Page MenuHomePhabricator
Create Task
Maniphest T202383

Add phan-taint-check-plugin to Echo extension
Closed, ResolvedPublic
Actions

Description

Would be nice to add phan-taint-check-plugin to Echo extensions

<?xml version="1.0" encoding="ISO-8859-15"?>
<checkstyle version="6.5">
  <file name="./includes/special/SpecialNotifications.php">
    <error line="106" severity="warning" message="Calling method \OOUI\HtmlSnippet::__construct() in \SpecialNotifications::execute that outputs using tainted argument $[arg #1]. (Caused by: ../../vendor/oojs/oojs-ui/php/HtmlSnippet.php +25) (Caused by: ./includes/special/SpecialNotifications.php +72)" source="SecurityCheck-XSS"/>
    <error line="113" severity="warning" message="Calling method \OOUI\HtmlSnippet::__construct() in \SpecialNotifications::execute that outputs using tainted argument $[arg #1]. (Caused by: ../../vendor/oojs/oojs-ui/php/HtmlSnippet.php +25) (Caused by: ./includes/special/SpecialNotifications.php +72)" source="SecurityCheck-XSS"/>
    <error line="154" severity="warning" message="Calling method \OOUI\LabelWidget::__construct() in \SpecialNotifications::execute that outputs using tainted argument $[arg #1]. (Caused by: ../../vendor/oojs/oojs-ui/php/widgets/LabelWidget.php +29) (Caused by: ./includes/special/SpecialNotifications.php +150)" source="SecurityCheck-DoubleEscaped"/>
  </file>
  <file name="./scripts/generatecss.php">
    <error line="26" severity="warning" message="Echoing expression that was not html escaped (Caused by: ./scripts/generatecss.php +25; ./scripts/generatecss.php +6)" source="SecurityCheck-XSS"/>
  </file>
</checkstyle>

Details

Related Changes in Gerrit:
SubjectRepoBranchLines +/-
Build: Make pass phan-taint-check 1.5.0mediawiki/extensions/Echomaster+12 -0
Customize query in gerrit

Related Objects
Search...

Event Timeline

Umherirrender created this task.Aug 21 2018, 12:20 PM
Restricted Application added a project: Growth-Team. · View Herald TranscriptAug 21 2018, 12:20 PM
Restricted Application added a subscriber: Aklapper. · View Herald Transcript
Umherirrender moved this task from Backlog to Wikimedia deployed on the phan-taint-check-plugin board.Aug 21 2018, 12:22 PM
Umherirrender added a parent task: T201219: Enable phan-taint-check-plugin on all Wikimedia-deployed repositories after getting it to pass.Aug 21 2018, 12:40 PM
Legoktm updated the task description. (Show Details)Sep 10 2018, 12:02 AM
Legoktm subscribed.

The SpecialNotifications::execute() false positives are because the plugin assumes that all values of an array have the same taint value, but in this case they don't, it's a big mixture.

gerritbot subscribed.Sep 14 2018, 2:05 AM

Change 460465 had a related patch set uploaded (by Brian Wolff; owner: Brian Wolff):
[mediawiki/extensions/Echo@master] Build: Make pass phan-taint-check 1.5.0

https://gerrit.wikimedia.org/r/460465

gerritbot added a project: Patch-For-Review.Sep 14 2018, 2:05 AM
gerritbot added a comment.Sep 14 2018, 6:05 AM

Change 460465 merged by jenkins-bot:
[mediawiki/extensions/Echo@master] Build: Make pass phan-taint-check 1.5.0

https://gerrit.wikimedia.org/r/460465

Legoktm closed this task as Resolved.Sep 14 2018, 6:16 AM
Legoktm assigned this task to Bawolff.
ReleaseTaggerBot added a project: MW-1.32-notes (WMF-deploy-2018-09-18 (1.32.0-wmf.22)).Sep 14 2018, 7:00 AM
sbassett moved this task from Wikimedia deployed to Done on the phan-taint-check-plugin board.Oct 15 2019, 6:53 PM
Maintenance_bot removed a project: Patch-For-Review.Oct 15 2019, 7:13 PM
sbassett triaged this task as Medium priority.Oct 15 2019, 7:42 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits