Page MenuHomePhabricator
Create Task
Maniphest T120922

Security review of the ORES extension
Closed, ResolvedPublic
Actions

Description

Once the extension has been code reviewed and tested on staging, have it security reviewed before deployment to the main cluster.

http://git.wikimedia.org/summary/?r=mediawiki/extensions/ORES.git

Related Objects
Search...

Event Timeline

awight created this task.Dec 9 2015, 10:23 AM
awight claimed this task.
awight raised the priority of this task from to Medium.
awight updated the task description. (Show Details)
awight added a project: Machine-Learning-Team (Active Tasks).
awight added subscribers: Legoktm, Halfak, Ladsgroup and 3 others.
Ladsgroup added a project: MediaWiki-extensions-ORES.Dec 30 2015, 9:43 PM
Ladsgroup set Security to None.
awight added a parent task: T120923: Ask for consensus to enable and deploy ORES extension to production.Dec 30 2015, 9:56 PM
awight added a project: deprecated-security-team-reviews.
awight updated the task description. (Show Details)Dec 30 2015, 9:58 PM
csteipp subscribed.Dec 30 2015, 10:01 PM

Is this a different component from what we did in T110072: Security Review of Revscoring?

awight added a comment.Dec 30 2015, 10:04 PM

Yes, this is much simpler, happily. It's an ORES client which integrates with MediaWiki. Let me know if you'd like to see more documentation anywhere in the source code!

awight renamed this task from Request security review of the ORES extension to Security review of the ORES extension.Dec 30 2015, 10:04 PM
csteipp added a comment.Dec 30 2015, 11:48 PM

Cool. Please link to the code repo, any documentation about the project,
and a dev/demo setup if you have one. What is your timeline on this?

Ladsgroup added a comment.Dec 30 2015, 11:56 PM

Thank you for doing this: http://git.wikimedia.org/summary/?r=mediawiki/extensions/ORES.git

dpatrick subscribed.Jan 21 2016, 8:34 PM

Is there a test instance of this already installed and running?

dpatrick claimed this task.Jan 21 2016, 8:35 PM
Ladsgroup added a comment.Jan 21 2016, 10:37 PM

Hey, yes :)

csteipp moved this task from Incoming to Scheduled on the deprecated-security-team-reviews board.Jan 22 2016, 12:08 AM
Ladsgroup moved this task from Parked to Backlog on the Machine-Learning-Team (Active Tasks) board.Jan 22 2016, 1:44 AM
dpatrick added a comment.Jan 22 2016, 7:07 PM

This looks good, you all. No issues found:

General Observations

  • Positive
    • Use of MWHttpRequest in Api.php verifies SSL certificate chain by default
    • Database access uses built-in MW methods to avoid SQL injection
    • No input from client-side used (aside from revision content)
    • No user-controlled input is re-displayed in the browser
  • Negative
    • None
  • Neutral
    • None

Issues

None

Configuration Recommendations

None

Files

./extension.json

OK

./includes/Api.php

OK

./includes/Cache.php

OK

./includes/FetchScoreJob.php

OK

./includes/Hooks.php

OK

./includes/Scoring.php

OK

./maintenance/CheckModelVersions.php

OK

./maintenance/PurgeScoreCache.php

OK

./sql/ores_classification.sql

OK

./sql/ores_model.sql

OK
dpatrick reassigned this task from dpatrick to awight.Jan 22 2016, 7:08 PM
Ladsgroup moved this task from Backlog to Completed on the Machine-Learning-Team (Active Tasks) board.Jan 24 2016, 5:23 PM
Ladsgroup moved this task from Backlog to Done on the MediaWiki-extensions-ORES board.Jan 25 2016, 4:36 AM
Reedy closed this task as Resolved.Feb 9 2016, 8:02 PM
Reedy subscribed.

Closing as done per above

sbassett moved this task from Scheduled to Done on the deprecated-security-team-reviews board.Jul 9 2019, 8:27 PM
chasemp removed a project: deprecated-security-team-reviews.Jan 8 2020, 4:17 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL