Page MenuHomePhabricator
Create Task
Maniphest T123594

Security review of the ImageTweaks extension ahead of production deployment
Closed, ResolvedPublic
Actions

Description

Project Information

Description of the tool/project

ImageTweaks is a new extensions developed by WMF engineers in the Multimedia team to provide on-wiki media editing tools. Still under development, but likely most of the code will be (client-side) JavaScript image file reading, manipulation and writing for then uploading through one of the usual tools into the upload pipeline for Commons.

Description of how the tool will be used at WMF

Production deployment of the extension at first for logged-in users on Commons for file manipulation, initially as a Beta Feature, then for all users. Plausibly, later for all users for in-article non-destructive image modification without needing to upload near-duplicate versions of files.

Dependencies

List dependencies, or upstream projects that this project relies on

Has this project been reviewed before?

please link to tasks or wiki pages of previous reviews
Nope.

Working test environment

please link or describe setup process for setting up a test environment

Post-deployment

name of team responsible for tool/project after deployment and primary contact
Multimedia still. :-)

Related Objects
Search...

Event Timeline

Jdforrester-WMF created this task.Jan 13 2016, 11:28 PM
Jdforrester-WMF raised the priority of this task from to Medium.
Jdforrester-WMF updated the task description. (Show Details)
Jdforrester-WMF added projects: deprecated-security-team-reviews, Multimedia, ImageTweaks.
Jdforrester-WMF added subscribers: Jdforrester-WMF, MarkTraceur, Prtksxna, matmarex.
Restricted Application added subscribers: Matanya, Aklapper. · View Herald TranscriptJan 13 2016, 11:28 PM
csteipp moved this task from Incoming to Scheduled on the deprecated-security-team-reviews board.Apr 5 2016, 11:55 PM
csteipp added a project: Security-Team.Apr 7 2016, 12:16 AM
csteipp moved this task from Incoming to Ready on the Security-Team board.
MarkTraceur mentioned this in T126492: Security review for MediaWiki extension ImageTweaks.Apr 13 2016, 11:07 PM
MarkTraceur added a subscriber: csteipp.Apr 13 2016, 11:09 PM

@csteipp we just spoke about the extension's current state, and though it's not going to be deployed pending Thumbor deployment and configuration for our use, we are confident that the current state of the codebase includes the lion's share of the code that will be present upon deployment, so we're comfortable asking for the security review now. Thanks!

dpatrick claimed this task.Apr 18 2016, 5:13 PM
dpatrick set Security to None.
dpatrick added a comment.Apr 18 2016, 5:26 PM

General Observations

Excellent developer documentation in client-side code.

Issues

No issues found.

Files

./ApiImageTweaks.php

OK

./extension.json

OK

./ImageTweaks.hooks.php

OK

./ImageTweaks.php

OK

./includes/HTMLImageDisplayField.php

NOTE
- line 68, TODO item for server-side validation

./includes/UploadFromLocalFile.php

OK

./includes/UploadFromRequest.php

OK

./node_modules/caman-dist-only/dist/caman.full.js

OK (partially reviewed; DOM XSS sinks and file I/O only)

./resources/lib/ExifRestorer.js

OK

./resources/src/caman.fix.js

NOTE
- ensure that when upstream fix lands, this code is removed and the dependency is updated

./resources/src/caman.flip.js

OK

./resources/src/imageeditor.js

OK

./resources/src/imagetool.js

OK

./resources/src/imagetweaks.bootstrap.js

OK
dpatrick moved this task from Ready to Our Part Is Done on the Security-Team board.May 9 2016, 6:15 PM
dpatrick moved this task from Scheduled to Waiting on the deprecated-security-team-reviews board.Jun 29 2016, 5:29 PM
Jdforrester-WMF added a parent task: T141317: Provide a beta feature of ImageTweaks.Jul 25 2016, 10:41 PM
MarkTraceur raised the priority of this task from Medium to High.Dec 5 2016, 10:04 PM
MarkTraceur moved this task from Untriaged to Next up on the Multimedia board.
MarkTraceur raised the priority of this task from High to Needs Triage.Dec 6 2016, 5:55 PM
MarkTraceur triaged this task as Medium priority.
MarkTraceur moved this task from Next up to Tracking on the Multimedia board.
MarkTraceur unsubscribed.Jan 27 2017, 10:16 PM
MarkTraceur subscribed.Jan 27 2017, 10:38 PM
Bawolff closed this task as Resolved.Jun 27 2017, 12:21 PM
Bawolff subscribed.

As far as I understand, there is nothing more to do on this bug, so I'm closing resolved.

sbassett moved this task from Waiting to Done on the deprecated-security-team-reviews board.Jul 9 2019, 8:23 PM
chasemp removed a project: deprecated-security-team-reviews.Jan 8 2020, 4:17 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits