Page MenuHomePhabricator
Create Task
Maniphest T203690

phan-taint-check-plugin failing for LiquidThreads extension
Closed, ResolvedPublic
Actions

Description

LiquidThreads failing on version 1.3.0 (and on 1.4.0, but that is T203281), which now blocks merges

<?xml version="1.0" encoding="ISO-8859-15"?>
<checkstyle version="6.5">
  <file name="./classes/Thread.php">
    <error line="1304" severity="warning" message="Calling method \LqtView::formatSubject in \Thread::formattedSubject that is always unsafe  (Caused by: ./classes/View.php +2494)" source="SecurityCheck-DoubleEscaped"/>
  </file>
  <file name="./classes/View.php">
    <error line="192" severity="warning" message="Calling method \Thread::formattedSubject in \LqtView::linkInContext that is always unsafe  (Caused by: ./classes/Thread.php +1304)" source="SecurityCheck-DoubleEscaped"/>
    <error line="1733" severity="warning" message="Calling method \Thread::formattedSubject in \LqtView::showThreadHeading that is always unsafe  (Caused by: ./classes/Thread.php +1304)" source="SecurityCheck-DoubleEscaped"/>
    <error line="1739" severity="warning" message="Assigning a tainted value to a variable that later does something unsafe with it (Caused by: ./classes/View.php +1733)" source="SecurityCheck-DoubleEscaped"/>
    <error line="1740" severity="warning" message="Assigning a tainted value to a variable that later does something unsafe with it (Caused by: ./classes/View.php +1733; ./classes/View.php +1739)" source="SecurityCheck-DoubleEscaped"/>
    <error line="1741" severity="warning" message="Assigning a tainted value to a variable that later does something unsafe with it (Caused by: ./classes/View.php +1733; ./classes/View.php +1739; ./classes/View.php +1740)" source="SecurityCheck-DoubleEscaped"/>
    <error line="1747" severity="warning" message="Assigning a tainted value to a variable that later does something unsafe with it (Caused by: ./classes/View.php +1733)" source="SecurityCheck-DoubleEscaped"/>
    <error line="2176" severity="warning" message="Calling method \LqtView::showThreadHeading in \LqtView::showThread that is always unsafe  (Caused by: ./classes/View.php +1750; ./classes/View.php +1733; ./classes/View.php +1747)" source="SecurityCheck-DoubleEscaped"/>
    <error line="2176" severity="warning" message="Calling method \LqtView::showThreadHeading in \LqtView::showThread that is always unsafe  (Caused by: ./classes/View.php +1750; ./classes/View.php +1733; ./classes/View.php +1747; ./classes/View.php +1733; ./classes/View.php +1747)" source="SecurityCheck-DoubleEscaped"/>
    <error line="2176" severity="warning" message="Calling method \LqtView::showThreadHeading in \LqtView::showThread that is always unsafe  (Caused by: ./classes/View.php +1750; ./classes/View.php +1733; ./classes/View.php +1747; ./classes/View.php +1733; ./classes/View.php +1747; ./classes/View.php +1733; ./classes/View.php +1747)" source="SecurityCheck-DoubleEscaped"/>
    <error line="2181" severity="warning" message="Assigning a tainted value to a variable that later does something unsafe with it (Caused by: ./classes/View.php +2176)" source="SecurityCheck-DoubleEscaped"/>
    <error line="2189" severity="warning" message="Assigning a tainted value to a variable that later does something unsafe with it (Caused by: ./classes/View.php +2176; ./classes/View.php +2181)" source="SecurityCheck-DoubleEscaped"/>
    <error line="2195" severity="warning" message="Assigning a tainted value to a variable that later does something unsafe with it (Caused by: ./classes/View.php +2176; ./classes/View.php +2181; ./classes/View.php +2189)" source="SecurityCheck-DoubleEscaped"/>
    <error line="2209" severity="warning" message="Assigning a tainted value to a variable that later does something unsafe with it (Caused by: ./classes/View.php +2176; ./classes/View.php +2181; ./classes/View.php +2189; ./classes/View.php +2195)" source="SecurityCheck-DoubleEscaped"/>
    <error line="2259" severity="warning" message="Assigning a tainted value to a variable that later does something unsafe with it (Caused by: ./classes/View.php +2176; ./classes/View.php +2181; ./classes/View.php +2189; ./classes/View.php +2195; ./classes/View.php +2209; ./classes/View.php +2219)" source="SecurityCheck-DoubleEscaped"/>
    <error line="2279" severity="warning" message="Assigning a tainted value to a variable that later does something unsafe with it (Caused by: ./classes/View.php +2176; ./classes/View.php +2181; ./classes/View.php +2189; ./classes/View.php +2195; ./classes/View.php +2209; ./classes/View.php +2219; ./classes/View.php +2260)" source="SecurityCheck-DoubleEscaped"/>
    <error line="2284" severity="warning" message="Assigning a tainted value to a variable that later does something unsafe with it (Caused by: ./classes/View.php +2176; ./classes/View.php +2181; ./classes/View.php +2189; ./classes/View.php +2195; ./classes/View.php +2209; ./classes/View.php +2219; ./classes/View.php +2260; ./classes/View.php +2280)" source="SecurityCheck-DoubleEscaped"/>
    <error line="2290" severity="warning" message="Assigning a tainted value to a variable that later does something unsafe with it (Caused by: ./classes/View.php +2176; ./classes/View.php +2181; ./classes/View.php +2189; ./classes/View.php +2195; ./classes/View.php +2209; ./classes/View.php +2219; ./classes/View.php +2260; ./classes/View.php +2280)" source="SecurityCheck-DoubleEscaped"/>
    <error line="2494" severity="warning" message="Calling method \Linker::formatLinksInComment in \LqtView::formatSubject that is always unsafe  (Caused by: ../../includes/Linker.php +1218)" source="SecurityCheck-DoubleEscaped"/>
  </file>
  <file name="./pages/NewUserMessagesView.php">
    <error line="42" severity="warning" message="Calling method \LqtView::formatSubject in \NewUserMessagesView::getUndoButton that is always unsafe  (Caused by: ./classes/View.php +2494)" source="SecurityCheck-DoubleEscaped"/>
  </file>
  <file name="./pages/ThreadPermalinkView.php">
    <error line="108" severity="warning" message="Calling method \LqtView::showThreadHeading in \ThreadPermalinkView::showThreadHeading that is always unsafe  (Caused by: ./classes/View.php +1750; ./classes/View.php +1733; ./classes/View.php +1747; ./classes/View.php +1733; ./classes/View.php +1747; ./classes/View.php +1733; ./classes/View.php +1747)" source="SecurityCheck-DoubleEscaped"/>
  </file>
</checkstyle>

From https://gerrit.wikimedia.org/r/#/c/mediawiki/extensions/LiquidThreads/+/458319/
https://integration.wikimedia.org/ci/job/mwext-php70-phan-seccheck-docker/13563/console

Details

SubjectRepoBranchLines +/-
Update phan-taint-check to 1.5.0 and suppress 2 errorsmediawiki/extensions/LiquidThreadsmaster+8 -1
Customize query in gerrit

Related Objects

Event Timeline

Umherirrender created this task.Sep 6 2018, 4:16 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptSep 6 2018, 4:16 PM
Umherirrender updated the task description. (Show Details)Sep 6 2018, 4:23 PM
gerritbot subscribed.Sep 6 2018, 9:39 PM

Change 458596 had a related patch set uploaded (by Brian Wolff; owner: Brian Wolff):
[mediawiki/extensions/LiquidThreads@master] Update phan-taint-check to 1.5.0

https://gerrit.wikimedia.org/r/458596

gerritbot added a project: Patch-For-Review.Sep 6 2018, 9:39 PM
Bawolff added a comment.Sep 6 2018, 10:20 PM

Leaving this bug open as there were additional failures I surpressed. They seemed reasonable, except they don't show up when I run tests locally, so I have to figure out what's going on there...

gerritbot added a comment.Sep 6 2018, 10:30 PM

Change 458596 merged by jenkins-bot:
[mediawiki/extensions/LiquidThreads@master] Update phan-taint-check to 1.5.0 and suppress 2 errors

https://gerrit.wikimedia.org/r/458596

Jdforrester-WMF removed a project: Patch-For-Review.Sep 6 2018, 10:31 PM
ReleaseTaggerBot added a project: MW-1.32-notes (WMF-deploy-2018-09-18 (1.32.0-wmf.22)).Sep 6 2018, 11:00 PM
Bawolff mentioned this in T203281: phan-taint-check regression in LiquidThreads.Sep 8 2018, 3:20 AM
Daimona closed this task as Resolved.Jul 12 2019, 11:15 AM
Daimona claimed this task.
Daimona subscribed.

Done together with the 2.0.1 upgrade in https://gerrit.wikimedia.org/r/#/c/mediawiki/extensions/LiquidThreads/+/521672/.

sbassett moved this task from Backlog to Done on the phan-taint-check-plugin board.Oct 15 2019, 7:04 PM
sbassett triaged this task as Medium priority.Oct 15 2019, 7:17 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL