Page MenuHomePhabricator
Create Task
Maniphest T182599

Make jenkins run phan-taint-check-plugin non-voting and then voting
Closed, ResolvedPublic
Actions

Description

As discussed in the parent bug, it would be cool if jenkins could run seccheck-fast-mwext in a non-voting manner for extensions. (Its expected there will be some false positives, but should be relatively small for extensions, and would allow authors to see what they are and fix them).

It would be also cool to run seccheck-mwext as a non-voting post-merge test (Since that check is really slow, taking over 3 minutes to run, but will detect things the other one wont, especially related to hooks).

Details

Related Changes in Gerrit:
SubjectRepoBranchLines +/-
Lets make phan-taint-check votingintegration/configmaster+20 -20
Run seccheck plugin as non-voting for all bundled extensionsintegration/configmaster+36 -1
Add mwext-php70-phan-seccheck-docker as experimentalintegration/configmaster+1 -0
Add job to run seccheck pluginintegration/configmaster+87 -0
Customize query in gerrit

Related Objects
Search...

Event Timeline

Bawolff created this task.Dec 11 2017, 3:59 PM
Legoktm added a project: Continuous-Integration-Config.Dec 11 2017, 5:54 PM
Legoktm claimed this task.Dec 19 2017, 12:33 AM

I'll take a stab at this.

Legoktm added a comment.Feb 5 2018, 6:05 AM

@Bawolff should we also have a job for MediaWiki core that runs seccheck-mw?

Legoktm added a comment.Feb 5 2018, 7:24 AM

I think I've mostly got the dockerization ready for this, do you have an example extension that should pass this, and one that fails (or a patch I can apply to the passing one to make it fail)?

Bawolff added a comment.Feb 5 2018, 5:16 PM
In T182599#3945143, @Legoktm wrote:

I think I've mostly got the dockerization ready for this, do you have an example extension that should pass this, and one that fails (or a patch I can apply to the passing one to make it fail)?

That's awesome. Thank you :D

Abusefilter master has about 17 failures currently when running seccheck-fast-mwext. The InputBox extension passes seccheck-fast-mwext

Bawolff added a comment.Feb 5 2018, 5:20 PM
In T182599#3945129, @Legoktm wrote:

@Bawolff should we also have a job for MediaWiki core that runs seccheck-mw?

Eventually yes. Right now there are a couple places in core that are very noisy for false positives (Talking in the hundreds), so I'm not sure its really needed now until that's fixed up a bit. I think extensions are definitely the a better place to concentrate on first.

gerritbot subscribed.Feb 5 2018, 8:40 PM

Change 408368 had a related patch set uploaded (by Legoktm; owner: Legoktm):
[integration/config@master] Add job to run seccheck plugin

https://gerrit.wikimedia.org/r/408368

gerritbot added a project: Patch-For-Review.Feb 5 2018, 8:40 PM
gerritbot added a comment.Feb 7 2018, 2:55 AM

Change 408368 merged by jenkins-bot:
[integration/config@master] Add job to run seccheck plugin

https://gerrit.wikimedia.org/r/408368

gerritbot added a comment.Feb 7 2018, 3:00 AM

Change 408746 had a related patch set uploaded (by Legoktm; owner: Legoktm):
[integration/config@master] Add mwext-php70-phan-seccheck-docker as experimental

https://gerrit.wikimedia.org/r/408746

gerritbot added a comment.Feb 7 2018, 3:09 AM

Change 408746 merged by jenkins-bot:
[integration/config@master] Add mwext-php70-phan-seccheck-docker as experimental

https://gerrit.wikimedia.org/r/408746

Legoktm added a comment.Feb 7 2018, 3:45 AM

After a bit of fiddling... https://integration.wikimedia.org/ci/job/mwext-php70-phan-seccheck-docker/5/console is the result against AbuseFilter. The checkstyle XML is also in a more human readable form at https://integration.wikimedia.org/ci/job/mwext-php70-phan-seccheck-docker/5/checkstyleResult/

For nearly all extensions, commenting "check experimental" will run the security check plugin. If that looks good, we can make it non-voting on most/all extensions? How do we know when to make it voting?

Also tbh a 3 minute job (seccheck-mwext) isn't that slow if we wanted to run the full mode against extensions pre-merge.

Legoktm added a project: MediaWiki-Platform-Team-Archived (MWPT-Q3-Jan-Mar-2018).Feb 7 2018, 3:47 AM
Legoktm moved this task from Ready to In Progress on the MediaWiki-Platform-Team-Archived (MWPT-Q3-Jan-Mar-2018) board.
Bawolff added a comment.Feb 8 2018, 2:09 AM
In T182599#3951542, @Legoktm wrote:

After a bit of fiddling... https://integration.wikimedia.org/ci/job/mwext-php70-phan-seccheck-docker/5/console is the result against AbuseFilter. The checkstyle XML is also in a more human readable form at https://integration.wikimedia.org/ci/job/mwext-php70-phan-seccheck-docker/5/checkstyleResult/

Awesome :D

For nearly all extensions, commenting "check experimental" will run the security check plugin. If that looks good, we can make it non-voting on most/all extensions? How do we know when to make it voting?

I would say for the next couple of weeks keep it non voting just in case of bugs in the plugin or something unexpected happens. But after an initial test period i would say we could make it voting as soon as it passes for an extension.

Also tbh a 3 minute job (seccheck-mwext) isn't that slow if we wanted to run the full mode against extensions pre-merge.

gerritbot added a comment.Feb 14 2018, 8:08 AM

Change 410397 had a related patch set uploaded (by Legoktm; owner: Legoktm):
[integration/config@master] Run seccheck plugin as non-voting for all bundled extensions

https://gerrit.wikimedia.org/r/410397

Legoktm added a comment.Feb 14 2018, 8:23 AM

Results from running locally using the CI docker container:

  • Cite - pass
  • CiteThisPage - pass
  • ConfirmEdit - pass
  • Gadgets - pass
  • ImageMap - FAIL
  • InputBox - pass
  • Interwiki - pass
  • LocalisationUpdate - pass
  • Nuke - pass
  • ParserFunctions - pass
  • PdfHandler - pass
  • Poem - pass
  • Renameuser - FAIL
  • SpamBlacklist - FAIL
  • SyntaxHighlight_GeSHi - pass
  • TitleBlacklist - pass
  • WikiEditor - pass
gerritbot added a comment.Feb 14 2018, 8:25 AM

Change 410397 merged by jenkins-bot:
[integration/config@master] Run seccheck plugin as non-voting for all bundled extensions

https://gerrit.wikimedia.org/r/410397

Reedy added a comment.Feb 14 2018, 8:34 AM
In T182599#3970929, @Legoktm wrote:

Results from running locally using the CI docker container:

  • Cite - pass
  • CiteThisPage - pass
  • ConfirmEdit - pass
  • Gadgets - pass
  • ImageMap - FAIL
  • InputBox - pass
  • Interwiki - pass
  • LocalisationUpdate - pass
  • Nuke - pass
  • ParserFunctions - pass
  • PdfHandler - pass
  • Poem - pass
  • Renameuser - FAIL
  • SpamBlacklist - FAIL
  • SyntaxHighlight_GeSHi - pass
  • TitleBlacklist - pass
  • WikiEditor - pass

Any more details on the FAILs?

Legoktm added a comment.Feb 14 2018, 8:39 AM

P6693 seccheck ImageMap
1<checkstyle version="6.5">
2 <file name="./ImageMap_body.php">
3 <error line="83" severity="warning" message="Outputting user controlled HTML from Parser tag hook \ImageMap::render (Caused by: ./ImageMap_body.php +404)" source="SecurityCheck-XSS"/>
4 <error line="86" severity="warning" message="Outputting user controlled HTML from Parser tag hook \ImageMap::render (Caused by: ./ImageMap_body.php +404)" source="SecurityCheck-XSS"/>
5 <error line="100" severity="warning" message="Outputting user controlled HTML from Parser tag hook \ImageMap::render (Caused by: ./ImageMap_body.php +404)" source="SecurityCheck-XSS"/>
6 <error line="105" severity="warning" message="Outputting user controlled HTML from Parser tag hook \ImageMap::render (Caused by: ./ImageMap_body.php +404)" source="SecurityCheck-XSS"/>
7 <error line="113" severity="warning" message="Outputting user controlled HTML from Parser tag hook \ImageMap::render (Caused by: ./ImageMap_body.php +404)" source="SecurityCheck-XSS"/>
8 <error line="121" severity="warning" message="Outputting user controlled HTML from Parser tag hook \ImageMap::render (Caused by: ./ImageMap_body.php +404)" source="SecurityCheck-XSS"/>
9 <error line="144" severity="warning" message="Outputting user controlled HTML from Parser tag hook \ImageMap::render (Caused by: ./ImageMap_body.php +404; ./ImageMap_body.php +130)" source="SecurityCheck-XSS"/>
10 <error line="159" severity="warning" message="Outputting user controlled HTML from Parser tag hook \ImageMap::render (Caused by: ./ImageMap_body.php +404)" source="SecurityCheck-XSS"/>
11 <error line="174" severity="warning" message="Outputting user controlled HTML from Parser tag hook \ImageMap::render (Caused by: ./ImageMap_body.php +404)" source="SecurityCheck-XSS"/>
12 <error line="177" severity="warning" message="Outputting user controlled HTML from Parser tag hook \ImageMap::render (Caused by: ./ImageMap_body.php +404)" source="SecurityCheck-XSS"/>
13 <error line="191" severity="warning" message="Outputting user controlled HTML from Parser tag hook \ImageMap::render (Caused by: ./ImageMap_body.php +189)" source="SecurityCheck-XSS"/>
14 <error line="197" severity="warning" message="Outputting user controlled HTML from Parser tag hook \ImageMap::render (Caused by: ./ImageMap_body.php +189; ./ImageMap_body.php +195)" source="SecurityCheck-XSS"/>
15 <error line="208" severity="warning" message="Outputting user controlled HTML from Parser tag hook \ImageMap::render (Caused by: ./ImageMap_body.php +404)" source="SecurityCheck-XSS"/>
16 <error line="211" severity="warning" message="Outputting user controlled HTML from Parser tag hook \ImageMap::render (Caused by: ./ImageMap_body.php +404)" source="SecurityCheck-XSS"/>
17 <error line="215" severity="warning" message="Outputting user controlled HTML from Parser tag hook \ImageMap::render (Caused by: ./ImageMap_body.php +404)" source="SecurityCheck-XSS"/>
18 <error line="263" severity="warning" message="Outputting user controlled HTML from Parser tag hook \ImageMap::render (Caused by: ./ImageMap_body.php +404)" source="SecurityCheck-XSS"/>
19 </file>
20</checkstyle>

P6694 seccheck Renameuser
1<checkstyle version="6.5">
2 <file name="./maintenance/renameUserCleanup.php">
3 <error line="320" severity="error" message="Calling method \Wikimedia\Rdbms\Database::update() in \RenameUserCleanup::updateTable that outputs using tainted argument $updateCondsWithTime. (Caused by: ./maintenance/renameUserCleanup.php +319)" source="SecurityCheck-SQLInjection"/>
4 </file>
5</checkstyle>

P6695 seccheck SpamBlacklist
1<checkstyle version="6.5">
2 <file name="./maintenance/cleanup.php">
3 <error line="102" severity="warning" message="Echoing expression that was not html escaped (Caused by: ./maintenance/cleanup.php +98)" source="SecurityCheck-XSS"/>
4 </file>
5</checkstyle>

Also you can just submit a dummy patch against the extensions and jenkins will run the job in the clean CI environment (e.g. https://gerrit.wikimedia.org/r/#/c/410195/ ) - I think my checkout is a few days behind.

Bawolff added a comment.Feb 15 2018, 1:53 PM

Ok, fixes for the failures at: https://gerrit.wikimedia.org/r/#/c/410876/ https://gerrit.wikimedia.org/r/#/c/410869/ and https://gerrit.wikimedia.org/r/#/c/410894/ (In particular, the ImageMap one was an actual issue, in that i18n error messages were being used as raw html)

However, Renameuser has a bunch of additional failures when run against the master branch of phan-taint-check. Basically RenameUserJob takes the table name and various column names for the sql queries from the job parameters, and since phan has no way of knowing if the job parameters are sane, this triggers sql injection warnings. Could probably be fixed by adding much $dbw->addIdentifierQuotes, or maybe we should just suppress errors on that method.

Legoktm renamed this task from Make jenkins run security-check-plugin non-voting to Make jenkins run phan-taint-check-plugin non-voting and then voting.Feb 15 2018, 8:29 PM
Legoktm closed subtask T187497: Set phan-taint-check plugin version in extensions themselves instead of hardcoding it in CI as Resolved.Feb 16 2018, 10:21 PM
CCicalese_WMF moved this task from In Progress to Watching on the MediaWiki-Platform-Team-Archived (MWPT-Q3-Jan-Mar-2018) board.Feb 27 2018, 2:47 AM
Legoktm reassigned this task from Legoktm to Bawolff.Feb 27 2018, 5:27 AM

@Bawolff let me know whenever you're ready to make this voting. According to https://tools.wmflabs.org/ci/last_run.html Renameuser is the only extension failing right now.

Legoktm added a project: MW-1.31-release.Apr 2 2018, 10:04 PM

I'd like to aim to get this implemented by 1.31 branching to show off these extensions as examples.

CCicalese_WMF edited projects, added MediaWiki-Platform-Team-Archived (MWPT-Q4-Apr-Jun-2018); removed MediaWiki-Platform-Team-Archived (MWPT-Q3-Jan-Mar-2018).Apr 4 2018, 6:52 PM
CCicalese_WMF moved this task from Ready to Watching on the MediaWiki-Platform-Team-Archived (MWPT-Q4-Apr-Jun-2018) board.Apr 4 2018, 6:55 PM
Jdforrester-WMF subscribed.Apr 9 2018, 10:56 PM
demon subscribed.Apr 26 2018, 8:50 PM
In T182599#4098733, @Legoktm wrote:

I'd like to aim to get this implemented by 1.31 branching to show off these extensions as examples.

What's the status?

Bawolff moved this task from Backlog to Wikimedia deployed on the phan-taint-check-plugin board.Apr 29 2018, 3:28 PM
Legoktm mentioned this in T192325: Setup phan for AbuseFilter.Apr 30 2018, 6:41 AM
gerritbot added a comment.May 4 2018, 8:16 PM

Change 431003 had a related patch set uploaded (by Brian Wolff; owner: Brian Wolff):
[integration/config@master] Lets make phan-taint-check voting

https://gerrit.wikimedia.org/r/431003

gerritbot added a comment.May 5 2018, 2:26 AM

Change 431003 merged by jenkins-bot:
[integration/config@master] Lets make phan-taint-check voting

https://gerrit.wikimedia.org/r/431003

Legoktm added a comment.May 5 2018, 4:34 AM

I moved CategoryTree and Renameuser back to non-voting since they're still failing.

Legoktm added a comment.May 5 2018, 8:26 PM
In T182599#4162681, @demon wrote:
In T182599#4098733, @Legoktm wrote:

I'd like to aim to get this implemented by 1.31 branching to show off these extensions as examples.

What's the status?

We're close. I think Cite, CategoryTree, and Renameuser are the only ones that don't pass under 1.2.0.

Umherirrender closed this task as Resolved.May 18 2018, 8:11 PM
Umherirrender mentioned this in T195017: Renameuser extension does not pass phan-taint-check 1.2.0.
Umherirrender subscribed.

Created T195017 for Renameuser, T195009 and T195010 are there for Cite and CategoryTree

CCicalese_WMF moved this task from Watching to Done on the MediaWiki-Platform-Team-Archived (MWPT-Q4-Apr-Jun-2018) board.Jun 1 2018, 2:50 AM
sbassett moved this task from Incoming to Our Part Is Done on the Security-Team board.Jun 11 2019, 6:31 PM
sbassett moved this task from Wikimedia deployed to Done on the phan-taint-check-plugin board.Oct 15 2019, 6:55 PM
Maintenance_bot removed a project: Patch-For-Review.Oct 15 2019, 7:18 PM
sbassett triaged this task as Medium priority.Oct 15 2019, 7:25 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits