Page MenuHomePhabricator
Files F58518236

T386826.patch
Urbanecm_WMF (Martin Urbanec / Urbanecm)
Actions

Authored By
Urbanecm_WMF
Feb 28 2025, 11:22 AM
Size
4 KB
Referenced Files
None
Subscribers
None

T386826.patch
View Options

From 0c2f5f180df70779a56ae5e8dff7148b8a51d4dd Mon Sep 17 00:00:00 2001
From: Martin Urbanec <martin.urbanec@wikimedia.cz>
Date: Fri, 28 Feb 2025 12:19:00 +0100
Subject: [PATCH] SECURITY: Validate mentor's weight is within the expected
range
This should not break any mentor list, as evidenced
by global search query on the task.
Bug: T386826
Change-Id: I1661ac92a43cb70f83e1e4804ab031971c0b57e2
---
i18n/mentorship/en.json | 1 +
i18n/mentorship/qqq.json | 1 +
.../Validation/StructuredMentorListValidator.php | 10 ++++++++++
3 files changed, 12 insertions(+)
diff --git a/i18n/mentorship/en.json b/i18n/mentorship/en.json
index 1af982a5a..0888ed840 100644
--- a/i18n/mentorship/en.json
+++ b/i18n/mentorship/en.json
@@ -171,6 +171,7 @@
"growthexperiments-mentor-list-missing-key": "Key <code>$1</code> is missing",
"growthexperiments-mentor-list-datatype-mismatch": "<code>$1</code> is expected to be <code>$2</code>, but is <code>$3</code>",
"growthexperiments-mentor-list-unexpected-key-mentor": "Mentor definition contains an unexpected key <code>$1</code>",
+ "growthexperiments-mentor-list-invalid-weight": "<code>$1</code> is expected to be one of: <code>$2</code>, but is <code>$3</code>",
"growthexperiments-mentor-writer-error-already-added": "Mentor $1 was already added to the mentor list",
"growthexperiments-mentor-writer-error-not-in-the-list": "Mentor $1 is not in the mentor list",
"growthexperiments-mentor-writer-error-anonymous-user": "Mentor $1 is not a registered user",
diff --git a/i18n/mentorship/qqq.json b/i18n/mentorship/qqq.json
index b8e2755ca..89374fadf 100644
--- a/i18n/mentorship/qqq.json
+++ b/i18n/mentorship/qqq.json
@@ -179,6 +179,7 @@
"growthexperiments-mentor-list-missing-key": "Error message displayed when a manual save of MediaWiki:GrowthMentors.json (configurable by <code>GEStructuredMentorList</code>) is invalid.",
"growthexperiments-mentor-list-datatype-mismatch": "Error message displayed when a manual save of MediaWiki:GrowthMentors.json (configurable by <code>GEStructuredMentorList</code>) is invalid.",
"growthexperiments-mentor-list-unexpected-key-mentor": "Error message displayed when a manual save of MediaWiki:GrowthMentors.json (configurable by <code>GEStructuredMentorList</code>) is invalid.",
+ "growthexperiments-mentor-list-invalid-weight": "Error message displayed when a manual save of MediaWiki:GrowthMentors.json (configurable by <code>GEStructuredMentorList</code>) is invalid.",
"growthexperiments-mentor-writer-error-already-added": "Error message displayed when a change to MediaWiki:GrowthMentors.json (configurable by <code>GEStructuredMentorList</code>) tries to add a mentor who is already added",
"growthexperiments-mentor-writer-error-not-in-the-list": "Error message displayed when a change to MediaWiki:GrowthMentors.json (configurable by <code>GEStructuredMentorList</code>) tries to remove/change a mentor who is not in the list",
"growthexperiments-mentor-writer-error-anonymous-user": "Error message displayed when a change to MediaWiki:GrowthMentors.json (configurable by <code>GEStructuredMentorList</code>) tries to remove/change a mentor who is not in the list",
diff --git a/includes/Config/Validation/StructuredMentorListValidator.php b/includes/Config/Validation/StructuredMentorListValidator.php
index 8a2719e48..e2d4d1b37 100644
--- a/includes/Config/Validation/StructuredMentorListValidator.php
+++ b/includes/Config/Validation/StructuredMentorListValidator.php
@@ -2,6 +2,7 @@
namespace GrowthExperiments\Config\Validation;
+use GrowthExperiments\MentorDashboard\MentorTools\IMentorWeights;
use GrowthExperiments\Mentorship\Provider\MentorProvider;
use InvalidArgumentException;
use StatusValue;
@@ -98,6 +99,15 @@ class StructuredMentorListValidator implements IConfigValidator {
gettype( $value )
);
}
+
+ if ( $key === 'weight' && !in_array( $value, IMentorWeights::WEIGHTS ) ) {
+ return StatusValue::newFatal(
+ 'growthexperiments-mentor-list-invalid-weight',
+ $key,
+ \FormatJson::encode( IMentorWeights::WEIGHTS ),
+ $value
+ );
+ }
}
// Code below assumes mentor declarations are syntactically correct.
--
2.39.3 (Apple Git-145)

File Metadata

Mime Type
text/x-diff
Storage Engine
blob
Storage Format
Raw Data
Storage Handle
19338847
Default Alt Text
T386826.patch (4 KB)

Event Timeline

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits