Page MenuHomePhabricator
Create Task
Maniphest T195017

Renameuser extension does not pass phan-taint-check 1.2.0
Closed, ResolvedPublic
Actions

Description

<checkstyle version="6.5">
  <file name="./maintenance/renameUserCleanup.php">
    <error line="320" severity="error" message="Calling method \Wikimedia\Rdbms\Database::update() in \RenameUserCleanup::updateTable that outputs using tainted argument $updateCondsWithTime. (Caused by: ./maintenance/renameUserCleanup.php +319)" source="SecurityCheck-SQLInjection"/>
  </file>
</checkstyle>
In T182599#3975418, @Bawolff wrote:

However, Renameuser has a bunch of additional failures when run against the master branch of phan-taint-check. Basically RenameUserJob takes the table name and various column names for the sql queries from the job parameters, and since phan has no way of knowing if the job parameters are sane, this triggers sql injection warnings. Could probably be fixed by adding much $dbw->addIdentifierQuotes, or maybe we should just suppress errors on that method.

Related Objects
Search...

Event Timeline

Umherirrender created this task.May 18 2018, 8:11 PM
Umherirrender triaged this task as Medium priority.
Umherirrender mentioned this in T182599: Make jenkins run phan-taint-check-plugin non-voting and then voting.
Vvjjkkii renamed this task from Renameuser extension does not pass phan-taint-check 1.2.0 to 6pcaaaaaaa.Jul 1 2018, 1:09 AM
Vvjjkkii raised the priority of this task from Medium to High.
Vvjjkkii added projects: CheckUser, Connected-Open-Heritage-Batch-uploads (RAÄ-KMB_1_2017-02), Tamil-Sites, Gamepress, Hashtags, Jade, KartoEditor, Language-2018-Apr-June, New-Editor-Experiences, Mail, TCB-Team (now WMDE-TechWish).
Vvjjkkii updated the task description. (Show Details)
Vvjjkkii removed a subscriber: Aklapper.
CommunityTechBot renamed this task from 6pcaaaaaaa to Renameuser extension does not pass phan-taint-check 1.2.0.Jul 2 2018, 4:52 AM
CommunityTechBot lowered the priority of this task from High to Medium.
CommunityTechBot updated the task description. (Show Details)
CommunityTechBot removed projects: TCB-Team (now WMDE-TechWish), Mail, New-Editor-Experiences, Language-2018-Apr-June, KartoEditor, Jade, Hashtags, Gamepress, Tamil-Sites, Connected-Open-Heritage-Batch-uploads (RAÄ-KMB_1_2017-02), CheckUser.
CommunityTechBot added a subscriber: Aklapper.
Bawolff closed this task as Resolved.Jul 5 2018, 6:33 PM
Bawolff claimed this task.

Not sure what this is about, but after https://gerrit.wikimedia.org/r/#/c/mediawiki/extensions/Renameuser/+/410876/ and https://gerrit.wikimedia.org/r/#/c/mediawiki/extensions/Renameuser/+/424495/ seems like it works fine.

Locally, it also seems like it works fine with current master of phan-taint-check

sbassett moved this task from Backlog to Done on the phan-taint-check-plugin board.Oct 15 2019, 7:06 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits