Page MenuHomePhabricator

Security Review For MediaWiki REST API infrastructure
Closed, ResolvedPublic


Project Information

Description of the tool/project

This is a set of modules in the MediaWiki core platform code for exposing RESTful API interfaces.

Description of how the tool will be used at WMF

The first API will be the Parsoid service API, and the next will be an API exposing the core functionality of MediaWiki. This review is just for the REST API infrastructure, and not for any API interfaces.


None; it's all homegrown code.

Has this project been reviewed before?


Working test environment

Should work with a base MediaWiki installation, with $wgEnableRestAPI enabled.


Core Platform Team will manage post deployment.

Event Timeline

EvanProdromou renamed this task from Security Review For {...} to Security Review For MediaWiki REST API infrastructure.Aug 8 2019, 4:21 PM
sbassett triaged this task as Medium priority.Aug 8 2019, 4:30 PM

@Reedy - could you please take a look at this one? Thanks!

Sorry, this got a little bit lost over the last few weeks.

I don't see any reason for deployment and usages of this to be blocked in terms of wider rollout. Obviously it's still actively being developed, so a little hard to follow a moving target.

It is probably prudent to revisit this at some point at the future when things are more settled and mature, and especially running some further automated scanning/tooling over the code to see if anything comes up of interest

As per our standard practice, low risk is assigned.