Security

This page aims at listing the specific things that a developer should be careful with to avoid introducing new vulnerabilities in scripts and extensions. All security topic related to administration of the wiki is located in the security page of the administrator guide.

Scripting and Escaping

The first vulnerability in scripts is the user inputs: any input that a user can provide could possibly be an open door to an attack. Either XSS when the content is output in an HTML context, or XWiki syntax injection when the syntax is injected, e.g., in a Velocity macro where parsing of the output is enabled (the default). XWiki syntax injection almost always allows executing macros with the rights of the script's author and as this author frequently has the programming right, this gives an attacker the ability to execute arbitrary code. It doesn't matter where in the output the user's input is used. Regardless if it is in a parameter, an HTML macro or a verbatim syntax, by including the respective closing syntax, user input can always close whatever syntax it is part of. The nested script macro protection is no protection against attacks. By putting the nested script macro, e.g., inside an async macro, the nested script macro protection can easily be circumvented as the async macro has its own parsing context.

So in order to mitigate this, developers should always ensure to use the proper escaping mechanism. The most important ways to escape content are:

• $services.rendering.escape($content, 'xwiki/2.1') for XWiki syntax
• $escapetool.xml($content) for HTML output. This can also be used in an HTML macro and escapes {, thereby preventing the closing of the HTML macro through user input.

Make sure you always test if escaping actually protects against attacks by writing appropriate tests.

xwiki/2.0 and xwiki/2.1 syntaxes

Link label

In XWiki syntax 2.0 and 2.1 the link is parsed in two passes, each pass having its own escaping:

• the global link is first parsed with the label being just one big string
• then the label is parsed on its own

What this means in practice is that when you need to escape something in the link label you need to escape it twice. For example if you want to print something that may contains wiki syntax as a link label you could do for example in Velocity:

  #set ($userContent = '{{mymacro/}}')
  #set ($escapedLabel = $services.rendering.escape($services.rendering.escape($userContent, 'xwiki/2.1'), 'xwiki/2.1'))
  [[label $escapedLabel>>Main.WebHome]]

Verbatim

It's impossible to properly escape content to put in verbatim syntax in syntaxes xwiki/2.0 and xwiki/2.1.

The simplest for this kind of use case is generally to use something like:

(%class="code"%)(((
  $services.rendering.escape($doc.content, 'xwiki/2.1')
)))

Code macro

It's impossible to properly escape content to put in code macro in syntaxes xwiki/2.0 and xwiki/2.1.

There are several alternatives if you need to highlight user input:

  return new org.xwiki.rendering.block.MacroBlock("code", ["language": "xml"], userInput, false)

Translations

Translation values are often inserted in content that follows a specific syntax (wiki content, HTML, etc.), which means the translation is often re-parsed for this content syntax. Treat every translation value as untrusted and escape it when you render it for two reasons:

• Privilege escalation. A translation value can contain injection ({{groovy}}, {{html}}, ...). Registering a translation that affects other users requires elevated rights (GLOBAL scope needs Programming Right, WIKI scope needs Wiki Admin Right). A USER scope translation only needs Script Right, but that is still dangerous: a user with only Script Right can register such a
  translation, and if it is then rendered in a request handled for a user who has Admin or Programming rights, the injected macro executes with those rights. In other words, leaving a translation value unescaped turns Script Right into a path to Admin/Programming Right.
• Broken display. A translation value may legitimately contain characters that are conflicting with the syntax of the context in which it's inserted (*, [[, <, ...). Unless escaped, it might break the display of the whole content around the translation.

Use the {{translation}} macro when you can

The best in terms of performance and security is to use the {{translation}} macro. The reason is that in that case the translation is not parsed but directly inserted into the XDOM.

{{velocity}}
#set ($txparameters = [$userinput, 42])
{{translation key="some.translation" scriptParameters="txparameters"/}}
{{/velocity}}

{{velocity}}
#wikiTranslation('some.translation', [$userinput, 42])
{{/velocity}}

When you cannot use the {{translation}} macro

So when you are not in a wiki context, or when you're coding for an older version of XWiki (i.e. before 16.10.18,17.10.9,18.4.0RC1) for which passing translation parameters to the {{translation}} macro is too complex (you'd need to escape each parameter separately), do the following:

• Escape the entire #render output. This protects against both injection through translation value and through translation parameters:

    {{html}}
      $escapetool.xml($services.localization.render('myapp.key', [$param]))
    {{/html}}
  
    ## To be used only for older XWiki versions, see above. For new versions, use the translation macro.
    $services.rendering.escape($services.localization.render('myapp.key', [$param]), 'xwiki/2.1'))

• Do not rely on translations containing specific syntax (wiki markup, HTML, etc). Aside from making it much more complex for contributors to translate it, it makes it impossible to properly escape it. To wrap translated text in a link or other markup, build the markup in your (trusted) code and put the escaped translation inside it. For example, in the case of a link, having only the link label in the translation:

    {{html}}
      <a href="$link">$esapetool.xml($services.localization.render('myapp.linkLabel', [$param]))</a>
    {{/html}}
  
    ## Link label requires double escaping in xwiki/2.1 syntax, see the "Link label" section for more details
    ## To be used only for older XWiki versions, see above. For new versions, use the translation macro.
    [[$services.rendering.escape($services.rendering.escape($services.localization.render('myapp.linkLabel', [$param]), 'xwiki/2.1'))>>$target]]

• When you cannot escape the whole result (which should be avoided, as mentioned above), at least escape the parameters that might come from user input before passing them to #render.

HTML

While $escapetool.xml($content) is enough for escaping user input/untrusted text that is simply displayed, this is not necessarily the case for values that are used in attributes that have special meaning like the target of a link. There, even a fully escaped string could be interpreted as a script when the user clicks on it. In XWiki syntax, all attributes are automatically validated, but this is not the case for HTML in HTML macros with script right or Velocity templates. You can use $services.html.isAttributeSafe($htmlElement, $attributeName, $attributeValue) to check if a certain attribute with a certain value is safe according to the HTML cleaning configuration. This returns false for script-URLs on links for example. See also the section on HTTP requests and redirects for extra precautions that you should take if the user doesn't expect to land on a different domain when clicking on a link/button, like a "Cancel" button.

Restricted Mode in Macros

As explained in details in the documentation for writing macros, the Macro Transformation Context can be set in "Restricted Mode" and in your macro should respect this parameter (by checking macroContext.getTransformationContext().isRestricted()) and either not execute at all or execute in a restricted mode.

Protect against XXE attacks

Always follow the OWASP recommendations to protect against XXE attacks when parsing XML.

Right Checks in Script Services

Any code that is exposed as a script service needs to check the rights of the context author, i.e., the user who wrote the script, in addition to the context user, i.e., the user that is accessing the script. Currently, the only easy way to check rights of the context author is to check script or programming right using a contextual authorization manager. It takes important context information into account like if permissions have been dropped. In addition to that, all right checks that are done for the context user should be duplicated for the context author to ensure that no CSRF attacks are possible, i.e., there is no way to, e.g., write a script that executes a dangerous action as soon as a user with more rights accesses the document. It needs to be taken care that if permissions have been dropped, the context author cannot be trusted and thus no dangerous actions must be performed and no sensitive information must be disclosed.

If the script service exposes information or executes actions without further right checks, it must check for programming right of the context author.

Note that context author rights are currently not consistently enforced in XWiki, in particular there is no such concept in JavaScript. This is an area for future improvements, new code should still take context author rights into account.

Returning Data in Script Services

When returning any object in a script service, ensure that all its methods properly check access rights and don't allow modifying data without proper access right checks. Use wrapper objects to add right checks or hide dangerous methods. For example, returning an XWikiDocument is not safe as it allows modifying author information and executing the content with the new author.

Executing Code or XWiki Syntax

If possible, it should be avoided to introduce new code that directly executes (Velocity) code or XWiki syntax with transformations. Instead, existing APIs should be used, e.g., displaying a text area property instead of manually parsing the content of the property. If this should still be necessary, it is of utmost importance to:

• Check that the author of the code has script right. Make sure you check the content author if the code is in the content of the document and the effective metadata author if the code is in an XObject.
• Execute the code or transformations with the correct author in context. In Java, AuthorExecutor should be used for this. There is no way to do this in Velocity. There are hacks like dropPermissions but they are prone to security vulnerabilities and should thus be avoided.

Safe Evaluation of Objects

HTTP Requests and Redirects

Whenever the user is redirected to a URL or HTTP requests are performed on the server side, extra care is needed to avoid introducing an open redirect or server side request forgery (SSRF) vulnerability. While the perfect mitigation is to simply never use user-provided data in redirects and HTTP requests, this is sometimes not possible, in particular if backwards-compatibility needs to be maintained. For this reason, XWiki provides the possibility for admins to configure a list of trusted domains and methods to validate a URL - both in Java and as a script service that can be used in Velocity. Note that there are differences in URL parsing that can be exploited, as the validation might see one domain, but the browser actually uses a different domain. For this reason, the provided method parseToSafeURI doesn't just validate the passed URL but instead returns the parsed URL to ensure that the URL is interpreted as validated.

The same that applies to redirections also applies to URLs that are used on buttons in the UI where the user doesn't expect to land on a different domain/website, like "Cancel" buttons. There, in addition to unexpected/malicious target websites, XSS is also a topic. For this purpose, the #getSanitizedURLAttributeValue macro has been introduced that both checks if the attribute is safe, i.e., not a script-URL, and if it is linking to a trusted domain (or the current domain). You can find an example use in restore.vm.