Page MenuHomePhabricator

taint-checks for CentralAuth failing
Closed, ResolvedPublic

Description

https://integration.wikimedia.org/ci/job/mwext-php70-phan-seccheck-docker/5799/console as of version 1.3.0

<?xml version="1.0" encoding="ISO-8859-15"?>
<checkstyle version="6.5">
  <file name="./includes/CentralAuthGroupMembershipProxy.php">
    <error line="22" severity="warning" message="Calling method \CentralAuthUser::getName in \CentralAuthGroupMembershipProxy::__construct that is always unsafe  (Caused by: ./includes/CentralAuthUser.php +590; ./maintenance/fixStuckGlobalRename.php +35; ./maintenance/forceRenameUsers.php +144; ./includes/CentralAuthUser.php +324)" source="SecurityCheck-XSS"/>
  </file>
  <file name="./includes/CentralAuthHooks.php">
    <error line="383" severity="warning" message="Calling method \CentralAuthUser::getName in \CentralAuthHooks::onSpecialPasswordResetOnSubmit that is always unsafe  (Caused by: ./includes/CentralAuthUser.php +590; ./maintenance/fixStuckGlobalRename.php +35; ./maintenance/forceRenameUsers.php +144; ./includes/CentralAuthUser.php +324)" source="SecurityCheck-XSS"/>
    <error line="571" severity="warning" message="Calling method \CentralAuthUser::getName in \CentralAuthHooks::doCentralLoginRedirect that is always unsafe  (Caused by: ./includes/CentralAuthUser.php +590; ./maintenance/fixStuckGlobalRename.php +35; ./maintenance/forceRenameUsers.php +144; ./includes/CentralAuthUser.php +324)" source="SecurityCheck-XSS"/>
    <error line="572" severity="warning" message="Calling method \CentralAuthUser::getName in \CentralAuthHooks::doCentralLoginRedirect that is always unsafe  (Caused by: ./includes/CentralAuthUser.php +590; ./maintenance/fixStuckGlobalRename.php +35; ./maintenance/forceRenameUsers.php +144; ./includes/CentralAuthUser.php +324)" source="SecurityCheck-XSS"/>
    <error line="573" severity="warning" message="Calling method \CentralAuthUser::getName in \CentralAuthHooks::doCentralLoginRedirect that is always unsafe  (Caused by: ./includes/CentralAuthUser.php +590; ./maintenance/fixStuckGlobalRename.php +35; ./maintenance/forceRenameUsers.php +144; ./includes/CentralAuthUser.php +324)" source="SecurityCheck-XSS"/>
    <error line="620" severity="warning" message="Calling method \CentralAuthUser::getMasterInstanceByName() in \closure_a93be2a8a1b5 that outputs using tainted argument $username. (Caused by: ./includes/CentralAuthUser.php +160) (Caused by: ./includes/CentralAuthHooks.php +618)" source="SecurityCheck-XSS"/>
    <error line="1462" severity="warning" message="Calling method \CentralAuthUser::getInstanceByName() in \CentralAuthHooks::onSessionCheckInfo that outputs using tainted argument $name. (Caused by: ./includes/CentralAuthUser.php +132) (Caused by: ./includes/CentralAuthHooks.php +1460)" source="SecurityCheck-XSS"/>
  </file>
  <file name="./includes/CentralAuthIdLookup.php">
    <error line="35" severity="warning" message="Calling method \CentralAuthUser::getName in \CentralAuthIdLookup::lookupCentralIds that is always unsafe  (Caused by: ./includes/CentralAuthUser.php +590; ./maintenance/fixStuckGlobalRename.php +35; ./maintenance/forceRenameUsers.php +144; ./includes/CentralAuthUser.php +324)" source="SecurityCheck-XSS"/>
    <error line="72" severity="warning" message="Calling method \CentralAuthUser::getName in \CentralAuthIdLookup::lookupUserNames that is always unsafe  (Caused by: ./includes/CentralAuthUser.php +590; ./maintenance/fixStuckGlobalRename.php +35; ./maintenance/forceRenameUsers.php +144; ./includes/CentralAuthUser.php +324)" source="SecurityCheck-XSS"/>
  </file>
  <file name="./includes/CentralAuthUser.php">
    <error line="120" severity="warning" message="Calling method \CentralAuthUser::getInstanceByName() in \CentralAuthUser::getInstance that outputs using tainted argument $[arg #1]. (Caused by: ./includes/CentralAuthUser.php +132) (Caused by: ../../includes/user/User.php +2454; ../../includes/changes/RecentChange.php +349; ../../includes/user/User.php +401; ../../includes/changes/RecentChange.php +349; ../../includes/user/User.php +401)" source="SecurityCheck-XSS"/>
    <error line="146" severity="warning" message="Calling method \CentralAuthUser::getMasterInstanceByName() in \CentralAuthUser::getMasterInstance that outputs using tainted argument $[arg #1]. (Caused by: ./includes/CentralAuthUser.php +160) (Caused by: ../../includes/user/User.php +2454; ../../includes/changes/RecentChange.php +349; ../../includes/user/User.php +401; ../../includes/changes/RecentChange.php +349; ../../includes/user/User.php +401)" source="SecurityCheck-XSS"/>
    <error line="288" severity="warning" message="Calling method \CentralAuthUser::getInstanceByName() in \CentralAuthUser::newFromId that outputs using tainted argument $name. (Caused by: ./includes/CentralAuthUser.php +132) (Caused by: ./includes/CentralAuthUser.php +280)" source="SecurityCheck-XSS"/>
    <error line="309" severity="warning" message="Calling method \CentralAuthUser::getMasterInstanceByName() in \CentralAuthUser::newMasterInstanceFromId that outputs using tainted argument $name. (Caused by: ./includes/CentralAuthUser.php +160) (Caused by: ./includes/CentralAuthUser.php +301)" source="SecurityCheck-XSS"/>
    <error line="324" severity="warning" message="Calling method \CentralAuthUser::__construct() in \CentralAuthUser::newFromRow that outputs using tainted argument $[arg #1]. (Caused by: ./maintenance/fixStuckGlobalRename.php +35)" source="SecurityCheck-XSS"/>
    <error line="1445" severity="warning" message="Calling method \CentralAuthUser::getName in \CentralAuthUser::queueAdminUnattachJob that is always unsafe  (Caused by: ./includes/CentralAuthUser.php +590; ./maintenance/fixStuckGlobalRename.php +35; ./maintenance/forceRenameUsers.php +144; ./includes/CentralAuthUser.php +324)" source="SecurityCheck-XSS"/>
    <error line="1447" severity="warning" message="Calling method \CentralAuthUser::getName in \CentralAuthUser::queueAdminUnattachJob that is always unsafe  (Caused by: ./includes/CentralAuthUser.php +590; ./maintenance/fixStuckGlobalRename.php +35; ./maintenance/forceRenameUsers.php +144; ./includes/CentralAuthUser.php +324)" source="SecurityCheck-XSS"/>
    <error line="1449" severity="warning" message="Calling method \CentralAuthUser::getName in \CentralAuthUser::queueAdminUnattachJob that is always unsafe  (Caused by: ./includes/CentralAuthUser.php +590; ./maintenance/fixStuckGlobalRename.php +35; ./maintenance/forceRenameUsers.php +144; ./includes/CentralAuthUser.php +324)" source="SecurityCheck-XSS"/>
    <error line="1472" severity="warning" message="Calling method \CentralAuthUser::getName in \CentralAuthUser::adminDelete that is always unsafe  (Caused by: ./includes/CentralAuthUser.php +590; ./maintenance/fixStuckGlobalRename.php +35; ./maintenance/forceRenameUsers.php +144; ./includes/CentralAuthUser.php +324)" source="SecurityCheck-XSS"/>
    <error line="1743" severity="warning" message="Calling method \CentralAuthUser::getName in \CentralAuthUser::doCrosswikiSuppression that is always unsafe  (Caused by: ./includes/CentralAuthUser.php +590; ./maintenance/fixStuckGlobalRename.php +35; ./maintenance/forceRenameUsers.php +144; ./includes/CentralAuthUser.php +324)" source="SecurityCheck-XSS"/>
    <error line="1744" severity="warning" message="Calling method \CentralAuthUser::getName in \CentralAuthUser::doCrosswikiSuppression that is always unsafe  (Caused by: ./includes/CentralAuthUser.php +590; ./maintenance/fixStuckGlobalRename.php +35; ./maintenance/forceRenameUsers.php +144; ./includes/CentralAuthUser.php +324)" source="SecurityCheck-XSS"/>
    <error line="1753" severity="warning" message="Calling method \CentralAuthUser::getName in \CentralAuthUser::doCrosswikiSuppression that is always unsafe  (Caused by: ./includes/CentralAuthUser.php +590; ./maintenance/fixStuckGlobalRename.php +35; ./maintenance/forceRenameUsers.php +144; ./includes/CentralAuthUser.php +324)" source="SecurityCheck-XSS"/>
    <error line="1755" severity="warning" message="Calling method \CentralAuthUser::getName in \CentralAuthUser::doCrosswikiSuppression that is always unsafe  (Caused by: ./includes/CentralAuthUser.php +590; ./maintenance/fixStuckGlobalRename.php +35; ./maintenance/forceRenameUsers.php +144; ./includes/CentralAuthUser.php +324)" source="SecurityCheck-XSS"/>
    <error line="1925" severity="warning" message="Calling method \CentralAuthUser::getName in \CentralAuthUser::canAuthenticate that is always unsafe  (Caused by: ./includes/CentralAuthUser.php +590; ./maintenance/fixStuckGlobalRename.php +35; ./maintenance/forceRenameUsers.php +144; ./includes/CentralAuthUser.php +324)" source="SecurityCheck-XSS"/>
    <error line="2464" severity="warning" message="Assigning a tainted value to a variable that later does something unsafe with it (Caused by: ./maintenance/forceRenameUsers.php +144; ./includes/CentralAuthUser.php +324; ./includes/CentralAuthUser.php +2464; ./maintenance/fixStuckGlobalRename.php +35; ./maintenance/forceRenameUsers.php +144; ./includes/CentralAuthUser.php +324; ../../inclu...)" source="SecurityCheck-XSS"/>
  </file>
  <file name="./includes/CentralAuthUtils.php">
    <error line="265" severity="warning" message="Calling method \CentralAuthUser::getName in \CentralAuthUtils::scheduleCreationJobs that is always unsafe  (Caused by: ./includes/CentralAuthUser.php +590; ./maintenance/fixStuckGlobalRename.php +35; ./maintenance/forceRenameUsers.php +144; ./includes/CentralAuthUser.php +324)" source="SecurityCheck-XSS"/>
  </file>
  <file name="./includes/GlobalRename/GlobalRenameUser.php">
    <error line="219" severity="warning" message="Calling method \LocalRenameUserJob::__construct() in \GlobalRenameUser::getJob that outputs using tainted argument $params. (Caused by: ./includes/LocalRenameJob/LocalRenameUserJob.php +42) (Caused by: ./includes/GlobalRename/GlobalRenameUser.php +205; ./includes/GlobalRename/GlobalRenameUser.php +219)" source="SecurityCheck-XSS"/>
  </file>
  <file name="./includes/GlobalRename/GlobalUserMerge.php">
    <error line="84" severity="warning" message="Calling method \CentralAuthUser::getName in \GlobalUserMerge::addLogEntry that is always unsafe  (Caused by: ./includes/CentralAuthUser.php +590; ./maintenance/fixStuckGlobalRename.php +35; ./maintenance/forceRenameUsers.php +144; ./includes/CentralAuthUser.php +324)" source="SecurityCheck-XSS"/>
    <error line="86" severity="warning" message="Calling method \CentralAuthUser::getName in \GlobalUserMerge::addLogEntry that is always unsafe  (Caused by: ./includes/CentralAuthUser.php +590; ./maintenance/fixStuckGlobalRename.php +35; ./maintenance/forceRenameUsers.php +144; ./includes/CentralAuthUser.php +324)" source="SecurityCheck-XSS"/>
    <error line="103" severity="warning" message="Calling method \CentralAuthUser::getName in \GlobalUserMerge::merge that is always unsafe  (Caused by: ./includes/CentralAuthUser.php +590; ./maintenance/fixStuckGlobalRename.php +35; ./maintenance/forceRenameUsers.php +144; ./includes/CentralAuthUser.php +324)" source="SecurityCheck-XSS"/>
    <error line="114" severity="warning" message="Calling method \CentralAuthUser::getName in \GlobalUserMerge::merge that is always unsafe  (Caused by: ./includes/CentralAuthUser.php +590; ./maintenance/fixStuckGlobalRename.php +35; ./maintenance/forceRenameUsers.php +144; ./includes/CentralAuthUser.php +324)" source="SecurityCheck-XSS"/>
    <error line="116" severity="warning" message="Calling method \CentralAuthUser::getName in \GlobalUserMerge::merge that is always unsafe  (Caused by: ./includes/CentralAuthUser.php +590; ./maintenance/fixStuckGlobalRename.php +35; ./maintenance/forceRenameUsers.php +144; ./includes/CentralAuthUser.php +324)" source="SecurityCheck-XSS"/>
    <error line="159" severity="warning" message="Calling method \CentralAuthUser::getName in \GlobalUserMerge::setRenameStatuses that is always unsafe  (Caused by: ./includes/CentralAuthUser.php +590; ./maintenance/fixStuckGlobalRename.php +35; ./maintenance/forceRenameUsers.php +144; ./includes/CentralAuthUser.php +324)" source="SecurityCheck-XSS"/>
    <error line="160" severity="warning" message="Calling method \CentralAuthUser::getName in \GlobalUserMerge::setRenameStatuses that is always unsafe  (Caused by: ./includes/CentralAuthUser.php +590; ./maintenance/fixStuckGlobalRename.php +35; ./maintenance/forceRenameUsers.php +144; ./includes/CentralAuthUser.php +324)" source="SecurityCheck-XSS"/>
    <error line="162" severity="warning" message="Calling method \CentralAuthUser::getName in \GlobalUserMerge::setRenameStatuses that is always unsafe  (Caused by: ./includes/CentralAuthUser.php +590; ./maintenance/fixStuckGlobalRename.php +35; ./maintenance/forceRenameUsers.php +144; ./includes/CentralAuthUser.php +324)" source="SecurityCheck-XSS"/>
    <error line="171" severity="warning" message="Calling method \CentralAuthUser::getName in \GlobalUserMerge::setRenameStatuses that is always unsafe  (Caused by: ./includes/CentralAuthUser.php +590; ./maintenance/fixStuckGlobalRename.php +35; ./maintenance/forceRenameUsers.php +144; ./includes/CentralAuthUser.php +324)" source="SecurityCheck-XSS"/>
    <error line="195" severity="warning" message="Calling method \CentralAuthUser::getName in \GlobalUserMerge::getJob that is always unsafe  (Caused by: ./includes/CentralAuthUser.php +590; ./maintenance/fixStuckGlobalRename.php +35; ./maintenance/forceRenameUsers.php +144; ./includes/CentralAuthUser.php +324)" source="SecurityCheck-XSS"/>
    <error line="195" severity="warning" message="Calling method \LocalUserMergeJob::__construct() in \GlobalUserMerge::getJob that outputs using tainted argument $[arg #2]. (Caused by: ./includes/LocalRenameJob/LocalUserMergeJob.php +13) (Caused by: ./includes/GlobalRename/GlobalUserMerge.php +195; ./includes/GlobalRename/GlobalUserMerge.php +195)" source="SecurityCheck-XSS"/>
    <error line="198" severity="warning" message="Calling method \CentralAuthUser::getName in \GlobalUserMerge::getJob that is always unsafe  (Caused by: ./includes/CentralAuthUser.php +590; ./maintenance/fixStuckGlobalRename.php +35; ./maintenance/forceRenameUsers.php +144; ./includes/CentralAuthUser.php +324)" source="SecurityCheck-XSS"/>
  </file>
  <file name="./includes/GlobalRename/GlobalUserMergeLogger.php">
    <error line="37" severity="warning" message="Calling method \CentralAuthUser::getName in \closure_14cc18b5b7ff that is always unsafe  (Caused by: ./includes/CentralAuthUser.php +590; ./maintenance/fixStuckGlobalRename.php +35; ./maintenance/forceRenameUsers.php +144; ./includes/CentralAuthUser.php +324)" source="SecurityCheck-XSS"/>
  </file>
  <file name="./includes/LocalRenameJob/LocalRenameUserJob.php">
    <error line="173" severity="warning" message="Calling method \LocalPageMoveJob::__construct() in \LocalRenameUserJob::movePages that outputs using tainted argument $[arg #2]. (Caused by: ./includes/LocalRenameJob/LocalPageMoveJob.php +29) (Caused by: ./includes/LocalRenameJob/LocalRenameUserJob.php +157; ./includes/LocalRenameJob/LocalRenameUserJob.php +173)" source="SecurityCheck-XSS"/>
  </file>
  <file name="./includes/api/ApiDeleteGlobalAccount.php">
    <error line="42" severity="warning" message="Calling method \CentralAuthUser::getName in \ApiDeleteGlobalAccount::execute that is always unsafe  (Caused by: ./includes/CentralAuthUser.php +590; ./maintenance/fixStuckGlobalRename.php +35; ./maintenance/forceRenameUsers.php +144; ./includes/CentralAuthUser.php +324)" source="SecurityCheck-XSS"/>
    <error line="48" severity="warning" message="Calling method \CentralAuthUser::getName in \ApiDeleteGlobalAccount::execute that is always unsafe  (Caused by: ./includes/CentralAuthUser.php +590; ./maintenance/fixStuckGlobalRename.php +35; ./maintenance/forceRenameUsers.php +144; ./includes/CentralAuthUser.php +324)" source="SecurityCheck-XSS"/>
    <error line="49" severity="warning" message="Calling method \CentralAuthUser::getName in \ApiDeleteGlobalAccount::execute that is always unsafe  (Caused by: ./includes/CentralAuthUser.php +590; ./maintenance/fixStuckGlobalRename.php +35; ./maintenance/forceRenameUsers.php +144; ./includes/CentralAuthUser.php +324)" source="SecurityCheck-XSS"/>
  </file>
  <file name="./includes/api/ApiQueryGlobalUserInfo.php">
    <error line="68" severity="warning" message="Calling method \CentralAuthUser::getName in \ApiQueryGlobalUserInfo::execute that is always unsafe  (Caused by: ./includes/CentralAuthUser.php +590; ./maintenance/fixStuckGlobalRename.php +35; ./maintenance/forceRenameUsers.php +144; ./includes/CentralAuthUser.php +324)" source="SecurityCheck-XSS"/>
  </file>
  <file name="./includes/api/ApiSetGlobalAccountStatus.php">
    <error line="43" severity="warning" message="Calling method \CentralAuthUser::getName in \ApiSetGlobalAccountStatus::execute that is always unsafe  (Caused by: ./includes/CentralAuthUser.php +590; ./maintenance/fixStuckGlobalRename.php +35; ./maintenance/forceRenameUsers.php +144; ./includes/CentralAuthUser.php +324)" source="SecurityCheck-XSS"/>
    <error line="44" severity="warning" message="Calling method \CentralAuthUser::getName in \ApiSetGlobalAccountStatus::execute that is always unsafe  (Caused by: ./includes/CentralAuthUser.php +590; ./maintenance/fixStuckGlobalRename.php +35; ./maintenance/forceRenameUsers.php +144; ./includes/CentralAuthUser.php +324)" source="SecurityCheck-XSS"/>
    <error line="72" severity="warning" message="Calling method \CentralAuthUser::getName in \ApiSetGlobalAccountStatus::execute that is always unsafe  (Caused by: ./includes/CentralAuthUser.php +590; ./maintenance/fixStuckGlobalRename.php +35; ./maintenance/forceRenameUsers.php +144; ./includes/CentralAuthUser.php +324)" source="SecurityCheck-XSS"/>
    <error line="73" severity="warning" message="Calling method \CentralAuthUser::getName in \ApiSetGlobalAccountStatus::execute that is always unsafe  (Caused by: ./includes/CentralAuthUser.php +590; ./maintenance/fixStuckGlobalRename.php +35; ./maintenance/forceRenameUsers.php +144; ./includes/CentralAuthUser.php +324)" source="SecurityCheck-XSS"/>
    <error line="81" severity="warning" message="Calling method \CentralAuthUser::getName in \ApiSetGlobalAccountStatus::execute that is always unsafe  (Caused by: ./includes/CentralAuthUser.php +590; ./maintenance/fixStuckGlobalRename.php +35; ./maintenance/forceRenameUsers.php +144; ./includes/CentralAuthUser.php +324)" source="SecurityCheck-XSS"/>
    <error line="82" severity="warning" message="Calling method \CentralAuthUser::getName in \ApiSetGlobalAccountStatus::execute that is always unsafe  (Caused by: ./includes/CentralAuthUser.php +590; ./maintenance/fixStuckGlobalRename.php +35; ./maintenance/forceRenameUsers.php +144; ./includes/CentralAuthUser.php +324)" source="SecurityCheck-XSS"/>
  </file>
  <file name="./includes/session/CentralAuthSessionProvider.php">
    <error line="212" severity="warning" message="Calling method \CentralAuthUser::getInstanceByName() in \CentralAuthSessionProvider::refreshSessionInfo that outputs using tainted argument $name. (Caused by: ./includes/CentralAuthUser.php +132) (Caused by: ./includes/session/CentralAuthSessionProvider.php +207)" source="SecurityCheck-XSS"/>
    <error line="331" severity="warning" message="Calling method \CentralAuthUser::getName in \CentralAuthSessionProvider::persistSession that is always unsafe  (Caused by: ./includes/CentralAuthUser.php +590; ./maintenance/fixStuckGlobalRename.php +35; ./maintenance/forceRenameUsers.php +144; ./includes/CentralAuthUser.php +324)" source="SecurityCheck-XSS"/>
    <error line="336" severity="warning" message="Calling method \CentralAuthUser::getName in \CentralAuthSessionProvider::persistSession that is always unsafe  (Caused by: ./includes/CentralAuthUser.php +590; ./maintenance/fixStuckGlobalRename.php +35; ./maintenance/forceRenameUsers.php +144; ./includes/CentralAuthUser.php +324)" source="SecurityCheck-XSS"/>
    <error line="337" severity="warning" message="Calling method \CentralAuthUser::getName in \CentralAuthSessionProvider::persistSession that is always unsafe  (Caused by: ./includes/CentralAuthUser.php +590; ./maintenance/fixStuckGlobalRename.php +35; ./maintenance/forceRenameUsers.php +144; ./includes/CentralAuthUser.php +324)" source="SecurityCheck-XSS"/>
  </file>
  <file name="./includes/specials/RenameQueueTablePager.php">
    <error line="176" severity="warning" message="Calling method \CentralAuthUser::getName in \RenameQueueTablePager::formatValue that is always unsafe  (Caused by: ./includes/CentralAuthUser.php +590; ./maintenance/fixStuckGlobalRename.php +35; ./maintenance/forceRenameUsers.php +144; ./includes/CentralAuthUser.php +324)" source="SecurityCheck-XSS"/>
    <error line="177" severity="warning" message="Calling method \CentralAuthUser::getName in \RenameQueueTablePager::formatValue that is always unsafe  (Caused by: ./includes/CentralAuthUser.php +590; ./maintenance/fixStuckGlobalRename.php +35; ./maintenance/forceRenameUsers.php +144; ./includes/CentralAuthUser.php +324)" source="SecurityCheck-XSS"/>
    <error line="179" severity="warning" message="Calling method \CentralAuthUser::getName in \RenameQueueTablePager::formatValue that is always unsafe  (Caused by: ./includes/CentralAuthUser.php +590; ./maintenance/fixStuckGlobalRename.php +35; ./maintenance/forceRenameUsers.php +144; ./includes/CentralAuthUser.php +324)" source="SecurityCheck-XSS"/>
    <error line="180" severity="warning" message="Calling method \CentralAuthUser::getName in \RenameQueueTablePager::formatValue that is always unsafe  (Caused by: ./includes/CentralAuthUser.php +590; ./maintenance/fixStuckGlobalRename.php +35; ./maintenance/forceRenameUsers.php +144; ./includes/CentralAuthUser.php +324)" source="SecurityCheck-XSS"/>
  </file>
  <file name="./includes/specials/SpecialCentralAuth.php">
    <error line="94" severity="warning" message="Calling method \CentralAuthUser::getInstanceByName() in \SpecialCentralAuth::execute that outputs using tainted argument $[arg #1]. (Caused by: ./includes/CentralAuthUser.php +132) (Caused by: ./includes/specials/SpecialCentralAuth.php +50)" source="SecurityCheck-XSS"/>
    <error line="94" severity="warning" message="Calling method \CentralAuthUser::getMasterInstanceByName() in \SpecialCentralAuth::execute that outputs using tainted argument $[arg #1]. (Caused by: ./includes/CentralAuthUser.php +160) (Caused by: ./includes/specials/SpecialCentralAuth.php +50)" source="SecurityCheck-XSS"/>
    <error line="95" severity="warning" message="Calling method \CentralAuthUser::getMasterInstanceByName() in \SpecialCentralAuth::execute that outputs using tainted argument $[arg #1]. (Caused by: ./includes/CentralAuthUser.php +160) (Caused by: ./includes/specials/SpecialCentralAuth.php +50)" source="SecurityCheck-XSS"/>
    <error line="96" severity="warning" message="Calling method \CentralAuthUser::getInstanceByName() in \SpecialCentralAuth::execute that outputs using tainted argument $[arg #1]. (Caused by: ./includes/CentralAuthUser.php +132) (Caused by: ./includes/specials/SpecialCentralAuth.php +50)" source="SecurityCheck-XSS"/>
    <error line="336" severity="warning" message="Calling method \CentralAuthUser::getName in \SpecialCentralAuth::getInfoFields that is always unsafe  (Caused by: ./includes/CentralAuthUser.php +590; ./maintenance/fixStuckGlobalRename.php +35; ./maintenance/forceRenameUsers.php +144; ./includes/CentralAuthUser.php +324)" source="SecurityCheck-XSS"/>
    <error line="337" severity="warning" message="Calling method \CentralAuthUser::getName in \SpecialCentralAuth::getInfoFields that is always unsafe  (Caused by: ./includes/CentralAuthUser.php +590; ./maintenance/fixStuckGlobalRename.php +35; ./maintenance/forceRenameUsers.php +144; ./includes/CentralAuthUser.php +324)" source="SecurityCheck-XSS"/>
    <error line="383" severity="warning" message="Calling method \OutputPage::addHTML() in \SpecialCentralAuth::showWikiLists that outputs using tainted argument $[arg #1]. (Caused by: Builtin-\OutputPage::addHTML) (Caused by: ./includes/specials/SpecialCentralAuth.php +374; ./includes/specials/SpecialCentralAuth.php +118)" source="SecurityCheck-XSS"/>
    <error line="385" severity="warning" message="Calling method \OutputPage::addHTML() in \SpecialCentralAuth::showWikiLists that outputs using tainted argument $[arg #1]. (Caused by: Builtin-\OutputPage::addHTML) (Caused by: ./includes/specials/SpecialCentralAuth.php +375; ./includes/specials/SpecialCentralAuth.php +128)" source="SecurityCheck-XSS"/>
    <error line="851" severity="warning" message="Calling method \CentralAuthUser::getName in \SpecialCentralAuth::showLogExtract that is always unsafe  (Caused by: ./includes/CentralAuthUser.php +590; ./maintenance/fixStuckGlobalRename.php +35; ./maintenance/forceRenameUsers.php +144; ./includes/CentralAuthUser.php +324)" source="SecurityCheck-XSS"/>
  </file>
  <file name="./includes/specials/SpecialCentralAutoLogin.php">
    <error line="158" severity="warning" message="Calling method \SpecialCentralAutoLogin::doFinalOutput() in \SpecialCentralAutoLogin::execute that outputs using tainted argument $json. (Caused by: ./includes/specials/SpecialCentralAutoLogin.php +643) (Caused by: ./includes/specials/SpecialCentralAutoLogin.php +151)" source="SecurityCheck-XSS"/>
    <error line="399" severity="warning" message="Calling method \CentralAuthUser::getName in \SpecialCentralAutoLogin::execute that is always unsafe  (Caused by: ./includes/CentralAuthUser.php +590; ./maintenance/fixStuckGlobalRename.php +35; ./maintenance/forceRenameUsers.php +144; ./includes/CentralAuthUser.php +324)" source="SecurityCheck-XSS"/>
    <error line="400" severity="warning" message="Calling method \CentralAuthUser::getName in \SpecialCentralAutoLogin::execute that is always unsafe  (Caused by: ./includes/CentralAuthUser.php +590; ./maintenance/fixStuckGlobalRename.php +35; ./maintenance/forceRenameUsers.php +144; ./includes/CentralAuthUser.php +324)" source="SecurityCheck-XSS"/>
    <error line="478" severity="warning" message="Calling method \CentralAuthUser::getName in \SpecialCentralAutoLogin::execute that is always unsafe  (Caused by: ./includes/CentralAuthUser.php +590; ./maintenance/fixStuckGlobalRename.php +35; ./maintenance/forceRenameUsers.php +144; ./includes/CentralAuthUser.php +324)" source="SecurityCheck-XSS"/>
    <error line="501" severity="warning" message="Calling method \CentralAuthUser::getName in \SpecialCentralAutoLogin::execute that is always unsafe  (Caused by: ./includes/CentralAuthUser.php +590; ./maintenance/fixStuckGlobalRename.php +35; ./maintenance/forceRenameUsers.php +144; ./includes/CentralAuthUser.php +324)" source="SecurityCheck-XSS"/>
    <error line="503" severity="warning" message="Calling method \CentralAuthUser::getName in \SpecialCentralAutoLogin::execute that is always unsafe  (Caused by: ./includes/CentralAuthUser.php +590; ./maintenance/fixStuckGlobalRename.php +35; ./maintenance/forceRenameUsers.php +144; ./includes/CentralAuthUser.php +324)" source="SecurityCheck-XSS"/>
    <error line="515" severity="warning" message="Calling method \CentralAuthUser::getName in \SpecialCentralAutoLogin::execute that is always unsafe  (Caused by: ./includes/CentralAuthUser.php +590; ./maintenance/fixStuckGlobalRename.php +35; ./maintenance/forceRenameUsers.php +144; ./includes/CentralAuthUser.php +324)" source="SecurityCheck-XSS"/>
    <error line="591" severity="warning" message="Calling method \Xml::encodeJsCall() in \SpecialCentralAutoLogin::execute that outputs using tainted argument $[arg #2]. (Caused by: Builtin-\Xml::encodeJsCall)" source="SecurityCheck-DoubleEscaped"/>
  </file>
  <file name="./includes/specials/SpecialCentralLogin.php">
    <error line="110" severity="warning" message="Calling method \CentralAuthUser::getName in \SpecialCentralLogin::doLoginStart that is always unsafe  (Caused by: ./includes/CentralAuthUser.php +590; ./maintenance/fixStuckGlobalRename.php +35; ./maintenance/forceRenameUsers.php +144; ./includes/CentralAuthUser.php +324)" source="SecurityCheck-XSS"/>
    <error line="120" severity="warning" message="Calling method \CentralAuthUser::getName in \SpecialCentralLogin::doLoginStart that is always unsafe  (Caused by: ./includes/CentralAuthUser.php +590; ./maintenance/fixStuckGlobalRename.php +35; ./maintenance/forceRenameUsers.php +144; ./includes/CentralAuthUser.php +324)" source="SecurityCheck-XSS"/>
    <error line="138" severity="warning" message="Calling method \CentralAuthUser::getName in \SpecialCentralLogin::doLoginStart that is always unsafe  (Caused by: ./includes/CentralAuthUser.php +590; ./maintenance/fixStuckGlobalRename.php +35; ./maintenance/forceRenameUsers.php +144; ./includes/CentralAuthUser.php +324)" source="SecurityCheck-XSS"/>
    <error line="139" severity="warning" message="Calling method \CentralAuthUser::getName in \SpecialCentralLogin::doLoginStart that is always unsafe  (Caused by: ./includes/CentralAuthUser.php +590; ./maintenance/fixStuckGlobalRename.php +35; ./maintenance/forceRenameUsers.php +144; ./includes/CentralAuthUser.php +324)" source="SecurityCheck-XSS"/>
    <error line="140" severity="warning" message="Calling method \CentralAuthUser::getName in \SpecialCentralLogin::doLoginStart that is always unsafe  (Caused by: ./includes/CentralAuthUser.php +590; ./maintenance/fixStuckGlobalRename.php +35; ./maintenance/forceRenameUsers.php +144; ./includes/CentralAuthUser.php +324)" source="SecurityCheck-XSS"/>
    <error line="242" severity="warning" message="Calling method \CentralAuthUser::getName in \SpecialCentralLogin::doLoginComplete that is always unsafe  (Caused by: ./includes/CentralAuthUser.php +590; ./maintenance/fixStuckGlobalRename.php +35; ./maintenance/forceRenameUsers.php +144; ./includes/CentralAuthUser.php +324)" source="SecurityCheck-XSS"/>
  </file>
  <file name="./includes/specials/SpecialGlobalGroupPermissions.php">
    <error line="702" severity="warning" message="Calling method \CentralAuthUser::getMasterInstanceByName() in \SpecialGlobalGroupPermissions::invalidateRightsCache that outputs using tainted argument $[arg #1]. (Caused by: ./includes/CentralAuthUser.php +160)" source="SecurityCheck-XSS"/>
  </file>
  <file name="./includes/specials/SpecialGlobalRenameQueue.php">
    <error line="278" severity="warning" message="Calling method \CentralAuthUser::getName in \SpecialGlobalRenameQueue::doViewRequest that is always unsafe  (Caused by: ./includes/CentralAuthUser.php +590; ./maintenance/fixStuckGlobalRename.php +35; ./maintenance/forceRenameUsers.php +144; ./includes/CentralAuthUser.php +324)" source="SecurityCheck-XSS"/>
    <error line="280" severity="warning" message="Calling method \CentralAuthUser::getName in \SpecialGlobalRenameQueue::doViewRequest that is always unsafe  (Caused by: ./includes/CentralAuthUser.php +590; ./maintenance/fixStuckGlobalRename.php +35; ./maintenance/forceRenameUsers.php +144; ./includes/CentralAuthUser.php +324)" source="SecurityCheck-XSS"/>
    <error line="281" severity="warning" message="Calling method \CentralAuthUser::getName in \SpecialGlobalRenameQueue::doViewRequest that is always unsafe  (Caused by: ./includes/CentralAuthUser.php +590; ./maintenance/fixStuckGlobalRename.php +35; ./maintenance/forceRenameUsers.php +144; ./includes/CentralAuthUser.php +324)" source="SecurityCheck-XSS"/>
    <error line="288" severity="warning" message="Calling method \CentralAuthUser::getName in \SpecialGlobalRenameQueue::doViewRequest that is always unsafe  (Caused by: ./includes/CentralAuthUser.php +590; ./maintenance/fixStuckGlobalRename.php +35; ./maintenance/forceRenameUsers.php +144; ./includes/CentralAuthUser.php +324)" source="SecurityCheck-XSS"/>
    <error line="300" severity="warning" message="Calling method \CentralAuthUser::getName in \SpecialGlobalRenameQueue::doViewRequest that is always unsafe  (Caused by: ./includes/CentralAuthUser.php +590; ./maintenance/fixStuckGlobalRename.php +35; ./maintenance/forceRenameUsers.php +144; ./includes/CentralAuthUser.php +324)" source="SecurityCheck-XSS"/>
  </file>
  <file name="./includes/specials/SpecialGlobalUserMerge.php">
    <error line="204" severity="warning" message="Calling method \CentralAuthUser::getName in \closure_63834ceca99e that is always unsafe  (Caused by: ./includes/CentralAuthUser.php +590; ./maintenance/fixStuckGlobalRename.php +35; ./maintenance/forceRenameUsers.php +144; ./includes/CentralAuthUser.php +324)" source="SecurityCheck-XSS"/>
  </file>
  <file name="./includes/specials/SpecialMergeAccount.php">
    <error line="109" severity="warning" message="Calling method \CentralAuthUser::getInstanceByName() in \SpecialMergeAccount::execute that outputs using tainted argument $[arg #1]. (Caused by: ./includes/CentralAuthUser.php +132) (Caused by: ./includes/specials/SpecialMergeAccount.php +60)" source="SecurityCheck-XSS"/>
  </file>
  <file name="./includes/specials/SpecialMultiLock.php">
    <error line="314" severity="warning" message="Calling method \OutputPage::addHTML() in \SpecialMultiLock::showUserTable that outputs using tainted argument $rowtext. (Caused by: Builtin-\OutputPage::addHTML) (Caused by: ./includes/specials/SpecialMultiLock.php +304; ./includes/specials/SpecialMultiLock.php +306; ./includes/specials/SpecialMultiLock.php +313; ./includes/specials/SpecialMultiLock.php +314)" source="SecurityCheck-XSS"/>
    <error line="333" severity="warning" message="Calling method \CentralAuthUser::getName in \SpecialMultiLock::getUserTableRow that is always unsafe  (Caused by: ./includes/CentralAuthUser.php +590; ./maintenance/fixStuckGlobalRename.php +35; ./maintenance/forceRenameUsers.php +144; ./includes/CentralAuthUser.php +324)" source="SecurityCheck-XSS"/>
  </file>
  <file name="./maintenance/migrateStewards.php">
    <error line="55" severity="warning" message="Calling method \CentralAuthUser::__construct() in [no method] that outputs using tainted argument $user. (Caused by: ./maintenance/fixStuckGlobalRename.php +35) (Caused by: ./maintenance/migrateStewards.php +46)" source="SecurityCheck-XSS"/>
  </file>
  <file name="./tests/phpunit/CentralAuthUserTest.php">
    <error line="23" severity="warning" message="Calling method \CentralAuthUser::getName in \CentralAuthUserTest::testGetInstance that is always unsafe  (Caused by: ./includes/CentralAuthUser.php +590; ./maintenance/fixStuckGlobalRename.php +35; ./maintenance/forceRenameUsers.php +144; ./includes/CentralAuthUser.php +324)" source="SecurityCheck-XSS"/>
    <error line="39" severity="warning" message="Calling method \CentralAuthUser::getName in \CentralAuthUserTest::testNewUnattached that is always unsafe  (Caused by: ./includes/CentralAuthUser.php +590; ./maintenance/fixStuckGlobalRename.php +35; ./maintenance/forceRenameUsers.php +144; ./includes/CentralAuthUser.php +324)" source="SecurityCheck-XSS"/>
  </file>
  <file name="./tests/phpunit/CentralAuthUserUsingDatabaseTest.php">
    <error line="22" severity="warning" message="Calling method \CentralAuthUser::getName in \CentralAuthUserUsingDatabaseTest::testBasicAttrs that is always unsafe  (Caused by: ./includes/CentralAuthUser.php +590; ./maintenance/fixStuckGlobalRename.php +35; ./maintenance/forceRenameUsers.php +144; ./includes/CentralAuthUser.php +324)" source="SecurityCheck-XSS"/>
    <error line="89" severity="warning" message="Calling method \CentralAuthUser::getName in \CentralAuthUserUsingDatabaseTest::testNewFromId that is always unsafe  (Caused by: ./includes/CentralAuthUser.php +590; ./maintenance/fixStuckGlobalRename.php +35; ./maintenance/forceRenameUsers.php +144; ./includes/CentralAuthUser.php +324)" source="SecurityCheck-XSS"/>
  </file>
</checkstyle>

Details

Related Gerrit Patches:
mediawiki/extensions/CentralAuth : masterAdd phan taint-check plugin
integration/config : masterlayout: Add seccheck for CentralAuth
mediawiki/extensions/CentralAuth : masterSpecialMultiLock: Fix phan-taint-check-plugin errors
mediawiki/extensions/CentralAuth : masterFix phan-taint-check-plugin issues in CentralAuthHooks

Event Timeline

Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMar 8 2018, 6:27 PM

Yeah, some of these are false positives (especially migrateStewards). The others need further investigation. Most likely though they are i18n messages not being escaped.

MarcoAurelio triaged this task as Normal priority.Mar 10 2018, 12:32 PM
Bawolff removed a subscriber: Ejegg.Mar 13 2018, 10:17 AM

Change 459402 had a related patch set uploaded (by Legoktm; owner: Legoktm):
[mediawiki/extensions/CentralAuth@master] Fix phan-taint-check-plugin issues in CentralAuthHooks

https://gerrit.wikimedia.org/r/459402

Change 459402 merged by jenkins-bot:
[mediawiki/extensions/CentralAuth@master] Fix phan-taint-check-plugin issues in CentralAuthHooks

https://gerrit.wikimedia.org/r/459402

Change 459408 had a related patch set uploaded (by Legoktm; owner: Legoktm):
[mediawiki/extensions/CentralAuth@master] SpecialMultiLock: Fix phan-taint-check-plugin errors

https://gerrit.wikimedia.org/r/459408

Here's where we are after my patches:

<checkstyle version="6.5">
  <file name="./includes/CentralAuthUser.php">
    <error line="288" severity="warning" message="Calling method \CentralAuthUser::getInstanceByName() in \CentralAuthUser::newFromId that outputs using tainted argument $name. (Caused by: ./includes/CentralAuthUser.php +132) (Caused by: ./includes/CentralAuthUser.php +280)" source="SecurityCheck-XSS"/>
    <error line="309" severity="warning" message="Calling method \CentralAuthUser::getMasterInstanceByName() in \CentralAuthUser::newMasterInstanceFromId that outputs using tainted argument $name. (Caused by: ./includes/CentralAuthUser.php +160) (Caused by: ./includes/CentralAuthUser.php +301)" source="SecurityCheck-XSS"/>
    <error line="324" severity="warning" message="Calling method \CentralAuthUser::__construct() in \CentralAuthUser::newFromRow that outputs using tainted argument $[arg #1]. (Caused by: ./maintenance/fixStuckGlobalRename.php +35)" source="SecurityCheck-XSS"/>
  </file>
  <file name="./includes/specials/SpecialCentralAutoLogin.php">
    <error line="591" severity="warning" message="Calling method \Xml::encodeJsCall() in \SpecialCentralAutoLogin::execute that outputs using tainted argument $[arg #2]. (Caused by: Builtin-\Xml::encodeJsCall) (Caused by: ./includes/CentralAuthHooks.php +1230)" source="SecurityCheck-DoubleEscaped"/>
  </file>
  <file name="./maintenance/migrateStewards.php">
    <error line="55" severity="warning" message="Calling method \CentralAuthUser::__construct() in [no method] that outputs using tainted argument $user. (Caused by: ./maintenance/fixStuckGlobalRename.php +35) (Caused by: ./maintenance/migrateStewards.php +46)" source="SecurityCheck-XSS"/>
  </file>
</checkstyle>

AFAICT the CentralAuthuser and migrateStewards ones are false positives.

The SpecialCentralAutoLogin one is interesting, the code is:

			// And for good measure, add the edge login HTML images to the page.
			$script .= "\n" . Xml::encodeJsCall( "jQuery( 'body' ).append", [
				CentralAuthHooks::getEdgeLoginHTML()
			] );

\Xml::encodeJsCall() is hardcoded as the second argument being self::ESCAPES_HTML...and while that's true, it's also irrelevant to whether it is being double escaped or not. Should I suppress it? (if so, it should be refactored into a smaller function so we don't have to suppress the entire execute()).

Anomie added a subscriber: Anomie.Sep 10 2018, 3:21 PM

\Xml::encodeJsCall() is hardcoded as the second argument being self::ESCAPES_HTML...and while that's true, it's also irrelevant to whether it is being double escaped or not. Should I suppress it? (if so, it should be refactored into a smaller function so we don't have to suppress the entire execute()).

Xml::encodeJsCall() escapes its $args as JSON, not HTML directly, and outputs a snippet of JavaScript code. I don't know if "escapes HTML" is all that accurate; complaining about double encoding when safed HTML is passed in certainly isn't.

In theory someone might do something like

$data = htmlspecialchars( '<b>not</b> HTML' );
$call = Xml::encodeJsCall( 'some.method', [ [ 'arg' => $data ] ] );
$elt = Html::element( 'span', [ 'onclick' => $call ], 'Click here!' );

producing

<span onclick="some.method({&quot;foo&quot;:&quot;\u0026lt;b\u0026gt;not\u0026lt;/b\u0026gt; HTML&quot;});">Click here!</span>

It's not double encoding that $data is passed to Xml::encodeJsCall() or that $call is passed to Html::element(), although it sounds like phan will complain about both if it thinks Xml::encodeJsCall() is dealing with HTML.

Xml::encodeJsCall() escapes its $args as JSON, not HTML directly, and outputs a snippet of JavaScript code. I don't know if "escapes HTML" is all that accurate;

There's a bunch of compromises in the plugin related to how JS escaping and HTML escaping work together, due to some limitations in the intelligence of the plugin.

In theory someone might do something like
$data = htmlspecialchars( '<b>not</b> HTML' );
$call = Xml::encodeJsCall( 'some.method', [ [ 'arg' => $data ] ] );
$elt = Html::element( 'span', [ 'onclick' => $call ], 'Click here!' );

Well, I would argue that's bad practise (escaping should happen when the data is used, in the example, it should happen in javascript). But you're right that it isn't double escaping. So I think I agree that it makes sense to have Xml::encodeJsCall to no longer care about double escaping.

Well, I would argue that's bad practise (escaping should happen when the data is used, in the example, it should happen in javascript).

Replace it with something like $data = Html::element( 'span', [ 'class' => $class ], $userInput ); if you want. Or $msg->parse() for that matter.

Change 522897 had a related patch set uploaded (by Daimona Eaytoy; owner: Daimona Eaytoy):
[mediawiki/extensions/CentralAuth@master] [WIP] Add phan taint-check plugin

https://gerrit.wikimedia.org/r/522897

Change 522911 had a related patch set uploaded (by Daimona Eaytoy; owner: Daimona Eaytoy):
[integration/config@master] layout: Add seccheck for CentralAuth

https://gerrit.wikimedia.org/r/522911

Daimona claimed this task.Jul 14 2019, 1:44 PM
Daimona added a subscriber: Daimona.

Now passing with taint-check 2.0.2.

Change 522911 merged by jenkins-bot:
[integration/config@master] layout: Add seccheck for CentralAuth

https://gerrit.wikimedia.org/r/522911

Mentioned in SAL (#wikimedia-releng) [2019-07-15T15:37:04Z] <James_F> Zuul: [CentralAuth] Add seccheck T189227

Change 522897 merged by jenkins-bot:
[mediawiki/extensions/CentralAuth@master] Add phan taint-check plugin

https://gerrit.wikimedia.org/r/522897

Jdforrester-WMF closed this task as Resolved.Jul 15 2019, 6:15 PM