
Security review major redesign of the TwoColConflict extension
Closed, Resolved, Public

Description

Project Information

Description of the tool/project

The TwoColConflict extension provides an alternative view for the edit conflict resolution page. This security review is mainly for the major redesign of the interface of the extension. The interface is internally and in the code base called SplitTwoColConflict. The main aspects of the original interface were already reviewed before the original deployment in T149808 and reside in the code under InlineTwoColConflict.

Description of how the tool will be used at WMF

The extension is currently deployed globally as a beta feature with the original InlineTwoColConflict UI. The new interface can be switched to via a config setting and should eventually replace the older interface, which would then be removed. If activated, it will show for users who have enabled it each time they run into an edit conflict using the standard wikitext editor.

Dependencies

  • None

Has this project been reviewed before?

Review of the original first version of the extension can be found here: T149808. Apart from that, review was done inside WMDE-TechWish.

Working test environment

local version

wfLoadExtension( 'TwoColConflict' );
$wgTwoColConflictUseInline = false; // to use the new interface
  • After enabling the extension, try to produce an edit conflict and then see the new conflict-resolution view.

live version

The current master with the new interface enabled can also be found here:
https://tools.wmflabs.org/wmde-editconflict-test/core/

Post-deployment / activation

WMDE-TechWish

Event Timeline

FYI: We expect the backend PHP part to be ready in roughly one week and the JS functionality in about 3 weeks.

Reedy renamed this task from Security review major redesign of the TwoColConflcit extension to Security review major redesign of the TwoColConflict extension. Sep 15 2018, 1:24 AM
Reedy changed Risk Rating from N/A to default.

@Reedy since you're at least assigned to the task already, can you give a rough estimate on when this can be worked on from your side? - Just so that we can coordinate our further plans for the rollout. - Currently we're in the last steps of implementing the JS interaction.

Hey y'all, I assume you are busy, but I was wondering if there's any chance to get a guesstimation as to when this will be done?

After a quick chat with @Reedy we can expect the review to happen during the next few working days.

Looks like GitHub is doing my job for me ;)

[Attachment: Screenshot 2018-10-20 at 16.16.15.png (69 KB)]

That's rather cryptic for people who don't have admin access to the https://github.com/wikimedia/mediawiki-extensions-TwoColConflict mirror (like most of us). Can you please share the details of this alert?

T204119 would be the appropriate task for that. TwoColConflict isn't listed on it though (but same issues).

"Access Denied: Restricted Task". Sorry, there is really nothing I can do if I'm not allowed to know what you know.

The only dependency the extension does have is (literally) PHP itself:

"require": {
	"php": ">=5.5.9"
}

All other dependencies (Phan, PHP Parallel Lint, Grunt stuff) are dev-only dependencies. Are these a problem for what this security review is about?

> "Access Denied: Restricted Task". Sorry, there is really nothing I can do if I'm not allowed to know what you know.

Why don't you have security task access? It's also hard for me to know easily who and who does not have access to restricted tasks ;)

> The only dependency the extension does have is (literally) PHP itself:
>
> "require": {
> 	"php": ">=5.5.9"
> }
>
> All other dependencies (Phan, PHP Parallel Lint, Grunt stuff) are dev-only dependencies.

Gemfile and Gemfile.lock

> Are these a problem for what this security review is about?

Nope. But they should be tidied up at some point regardless.

> Looks like GitHub is doing my job for me ;)
>
> [Attachment: Screenshot 2018-10-20 at 16.16.15.png (69 KB)]

Should be fixed, see https://gerrit.wikimedia.org/r/#/c/mediawiki/extensions/TwoColConflict/+/469051/ - do you have any other issues to report or could we consider the review to be done with that ;-)

That github part was mostly due diligence :)

I looked over a lot of the code on Friday to some extent, with the intention of coming back to it over the weekend. Unfortunately, other events meant this didn't happen, and I'm probably going to be struggling for time in the next couple of weeks with a mixture of travel and conferences, and the other ongoing stuff.

I'm happy enough to unblock your deployment for later this week and let you get on with it.