Page MenuHomePhabricator

phan-taint-check-plugin failing for LiquidThreads extension
Closed, ResolvedPublic

Description

LiquidThreads failing on version 1.3.0 (and on 1.4.0, but that is T203281), which now blocks merges

<?xml version="1.0" encoding="ISO-8859-15"?>
<checkstyle version="6.5">
  <file name="./classes/Thread.php">
    <error line="1304" severity="warning" message="Calling method \LqtView::formatSubject in \Thread::formattedSubject that is always unsafe  (Caused by: ./classes/View.php +2494)" source="SecurityCheck-DoubleEscaped"/>
  </file>
  <file name="./classes/View.php">
    <error line="192" severity="warning" message="Calling method \Thread::formattedSubject in \LqtView::linkInContext that is always unsafe  (Caused by: ./classes/Thread.php +1304)" source="SecurityCheck-DoubleEscaped"/>
    <error line="1733" severity="warning" message="Calling method \Thread::formattedSubject in \LqtView::showThreadHeading that is always unsafe  (Caused by: ./classes/Thread.php +1304)" source="SecurityCheck-DoubleEscaped"/>
    <error line="1739" severity="warning" message="Assigning a tainted value to a variable that later does something unsafe with it (Caused by: ./classes/View.php +1733)" source="SecurityCheck-DoubleEscaped"/>
    <error line="1740" severity="warning" message="Assigning a tainted value to a variable that later does something unsafe with it (Caused by: ./classes/View.php +1733; ./classes/View.php +1739)" source="SecurityCheck-DoubleEscaped"/>
    <error line="1741" severity="warning" message="Assigning a tainted value to a variable that later does something unsafe with it (Caused by: ./classes/View.php +1733; ./classes/View.php +1739; ./classes/View.php +1740)" source="SecurityCheck-DoubleEscaped"/>
    <error line="1747" severity="warning" message="Assigning a tainted value to a variable that later does something unsafe with it (Caused by: ./classes/View.php +1733)" source="SecurityCheck-DoubleEscaped"/>
    <error line="2176" severity="warning" message="Calling method \LqtView::showThreadHeading in \LqtView::showThread that is always unsafe  (Caused by: ./classes/View.php +1750; ./classes/View.php +1733; ./classes/View.php +1747)" source="SecurityCheck-DoubleEscaped"/>
    <error line="2176" severity="warning" message="Calling method \LqtView::showThreadHeading in \LqtView::showThread that is always unsafe  (Caused by: ./classes/View.php +1750; ./classes/View.php +1733; ./classes/View.php +1747; ./classes/View.php +1733; ./classes/View.php +1747)" source="SecurityCheck-DoubleEscaped"/>
    <error line="2176" severity="warning" message="Calling method \LqtView::showThreadHeading in \LqtView::showThread that is always unsafe  (Caused by: ./classes/View.php +1750; ./classes/View.php +1733; ./classes/View.php +1747; ./classes/View.php +1733; ./classes/View.php +1747; ./classes/View.php +1733; ./classes/View.php +1747)" source="SecurityCheck-DoubleEscaped"/>
    <error line="2181" severity="warning" message="Assigning a tainted value to a variable that later does something unsafe with it (Caused by: ./classes/View.php +2176)" source="SecurityCheck-DoubleEscaped"/>
    <error line="2189" severity="warning" message="Assigning a tainted value to a variable that later does something unsafe with it (Caused by: ./classes/View.php +2176; ./classes/View.php +2181)" source="SecurityCheck-DoubleEscaped"/>
    <error line="2195" severity="warning" message="Assigning a tainted value to a variable that later does something unsafe with it (Caused by: ./classes/View.php +2176; ./classes/View.php +2181; ./classes/View.php +2189)" source="SecurityCheck-DoubleEscaped"/>
    <error line="2209" severity="warning" message="Assigning a tainted value to a variable that later does something unsafe with it (Caused by: ./classes/View.php +2176; ./classes/View.php +2181; ./classes/View.php +2189; ./classes/View.php +2195)" source="SecurityCheck-DoubleEscaped"/>
    <error line="2259" severity="warning" message="Assigning a tainted value to a variable that later does something unsafe with it (Caused by: ./classes/View.php +2176; ./classes/View.php +2181; ./classes/View.php +2189; ./classes/View.php +2195; ./classes/View.php +2209; ./classes/View.php +2219)" source="SecurityCheck-DoubleEscaped"/>
    <error line="2279" severity="warning" message="Assigning a tainted value to a variable that later does something unsafe with it (Caused by: ./classes/View.php +2176; ./classes/View.php +2181; ./classes/View.php +2189; ./classes/View.php +2195; ./classes/View.php +2209; ./classes/View.php +2219; ./classes/View.php +2260)" source="SecurityCheck-DoubleEscaped"/>
    <error line="2284" severity="warning" message="Assigning a tainted value to a variable that later does something unsafe with it (Caused by: ./classes/View.php +2176; ./classes/View.php +2181; ./classes/View.php +2189; ./classes/View.php +2195; ./classes/View.php +2209; ./classes/View.php +2219; ./classes/View.php +2260; ./classes/View.php +2280)" source="SecurityCheck-DoubleEscaped"/>
    <error line="2290" severity="warning" message="Assigning a tainted value to a variable that later does something unsafe with it (Caused by: ./classes/View.php +2176; ./classes/View.php +2181; ./classes/View.php +2189; ./classes/View.php +2195; ./classes/View.php +2209; ./classes/View.php +2219; ./classes/View.php +2260; ./classes/View.php +2280)" source="SecurityCheck-DoubleEscaped"/>
    <error line="2494" severity="warning" message="Calling method \Linker::formatLinksInComment in \LqtView::formatSubject that is always unsafe  (Caused by: ../../includes/Linker.php +1218)" source="SecurityCheck-DoubleEscaped"/>
  </file>
  <file name="./pages/NewUserMessagesView.php">
    <error line="42" severity="warning" message="Calling method \LqtView::formatSubject in \NewUserMessagesView::getUndoButton that is always unsafe  (Caused by: ./classes/View.php +2494)" source="SecurityCheck-DoubleEscaped"/>
  </file>
  <file name="./pages/ThreadPermalinkView.php">
    <error line="108" severity="warning" message="Calling method \LqtView::showThreadHeading in \ThreadPermalinkView::showThreadHeading that is always unsafe  (Caused by: ./classes/View.php +1750; ./classes/View.php +1733; ./classes/View.php +1747; ./classes/View.php +1733; ./classes/View.php +1747; ./classes/View.php +1733; ./classes/View.php +1747)" source="SecurityCheck-DoubleEscaped"/>
  </file>
</checkstyle>

From https://gerrit.wikimedia.org/r/#/c/mediawiki/extensions/LiquidThreads/+/458319/
https://integration.wikimedia.org/ci/job/mwext-php70-phan-seccheck-docker/13563/console

Event Timeline

Restricted Application added a subscriber: Aklapper. · View Herald TranscriptSep 6 2018, 4:16 PM
Umherirrender updated the task description. (Show Details)Sep 6 2018, 4:23 PM

Change 458596 had a related patch set uploaded (by Brian Wolff; owner: Brian Wolff):
[mediawiki/extensions/LiquidThreads@master] Update phan-taint-check to 1.5.0

https://gerrit.wikimedia.org/r/458596

Leaving this bug open as there were additional failures I surpressed. They seemed reasonable, except they don't show up when I run tests locally, so I have to figure out what's going on there...

Change 458596 merged by jenkins-bot:
[mediawiki/extensions/LiquidThreads@master] Update phan-taint-check to 1.5.0 and suppress 2 errors

https://gerrit.wikimedia.org/r/458596

Daimona closed this task as Resolved.Jul 12 2019, 11:15 AM
Daimona claimed this task.
Daimona added a subscriber: Daimona.
sbassett triaged this task as Normal priority.Tue, Oct 15, 7:17 PM