Page MenuHomePhabricator

Add phan-taint-check-plugin to Translate extension
Closed, ResolvedPublic

Description

Would be nice to add phan-taint-check-plugin to Translate extensions

<?xml version="1.0" encoding="ISO-8859-15"?>
<checkstyle version="6.5">
  <file name="./specials/SpecialTranslationStats.php">
    <error line="208" severity="warning" message="Calling method \Html::element() in \SpecialTranslationStats::form that outputs using tainted argument $[arg #3]. (Caused by: Builtin-\Html::element) (Caused by: ./specials/SpecialTranslationStats.php +199; ./specials/SpecialTranslationStats.php +203; ./specials/SpecialTranslationStats.php +206)" source="SecurityCheck-DoubleEscaped"/>
    <error line="209" severity="warning" message="Calling method \Html::element() in \SpecialTranslationStats::form that outputs using tainted argument $[arg #3]. (Caused by: Builtin-\Html::element) (Caused by: ./specials/SpecialTranslationStats.php +199; ./specials/SpecialTranslationStats.php +203; ./specials/SpecialTranslationStats.php +206)" source="SecurityCheck-DoubleEscaped"/>
    <error line="210" severity="warning" message="Calling method \Html::element() in \SpecialTranslationStats::form that outputs using tainted argument $[arg #3]. (Caused by: Builtin-\Html::element) (Caused by: ./specials/SpecialTranslationStats.php +199; ./specials/SpecialTranslationStats.php +203; ./specials/SpecialTranslationStats.php +206)" source="SecurityCheck-DoubleEscaped"/>
  </file>
  <file name="./tag/PageTranslationLogFormatter.php">
    <error line="77" severity="warning" message="Calling method \LogFormatter::getComment in \PageTranslationLogFormatter::getComment that is always unsafe  (Caused by: ../../includes/logging/LogFormatter.php +706; ../../includes/logging/LogFormatter.php +703)" source="SecurityCheck-DoubleEscaped"/>
  </file>
  <file name="./utils/MessageWebImporter.php">
    <error line="362" severity="warning" message="Calling method \OutputPage::addHTML() in \MessageWebImporter::execute that outputs using tainted argument $[arg #1]. (Caused by: Builtin-\OutputPage::addHTML) (Caused by: ./utils/MessageWebImporter.php +293; ./utils/MessageWebImporter.php +281; ./utils/MessageWebImporter.php +301; ./utils/MessageWebImporter.php +361)" source="SecurityCheck-XSS"/>
    <error line="376" severity="warning" message="Calling method \OutputPage::addHTML() in \MessageWebImporter::execute that outputs using tainted argument $[arg #1]. (Caused by: Builtin-\OutputPage::addHTML) (Caused by: ./utils/MessageWebImporter.php +293; ./utils/MessageWebImporter.php +281; ./utils/MessageWebImporter.php +301; ./utils/MessageWebImporter.php +361)" source="SecurityCheck-XSS"/>
  </file>
</checkstyle>

Issues in PageTranslationLogFormatter.php is T201565

Event Timeline

Restricted Application added a subscriber: Aklapper. · View Herald TranscriptAug 21 2018, 11:32 AM
Nikerabbit triaged this task as Normal priority.Aug 30 2018, 9:54 AM

Change 456812 had a related patch set uploaded (by Legoktm; owner: Legoktm):
[integration/config@master] seccheck for Translate

https://gerrit.wikimedia.org/r/456812

Change 456812 merged by jenkins-bot:
[integration/config@master] seccheck for Translate

https://gerrit.wikimedia.org/r/456812

Legoktm closed this task as Resolved.Sep 1 2018, 7:18 AM
Legoktm assigned this task to Bawolff.