Security Review For MediaWiki REST API infrastructure
Closed, ResolvedPublic
Actions

Assigned To

Authored By

	EvanProdromou
	Aug 8 2019, 4:21 PM

Description

Project Information

Name of tool/project: MediaWiki REST API router interface
Project home page: https://phabricator.wikimedia.org/T221177
Name of team requesting review: Core Platform
Primary contact: Evan Prodromou (eprodromou@wikimedia.org)
Target date for deployment: Sep 15 2019
Link to code repository / patchset: https://gerrit.wikimedia.org/r/#/c/mediawiki/core/+/508972/

Description of the tool/project

This is a set of modules in the MediaWiki core platform code for exposing RESTful API interfaces.

Description of how the tool will be used at WMF

The first API will be the Parsoid service API, and the next will be an API exposing the core functionality of MediaWiki. This review is just for the REST API infrastructure, and not for any API interfaces.

Dependencies

None; it's all homegrown code.

Has this project been reviewed before?

No.

Working test environment

Should work with a base MediaWiki installation, with $wgEnableRestAPI enabled.

Post-deployment

Core Platform Team will manage post deployment.

Related Objects

Mentioned In: T227209: Security Review For Parsoid-PHP
Mentioned Here: T221177: REST route handler extension interface RFC

Event Timeline

EvanProdromou created this task.Aug 8 2019, 4:21 PM

Restricted Application added a subscriber: Aklapper. · View Herald TranscriptAug 8 2019, 4:21 PM

EvanProdromou renamed this task from Security Review For {...} to Security Review For MediaWiki REST API infrastructure.Aug 8 2019, 4:21 PM

sbassett triaged this task as Medium priority.Aug 8 2019, 4:30 PM

• Jcross assigned this task to Reedy.Aug 20 2019, 5:30 PM

@Reedy - could you please take a look at this one? Thanks!

sbassett moved this task from Incoming to In Progress on the deprecated-security-team-reviews board.Sep 3 2019, 4:55 PM

sbassett mentioned this in T227209: Security Review For Parsoid-PHP.Sep 11 2019, 9:56 PM

Sorry, this got a little bit lost over the last few weeks.

I don't see any reason for deployment and usages of this to be blocked in terms of wider rollout. Obviously it's still actively being developed, so a little hard to follow a moving target.

It is probably prudent to revisit this at some point at the future when things are more settled and mature, and especially running some further automated scanning/tooling over the code to see if anything comes up of interest

As per our standard practice, low risk is assigned.

sbassett moved this task from In Progress to Done on the deprecated-security-team-reviews board.Nov 6 2019, 8:06 PM

• chasemp removed a project: deprecated-security-team-reviews.Jan 8 2020, 4:15 PM

• chasemp added a project: Application Security Reviews.Jan 8 2020, 4:39 PM

• chasemp moved this task from Incoming to Our Part Is Done on the Application Security Reviews board.Jan 8 2020, 4:43 PM

• chasemp added a project: secscrum.Mar 10 2020, 8:11 PM

• chasemp moved this task from Incoming to Our Part Is Done on the secscrum board.Mar 10 2020, 8:19 PM