Security Review For MediaWiki REST API infrastructure
Closed, Resolved · Public

Description

Project Information

Description of the tool/project

This is a set of modules in the MediaWiki core platform code for exposing RESTful API interfaces.

Description of how the tool will be used at WMF

The first API will be the Parsoid service API, and the next will be an API exposing the core functionality of MediaWiki. This review is just for the REST API infrastructure, and not for any API interfaces.

Dependencies

None; it's all homegrown code.

Has this project been reviewed before?

No.

Working test environment

Should work with a base MediaWiki installation, with $wgEnableRestAPI enabled.

Post-deployment

Core Platform Team will manage post deployment.

Event Timeline

Restricted Application added a subscriber: Aklapper. · Aug 8 2019, 4:21 PM
EvanProdromou renamed this task from Security Review For {...} to Security Review For MediaWiki REST API infrastructure. · Aug 8 2019, 4:21 PM
sbassett triaged this task as Medium priority. · Aug 8 2019, 4:30 PM
Jcross assigned this task to Reedy. · Aug 20 2019, 5:30 PM
Jcross added a subscriber: Jcross. · Aug 20 2019, 5:33 PM

@Reedy - could you please take a look at this one? Thanks!

Reedy closed this task as Resolved. · Nov 5 2019, 9:14 PM

Sorry, this got a little bit lost over the last few weeks.

I don't see any reason for deployment and usages of this to be blocked in terms of wider rollout. Obviously it's still actively being developed, so a little hard to follow a moving target.

It is probably prudent to revisit this at some point in the future when things are more settled and mature, and especially running some further automated scanning/tooling over the code to see if anything comes up of interest.

As per our standard practice, low risk is assigned.