CVE-2021-30458: Parsoid

An issue was discovered in Wikimedia Parsoid before 0.11.1 and 0.12.x before 0.12.2. An attacker can send crafted wikitext that Utils/WTUtils.php will transform by using a <meta> tag, bypassing sanitization steps, and potentially allowing for XSS.
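As an added example (not Parsoid or MediaWiki code), a script that reads a MediaWiki installation's composer.lock, finds the pinned wikimedia/parsoid version and reports whether it falls in the affected range stated above (before 0.11.1, or 0.12.x before 0.12.2); the composer.lock sample embedded in it is constructed.

```python
"""Check a composer.lock for a wikimedia/parsoid version affected by
CVE-2021-30458.  Added example, not Parsoid/MediaWiki code."""
import json
import re
from typing import Optional, Tuple

# Fixed versions taken from the advisory text: 0.11.1 and 0.12.2.
FIXED_0_11 = (0, 11, 1)
FIXED_0_12 = (0, 12, 2)


def parse_version(v: Optional[str]) -> Optional[Tuple[int, ...]]:
    """Turn 'v0.12.1' or '0.12.1' into (0, 12, 1); None for non-release tags."""
    if v is None:
        return None
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", v.strip())
    return tuple(int(x) for x in m.groups()) if m else None


def is_affected(version: Optional[str]) -> Optional[bool]:
    """True if in the affected range, False if fixed, None if undecidable
    from the tag alone (e.g. 'dev-master' checkouts)."""
    t = parse_version(version)
    if t is None:
        return None
    if t[:2] == (0, 12):          # 0.12.x branch has its own fix point
        return t < FIXED_0_12
    return t < FIXED_0_11         # everything before 0.11.1; 0.13+ is not affected


def parsoid_version_from_lock(lock_json: str) -> Optional[str]:
    """Return the version string pinned for wikimedia/parsoid, if present."""
    data = json.loads(lock_json)
    for pkg in data.get("packages", []) + data.get("packages-dev", []):
        if pkg.get("name") == "wikimedia/parsoid":
            return pkg.get("version")
    return None


# Constructed sample of the relevant part of a composer.lock (not real data).
SAMPLE_LOCK = json.dumps({"packages": [
    {"name": "wikimedia/remex-html", "version": "2.3.1"},
    {"name": "wikimedia/parsoid", "version": "v0.12.1"},
]})

if __name__ == "__main__":
    ver = parsoid_version_from_lock(SAMPLE_LOCK)
    verdict = {True: "affected", False: "fixed", None: "undecidable"}[is_affected(ver)]
    print(f"wikimedia/parsoid {ver}: {verdict}")
```

Point it at the composer.lock in the MediaWiki root (or at vendor/composer/installed.json, which uses the same package records) to check a real install.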


Wikimedia Foundation project

Parsoid


A bidirectional runtime wikitext parser. Converts back and forth between wikitext and HTML/XML DOM with RDFa.

Group: Parsing, Readers

Start: Oct 2011

Team members: C. Scott Ananian, Arlo Breault, Shannon Bailey, Isabelle Hurbain-Palatin

Lead: Subramanya Sastry

Artist’s impression of the Parsoid HTML5 + RDFa wiki runtime

Parsoid is a library that allows for converting back and forth between wikitext and HTML. The original application was written in JavaScript (using Node.js) and started running on the Wikimedia cluster in December 2012. In 2019, Parsoid was ported to PHP, and the PHP version replaced the JS version on the Wikimedia cluster in December 2019. Parsoid is being integrated into core MediaWiki, with the goal of eventually replacing MediaWiki’s current native parser.

Parsoid (the PHP version) has been natively bundled with MediaWiki since version 1.35, released in September 2020. For non-Wikimedia installations, Parsoid/JS was supported until the end-of-life of MediaWiki 1.31 (LTS) in September 2021.

Technical details

Parsoid is an application which can translate back and forth between MediaWiki’s wikitext syntax and an equivalent HTML/RDFa document model with enhanced support for automated processing and rich editing.

It has been under development by a team at the Wikimedia Foundation since 2012. It is currently used extensively by VisualEditor, Flow, Content Translation and other applications.

Parsoid is intended to provide flawless back-and-forth conversion, i.e. to avoid information loss and also prevent "dirty diffs".

On Wikimedia wikis, for several applications, Parsoid is currently proxied behind RESTBase, which stores the HTML translated by Parsoid. It is expected that RESTBase will eventually be replaced with a cache more tightly integrated with MediaWiki.

For more on the overall project, see this blog post from March 2013. To read about the HTML model being used, see MediaWiki DOM spec.

Parsoid was originally structured as a web service and written in JavaScript, making use of Node.js. A tech talk from February 2019 (slides) and blog post describes the porting process. The Parsoid extension API is currently under active development; a tech talk from August 2020 describes this work.

GitHub Repository: https://github.com/wikimedia/parsoid

Usage

  • Releases - List of releases made for parsoid
  • /API - for the web API
  • MediaWiki DOM spec - to make sense of the HTML that you get from the API, designed to be useful as a future storage format
  • /LanguageConverter - notes on Parsoid’s implementation of mw:LanguageConverter
  • /Known differences with Core Parser output

Installation

In MediaWiki 1.35 LTS, Parsoid/PHP is included in the bundle and loaded automatically by VisualEditor. No configuration is necessary if it is used on a single server.

If you are a developer working on 1.36, explicitly loading Parsoid is required since August 24, 2020 (the auto-load hack was removed in 1.36-wmf.6). Add to LocalSettings.php:

wfLoadExtension( 'Parsoid', 'vendor/wikimedia/parsoid/extension.json' );

This is expected to change for the release of 1.36.

Development

Development happens in the Parsoid Git repository. Code review happens in Gerrit. See Gerrit/Getting started to set up an account for yourself.

If you use the MediaWiki-Vagrant development environment using a virtual machine, you can simply add the role visualeditor to it and it will set up a working Parsoid along with Extension:VisualEditor. (This may have been broken by the switch to Parsoid/PHP: T258940)

Note that the most-recently released version of Parsoid is written in PHP, and installation of Parsoid/PHP is what is described below. This is what you should use if you are running MediaWiki 1.35 or later. Check Parsoid/JS if you are running the old version of Parsoid written in JavaScript, and used for MW 1.34 and earlier.

Linking a developer checkout of Parsoid

In a standard MediaWiki installation, Parsoid code is bundled in two different ways: first, Parsoid is included from MediaWiki as a composer library, wikimedia/parsoid. This contains the main codebase, but does not contain the REST API used by VisualEditor and RESTBase. In order to enable the REST API, the extension code included in the Parsoid library can be loaded with a call to wfLoadExtension(...) in your LocalSettings.php.

For development purposes you usually want to use a git checkout of Parsoid, and not the version bundled in MediaWiki core as a composer library.

The following lines added to LocalSettings.php allow use of a git checkout of Parsoid (optionally), load the Parsoid REST API with wfLoadExtension (rather than using the version bundled in VisualEditor) and manually do the Parsoid configuration which is usually done by VisualEditor:

$PARSOID_INSTALL_DIR = 'vendor/wikimedia/parsoid'; # bundled copy
#$PARSOID_INSTALL_DIR = '/my/path/to/git/checkout/of/Parsoid';

// For developers: ensure Parsoid is executed from $PARSOID_INSTALL_DIR,
// (not the version included in mediawiki-core by default)
// Must occur *before* wfLoadExtension()
if ( $PARSOID_INSTALL_DIR !== 'vendor/wikimedia/parsoid' ) {
    AutoLoader::$psr4Namespaces += [
        // Keep this in sync with the "autoload" clause in
        // $PARSOID_INSTALL_DIR/composer.json
        'Wikimedia\\Parsoid\\' => "$PARSOID_INSTALL_DIR/src",
    ];
}

wfLoadExtension( 'Parsoid', "$PARSOID_INSTALL_DIR/extension.json" );

# Manually configure Parsoid
$wgVisualEditorParsoidAutoConfig = false;
$wgParsoidSettings = [
    'useSelser' => true,
    'rtTestMode' => false,
    'linting' => false,
];
$wgVirtualRestConfig['modules']['parsoid'] = [
    // URL to the Parsoid instance.
    // If Parsoid is not running locally, you should change $wgServer to match the non-local host
    // While using Docker in macOS, you may need to replace $wgServer with http://host.docker.internal:8080
    'url' => $wgServer . $wgScriptPath . '/rest.php',
    // Parsoid "domain", see below (optional, rarely needed)
    // 'domain' => 'localhost',
];

These lines are not necessary for most users of VisualEditor, who can use auto-configuration and the bundled Parsoid code included in MediaWiki 1.35 and VisualEditor, but they will be required for most developers.

If you’re serving MediaWiki with Nginx, you’ll need to also add something like this to your server conf:

location /rest.php/ {
    try_files $uri $uri/ /rest.php?$query_string;
}

To test that the configuration is correct, visit {$wgScriptPath}/rest.php/{$domain}/v3/page/html/Main%20Page, where $domain is the hostname in your $wgCanonicalServer. (Note that production WMF servers do not expose the Parsoid REST API to the external network.)

Running the tests

To run all parser tests and mocha tests:

The parser tests have quite a few options now which can be listed using php bin/parserTests.php --help. If you have the environment variable MW_INSTALL_DIR pointing to a configured MediaWiki installation, you can run some additional tests with:

$ composer phan-integrated

Converting simple wikitext

You can convert simple wikitext snippets from the command line using the parse.php script in the bin/ directory:

echo 'Foo' | php bin/parse.php

The parse script has a lot of options. php bin/parse.php --help gives you information about this.

Debugging Parsoid (for developers)

See Parsoid/Debugging for debugging tips.

Continuous Integration

As of October 2021

Parsoid is always available as a library since it is a composer dependency of MediaWiki core. But two pieces are not enabled:

  • Parsoid ServiceWiring
  • Parsoid’s external REST api

The test runner Quibble enables both if it detects that mediawiki/services/parsoid.git has been cloned as part of the build, in which case it:

  • points the autoloader for Wikimedia\Parsoid to the cloned code (effectively replacing the version installed by composer)
  • loads the extension with wfLoadExtension( 'Parsoid', '/path/to/cloned/repo' );

The ServiceWiring should be enabled in MediaWiki starting with 1.38.

The REST API would theoretically never get merged into MediaWiki: a) it has never been exposed to the public in production; it is an internal API used by RESTBase, which is going away; b) it has never been security audited; and c) it is redundant with the enterprise MediaWiki API. The solution will be for VisualEditor to invoke Parsoid directly via the VisualEditor Action API, which would save a round trip through the REST API.

Loading the extension is thus a hack which enables using interfaces subject to change and which we don’t really want people to use yet.

For most purposes, Parsoid should thus not be added as a CI dependency; the only exception as of October 2021 is the Disambiguator MediaWiki extension.

Loading Parsoid as an extension lets us run MediaWiki integration test jobs against mediawiki/services/parsoid.git (such as Quibble and apitesting) and ensure Parsoid and MediaWiki work together.

An extension may be able to write tests with Parsoid even when the repository has not been cloned. Since it is a composer dependency of MediaWiki core, the MediaWiki\Parsoid namespace is available, but the service wiring part is not (it lives in extension/src in the Parsoid repository and is exposed as the \MWParsoid namespace). The ParsoidTestFileSuite.php code only runs the parser tests if Parsoid has been loaded (which should be the default with MediaWiki 1.38).

For CI, Parsoid is tested against the tip of MediaWiki, whereas MediaWiki is tested with the composer dependency. In case of a breaking change, the Parsoid change gets merged first (which breaks its own CI but not MediaWiki's) and MediaWiki is adjusted when Parsoid is updated. It is thus a one-way change.

Release build

For MediaWiki release builds, we have an integration of the Parsoid ServiceWiring into VisualEditor in order to have VisualEditor work without further configuration (besides a wfLoadExtension( 'VisualEditor' )). The release build also enables the REST API and hooks everything up so that Parsoid works out of the box. This is done by copying a bit of Parsoid code into VisualEditor; it is not in the master branch of VisualEditor, since it would become obsolete as soon as Parsoid is updated. Instead the code is maintained in two places.

Technical documents

  • /Internals: documentation about Parsoid internals with links to other details.
  • PHP Porting notes and help-wanted tasks
  • Parsoid deployment agenda on Wikimedia cluster (code normally deployed every Monday and Wednesday between 1pm - 1:30pm PST)
  • /Round-trip testing: The round-trip testing setup we are using to test the wikitext -> HTML DOM -> wikitext round-trip on actual Wikipedia content.
  • /Visual Diffs Testing: Info about visual diff testing for comparing Parsoid’s html rendering with php parser’s html rendering + a testreduce setup for doing mass visual diff tests.
  • /limitations: Limitations in Parsoid, mainly contrived templating (ab)uses that don’t matter in practice. Could be extended to be similar to the preprocessor upgrade notes (Might need updating)
  • /Bibliography: Bibliography of related literature

Links for Parsoid developers

  • See Parsoid/Debugging for debugging tips.
  • Upgrading or adding packages to Parsoid
  • See these instructions for syncing Parsoid’s copy of parser tests to/from core
  • Parsoid has a limited library interface for invoking it programmatically.
  • Tech Talk about Retargeting extensions to work with Parsoid

Links for Parsoid deployers (to the Wikimedia cluster)

  • Parsoid/Deployments
  • RT testing commits (useful to check regressions and fixes)
  • Deployment instructions for Parsoid
  • Kibana dashboard
  • Grafana dashboard for wt2html metrics
  • Grafana dashboard for html2wt metrics
  • Grafana dashboard for non-200 responses
  • Prometheus breakdown for the Parsoid cluster on eqiad
  • Prometheus breakdown for the Parsoid cluster on codfw
  • Jenkins Job Builder docs for updating jenkins jobs

See also

  • API
  • RESTBase: a caching / storing API proxy for page HTML translated by Parsoid
  • Quarterly review meetings of the Parsoid team: April 2015, January 2015 (earlier)
  • Future/Parser plan: Early (now relatively old) design ideas and issues
  • Special:PrefixIndex/Parsoid/: Parsoid-related pages on this wiki
  • Extension:ParsoidBatchAPI
  • parsoid-jsapi: a high-level interface for extraction and transformation of wikitext, similar to the mwparserfromhell API.
  • Alternative parsers

External links

  • Source code (GitHub mirror)
  • JS Documentation (old version of Parsoid)
  • PHP Documentation
  • Parsoid on the Wikimedia Commons

Contact

If you need help or have questions/feedback, you can contact us in #mediawiki-parsoid connect or the wikitext-l mailing list. If all that fails, you can also contact us by email at parsing-team at the wikimedia.org domain.
