
Security review of the ORES extension
Closed, Resolved (Public)

Description

Once the extension has been code reviewed and tested on staging, have it security reviewed before deployment to the main cluster.

http://git.wikimedia.org/summary/?r=mediawiki/extensions/ORES.git

Event Timeline

awight created this task. Dec 9 2015, 10:23 AM
awight claimed this task.
awight raised the priority of this task from to Normal.
awight updated the task description.
awight added subscribers: Legoktm, Halfak, Ladsgroup and 3 others.
awight updated the task description. Dec 30 2015, 9:58 PM

Is this a different component from what we did in T110072: Security Review of Revscoring?

Yes, this is much simpler, happily. It's an ORES client which integrates with MediaWiki. Let me know if you'd like to see more documentation anywhere in the source code!

awight renamed this task from Request security review of the ORES extension to Security review of the ORES extension. Dec 30 2015, 10:04 PM

Cool. Please link to the code repo, any documentation about the project, and a dev/demo setup if you have one. What is your timeline on this?

Is there a test instance of this already installed and running?

This looks good, you all. No issues found:

General Observations

  • Positive
    • Use of MWHttpRequest in Api.php verifies SSL certificate chain by default
    • Database access uses built-in MW methods to avoid SQL injection
    • No input from client-side used (aside from revision content)
    • No user-controlled input is re-displayed in the browser
  • Negative
    • None
  • Neutral
    • None

Issues

None

Configuration Recommendations

None

Files

  • ./extension.json: OK
  • ./includes/Api.php: OK
  • ./includes/Cache.php: OK
  • ./includes/FetchScoreJob.php: OK
  • ./includes/Hooks.php: OK
  • ./includes/Scoring.php: OK
  • ./maintenance/CheckModelVersions.php: OK
  • ./maintenance/PurgeScoreCache.php: OK
  • ./sql/ores_classification.sql: OK
  • ./sql/ores_model.sql: OK
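To make the two positive observations above concrete (certificate-chain verification in MWHttpRequest, and database access through the MediaWiki wrapper rather than hand-built SQL), here is an added PHP illustration that is not the ORES extension's own code: each weak form is shown in a comment beside the form the review credits. `$url`, `$revId` and the `oresc_*` column names are assumptions; `MWHttpRequest`, `FormatJson`, `wfGetDB` and `Database::selectRow` are MediaWiki core APIs.

```php
<?php
// Added illustration, not code from the ORES extension. $url, $revId and the
// column names are assumptions; the MediaWiki core calls are real.

// --- 1. HTTP client to the ORES service ---------------------------------
// Weak form (do not do this): turning verification off lets anyone on the
// network path impersonate the ORES service and feed back arbitrary scores.
//   MWHttpRequest::factory( $url, [ 'sslVerifyCert' => false, 'sslVerifyHost' => false ] );

// What the review credits: MWHttpRequest verifies the certificate chain by
// default. Stating the options explicitly documents that this is intended
// and protects against a later copy-paste that flips them.
$req = MWHttpRequest::factory( $url, [
	'method'        => 'GET',
	'timeout'       => 10,
	'sslVerifyCert' => true,
	'sslVerifyHost' => true,
], __METHOD__ );
$status = $req->execute();
if ( !$status->isOK() ) {
	// Fail closed: a failed TLS handshake or HTTP error must not yield scores.
	throw new RuntimeException( 'ORES request failed: ' . $status->getWikiText() );
}
$scores = FormatJson::decode( $req->getContent(), true );

// --- 2. Database access --------------------------------------------------
$dbr = wfGetDB( DB_SLAVE ); // DB_REPLICA in newer MediaWiki

// Weak form (do not do this): SQL assembled from a variable. If $revId ever
// came from a request parameter this would be a textbook SQL injection.
//   $dbr->query( "SELECT * FROM ores_classification WHERE oresc_rev = $revId" );

// What the review credits: the wrapper quotes every value in the condition
// array itself, so no untrusted string is ever spliced into the SQL text.
$row = $dbr->selectRow(
	'ores_classification',
	[ 'oresc_model', 'oresc_class', 'oresc_probability' ],
	[ 'oresc_rev' => (int)$revId ],
	__METHOD__
);
```

The `(int)` cast is belt-and-braces on top of the wrapper's quoting; it also documents that revision ids are never expected to be strings.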

Reedy closed this task as Resolved. Feb 9 2016, 8:02 PM
Reedy added a subscriber: Reedy.

Closing as done per above