⚓ T123558 Security review for TextCat library

Status	Assigned	Task
Resolved	EBernhardson	T137158 Compile and then resolve issues with TextCat A/B test data
Declined	mpopov	T134320 Analyse results of TextCat A/B test
Resolved	EBernhardson	T130321 Disable Schema:Search, since it's outdated and redundant
Resolved	mpopov	T129564 Switch Desktop data collection for dashboards to use TestSearchSatisfaction2 instead of Search schema
Resolved	EBernhardson	T134319 Turn off TextCat A/B test on the English Wikipedia on or after May 23
Resolved	debt	T134318 Verify data pipeline for TextCat A/B test on English Wikipedia
Open	None	T118278 [EPIC] Improve Language Identification for use in Cirrus Search
Resolved	EBernhardson	T121542 Write and deploy an A/B Test on enwiki using TextCat for Language Identification
Resolved	EBernhardson	T124844 Add textcat to mediawiki vendor libs
Resolved	EBernhardson	T121543 Do an A/B Tests on Other Wikis with TextCat for Language Identification
Resolved	Smalyshev	T121538 Convert TextCat to PHP Library for Language Identification in Cirrus Search
Resolved	TJones	T123537 Generate wikitext-based and query-based language models for TextCat
Resolved	TJones	T123651 Decide which set of separators we have to use for TextCat ngrams
Resolved	• dpatrick	T123558 Security review for TextCat library

Smalyshev created this task.Jan 13 2016, 8:18 PM

Smalyshev raised the priority of this task from to Needs Triage.

Smalyshev updated the task description. (Show Details)

Smalyshev added projects: deprecated-security-team-reviews, Discovery-ARCHIVED, MediaWiki-Vendor.

Smalyshev subscribed.

Restricted Application added subscribers: StudiesWorld, Aklapper. · View Herald TranscriptJan 13 2016, 8:18 PM

Smalyshev updated the task description. (Show Details)Jan 13 2016, 8:18 PM

Smalyshev set Security to None.

300 lines of php, should be a quick review.

Thanks, @csteipp!

Smalyshev added a parent task: T121538: Convert TextCat to PHP Library for Language Identification in Cirrus Search.Jan 14 2016, 6:50 PM

Smalyshev moved this task from Needs triage to Search on the Discovery-ARCHIVED board.Jan 15 2016, 10:10 PM

• csteipp moved this task from Incoming to Scheduled on the deprecated-security-team-reviews board.Jan 22 2016, 12:08 AM

This has been reviewed. It looks good, generally, and seems to be quite an elegant solution. Only one minor issue was found:

General Observations

Positive
- Limited attack surface
- Code is well-documented and highly readable
Negative
- None
Neutral
- None

Issues

LOW

LM File Loading May Provide Vector for Malicious Code Execution
 - LM files are plain PHP. If the package is deployed directly from Github, ensure that any stock LM files are reviewed prior to use to ensure that malicious code has not been inserted.

Configuration Recommendations

None

Files

./catus.php

OK

./felis.php

OK

./lm2php.php

OK

./TextCat.php

LOW
- LM files loaded via `include()` may allow code execution

• dpatrick reassigned this task from • dpatrick to Smalyshev.Jan 22 2016, 8:05 PM

• dpatrick triaged this task as Medium priority.

• dpatrick subscribed.

Yes, I know the direct file loading is tricky, the reason it is so if because loading PHP file is the fastest way to load data into PHP, there's a lot of data to be loaded and using caching infrastructure of HHVM would be very beneficial. We do not yet have finalized the LM models, that's T123537. Once it is done, we'll ping you again.

Smalyshev added a parent task: T124844: Add textcat to mediawiki vendor libs.Jan 26 2016, 11:12 PM

TJones mentioned this in T121538: Convert TextCat to PHP Library for Language Identification in Cirrus Search.Jan 28 2016, 6:02 PM

@dpatrick language models now all updated.

Smalyshev reassigned this task from Smalyshev to • dpatrick.Feb 3 2016, 3:44 AM

The final version is here: https://gerrit.wikimedia.org/r/#/c/268028/

• dpatrick added a project: Security-Team.Feb 9 2016, 9:58 PM

• dpatrick moved this task from Incoming to Waiting on the Security-Team board.

• dpatrick moved this task from Waiting to Our Part Is Done on the Security-Team board.

Smalyshev closed this task as Resolved.Feb 11 2016, 7:34 PM

sbassett moved this task from Scheduled to Done on the deprecated-security-team-reviews board.Jul 9 2019, 8:27 PM

• chasemp removed a project: deprecated-security-team-reviews.Jan 8 2020, 4:17 PM