of the Wikibase extension to the rest of us it would be new(AFAIK). |
Yes I also thought about SVG, but as your link indicates, including an SVG image via
what are you thinking about? If it's not an image than the browser will not fall back on just including whatever is served there as HTML code, right? |
https://security.stackexchange.com/questions/135513/what-could-an-img-src-xss-do All the answers apply here not only the accepted one about SVG. |
Alright, so from what I can tell we are safe as long that we validate that the string is a valid URL with HTTP(S) protocol. We could additionally require that the host of the URL matches that of the reconciliation service, if we want to avoid triggering CSRF attacks on vulnerable services. Does that seem like an appropriate mitigation to you, or do you see other possible issues? |
@Abbe98 are you happy with the mitigation I proposed above? I would like to propose to @ayushrai206 that we go ahead with this, with the URL and host validation. |
I think passing the URL through |
Makes sense. Closing this PR in favor of #6156 then |
Fixes #4824
Changes proposed in this pull request: