Page MenuHomePhabricator

Add phan-taint-check-plugin to Echo extension
Closed, ResolvedPublic

Description

Would be nice to add phan-taint-check-plugin to Echo extensions

<?xml version="1.0" encoding="ISO-8859-15"?>
<checkstyle version="6.5">
  <file name="./includes/special/SpecialNotifications.php">
    <error line="106" severity="warning" message="Calling method \OOUI\HtmlSnippet::__construct() in \SpecialNotifications::execute that outputs using tainted argument $[arg #1]. (Caused by: ../../vendor/oojs/oojs-ui/php/HtmlSnippet.php +25) (Caused by: ./includes/special/SpecialNotifications.php +72)" source="SecurityCheck-XSS"/>
    <error line="113" severity="warning" message="Calling method \OOUI\HtmlSnippet::__construct() in \SpecialNotifications::execute that outputs using tainted argument $[arg #1]. (Caused by: ../../vendor/oojs/oojs-ui/php/HtmlSnippet.php +25) (Caused by: ./includes/special/SpecialNotifications.php +72)" source="SecurityCheck-XSS"/>
    <error line="154" severity="warning" message="Calling method \OOUI\LabelWidget::__construct() in \SpecialNotifications::execute that outputs using tainted argument $[arg #1]. (Caused by: ../../vendor/oojs/oojs-ui/php/widgets/LabelWidget.php +29) (Caused by: ./includes/special/SpecialNotifications.php +150)" source="SecurityCheck-DoubleEscaped"/>
  </file>
  <file name="./scripts/generatecss.php">
    <error line="26" severity="warning" message="Echoing expression that was not html escaped (Caused by: ./scripts/generatecss.php +25; ./scripts/generatecss.php +6)" source="SecurityCheck-XSS"/>
  </file>
</checkstyle>

Event Timeline

Restricted Application added a project: Growth-Team. · View Herald TranscriptAug 21 2018, 12:20 PM
Restricted Application added a subscriber: Aklapper. · View Herald Transcript
Legoktm updated the task description. (Show Details)Sep 10 2018, 12:02 AM
Legoktm added a subscriber: Legoktm.

The SpecialNotifications::execute() false positives are because the plugin assumes that all values of an array have the same taint value, but in this case they don't, it's a big mixture.

Change 460465 had a related patch set uploaded (by Brian Wolff; owner: Brian Wolff):
[mediawiki/extensions/Echo@master] Build: Make pass phan-taint-check 1.5.0

https://gerrit.wikimedia.org/r/460465

Change 460465 merged by jenkins-bot:
[mediawiki/extensions/Echo@master] Build: Make pass phan-taint-check 1.5.0

https://gerrit.wikimedia.org/r/460465

Legoktm closed this task as Resolved.Sep 14 2018, 6:16 AM
Legoktm assigned this task to Bawolff.