Sorry to slightly sidetrack this discussion, but someone recently asked me if it were possible to modify a steward's user JS so that it granted them advanced rights like steward/checkuser/oversight. This of course is possible, but very rare since you need to be a sysop to edit these JS pages. The point this person was making to me however was that on smaller wikis it can be easy to become a sysop, and it's probable that by nature stewards will show up there occasionally, and that their own personal JS may not be closely watched. I told them not to worry about it, but if we really wanted to do something, we could make a steward's JS only be mutable by other stewards (or something).
Maybe something else to think about? ~Leon On Thu, Mar 15, 2018 at 5:46 PM, Eran Rosenthal <eranro...@gmail.com> wrote: > Lego already did a script to verify no external resources are loaded: > https://phabricator.wikimedia.org/T71519 > I think there is a Jenkins job running it on regular basis > > On Thu, Mar 15, 2018 at 6:30 AM, MZMcBride <z...@mzmcbride.com> wrote: > > > David Gerard wrote: > > >What ways are there to include user-edited JavaScript in a wiki page? > > > > > >[...] > > > > > >You can't see it now, but it was someone including a JavaScript > > >cryptocurrency miner in common.js! > > > > > >Obviously this is not going to be a common thing, and common.js is > > >closely watched. (The above edit was reverted in 7 minutes, and the > > >user banned.) > > > > > >But what are the ways to get user-edited JavaScript running on a > > >MediaWiki, outside one's own personal usage? And what permissions are > > >needed? I ask with threats like this in mind. > > > > There's an old post of mine that documents some of the ways to inject > > site-wide JavaScript: > > <https://lists.wikimedia.org/pipermail/wikimedia-l/2014- > August/073787.html > > > > > > > I believe, as Brian notes in this thread, that most methods require > having > > the "editinterface" user right so that you can edit wiki pages in the > > "MediaWiki" namespace. By default, this user right is assigned to the > > "sysop" user group, but if you search through > > <https://noc.wikimedia.org/conf/InitialiseSettings.php.txt> for the > string > > "editinterface", you can see that on specific wikis such as fawiki, this > > user right has been assigned to additional user groups. > > > > Jon Robson wrote: > > >It has always made me a little uneasy that there are wiki pages where > > >JavaScript could potentially be injected into my page without my > approval. > > >To be honest if I had the option I would disable all site and user > scripts > > >for my account. > > > > You could file a Phabricator task about this. We already specifically > > exempt certain pages, such as Special:UserLogin and Special:Preferences, > > from injecting custom JavaScript. We could potentially add a user > > preference to do what you're suggesting. > > > > That said, you're currently executing thousands upon thousands of lines > of > > code on your computer that you've never read or verified. If you're a > > standard computer user, you visit hundreds of Web sites per year that > each > > execute thousands of lines of untrusted scripts that you've never read or > > verified. Of all the places you're likely to run into trouble, Wikimedia > > wikis are, in many ways, some of the safest. Given all of this code, your > > computer, as well as mine, are vulnerable to dozens of very real attacks > > at any time. And yet we soldier on without too much panic or worry. > > > > >Has this sort of thing happened before? > > > > Salon.com recently prompted users with ad blocking software installed to > > voluntarily mine cryptocurrency: <https://arstechnica.com/?p=1259653>. > > This situation on fa.wikipedia.org was obviously involuntary. I don't > know > > of any similar incidents. We have had wiki administrators inadvertently > > inject scripts with privacy issues, such as Google Analytics. These > > scripts have generally been promptly removed when noticed. On the other > > hand, pages such as <https://status.wikimedia.org/> have been loading > the > > same problematic scripts (Google Analytics and JavaScript from > > ajax.googleapis.com) for years and nobody seems to have cared enough > yet. > > > > >Can we be sure there isn't a gadget, interface page that has this sort > of > > >code lurking inside? Do we have any detection measures in place? > > > > A much surer bet is that at least some gadgets and other site-wide > > JavaScript have privacy issues and potentially security issues. It would > > be shocking if, across the hundreds of Wikimedia wikis, none of them did. > > > > I think in the past Timo and maybe Alex Monk have done some surveying of > > public Wikimedia wikis using a browser or browser emulator to check if > > there are network requests being made to non-Wikimedia domains. As Lucas > > noted in this thread already, there are also tasks such as > > <https://phabricator.wikimedia.org/T135963> that could be worked on, if > > there's sufficient interest. > > > > MZMcBride > > > > > > > > _______________________________________________ > > Wikitech-l mailing list > > Wikitech-l@lists.wikimedia.org > > https://lists.wikimedia.org/mailman/listinfo/wikitech-l > > > _______________________________________________ > Wikitech-l mailing list > Wikitech-l@lists.wikimedia.org > https://lists.wikimedia.org/mailman/listinfo/wikitech-l > _______________________________________________ Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
