Page MenuHomePhabricator
Create Task
Maniphest T125589

Allow each tool to have its own subdomain for browser sandbox/cookie isolation
Closed, ResolvedPublic
Actions

Assigned To
aborrero
Authored By
Bawolff
Feb 2 2016, 10:27 PM
Tags
Referenced Files
None
Subscribers
01tonythomas
aborrero
Aklapper
Bawolff
bd808
Bstorm
coren
View All 32 Subscribers
Tokens
"Love" token, awarded by aborrero."Love" token, awarded by dbarratt."Like" token, awarded by He7d3r."Orange Medal" token, awarded by Krinkle."Love" token, awarded by MichaelSchoenitzer.

Description

Lots of tool labs tools are of varying quality. It is highly like that many of them have XSS vulnrabilities. I think it might be prudent to give each one a separate domain (So instead of tools.wmflabs.org/tool-name do tool-name.tools.wmflabs.org). This would make it much more difficult to steal cookies, etc from other tools, if someone got an xss (Of course this doesn't eliminate everything (see e.g. https://www.usenix.org/system/files/conference/usenixsecurity15/sec15-paper-zheng.pdf but it does make exploiting that sort of thing that much harder. )

I have no idea how difficult a thing this would be to do

Related Objects
Search...

StatusSubtypeAssignedTask
Restricted Task
Restricted Task
 ResolvedaborreroT125589 Allow each tool to have its own subdomain for browser sandbox/cookie isolation
 ResolvedyuvipandaT130649 Procure *.tools.wmflabs.org certificate
Unknown Object (Task)
 ResolvedaborreroT234617 Toolforge. introduce new domain toolforge.org
 ResolvedKrenairT235252 Toolforge: SSL support for new domain toolforge.org
 ResolvedNoneT235304 Create a service account to manage toolforge.org. from acme-chief
 ResolvedAndrewT235303 Update authoratiative nameservers for the toolforge.org domain to point to Designate
 ResolvedaborreroT244473 Toolforge: both domains in parallel and OAuth
 ResolvedaborreroT254857 Toolforge: domain migration: track down missing OAuth grants
 ResolvedaborreroT168677 Add new Cloud Services domains to public suffix list
 Declined BstormT245572 Update Grid Engine and grid_configurator.py for the new domain names
 ResolvedaborreroT247236 Toolforge: introduce a system to preserve old tools.wmflabs.org URLs
 Resolvedbd808T247432 Preserve the ability to make interwiki links to Toolforge tools under the host based routing scheme
 ResolvedBUG REPORTbd808T257104 https://iw.toolforge.org breaks when not given any values
 Resolved BstormT249390 Regression in webservice 0.65 in argument and config parsing
 ResolvedUrbanecmT249815 maps: whitelist/reduce ratelimit from requests with toolforge.org referrer
ResolvedaborreroT249843 Toolforge.org: k8s canonical temporal redirect uses HTTP 301
 Resolvedbd808T245804 Reassign base URLs for toolinfo records' web service links
 Resolvedbd808T254640 Default lighttpd config created by `webservice` breaks serving files starting with the same string as the tool's name under `--canonical`
 ResolvedtaaviT257386 Fix the proxy behavior for Kubernetes on toolsbeta
 ResolvedBUG REPORTDannyS712T257481 Refill results page returning '404 - Not Found'
 ResolvedBUG REPORTCyberpower678T257471 Refill stuck at 'Submitting your task...'
 ResolvedBUG REPORTParaT257576 toolserver.org/~para/ coordinate redirection tools return 404 error
 Resolvedbd808T262072 Update Cloud Services Terms of use to cover toolforge.org and wmcloud.org and subdomains thereof
 OpenNoneT285364 Audit wmf-config and add toolforge.org as needed where tools.wmflabs.org is used

Event Timeline

Bawolff created this task.Feb 2 2016, 10:27 PM
Bawolff raised the priority of this task from to Needs Triage.
Bawolff updated the task description. (Show Details)
Bawolff added projects: Security-Team, Toolforge.
Bawolff subscribed.
Restricted Application added a project: Cloud-Services. · View Herald TranscriptFeb 2 2016, 10:27 PM
Restricted Application added subscribers: StudiesWorld, Aklapper. · View Herald Transcript
Bawolff set Security to None.Feb 2 2016, 10:28 PM
Bawolff added subscribers: csteipp, dpatrick.
valhallasw subscribed.Feb 2 2016, 10:30 PM

It requires a *.tools.wmflabs.org ssl certificate, but otherwise there's no technical reason why this would not be possible.

As for other (non-tools.wmflabs.org) domains -- that's somewhat more involved, because it requires more than a single new certificate. See T122403 for that.

valhallasw renamed this task from consider making individual tools on tool labs have their own domain to consider making individual tools on tool labs have their own X.tools.wmflabs.org subdomain.Feb 2 2016, 10:31 PM
Krenair subscribed.Feb 2 2016, 10:39 PM
Bawolff added a comment.Feb 2 2016, 10:41 PM
In T125589#1991932, @valhallasw wrote:

It requires a *.tools.wmflabs.org ssl certificate, but otherwise there's no technical reason why this would not be possible.

As for other (non-tools.wmflabs.org) domains -- that's somewhat more involved, because it requires more than a single new certificate. See T122403 for that.

I think tools is the project where this sort of thing would get the most benefit.

yuvipanda subscribed.Feb 2 2016, 10:46 PM

The only problem would be that we already have advertised in some places login.tools.wmflabs.org, but that can be moved.

I'll put in a procurement ticket for a new *. ssl cert.

scfc subscribed.Feb 3 2016, 12:43 AM

I think many (most?) tools are not coded in a way that they can be served from https://$tool.tools.wmflabs.org/ and https://tools.wmflabs.org/$tool/ at the same time, and I think that is impossible to correctly automatically map one to the other (e. g. fixing absolute links in the served pages themselves as well).

So if we go down this road, webservice should have a new option --with-subdomain (or a better name) that sets a flag in the proxy forward entry and the service.manifest file and uses a lighttpd configuration, etc. that expects subdomain URLs. The proxy would implement the logic:

  • https://tools.wmflabs.org/$tool/$path:
    • If --with-subdomain is set for $tool:
      • Redirect permanently to https://$tool.wmflabs.org/$path with an explanation why.
    • Else:
      • Serve as usual.
  • https://$tool.wmflabs.org/$path:
    • If --with-subdomain is set for $tool:
      • Serve as (then) usual.
    • Else:
      • Return an error page with information for maintainers on how to enable subdomain hosting for their tool.
zhuyifei1999 subscribed.Feb 3 2016, 5:31 AM
valhallasw added a comment.Feb 3 2016, 5:42 PM

We could potentially:

  • redirect //tools.wmflabs.org/$tool/$path to //$tool.tools.wmflabs.org/$tool/$path,
  • redirect //$tool.tools.wmflabs.org to //$tool.tools.wmflabs.org//$tool.

unless some flag is specified, but I'm also fine with making it fully opt-in.

scfc added a comment.Feb 3 2016, 6:46 PM

I do remember thinking about this last night/this morning and finding another issue that needed to be addressed, but I forgot what the issue was :-(. I believe it was something in the direction of Cross-origin resource sharing, i. e. if there are gadgets, etc. on wikis that are configured to be able to interact with tools.wmflabs.org, but not necessarily *.tools.wmflabs.org.

tom29739 subscribed.Mar 12 2016, 5:33 PM
yuvipanda created subtask T130649: Procure *.tools.wmflabs.org certificate.Mar 22 2016, 6:02 PM
Ricordisamoa subscribed.Mar 22 2016, 6:35 PM
yuvipanda closed subtask T130649: Procure *.tools.wmflabs.org certificate as Resolved.Mar 24 2016, 11:23 PM
He7d3r subscribed.Apr 16 2016, 5:15 PM
valhallasw triaged this task as Lowest priority.May 27 2016, 12:40 PM
valhallasw moved this task from Backlog to Ready to be worked on on the Toolforge board.
Krinkle renamed this task from consider making individual tools on tool labs have their own X.tools.wmflabs.org subdomain to Allow tools to have their own X.tools.wmflabs.org subdomain.Nov 30 2016, 1:50 AM
Krinkle renamed this task from Allow tools to have their own X.tools.wmflabs.org subdomain to Allow tools to have their own ".tools.wmflabs.org" subdomain.
Matthewrbowker subscribed.Nov 30 2016, 2:15 AM
Krinkle subscribed.Dec 2 2016, 2:43 AM
In T125589#1992011, @yuvipanda wrote:

The only problem would be that we already have advertised in some places login.tools.wmflabs.org, but that can be moved.

Also checker.tools.wmflabs.org.

zhuyifei1999 added a parent task: Restricted Task.Feb 8 2017, 10:22 AM
Phabricator_maintenance removed a subscriber: yuvipanda.Jun 7 2017, 6:44 PM
Anomie subscribed.Jun 8 2017, 1:32 PM
zhuyifei1999 mentioned this in T166595: register oawiki.org (or oabot.org).Jul 19 2017, 10:34 AM
MichaelSchoenitzer awarded a token.Sep 27 2017, 1:05 AM
MichaelSchoenitzer subscribed.
Krinkle awarded a token.Sep 27 2017, 3:57 PM
Krinkle unsubscribed.
He7d3r awarded a token.Oct 2 2017, 4:36 PM
bd808 mentioned this in T163019: Allow tool's maintainers to force HTTPS for their tool.Oct 15 2017, 8:55 PM
bd808 mentioned this in T175767: Investigation: Figure out the database tables for grant metrics.Oct 24 2017, 11:48 PM
Krenair mentioned this in T102367: Migrate tools.wmflabs.org to https only (and set HSTS).Dec 30 2017, 2:54 AM
bd808 mentioned this in T186055: Custom mod_alias config not allowed for tools due to default lighttpd configuration.Feb 1 2018, 5:28 AM
bd808 subscribed.Mar 13 2018, 6:17 PM

We own the domain toolforge.org and moving to that may be easier than using the existing tools.wmflabs.org root. Let's Encrypt wildcard certs are possible now: https://community.letsencrypt.org/t/acme-v2-and-wildcard-certificate-support-is-live/55579

I would be very interested in a project to figure out how to use $TOOL.toolforge.org as the default hostname for webservices exposed from the Toolforge Kubernetes cluster. This could give us a chance to implement a better ingress for the cluster, make TLS required (T102367), and fix the URL namespacing issue all together.

bd808 renamed this task from Allow tools to have their own ".tools.wmflabs.org" subdomain to Allow each tool to have its own subdomain for browser sandbox/cookie isolation.Mar 14 2018, 5:43 PM
bd808 removed a project: Cloud-Services.
dbarratt awarded a token.Mar 27 2018, 4:29 AM
Bawolff edited projects, added acl*security; removed Security-Team.Sep 4 2018, 3:47 PM
Quiddity subscribed.Dec 9 2018, 2:15 AM
LucasWerkmeister subscribed.Jan 4 2019, 12:01 AM

May I suggest that the priority of this task be increased somewhat? Without going into too much detail – until this task is fixed, no Toolforge tool can fully protect itself against attacks from other tools. (Sufficiently privileged users can see e. g. T211424 for some more details on possible attacks, though I doubt it’s the only relevant task.)

As a tool author, I would already be very happy with a purely opt-in solution, and we can worry about making it the default for Kubernetes-hosted tools, requiring TLS, etc. later.

zhuyifei1999 added a comment.Jan 4 2019, 3:22 AM
In T125589#4854125, @LucasWerkmeister wrote:

Sufficiently privileged users can see e. g. T211424 for some more details on possible attacks, though I doubt it’s the only relevant task.

If I guessed what T211424 is about correctly, T157450 should describe the somewhat-general case. It's linked as the parent task of this task.

Are we supposed to have a CNAME of *.tools.wmflabs.org, or are we going to assign each tool's DNS entries individually? I think after DNS works, we can start playing with domainproxy and see how that will work.

LucasWerkmeister added a comment.Jan 14 2019, 12:48 AM

Yep, that’s the same case (thanks for adding me as a subscriber). Good to know that this issue isn’t “lowest” priority because the ramifications were unknown, but rather in spite of them being known for years…

I think a record for *.tools.wmflabs.org (or *.toolforge.org, to avoid conflicts with login.tools.wmflabs.org and other existing subdomains) would be enough, there’s no need to make the (non-)existence of a tool known via DNS IMHO. But I’m not sure why you’re suggesting a CNAME record – should tools.wmflabs.org be the canonical name?

bd808 mentioned this in T216706: Adopt cloud.wikimedia.org as top-level domain for cloud-services.Feb 22 2019, 12:03 AM
Bstorm subscribed.Feb 22 2019, 12:06 AM
GTirloni added a project: cloud-services-team (Kanban).Mar 22 2019, 1:57 PM
bd808 mentioned this in T226052: Google OAuth verification for tools require domain verification.Jul 1 2019, 5:54 PM
bd808 mentioned this in T228500: Toolforge: evaluate ingress mechanism.Jul 19 2019, 10:22 PM
01tonythomas subscribed.Aug 28 2019, 6:27 PM
01tonythomas added a comment.Nov 17 2019, 5:51 PM

Ping on this one again, and I see action going on at https://phabricator.wikimedia.org/T215531 which is great! However, do we have an approximate ETA on when we would finish the migration ?

bd808 added a comment.Nov 17 2019, 9:34 PM
In T125589#5669714, @01tonythomas wrote:

Ping on this one again, and I see action going on at https://phabricator.wikimedia.org/T215531 which is great! However, do we have an approximate ETA on when we would finish the migration ?

Per https://www.mediawiki.org/wiki/Wikimedia_Technology/Goals/2019-20_Q2#Technical_Engagement -- we are hoping to have a new Kubernetes cluster deployed in Toolforge on or before 2019-12-31. Full migration of existing workloads to this cluster and removal of the legacy cluster will follow in FY19/20 Q3 (2020-01-01 - 2020-03-31). Giving a more concrete timeline is work that we are tracking in T237784: Document migration plans and timelines.

bd808 added a subtask: T234617: Toolforge. introduce new domain toolforge.org.Dec 20 2019, 4:01 AM
bd808 raised the priority of this task from Lowest to Medium.Jan 1 2020, 6:23 PM
bd808 merged a task: Restricted Task.
bd808 added subscribers: sbassett, Samwilson, Matanya and 4 others.
chasemp added a project: Security.Feb 10 2020, 10:59 PM
MZMcBride subscribed.Feb 16 2020, 8:16 AM
chasemp removed a project: acl*security.Feb 20 2020, 8:07 PM
bd808 added a comment.May 9 2020, 3:45 PM

This is possible now! See https://wikitech.wikimedia.org/wiki/News/Toolforge.org for instructions on migrating your tool during the opt-in period. Follow along on T234617: Toolforge. introduce new domain toolforge.org for further information.

bd808 merged a task: T67891: Session cookies (and data) being shared between web services cause issues.Jun 1 2020, 4:16 AM
bd808 added subscribers: coren, Nemo_bis, JanZerebecki and 2 others.
bd808 mentioned this in T254693: Same origin policy access between tools deliberately broken by toolforge.org migration.Jun 8 2020, 5:37 PM
bd808 closed this task as Resolved.Jul 10 2020, 10:43 PM
bd808 assigned this task to aborrero.
bd808 added a subscriber: aborrero.

All Toolforge tools now have unique hostnames in the form $TOOL.toolforge.org! This is honestly a huge step forward in the security of webservices running on Toolforge. Big thanks from me to @aborrero for leading the project to introduce this feature and to all of the Toolforge maintainers who helped us find problems during and after the opt-in period.

aborrero awarded a token.Jul 14 2020, 9:12 AM
aborrero closed subtask T234617: Toolforge. introduce new domain toolforge.org as Resolved.
Aklapper removed subscribers: Anomie, dpatrick.Oct 16 2020, 5:42 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL