
Add phan-taint-check-plugin to SecurePoll extension
Closed, ResolvedPublic

Description

The SecurePoll extension has many scripts that run in global scope and uses echo in many places, which makes it complicated to add taint-check.

<?xml version="1.0" encoding="ISO-8859-15"?>
<checkstyle version="6.5">
  <!--
    Checkstyle-format findings from a taint-check run over the SecurePoll tree.
    Each <error> gives the line the finding is reported at, a severity, the
    analyzer message, and a source naming the issue class (SecurityCheck-XSS,
    SecurityCheck-SQLInjection, SecurityCheck-ShellInjection,
    SecurityCheck-DoubleEscaped). "Caused by: FILE +LINE" lists the lines the
    taint was traced through; traces ending in "..." are cut off in this output.
    In this report every SQLInjection and ShellInjection finding has severity
    "error", and every XSS and DoubleEscaped finding has severity "warning".
  -->
  <!--
    NOTE(review): the findings on lines 25, 31 and 36 carry no "Caused by" trace,
    so the echoed expressions have to be inspected directly. The file name
    suggests a web-reachable endpoint; confirm before triaging.
  -->
  <file name="./auth-api.php">
    <error line="25" severity="warning" message="Echoing expression that was not html escaped" source="SecurityCheck-XSS"/>
    <error line="31" severity="warning" message="Echoing expression that was not html escaped" source="SecurityCheck-XSS"/>
    <error line="36" severity="warning" message="Echoing expression that was not html escaped" source="SecurityCheck-XSS"/>
    <error line="42" severity="warning" message="Echoing expression that was not html escaped (Caused by: ./auth-api.php +41)" source="SecurityCheck-XSS"/>
  </file>
  <!--
    NOTE(review): the ./cli/ paths look like command-line scripts. If their echo
    output only ever reaches a terminal, the XSS warnings in this group are
    likely false positives; confirm that no script is reachable over HTTP before
    suppressing them. The SQLInjection errors still deserve individual review:
    check where the flagged query arguments actually originate.
  -->
  <file name="./cli/delete.php">
    <error line="40" severity="warning" message="Echoing expression that was not html escaped (Caused by: ./cli/delete.php +32)" source="SecurityCheck-XSS"/>
  </file>
  <file name="./cli/makeSimpleList.php">
    <error line="121" severity="error" message="Calling method \Wikimedia\Rdbms\Database::selectRowCount() in [no method] that outputs using tainted argument $[arg #1]. (Caused by: Builtin-\Wikimedia\Rdbms\Database::selectRowCount) (Caused by: ./cli/makeSimpleList.php +106)" source="SecurityCheck-SQLInjection"/>
    <error line="136" severity="error" message="Calling method \Wikimedia\Rdbms\Database::insert() in [no method] that outputs using tainted argument $insertBatch. (Caused by: ./cli/makeSimpleList.php +96; ./cli/makeSimpleList.php +94; ./cli/makeSimpleList.php +93; ./cli/makeSimpleList.php +132)" source="SecurityCheck-SQLInjection"/>
  </file>
  <file name="./cli/testDebian.php">
    <error line="18" severity="warning" message="Calling method \spRunTest() in [no method] that outputs using tainted argument $debResult. (Caused by: ./cli/testDebian.php +104) (Caused by: ./cli/testDebian.php +17)" source="SecurityCheck-XSS"/>
    <error line="29" severity="warning" message="Calling method \spRunTest() in [no method] that outputs using tainted argument $debResult. (Caused by: ./cli/testDebian.php +104) (Caused by: ./cli/testDebian.php +17; ./cli/testDebian.php +28)" source="SecurityCheck-XSS"/>
    <error line="29" severity="warning" message="Calling method \spRunTest() in [no method] that outputs using tainted argument $debResult. (Caused by: ./cli/testDebian.php +104) (Caused by: ./cli/testDebian.php +17; ./cli/testDebian.php +28; ./cli/testDebian.php +18; ./cli/testDebian.php +29)" source="SecurityCheck-XSS"/>
    <error line="106" severity="warning" message="Echoing expression that was not html escaped (Caused by: ./includes/talliers/SchulzeTallier.php +152)" source="SecurityCheck-XSS"/>
  </file>
  <file name="./cli/wm-scripts/bv2013/buildSpamTranslations.php">
    <error line="28" severity="warning" message="Echoing expression that was not html escaped" source="SecurityCheck-XSS"/>
  </file>
  <file name="./cli/wm-scripts/bv2013/doSpam.php">
    <error line="183" severity="warning" message="Echoing expression that was not html escaped (Caused by: ./cli/wm-scripts/bv2013/doSpam.php +182)" source="SecurityCheck-XSS"/>
  </file>
  <!--
    NOTE(review): from here on, many traces begin in a different script
    (./cli/makeSimpleList.php) than the file being reported. Presumably
    same-named variables in global scope are being linked across files, which
    would make these traces unreliable as evidence of a real data flow. Verify
    against the scripts themselves.
  -->
  <file name="./cli/wm-scripts/bv2013/populateEditCount.php">
    <error line="45" severity="error" message="Calling method \Wikimedia\Rdbms\Database::selectField() in [no method] that outputs using tainted argument $[arg #1]. (Caused by: Builtin-\Wikimedia\Rdbms\Database::selectField) (Caused by: ./cli/makeSimpleList.php +106; ./cli/wm-scripts/bv2013/populateEditCount.php +36; ./cli/makeSimpleList.php +93; ./cli/wm-scripts/bv2013/populateEditCount.php +45)" source="SecurityCheck-SQLInjection"/>
    <error line="57" severity="error" message="Calling method \Wikimedia\Rdbms\Database::selectField() in [no method] that outputs using tainted argument $[arg #1]. (Caused by: Builtin-\Wikimedia\Rdbms\Database::selectField) (Caused by: ./cli/makeSimpleList.php +106; ./cli/wm-scripts/bv2013/populateEditCount.php +36; ./cli/makeSimpleList.php +93; ./cli/wm-scripts/bv2013/populateEditCount.php +45; ./cli/wm-scripts/bv2013/populateEditCount.php +57)" source="SecurityCheck-SQLInjection"/>
  </file>
  <file name="./cli/wm-scripts/bv2013/voterList.php">
    <error line="41" severity="error" message="Calling method \Wikimedia\Rdbms\Database::insert() in [no method] that outputs using tainted argument $insertBatch. (Caused by: ./cli/makeSimpleList.php +96; ./cli/makeSimpleList.php +94; ./cli/makeSimpleList.php +93; ./cli/makeSimpleList.php +132; ./cli/wm-scripts/bv2013/voterList.php +35; ./cli/wm-scripts/bv2013/voterList.php +34)" source="SecurityCheck-SQLInjection"/>
  </file>
  <file name="./cli/wm-scripts/bv2015/doSpam.php">
    <error line="118" severity="warning" message="Echoing expression that was not html escaped (Caused by: ./cli/wm-scripts/bv2015/doSpam.php +112; ./cli/wm-scripts/bv2015/doSpam.php +117; ./cli/wm-scripts/bv2015/doSpam.php +112; ./cli/wm-scripts/bv2015/doSpam.php +117; ./cli/wm-scripts/bv2015/doSpam.php +112; ./cli/wm-scripts/bv2015/doSpam.php +117; ./cli/wm-scripts/bv2015/doSpam.php +112; ./cli/wm-scripts/bv2015/doSpam.php +117)" source="SecurityCheck-XSS"/>
  </file>
  <file name="./cli/wm-scripts/bv2015/populateEditCount-fixup.php">
    <error line="31" severity="error" message="Assigning a tainted value to a variable that later does something unsafe with it (Caused by: ./cli/makeSimpleList.php +106; ./cli/wm-scripts/bv2013/populateEditCount.php +36; ./cli/makeSimpleList.php +93; ./cli/wm-scripts/bv2013/populateEditCount.php +45; ./cli/wm-scripts/bv2013/populateEditCount.php +57; ./cli/wm-scripts/bv2017/populateEdi...)" source="SecurityCheck-SQLInjection"/>
    <error line="40" severity="error" message="Calling method \Wikimedia\Rdbms\Database::selectField() in [no method] that outputs using tainted argument $[arg #1]. (Caused by: Builtin-\Wikimedia\Rdbms\Database::selectField) (Caused by: ./cli/makeSimpleList.php +106; ./cli/wm-scripts/bv2013/populateEditCount.php +36; ./cli/makeSimpleList.php +93; ./cli/wm-scripts/bv2013/populateEditCount.php +45; ./cli/wm-scripts/bv2013/populateEditCount.php +57; ./cli/wm-scripts/bv2017/populateEdi...)" source="SecurityCheck-SQLInjection"/>
    <error line="54" severity="warning" message="Echoing expression that was not html escaped (Caused by: ./cli/wm-scripts/bv2015/populateEditCount-fixup.php +40; ./cli/makeSimpleList.php +93; ./cli/wm-scripts/bv2013/voterList.php +30; ./cli/wm-scripts/dumpGlobalVoterList.php +36)" source="SecurityCheck-XSS"/>
    <error line="63" severity="warning" message="Echoing expression that was not html escaped (Caused by: ./cli/makeSimpleList.php +93; ./cli/wm-scripts/bv2013/voterList.php +30; ./cli/wm-scripts/dumpGlobalVoterList.php +36)" source="SecurityCheck-XSS"/>
  </file>
  <file name="./cli/wm-scripts/bv2015/populateEditCount.php">
    <error line="36" severity="error" message="Assigning a tainted value to a variable that later does something unsafe with it (Caused by: ./cli/makeSimpleList.php +106; ./cli/wm-scripts/bv2013/populateEditCount.php +36; ./cli/makeSimpleList.php +93; ./cli/wm-scripts/bv2013/populateEditCount.php +45; ./cli/wm-scripts/bv2013/populateEditCount.php +57; ./cli/wm-scripts/bv2017/populateEdi...)" source="SecurityCheck-SQLInjection"/>
    <error line="45" severity="error" message="Calling method \Wikimedia\Rdbms\Database::selectField() in [no method] that outputs using tainted argument $[arg #1]. (Caused by: Builtin-\Wikimedia\Rdbms\Database::selectField) (Caused by: ./cli/makeSimpleList.php +106; ./cli/wm-scripts/bv2013/populateEditCount.php +36; ./cli/makeSimpleList.php +93; ./cli/wm-scripts/bv2013/populateEditCount.php +45; ./cli/wm-scripts/bv2013/populateEditCount.php +57; ./cli/wm-scripts/bv2017/populateEdi...)" source="SecurityCheck-SQLInjection"/>
    <error line="57" severity="error" message="Calling method \Wikimedia\Rdbms\Database::selectField() in [no method] that outputs using tainted argument $[arg #1]. (Caused by: Builtin-\Wikimedia\Rdbms\Database::selectField) (Caused by: ./cli/makeSimpleList.php +106; ./cli/wm-scripts/bv2013/populateEditCount.php +36; ./cli/makeSimpleList.php +93; ./cli/wm-scripts/bv2013/populateEditCount.php +45; ./cli/wm-scripts/bv2013/populateEditCount.php +57; ./cli/wm-scripts/bv2017/populateEdi...)" source="SecurityCheck-SQLInjection"/>
  </file>
  <file name="./cli/wm-scripts/bv2017/doSpam.php">
    <error line="118" severity="warning" message="Echoing expression that was not html escaped (Caused by: ./cli/wm-scripts/bv2017/doSpam.php +112; ./cli/wm-scripts/bv2017/doSpam.php +117; ./cli/wm-scripts/bv2017/doSpam.php +112; ./cli/wm-scripts/bv2017/doSpam.php +117; ./cli/wm-scripts/bv2017/doSpam.php +112; ./cli/wm-scripts/bv2017/doSpam.php +117; ./cli/wm-scripts/bv2017/doSpam.php +112; ./cli/wm-scripts/bv2017/doSpam.php +117)" source="SecurityCheck-XSS"/>
  </file>
  <file name="./cli/wm-scripts/bv2017/populateEditCount.php">
    <error line="36" severity="error" message="Assigning a tainted value to a variable that later does something unsafe with it (Caused by: ./cli/makeSimpleList.php +106; ./cli/wm-scripts/bv2013/populateEditCount.php +36; ./cli/makeSimpleList.php +93; ./cli/wm-scripts/bv2013/populateEditCount.php +45; ./cli/wm-scripts/bv2013/populateEditCount.php +57)" source="SecurityCheck-SQLInjection"/>
    <error line="45" severity="error" message="Calling method \Wikimedia\Rdbms\Database::selectField() in [no method] that outputs using tainted argument $[arg #1]. (Caused by: Builtin-\Wikimedia\Rdbms\Database::selectField) (Caused by: ./cli/makeSimpleList.php +106; ./cli/wm-scripts/bv2013/populateEditCount.php +36; ./cli/makeSimpleList.php +93; ./cli/wm-scripts/bv2013/populateEditCount.php +45; ./cli/wm-scripts/bv2013/populateEditCount.php +57; ./cli/wm-scripts/bv2017/populateEdi...)" source="SecurityCheck-SQLInjection"/>
    <error line="57" severity="error" message="Calling method \Wikimedia\Rdbms\Database::selectField() in [no method] that outputs using tainted argument $[arg #1]. (Caused by: Builtin-\Wikimedia\Rdbms\Database::selectField) (Caused by: ./cli/makeSimpleList.php +106; ./cli/wm-scripts/bv2013/populateEditCount.php +36; ./cli/makeSimpleList.php +93; ./cli/wm-scripts/bv2013/populateEditCount.php +45; ./cli/wm-scripts/bv2013/populateEditCount.php +57; ./cli/wm-scripts/bv2017/populateEdi...)" source="SecurityCheck-SQLInjection"/>
  </file>
  <file name="./cli/wm-scripts/dumpGlobalVoterList.php">
    <error line="55" severity="warning" message="Echoing expression that was not html escaped (Caused by: ./cli/wm-scripts/dumpGlobalVoterList.php +54; ./cli/wm-scripts/dumpGlobalVoterList.php +54)" source="SecurityCheck-XSS"/>
  </file>
  <!--
    NOTE(review): the only ShellInjection finding in the report, and the one to
    triage first. The trace leads from lines in
    ./includes/ballots/RadioRangeCommentBallot.php into the $args handed to
    runGpg() from encrypt(). Confirm that every element of $args is shell-escaped
    or passed as a discrete argument before the command line is built.
  -->
  <file name="./includes/crypt/Crypt.php">
    <error line="315" severity="error" message="Calling method \SecurePoll_GpgCrypt::runGpg() in \SecurePoll_GpgCrypt::encrypt that outputs using tainted argument $args. (Caused by: ./includes/crypt/Crypt.php +277) (Caused by: ./includes/crypt/Crypt.php +306; ./includes/crypt/Crypt.php +311; ./includes/crypt/Crypt.php +214; ./includes/ballots/RadioRangeCommentBallot.php +43; ./includes/ballots/RadioRangeCommentBallot.php +40; ./includes/ballots/RadioRangeCommentBallot.php...)" source="SecurityCheck-ShellInjection"/>
  </file>
  <!--
    NOTE(review): unlike the ./cli/ scripts, the next two files sit under
    ./includes/pages/ and are presumably served to browsers. Check the response
    content type and the escaping of the echoed value before treating these
    warnings as benign.
  -->
  <file name="./includes/pages/DumpPage.php">
    <error line="61" severity="warning" message="Echoing expression that was not html escaped" source="SecurityCheck-XSS"/>
  </file>
  <file name="./includes/pages/MessageDumpPage.php">
    <error line="52" severity="warning" message="Echoing expression that was not html escaped (Caused by: ./includes/pages/MessageDumpPage.php +41)" source="SecurityCheck-XSS"/>
  </file>
  <!--
    DoubleEscaped findings: the message says the HTMLForm info field already
    escapes its default value, so markup built with Html::rawElement would be
    escaped a second time. The task text tracks this file's issue as T201902.
  -->
  <file name="./includes/pages/VoterEligibilityPage.php">
    <error line="407" severity="warning" message="HTMLForm info field (non-raw) escapes default key already" source="SecurityCheck-DoubleEscaped"/>
    <error line="415" severity="warning" message="HTMLForm info field (non-raw) escapes default key already (Caused by: Builtin-\Html::rawElement; Builtin-\Html::rawElement; Builtin-\Html::rawElement)" source="SecurityCheck-DoubleEscaped"/>
    <error line="443" severity="warning" message="HTMLForm info field (non-raw) escapes default key already (Caused by: Builtin-\Html::rawElement; Builtin-\Html::rawElement; Builtin-\Html::rawElement)" source="SecurityCheck-DoubleEscaped"/>
    <error line="456" severity="warning" message="HTMLForm info field (non-raw) escapes default key already (Caused by: Builtin-\Html::rawElement; Builtin-\Html::rawElement; Builtin-\Html::rawElement)" source="SecurityCheck-DoubleEscaped"/>
    <error line="465" severity="warning" message="HTMLForm info field (non-raw) escapes default key already" source="SecurityCheck-DoubleEscaped"/>
  </file>
</checkstyle>

Please have a look or decline

The issue in VoterEligibilityPage.php is T201902

Event Timeline

Change 460211 had a related patch set uploaded (by Brian Wolff; owner: Brian Wolff):
[mediawiki/extensions/SecurePoll@master] Build: Make extension pass phan-taint-check 1.5.0

https://gerrit.wikimedia.org/r/460211

Change 460211 merged by jenkins-bot:
[mediawiki/extensions/SecurePoll@master] Build: Make extension pass phan-taint-check 1.5.0

https://gerrit.wikimedia.org/r/460211

Legoktm assigned this task to Bawolff.
sbassett triaged this task as Medium priority. Oct 15 2019, 7:32 PM