Using 1.3.0.
The following code looks safe but reports issues:
Maybe it is enough to make Title::getArticleID safe, but that looks already returning int
protected function getNewslettersWithNewsletterMainPage( $newNewsletterName ) {
$dbr = wfGetDB( DB_REPLICA );
return $dbr->selectRowCount(
'nl_newsletters',
'*',
$dbr->makeList( [
'nl_name' => $newNewsletterName,
$dbr->makeList(
[
'nl_main_page_id' => $this->content->getMainPage()->getArticleID(),
'nl_active' => 1
], LIST_AND )
], LIST_OR )
);
}<?xml version="1.0" encoding="ISO-8859-15"?>
<checkstyle version="6.5">
<file name="./includes/content/NewsletterDataUpdate.php">
<error line="31" severity="error" message="Calling method \Wikimedia\Rdbms\Database::selectRowCount() in \NewsletterDataUpdate::getNewslettersWithNewsletterMainPage that outputs using tainted argument $[arg #3]. (Caused by: ../../includes/Title.php +3535; ../../includes/Title.php +3528; ../../includes/Title.php +3532)" source="SecurityCheck-SQLInjection"/>
</file>
</checkstyle>