Page MenuHomePhabricator
Create Task
Maniphest T168860

Security review for AdvancedSearch extension
Closed, ResolvedPublic
Actions

Assigned To
Reedy
Authored By
Tobi_WMDE_SW
Jun 26 2017, 1:16 PM
Tags
Referenced Files
F8793806: Screen Shot 2017-07-18 at 16.40.17.png
Jul 18 2017, 3:45 PM
F8793807: Screen Shot 2017-07-18 at 16.39.28.png
Jul 18 2017, 3:45 PM
F8793803: Screen Shot 2017-07-18 at 16.37.28.png
Jul 18 2017, 3:45 PM
F8793808: Screen Shot 2017-07-18 at 16.38.42.png
Jul 18 2017, 3:45 PM
Subscribers
Aklapper
Bawolff
Bmueller
gabriel-wmde
gerritbot
Lea_WMDE
MZMcBride
View All 11 Subscribers

Description

Project Information

Description of the tool/project

Creates an improved advanced search interface for MediaWiki and aims for a user-friendly integration of search keywords.

Description of how the tool will be used at WMF

If installed, the extension enhances Special:Search by an advanced parameters form and improves the way how to configure namespaces.
The extension should be available as a beta-feature at the beginning.

Dependencies

  • None

Has this project been reviewed before?

Only review inside the WMDE-TechWish.

Working test environment

wfLoadExtension( 'AdvancedSearch' );
  • After enabling the extension, go to Special:Search.

Post-deployment

WMDE-TechWish

Related Objects
Search...

Event Timeline

Tobi_WMDE_SW created this task.Jun 26 2017, 1:16 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJun 26 2017, 1:16 PM
Tobi_WMDE_SW updated the task description. (Show Details)Jun 26 2017, 1:18 PM
Tobi_WMDE_SW updated the task description. (Show Details)
Tobi_WMDE_SW added projects: Advanced-Search, TCB-Team (now WMDE-TechWish), deprecated-security-team-reviews.
Tobi_WMDE_SW added subscribers: Lea_WMDE, gabriel-wmde, Bmueller and 2 others.
Tobi_WMDE_SW moved this task from Proposed to Watching/Blocked/External on the WMDE-TechWish board.Jun 26 2017, 1:21 PM
Tobi_WMDE_SW mentioned this in T166665: Request security review for AdvancedSearch extension.
Tobi_WMDE_SW added a project: JavaScript.Jun 27 2017, 9:22 AM
Tobi_WMDE_SW updated the task description. (Show Details)Jul 4 2017, 3:06 PM
gabriel-wmde updated the task description. (Show Details)Jul 11 2017, 3:28 PM
dpatrick mentioned this in E644: Security review for AdvancedSearch extension.Jul 11 2017, 4:42 PM
Reedy subscribed.EditedJul 11 2017, 9:58 PM

Non security little things

If installed, the extension enhances Special:Search by an advanced parameters form and improves the way how to configure namespaces.

and also on https://www.mediawiki.org/wiki/Extension:AdvancedSearch

I'm struggling to grok that as a whole sentence. Configure namespaces? Configure them for what? (I'm presuming it doesn't mean configure namespaces akin to adding them etc in LocalSettings)

  • onSpecialSearchPowerBox hook subscriber is a noop, should be removed
  • Indenting in getBetaFeaturePreferences for info-link and discussion-link values, should either be on the same line, or should be an extra tab before =>
  • No COPYING/LICENCE file (but licence is in extension.json)
  • Vagrant role (should be good first task ) would be useful
  • Screenshot on https://www.mediawiki.org/wiki/Extension:AdvancedSearch is out of date
  • advancedsearch-field-or should be "these" not "those"
  • Has this extension had i18n review?
  • I noticed on Special:Search?uselang=qqx that a few messages didn't change to message keys. Having then found the javascript below, it's clear that these messages can't be localised. This need fixing before deployment on WMF wikis
	var i18n = {
		de: {
			'advanced-search': 'Erweiterte Suchoptionen:',

			// TODO Move these to i18n
			text: 'Seite enthält …',
			structure: 'Struktur',
			files: 'Dateien und Bilder'
		},
		en: {
			'advanced-search': 'Advanced parameters:',
			text: 'The page should include …',
			structure: 'Structure',
			// FIXME: Why does this need to mention both, like images are not files?
			files: 'Files and images'
		}
	};
  • 'The page should include …' - Should this be an ellipses? I don't think we use this syntax anywhere else
  • RL loader code that looks wrong module is defined for each file. Could be moved to ResourceFileModulePaths to save some duplication/words
MZMcBride subscribed.Jul 11 2017, 10:12 PM
Aklapper added a comment.Jul 11 2017, 11:38 PM

Non security little things

i18n: Also note that splitting strings like ("The page should include..." "this word") currently does not tell translators that the second string requires accusative declension when trying to translate the second string properly...

Reedy added a comment.Jul 12 2017, 12:12 AM
In T168860#3428486, @Aklapper wrote:

Non security little things

i18n: Also note that splitting strings like ("The page should include..." "this word") currently does not tell translators that the second string requires accusative declension when trying to translate the second string properly...

And should generally be avoided for sure!

https://www.mediawiki.org/wiki/Localisation#Avoid_fragmented_or_.27patchwork.27_messages

Reedy added a comment.Jul 12 2017, 12:24 AM

I guess also... "The page should include... Not this word" isn't very good english.

"The page should not include this word" obviously makes a lot more sense

"The page should include … Exactly this text:" doesn't really make sense. Include exactly this text? What do the other options do?

I wonder if these should also have tooltips with much more detailed information about what the options do... Or links

Lea_WMDE moved this task from Backlog to Doing (others) on the Advanced-Search board.Jul 12 2017, 10:49 AM
dpatrick moved this task from Incoming to Scheduled on the deprecated-security-team-reviews board.Jul 12 2017, 7:21 PM
Tobi_WMDE_SW added a comment.Jul 13 2017, 9:43 AM

@Reedy @Aklapper Thanks for your review so far! We'll follow up on it soon.

gerritbot subscribed.Jul 14 2017, 3:40 PM

Change 365261 had a related patch set uploaded (by Gabriel Birke; owner: Gabriel Birke):
[mediawiki/extensions/AdvancedSearch@master] Address some non-security issues from T168860

https://gerrit.wikimedia.org/r/365261

gerritbot added a project: Patch-For-Review.Jul 14 2017, 3:40 PM
gabriel-wmde mentioned this in rEASR62a8c7d1e787: Address some non-security issues from T168860.Jul 14 2017, 3:43 PM
gabriel-wmde mentioned this in rEASR056d52c53a8c: Address some non-security issues from T168860.Jul 17 2017, 4:37 PM
gerritbot added a comment.Jul 17 2017, 5:21 PM

Change 365261 merged by jenkins-bot:
[mediawiki/extensions/AdvancedSearch@master] Address some non-security issues from T168860

https://gerrit.wikimedia.org/r/365261

Reedy removed a project: Patch-For-Review.Jul 17 2017, 6:06 PM
Reedy added a comment.EditedJul 18 2017, 2:21 PM
In T168860#3428032, @Reedy wrote:

I think those are the only outstanding ones for the non security stuff

Vagrant roles added at https://gerrit.wikimedia.org/r/#/c/365964/

PHP code is obviously fine from a security PoV

Reedy added a comment.Jul 18 2017, 3:45 PM
	// TODO initialize with API call instead
	var templateModel = new mw.libs.advancedSearch.dm.MenuDataModel( {
		infoboxNature: 'Infobox Nature',
		infoboxArchitecture: 'Infobox Architecture',
		commonsLink: 'Link to Commons'
	} );

Specifically the last one there... Should that be i18n-ified? Not that any of them actually seem to be used anywhere?

	mw.loader.load( '//de.wikipedia.org/w/index.php?title=MediaWiki:Gadget-DeepCat.js&action=raw&ctype=text/javascript' );

Uh... what? Why? This doesn't feel very non WMF friendly among other things. Never mind any comments/similar explaining why it's there.

On Timeless skin... Things look rather broken in terms of layout of the subheadings

Screen Shot 2017-07-18 at 16.37.28.png (1×1 px, 122 KB)

On Vector/Monobook... There seems to be some control overlap below the "Search in:" header. Doesn't look the same as the "Advanced parameters:" header in collapsed/expanded states

Screen Shot 2017-07-18 at 16.38.42.png (1×1 px, 120 KB)

Screen Shot 2017-07-18 at 16.39.28.png (552×1 px, 89 KB)

Screen Shot 2017-07-18 at 16.40.17.png (696×1 px, 70 KB)

Reedy moved this task from Scheduled to In Progress on the deprecated-security-team-reviews board.Jul 18 2017, 3:56 PM
Reedy triaged this task as Medium priority.Jul 18 2017, 6:17 PM
gabriel-wmde added a comment.Jul 19 2017, 9:56 AM

@Reedy Thank you for pointing out two vestiges of the early demo prototype!

  • The templateModel variable is just a placeholder for an unfinished feature. This will be implemented in T165302 and the variable will be removed. No need to i18n the placeholder.
  • The loading of the DeepCat gadget will also be removed. Instead, DeepCat-like functionality will be implemented for all wikis that are indexed in CatGraph. See T165297 and T170533 .
gabriel-wmde mentioned this in T171070: Which skins are supported and which should be supported?.Jul 19 2017, 4:42 PM
Liuxinyu970226 subscribed.Jul 19 2017, 10:59 PM
Lea_WMDE edited projects, added WMDE-FUN-Team; removed WMDE-TechWish.Aug 9 2017, 11:12 AM
gabriel-wmde added a comment.Aug 16 2017, 1:33 PM

Could someone give an update on the status of the security review? I hope nobody is waiting for anything from our side.

Tobi_WMDE_SW moved this task from Incoming to Advanced Search on the TCB-Team (now WMDE-TechWish) board.Aug 23 2017, 10:32 AM
Tobi_WMDE_SW updated the task description. (Show Details)Sep 14 2017, 10:51 AM
Tobi_WMDE_SW added a subscriber: Bawolff.

@Bawolff @Reedy do you have any updates on this? We're aiming for a deployment as a beta feature in October or November 2017, so we should resolve any security review related issues rather soonish. Can you give a brief timeline for this?

Reedy moved this task from In Progress to Waiting on the deprecated-security-team-reviews board.Sep 21 2017, 10:57 PM
Reedy closed this task as Resolved.Sep 21 2017, 11:03 PM
Reedy claimed this task.

I blame Wikimania!

Looks like the scary arbitrary inclusion of js from dewiki is gone, so I don't see anything else that's outstanding at this point.

Probably worth enabling codesniffer (either version) so commits like https://github.com/wikimedia/mediawiki-extensions-AdvancedSearch/commit/2aa01dc9c3e367c7202a541c93cd1221ce989ee4 don't need to be made manually. PHP linting/

And then jslint/whatever we're using these days too

Oh PhpStorm is bitching about the * @return boolean on onSpecialPageBeforeExecute

Liuxinyu970226 unsubscribed.Sep 22 2017, 11:35 AM
Addshore added a parent task: T180140: Deploy AdvancedSearch extension on beta cluster.Nov 9 2017, 5:04 PM
Addshore mentioned this in T180128: Make AdvancedSearch a beta feature on de-wiki and ar-wiki.Nov 10 2017, 9:53 AM
Jayprakash12345 added a subtask: T180291: beta test AdvancedSearch in Arabic Wikipedia.Nov 12 2017, 9:29 PM
Reedy removed a subtask: T180291: beta test AdvancedSearch in Arabic Wikipedia.Nov 12 2017, 10:39 PM
Lea_WMDE mentioned this in T193181: Deploying AdvancedSearch.Apr 26 2018, 4:03 PM
gabriel-wmde mentioned this in rEASRb1f32a81a71c: Create change.Jun 8 2018, 9:59 PM
gabriel-wmde mentioned this in rEASR92351fc415b2: Create patch set 2.
sbassett moved this task from Waiting to Done on the deprecated-security-team-reviews board.Jul 9 2019, 8:21 PM
chasemp removed a project: deprecated-security-team-reviews.Jan 8 2020, 4:16 PM
chasemp added a project: Application Security Reviews.Jan 8 2020, 4:40 PM
chasemp moved this task from Incoming to Our Part Is Done on the Application Security Reviews board.Jan 8 2020, 4:43 PM
chasemp added a project: secscrum.Mar 10 2020, 8:11 PM
chasemp moved this task from Incoming to Our Part Is Done on the secscrum board.Mar 10 2020, 8:19 PM
thiemowmde removed a project: TCB-Team (now WMDE-TechWish).Jan 7 2022, 2:48 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits