Improve caused-by lines as seen for GlobalBlocking
Closed, ResolvedPublic
Actions

Assigned To

Authored By

	Daimona
	Mar 11 2020, 5:43 PM

Description

From T247365:

<file name="includes/GlobalBlockingHooks.php">
    <error line="187" severity="warning" message="Calling method \OutputPage::addHTML() in \GlobalBlockingHooks::onSpecialContributionsBeforeMainOutput that outputs using tainted argument $[arg #1]. (Caused by: Builtin-\OutputPage::addHTML) (Caused by: Builtin-\Html::rawElement; Builtin-\Html::rawElement; ../../includes/Html.php +210; Builtin-\Html::rawElement; Builtin-\Html::rawElement; Builtin-\Message::parseAsBlock; Builtin-\Html::rawElement; Builtin-\Html::rawElement; ../../includes/Html.php +210; Builtin-\Html::rawElement; Builtin-\Html::rawElement; includes/GlobalBlockingHooks.php +184)" source="SecurityCheck-XSS"/>
  </file>

It's as long as useless.

Details

Related Changes in Gerrit:

	Subject	Repo	Branch	Lines +/-
	Don't link parameters of functions with hardcoded taintedness	mediawiki/tools/phan/SecurityCheckPlugin	master	+134 -3
	Improve caused-by lines	mediawiki/tools/phan/SecurityCheckPlugin	master	+69 -10

Customize query in gerrit

Related Objects

Mentioned In: rMTPSb2ddd1ae03da: Don't link parameters of functions with hardcoded taintedness
rMTPS8120d02b2e1a: Improve caused-by lines
T272123: Merging to MediaWiki/extensions/CentralAuth is blocked
Mentioned Here: T247365: Add comment directive to includes/GlobalBlockingHooks.php to suppress SecurityCheck-XSS warning

Event Timeline

Daimona created this task.Mar 11 2020, 5:43 PM

Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMar 11 2020, 5:43 PM

sbassett subscribed.Mar 11 2020, 7:22 PM

Change 586098 had a related patch set uploaded (by Daimona Eaytoy; owner: Daimona Eaytoy):
[mediawiki/tools/phan/SecurityCheckPlugin@master] [WIP] Long caused-by lines

https://gerrit.wikimedia.org/r/586098

gerritbot added a project: Patch-For-Review.Apr 5 2020, 3:02 PM

r592448 helps a bit by removing some rawElement repetitions, bringing it down from

integration/long-causedby/test.php:11 SecurityCheck-XSS Calling method \A::output() in \A::main that outputs using tainted argument $[arg #1]. (Caused by: integration/long-causedby/test.php +17) (Caused by: Builtin-\Html::rawElement; Builtin-\Html::rawElement; integration/long-causedby/test.php +11; Builtin-\Html::rawElement; integration/long-causedby/test.php +11; Builtin-\Html::rawElement; integration/long-causedby/test.php +11; Builtin-\Html::rawElement; Builtin-\Html::rawElement; integration/long-causedby/test.php +11; Builtin-\Html::rawElement; integration/long-causedby/test.php +11; Builtin-\Html::rawElement; integration/long-causedby/test.php +11; Builtin-\Html::rawElement; Builtin-\Html::rawElement; integration/long-causedby/test.php +11; Builtin-\Html::rawElement; integration/long-causedby/test.php +11; Builtin-\Html::rawElement; integration/long-causedby/test.php +11)

integration/long-causedby/test.php:11 SecurityCheck-XSS Calling method \A::output() in \A::main that outputs using tainted argument $[arg #1]. (Caused by: integration/long-causedby/test.php +17) (Caused by: Builtin-\Html::rawElement; integration/long-causedby/test.php +11; Builtin-\Html::rawElement; integration/long-causedby/test.php +11; Builtin-\Html::rawElement; integration/long-causedby/test.php +11; Builtin-\Html::rawElement; integration/long-causedby/test.php +11; Builtin-\Html::rawElement; integration/long-causedby/test.php +11; Builtin-\Html::rawElement; integration/long-causedby/test.php +11; Builtin-\Html::rawElement; integration/long-causedby/test.php +11; Builtin-\Html::rawElement; integration/long-causedby/test.php +11; Builtin-\Html::rawElement; integration/long-causedby/test.php +11)

Daimona moved this task from Backlog to Plugin itself on the phan-taint-check-plugin board.Jul 9 2020, 4:00 PM

Daimona claimed this task.Jan 7 2021, 1:31 PM

Aklapper mentioned this in T272123: Merging to MediaWiki/extensions/CentralAuth is blocked.Jan 15 2021, 8:38 AM

Change 656455 had a related patch set uploaded (by Daimona Eaytoy; owner: Daimona Eaytoy):
[mediawiki/tools/phan/SecurityCheckPlugin@master] Don't link parameters of functions with hardcoded taintedness

https://gerrit.wikimedia.org/r/656455

Change 586098 merged by jenkins-bot:
[mediawiki/tools/phan/SecurityCheckPlugin@master] Improve caused-by lines

https://gerrit.wikimedia.org/r/586098

Change 656455 merged by jenkins-bot:
[mediawiki/tools/phan/SecurityCheckPlugin@master] Don't link parameters of functions with hardcoded taintedness

https://gerrit.wikimedia.org/r/656455

Jdforrester-WMF mentioned this in rMTPS8120d02b2e1a: Improve caused-by lines.Jan 21 2021, 5:50 AM

Jdforrester-WMF mentioned this in rMTPSb2ddd1ae03da: Don't link parameters of functions with hardcoded taintedness.

Maintenance_bot removed a project: Patch-For-Review.Jan 21 2021, 6:10 AM

Daimona closed this task as Resolved.Jan 21 2021, 12:21 PM

Improve caused-by lines as seen for GlobalBlockingClosed, ResolvedPublicActions

Description

Details

Related Objects

Event Timeline

Improve caused-by lines as seen for GlobalBlocking
Closed, ResolvedPublic
Actions