Page MenuHomePhabricator
Create Task
Maniphest T149808

Security review for TwoColConflict extension
Closed, ResolvedPublic
Actions

Description

Project Information

Description of the tool/project

The TwoColConflict extension provides an alternative two-column view for the edit conflict resolution page. It highlights differences between the editor's and the conflicting change directly in the textfield for an easy possibility to copy and paste desired pieces of the text and resolving the conflict.

Description of how the tool will be used at WMF

If installed, whenever an edit conflict is happening while using the standard wikitext editor, the extension will show a new two-column conflict resolution view. You will see your version of the text on the one side and the conflicting version on the other. Differences between those versions are highlighted and you can copy and paste desired text passages to adjust the version that should be saved.
The extension should be available as a beta-feature at the beginning.

Dependencies

Has this project been reviewed before?

Only review inside the WMDE-TechWish. Implementation of the main requirements is still ongoing and is tracked in T143823, T149720 and T149721.

Working test environment

wfLoadExtension( 'TwoColConflict' );
  • After enabling the extension, try to produce an edit conflict and then see the new conflict-resolution view.

Post-deployment

WMDE-TechWish

Details

SubjectRepoBranchLines +/-
Various minor fixes related to the security reviewmediawiki/extensions/TwoColConflictmaster+7 -6
Use Message::parse instead of Message::__toStringmediawiki/extensions/TwoColConflictmaster+3 -2
Customize query in gerrit

Related Objects
Search...

Event Timeline

Tobi_WMDE_SW created this task.Nov 2 2016, 3:02 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptNov 2 2016, 3:02 PM
Tobi_WMDE_SW moved this task from Proposed to Watching/Blocked/External on the WMDE-TechWish board.Nov 2 2016, 3:02 PM
Tobi_WMDE_SW moved this task from Incoming to Edit Conflict Handling on the TCB-Team (now WMDE-TechWish) board.
Tobi_WMDE_SW updated the task description. (Show Details)Nov 3 2016, 9:48 AM
Legoktm subscribed.Nov 3 2016, 7:23 PM

Is there a task tracking the deployment of this extension to Wikimedia production?

Addshore added a parent task: T33235: [DO NOT USE] Extensions awaiting code review to be deployed on Wikimedia wikis (tracking) [superseded by #wikimedia-extension-review-queue].Nov 7 2016, 3:54 PM
Addshore added a parent task: T150184: Deploy TwoColConflict extension to production.Nov 7 2016, 4:14 PM
Addshore added a project: User-Addshore.Nov 7 2016, 4:24 PM
Tobi_WMDE_SW removed a parent task: T33235: [DO NOT USE] Extensions awaiting code review to be deployed on Wikimedia wikis (tracking) [superseded by #wikimedia-extension-review-queue].Nov 15 2016, 10:20 AM
Tobi_WMDE_SW added a comment.Nov 15 2016, 10:22 AM

@Legoktm yes, it's now tracked in T150184.

Tobi_WMDE_SW added a comment.Dec 8 2016, 12:42 PM

The extension is now in a state where security review could start already. Is there an estimate how long it would take approximately?

Addshore moved this task from Unsorted 💣 to Watching 👀 on the User-Addshore board.Dec 13 2016, 7:49 PM
dpatrick mentioned this in E434: Security review for TwoColConflict extension.Dec 21 2016, 2:46 AM
Nemo_bis subscribed.Jan 5 2017, 10:13 AM
Bawolff subscribed.Jan 9 2017, 7:48 AM

Security review of TwoColConflict ext version 4194077ff44a5 (Jan 6, 2016)

Overall the extension is good. I would prefer that html be constructed via the Html class instead of using string concatenation, but in most cases (one exception) this extension uses string concatenation safely for constructing Html.

Major issues

  • In getUnifiedText() '<span mw-twocolconflict-diffchange-title-pseudo="' . $this->context->msg( 'twoColConflict-diffchange-own-title' ) The ->parse() format of Message class is not meant to be used in the context of html attributes. This could lead to XSS if someone registered the username User:"onmouseover="doEvil()"d=" (for the foreign-title case). Please either use ->escaped() format when using messages in a context like this, or better yet don't manually construct the HTML attributes but use Html::element()/Html::rawElement().

Minor issues

  • line 101, 102 of TwoColConflictPage (and other locations) - When using a Message object, please explicitly set ->parse() instead of relying on implicit ->__toString(). This just makes stuff much clearer.

Non-security

[This is just random comments and feedback I had when I was reading the code. This is not really part of the review. Feel free to ignore whatever you disagree with]

  • wrapWikiMsg in TwoColConflictPage::addExplainConflictHeader - Doesn't matter, but you don't need to call ->msg() here, most people just do [ 'twoColConflict-explainconflict', $buttonLabel ].
  • TwoColConflictPage::getUnifiedDiffText() - Wouldn't it be better if mw-twocolconflict-diffchange-title-pseudo was data-mw-twocolconflict-diffchange-title-pseudo?
  • On the edit conflict view, the html seems unbalanced causing the page footer to be messed up. Maybe there is an unclosed <div> somewhere.
  • MW Javascript coding conventions usually require that you make the $ be an argument to the immediately invoked function, where it is passed as jQuery.
  • The javascript seems to not work (?)
  • in getCollapsedText - htmlspecialchars is preferred over htmlentities unless you've got some specific reason you need it.
  • Comment on trimWhiteSpaces is kind of misleading (I wouldn't consider whitespace a non-printing character, and the function does not remove other non-printing characters)
  • The cursor is not a text selector on the diff screen.
  • I can't seem to select the text of the other user's version.
  • I'm a little worried about this interfering with other extensions that override the EditForm (Not sure if any currently deployed extensions do that, but its possible future extensions might for special content models). Maybe the hook should only override the edit form in the event of a conflict, and otherwise allow default behaviour. (Not really sure about that)
  • What about Custom Content models that override the diff behaviour (e.g. Wikidata)? Does it really make sense to override conflict handling for them?
Bawolff moved this task from Incoming to Waiting on the deprecated-security-team-reviews board.Jan 9 2017, 7:48 AM
Tobi_WMDE_SW added a comment.Jan 9 2017, 3:09 PM

@Bawolff thank you so much for doing the review!
We're going to tackle your points in upcoming days.

Addshore added a parent task: T154927: Deploy TwoColConflict extension to beta.Jan 9 2017, 10:19 PM
Reedy subscribed.Jan 9 2017, 10:36 PM
						case 'add':
							$output[] = '<div class="mw-twocolconflict-diffchange-own">' .
								'<div class="mw-twocolconflict-diffchange-title">' .
							    '<span mw-twocolconflict-diffchange-title-pseudo="' .
								$this->context->msg( 'twoColConflict-diffchange-own-title' ) .
							    '" unselectable="on">' . // used by IE9
							    '</span>' .
								'</div>';
							$output[] = $changeSet['new'] . '</div>';
							break;
						case 'delete':
							$output[] = '<div class="mw-twocolconflict-diffchange-foreign">' .
								'<div class="mw-twocolconflict-diffchange-title">' .
							    '<span mw-twocolconflict-diffchange-title-pseudo="' .
								$this->context->msg(
									'twoColConflict-diffchange-foreign-title',
									$lastUser
								) .
							    '" unselectable="on">' . // used by IE9
							    '</span>' .
								'</div>';
							$output[] = $changeSet['old'] . '</div>';
							break;

Mixed tabs and spaces

greg subscribed.Jan 9 2017, 11:08 PM

The review is done, right? (So this should be closed and any issues should be filed as separate tasks)

Addshore closed this task as Resolved.Jan 9 2017, 11:09 PM
Addshore claimed this task.

We will file tasks for the other issues outlined in the next days!

Bawolff added a comment.Jan 9 2017, 11:10 PM
In T149808#2929331, @greg wrote:

The review is done, right? (So this should be closed and any issues should be filed as separate tasks)

I guess so. Sometimes we seem to close the review when its done, othertimes we seem to only after all issues are fixed. I'm not sure what the official way is.

greg added a comment.Jan 9 2017, 11:26 PM

I guess semantically/contextualized processes would be: Keep it open, file sub-tasks for the issues identified/that need to be resolved before "ready", and resolve it when those are closed.

That way this task, which blocks the deploy to Beta, is clearly the representative of security readiness.

gerritbot subscribed.Jan 9 2017, 11:29 PM

Change 331414 had a related patch set uploaded (by Addshore):
Use Message::parse instead of Message::__toString

https://gerrit.wikimedia.org/r/331414

gerritbot added a project: Patch-For-Review.Jan 9 2017, 11:29 PM
Addshore mentioned this in rESCCa3bcd24c54c8: Use Message::parse instead of Message::__toString.Jan 9 2017, 11:30 PM
Addshore added a comment.Jan 9 2017, 11:30 PM

Main issue patched in https://gerrit.wikimedia.org/r/#/c/331404/
Other issue linked above.

Only pending things are non security related in https://phabricator.wikimedia.org/T149808#2927471 and we will slowly look at these.

gerritbot added a comment.Jan 12 2017, 10:10 AM

Change 331414 merged by jenkins-bot:
Use Message::parse instead of Message::__toString

https://gerrit.wikimedia.org/r/331414

gerritbot added a comment.Jan 16 2017, 5:46 PM

Change 332348 had a related patch set uploaded (by WMDE-Fisch):
Various minor fixes related to the security review

https://gerrit.wikimedia.org/r/332348

WMDE-Fisch mentioned this in rESCCe61d01595594: Various minor fixes related to the security review.Jan 16 2017, 5:46 PM
WMDE-Fisch mentioned this in rESCC0b08c81e2972: Various minor fixes related to the security review.Jan 16 2017, 5:51 PM
gerritbot added a comment.Jan 17 2017, 11:42 AM

Change 332348 merged by jenkins-bot:
Various minor fixes related to the security review

https://gerrit.wikimedia.org/r/332348

Addshore moved this task from Watching 👀 to Closing ✔️ on the User-Addshore board.Jan 17 2017, 2:27 PM
Quiddity added a project: Two-Column-Edit-Conflict-Merge.Jan 25 2017, 8:56 PM
Tobi_WMDE_SW moved this task from Watching/Blocked/External to Demoed on the WMDE-TechWish board.Jan 26 2017, 1:24 PM
Tobi_WMDE_SW removed a project: WMDE-TechWish.Jun 7 2017, 12:01 PM
WMDE-Fisch mentioned this in T202295: Security review major redesign of the TwoColConflict extension.Aug 20 2018, 3:03 PM
sbassett moved this task from Waiting to Done on the deprecated-security-team-reviews board.Jul 9 2019, 8:23 PM
chasemp removed a project: deprecated-security-team-reviews.Jan 8 2020, 4:12 PM
thiemowmde removed a project: TCB-Team (now WMDE-TechWish).Jan 7 2022, 3:27 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL