Page MenuHomePhabricator
Create Task
Maniphest T201109

Raw HTML message in ProofreadPage
Closed, ResolvedPublic
Actions

Description

			$indexlink = Linker::link( $nt, $out->msg( 'proofreadpage_source' )->text(),
						[ 'title' => $out->msg( 'proofreadpage_source_message' )->text() ] );

The deprecated Linker does not escape the text - if you switch to LinkRenderer then it will do it for you (or use ->escaped() ).

phan-taint-check-plugin is complaining about two potential SQLi's but my quick look made it seem like they were false positives. (A more thorough look would be appreciated)

<checkstyle version="6.5">
  <file name="./ProofreadPage.body.php">
    <error line="523" severity="warning" message="Calling method \Linker::link() in \ProofreadPage::prepareArticle that outputs using tainted argument $[arg #2]. (Caused by: ../../includes/Linker.php +113)" source="SecurityCheck-XSS"/>
  </file>
  <file name="./includes/Page/ProofreadPageDbConnector.php">
    <error line="37" severity="error" message="Calling method \Wikimedia\Rdbms\Database::select() in \ProofreadPage\Page\ProofreadPageDbConnector::queryCount that outputs using tainted argument $[arg #1]. (Caused by: ../../includes/libs/rdbms/database/Database.php +1638) (Caused by: ./includes/Page/ProofreadPageDbConnector.php +35; ./includes/Page/ProofreadPageDbConnector.php +37)" source="SecurityCheck-SQLInjection"/>
    <error line="37" severity="error" message="Calling method \Wikimedia\Rdbms\Database::select() in \ProofreadPage\Page\ProofreadPageDbConnector::queryCount that outputs using tainted argument $[arg #2]. (Caused by: ../../includes/libs/rdbms/database/Database.php +1638) (Caused by: ./includes/Page/ProofreadPageDbConnector.php +35; ./includes/Page/ProofreadPageDbConnector.php +37)" source="SecurityCheck-SQLInjection"/>
  </file>
</checkstyle>

Details

SubjectRepoBranchLines +/-
Uses LinkRenderer instead of the deprecated Linker classmediawiki/extensions/ProofreadPagemaster+15 -9
Customize query in gerrit

Related Objects

Event Timeline

Legoktm created this task.Aug 2 2018, 10:03 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptAug 2 2018, 10:03 PM
Legoktm added a project: ProofreadPage.Aug 2 2018, 10:03 PM
Legoktm added a subscriber: Tpt.
Tpt added a comment.Aug 3 2018, 7:19 AM

I also checked about the potential SQLi and I don't see how it could happen. All "conds" arguments are key-values where the key is a string so should be properly escaped. More values seems to always be an integer or an array of DBKey obtained by using the Title::getDBKey method. The error are maybe raised because the query is constructed in a different class than the one where the execution is called.

Tpt added a comment.Aug 4 2018, 3:03 PM

I have just made a change that uses LinkRender instead of Linker and, so, should fix the possible XSS injection https://gerrit.wikimedia.org/r/#/c/mediawiki/extensions/ProofreadPage/+/450398/

Legoktm closed this task as Resolved.Aug 20 2018, 1:31 AM
Legoktm assigned this task to Tpt.

The SQLi false positive is tracked as T201806: Using multi dimensions array in Database::select shows false positive on taint-check-plugin.

Legoktm changed the visibility from "Custom Policy" to "Public (No Login Required)".Aug 20 2018, 1:31 AM
sbassett moved this task from Wikimedia deployed to Done on the phan-taint-check-plugin board.Oct 15 2019, 6:53 PM
sbassett triaged this task as Medium priority.Oct 15 2019, 7:42 PM
chasemp added a project: Security.Feb 10 2020, 10:58 PM
chasemp removed a project: acl*security.Feb 20 2020, 8:17 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits