Page MenuHomePhabricator
Create Task
Maniphest T203490

Blocked MobileFrontend merges: Calling method \ApiMobileView::parseSectionsData in \ApiMobileView::getData that is always unsafe
Closed, ResolvedPublic
Actions

Description

A new phan-taint-plugin related error is blocking merges in MobileFrontend.

<?xml version="1.0" encoding="ISO-8859-15"?>
15:37:04 <checkstyle version="6.5">
15:37:04   <file name="./includes/api/ApiMobileView.php">
15:37:04     <error line="660" severity="warning" message="Calling method \ApiMobileView::parseSectionsData in \ApiMobileView::getData that is always unsafe  (Caused by: ./includes/api/ApiMobileView.php +550; ./includes/api/ApiMobileView.php +529; ./includes/api/ApiMobileView.php +528)" source="SecurityCheck-XSS"/>
15:37:04   </file>
15:37:04 </checkstyle>
15:37:05 Build step 'Execute shell' marked build as failure
15:37:05 [CHECKSTYLE] Collecting checkstyle analysis files...
15:37:05 [CHECKSTYLE] Searching for all files in /srv/jenkins-workspace/workspace/mwext-php70-phan-seccheck-docker that match the pattern src/seccheck-issues
15:37:05 [CHECKSTYLE] Parsing 1 file in /srv/jenkins-workspace/workspace/mwext-php70-phan-seccheck-docker
15:37:05 [CHECKSTYLE] Successfully parsed file /srv/jenkins-workspace/workspace/mwext-php70-phan-seccheck-docker/src/seccheck-issues with 1 unique warning and 0 duplicates.
15:37:05 [CHECKSTYLE] Computing warning deltas based on reference build #13268
15:37:05 [CHECKSTYLE] Ignore new warnings since this is the first valid build
15:37:05 [CHECKSTYLE] Plug-in Result: Success - no threshold has been exceeded
15:37:06 Finished: FAILURE

Details

SubjectRepoBranchLines +/-
Fix some confusion over which group of taints to mask out in various placesmediawiki/tools/phan/SecurityCheckPluginmaster+57 -23
Temporarily suppress SecurityCheck-XSS errormediawiki/extensions/MobileFrontendmaster+1 -0
Customize query in gerrit

Related Objects

Event Timeline

Jdlrobson created this task.Sep 4 2018, 5:48 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptSep 4 2018, 5:48 PM
Jdlrobson triaged this task as High priority.Sep 4 2018, 5:48 PM
Jdlrobson mentioned this in T202701: Bug: Thumbnails are incorrectly given the view-border-box class causing a minor on-load reflow (FOUC).Sep 4 2018, 5:52 PM
Bawolff subscribed.Sep 4 2018, 7:57 PM

Its a bug in the plugin. I think i know whats causing it and its next up to work on.

In the mean time you can @suppress the error

gerritbot subscribed.Sep 4 2018, 8:17 PM

Change 457994 had a related patch set uploaded (by Jdlrobson; owner: Jdlrobson):
[mediawiki/extensions/MobileFrontend@master] Temporarily suppress SecurityCheck-XSS error

https://gerrit.wikimedia.org/r/457994

gerritbot added a project: Patch-For-Review.Sep 4 2018, 8:17 PM
Jdlrobson moved this task from To Do to Ready for Signoff on the Web-Team-Backlog (Readers-Web-Kanbanana-Board-2018-19-Q1) board.Sep 4 2018, 9:49 PM
gerritbot added a comment.Sep 4 2018, 10:07 PM

Change 457994 merged by jenkins-bot:
[mediawiki/extensions/MobileFrontend@master] Temporarily suppress SecurityCheck-XSS error

https://gerrit.wikimedia.org/r/457994

ReleaseTaggerBot added a project: MW-1.32-notes (WMF-deploy-2018-09-18 (1.32.0-wmf.22)).Sep 4 2018, 11:00 PM
Jdlrobson removed projects: Patch-For-Review, Web-Team-Backlog (Readers-Web-Kanbanana-Board-2018-19-Q1).Sep 5 2018, 12:00 AM

Immediate issue resolved. The bug remains.
Thanks for the pointer @Bawolff !

gerritbot added a comment.Sep 6 2018, 12:17 AM

Change 458334 had a related patch set uploaded (by Brian Wolff; owner: Brian Wolff):
[mediawiki/tools/phan/SecurityCheckPlugin@master] Fix some confusion over which group of taints to mask out in various places

https://gerrit.wikimedia.org/r/458334

gerritbot added a project: Patch-For-Review.Sep 6 2018, 12:17 AM
Bawolff added a comment.Sep 6 2018, 12:20 AM
In T203490#4558237, @Jdlrobson wrote:

Immediate issue resolved. The bug remains.
Thanks for the pointer @Bawolff !

Thank you for your patience as we work out the kinks.

gerritbot added a comment.Sep 6 2018, 6:10 AM

Change 458334 merged by jenkins-bot:
[mediawiki/tools/phan/SecurityCheckPlugin@master] Fix some confusion over which group of taints to mask out in various places

https://gerrit.wikimedia.org/r/458334

Bawolff closed this task as Resolved.Sep 13 2018, 3:32 AM
Bawolff claimed this task.
sbassett moved this task from Backlog to Done on the phan-taint-check-plugin board.Oct 15 2019, 7:05 PM
Maintenance_bot removed a project: Patch-For-Review.Oct 15 2019, 7:18 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits