Lego already did a script to verify no external resources are loaded: https://phabricator.wikimedia.org/T71519 I think there is a Jenkins job running it on regular basis
On Thu, Mar 15, 2018 at 6:30 AM, MZMcBride <z...@mzmcbride.com> wrote: > David Gerard wrote: > >What ways are there to include user-edited JavaScript in a wiki page? > > > >[...] > > > >You can't see it now, but it was someone including a JavaScript > >cryptocurrency miner in common.js! > > > >Obviously this is not going to be a common thing, and common.js is > >closely watched. (The above edit was reverted in 7 minutes, and the > >user banned.) > > > >But what are the ways to get user-edited JavaScript running on a > >MediaWiki, outside one's own personal usage? And what permissions are > >needed? I ask with threats like this in mind. > > There's an old post of mine that documents some of the ways to inject > site-wide JavaScript: > <https://lists.wikimedia.org/pipermail/wikimedia-l/2014-August/073787.html > > > > I believe, as Brian notes in this thread, that most methods require having > the "editinterface" user right so that you can edit wiki pages in the > "MediaWiki" namespace. By default, this user right is assigned to the > "sysop" user group, but if you search through > <https://noc.wikimedia.org/conf/InitialiseSettings.php.txt> for the string > "editinterface", you can see that on specific wikis such as fawiki, this > user right has been assigned to additional user groups. > > Jon Robson wrote: > >It has always made me a little uneasy that there are wiki pages where > >JavaScript could potentially be injected into my page without my approval. > >To be honest if I had the option I would disable all site and user scripts > >for my account. > > You could file a Phabricator task about this. We already specifically > exempt certain pages, such as Special:UserLogin and Special:Preferences, > from injecting custom JavaScript. We could potentially add a user > preference to do what you're suggesting. > > That said, you're currently executing thousands upon thousands of lines of > code on your computer that you've never read or verified. If you're a > standard computer user, you visit hundreds of Web sites per year that each > execute thousands of lines of untrusted scripts that you've never read or > verified. Of all the places you're likely to run into trouble, Wikimedia > wikis are, in many ways, some of the safest. Given all of this code, your > computer, as well as mine, are vulnerable to dozens of very real attacks > at any time. And yet we soldier on without too much panic or worry. > > >Has this sort of thing happened before? > > Salon.com recently prompted users with ad blocking software installed to > voluntarily mine cryptocurrency: <https://arstechnica.com/?p=1259653>. > This situation on fa.wikipedia.org was obviously involuntary. I don't know > of any similar incidents. We have had wiki administrators inadvertently > inject scripts with privacy issues, such as Google Analytics. These > scripts have generally been promptly removed when noticed. On the other > hand, pages such as <https://status.wikimedia.org/> have been loading the > same problematic scripts (Google Analytics and JavaScript from > ajax.googleapis.com) for years and nobody seems to have cared enough yet. > > >Can we be sure there isn't a gadget, interface page that has this sort of > >code lurking inside? Do we have any detection measures in place? > > A much surer bet is that at least some gadgets and other site-wide > JavaScript have privacy issues and potentially security issues. It would > be shocking if, across the hundreds of Wikimedia wikis, none of them did. > > I think in the past Timo and maybe Alex Monk have done some surveying of > public Wikimedia wikis using a browser or browser emulator to check if > there are network requests being made to non-Wikimedia domains. As Lucas > noted in this thread already, there are also tasks such as > <https://phabricator.wikimedia.org/T135963> that could be worked on, if > there's sufficient interest. > > MZMcBride > > > > _______________________________________________ > Wikitech-l mailing list > Wikitech-l@lists.wikimedia.org > https://lists.wikimedia.org/mailman/listinfo/wikitech-l > _______________________________________________ Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
