David Gerard wrote:
What ways are there to include user-edited JavaScript in a wiki page?
[...]
You can't see it now, but it was someone including a JavaScript cryptocurrency miner in common.js!
Obviously this is not going to be a common thing, and common.js is closely watched. (The above edit was reverted in 7 minutes, and the user banned.)
But what are the ways to get user-edited JavaScript running on a MediaWiki, outside one's own personal usage? And what permissions are needed? I ask with threats like this in mind.
There's an old post of mine that documents some of the ways to inject site-wide JavaScript: https://lists.wikimedia.org/pipermail/wikimedia-l/2014-August/073787.html
I believe, as Brian notes in this thread, that most methods require having the "editinterface" user right so that you can edit wiki pages in the "MediaWiki" namespace. By default, this user right is assigned to the "sysop" user group, but if you search through https://noc.wikimedia.org/conf/InitialiseSettings.php.txt for the string "editinterface", you can see that on specific wikis such as fawiki, this user right has been assigned to additional user groups.
Jon Robson wrote:
It has always made me a little uneasy that there are wiki pages where JavaScript could potentially be injected into my page without my approval. To be honest, if I had the option I would disable all site and user scripts for my account.
You could file a Phabricator task about this. We already specifically exempt certain pages, such as Special:UserLogin and Special:Preferences, from injecting custom JavaScript. We could potentially add a user preference to do what you're suggesting.
That said, you're currently executing thousands upon thousands of lines of code on your computer that you've never read or verified. If you're a standard computer user, you visit hundreds of Web sites per year that each execute thousands of lines of untrusted scripts that you've never read or verified. Of all the places you're likely to run into trouble, Wikimedia wikis are, in many ways, some of the safest. Given all of this code, your computer, as well as mine, is vulnerable to dozens of very real attacks at any time. And yet we soldier on without too much panic or worry.
Has this sort of thing happened before?
Salon.com recently prompted users with ad blocking software installed to voluntarily mine cryptocurrency: https://arstechnica.com/?p=1259653. This situation on fa.wikipedia.org was obviously involuntary. I don't know of any similar incidents. We have had wiki administrators inadvertently inject scripts with privacy issues, such as Google Analytics. These scripts have generally been promptly removed when noticed. On the other hand, pages such as https://status.wikimedia.org/ have been loading the same problematic scripts (Google Analytics and JavaScript from ajax.googleapis.com) for years and nobody seems to have cared enough yet.
Can we be sure there isn't a gadget or interface page that has this sort of code lurking inside? Do we have any detection measures in place?
A much surer bet is that at least some gadgets and other site-wide JavaScript have privacy issues and potentially security issues. It would be shocking if, across the hundreds of Wikimedia wikis, none of them did.
I think in the past Timo and maybe Alex Monk have done some surveying of public Wikimedia wikis using a browser or browser emulator to check if there are network requests being made to non-Wikimedia domains. As Lucas noted in this thread already, there are also tasks such as https://phabricator.wikimedia.org/T135963 that could be worked on, if there's sufficient interest.
MZMcBride
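
An added example, not part of the message above or of any Wikimedia tooling: a static check that lists the non-first-party hosts referenced in the text of a site script such as MediaWiki:Common.js. It is a different technique from the browser-based survey of network requests mentioned in the thread; the domain allowlist, the function names and the sample script are assumptions constructed for illustration.

```python
import re

# Assumption: domains treated as first-party; adjust for the wiki farm reviewed.
FIRST_PARTY = ("wikimedia.org", "wikipedia.org", "mediawiki.org", "wikidata.org")

# Absolute URLs anywhere, plus protocol-relative URLs only when they start a
# string literal, so that ordinary "//" comments are not mistaken for hosts.
URL_RE = re.compile(
    r"""(?:\b(?:https?|wss?):|(?<=['"`]))//([a-z0-9.-]+\.[a-z]{2,})""", re.I
)


def is_first_party(host):
    """True only for an allowlisted domain or a real subdomain of one."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in FIRST_PARTY)


def third_party_hosts(js_source):
    """Return {host: [line numbers]} for hosts outside the allowlist.

    URLs mentioned in comments are reported too; the output is a list of
    lines for a human to review, not a verdict.
    """
    hits = {}
    for lineno, line in enumerate(js_source.splitlines(), 1):
        for match in URL_RE.finditer(line):
            host = match.group(1).lower()
            if not is_first_party(host):
                hits.setdefault(host, []).append(lineno)
    return hits


# Constructed sample, not taken from any real wiki.
SAMPLE_COMMON_JS = """\
// Site-wide script (constructed sample)
mw.loader.load('https://meta.wikimedia.org/w/index.php?title=MediaWiki:Example.js&action=raw&ctype=text/javascript');
$.getScript('https://ajax.googleapis.com/constructed/lib.js');
var s = document.createElement('script');
s.src = '//wikipedia.org.miner.invalid/m.js';
//mw.loader.load('old-gadget');
"""

if __name__ == "__main__":
    for host, lines in sorted(third_party_hosts(SAMPLE_COMMON_JS).items()):
        print(host, "on line(s)", lines)
```

A scan like this only sees hosts written out literally; URLs assembled at run time or obfuscated in the source need the browser-based request monitoring described above.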