Page MenuHomePhabricator
Create Task
Maniphest T249859

Unable to merge CentralAuth patches (master does not satisfy mwext-php72-phan-seccheck-docker in CI)
Closed, ResolvedPublic
Actions

Description

https://integration.wikimedia.org/ci/job/mwext-php72-phan-seccheck-docker/46078/console

00:01:36.348 <checkstyle version="6.5">
00:01:36.348   <file name="includes/specials/SpecialMultiLock.php">
00:01:36.348     <error line="342" severity="warning" message="Calling method \OutputPage::addHTML() in \SpecialMultiLock::showUserTable that outputs using tainted argument $rowtext. (Caused by: Builtin-\OutputPage::addHTML) (Caused by: includes/specials/SpecialMultiLock.php +327; includes/specials/SpecialMultiLock.php +332; includes/specials/SpecialMultiLock.php +334; includes/specials/SpecialMultiLock.php +341; includes/specials/SpecialMultiLock.php +342)" source="SecurityCheck-XSS"/>
00:01:36.348   </file>
00:01:36.348 </checkstyle>

Details

SubjectRepoBranchLines +/-
Suppress phan sec-check false positivemediawiki/extensions/CentralAuthmaster+1 -0
Customize query in gerrit

Related Objects

Event Timeline

Jdforrester-WMF triaged this task as High priority.Apr 9 2020, 6:48 PM
Jdforrester-WMF created this task.
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptApr 9 2020, 6:48 PM
DannyS712 subscribed.Apr 9 2020, 7:15 PM

Preventing merge of https://gerrit.wikimedia.org/r/#/c/mediawiki/extensions/CentralAuth/+/587619/

Krinkle subscribed.Apr 13 2020, 3:20 PM

Also preventing patches for T187154#6041485.

Krinkle renamed this task from CentralAuth master broken on mwext-php72-phan-seccheck-docker to Unable to merge CentralAuth patches (master does not satisfy mwext-php72-phan-seccheck-docker in CI).Apr 13 2020, 3:21 PM
Krinkle added a project: Platform Engineering.
Krinkle added a subscriber: WDoranWMF.

@WDoranWMF This component is currently lacking a steward. Could your team perhaps take a look as part of clinic duty?

Jdforrester-WMF added a subscriber: Daimona.Apr 13 2020, 3:38 PM
daniel edited projects, added Platform Team Workboards (Clinic Duty Team); removed Platform Engineering.Apr 14 2020, 7:39 PM
daniel moved this task from Inbox to Later on the Platform Team Workboards (Clinic Duty Team) board.
Daimona added a project: phan-taint-check-plugin.Apr 14 2020, 8:21 PM
Pchelolo assigned this task to holger.knust.Apr 15 2020, 4:43 PM
Pchelolo moved this task from Later to Ready (WIP:5) on the Platform Team Workboards (Clinic Duty Team) board.
Daimona added a comment.Apr 16 2020, 1:14 PM

FTR, this is a false positive, and it's already fixed in taint-check 3. You can just suppress it for now, and remove the suppression while upgrading taint-check.

gerritbot added a comment.Apr 16 2020, 2:17 PM

Change 589313 had a related patch set uploaded (by Jforrester; owner: Jforrester):
[mediawiki/extensions/CentralAuth@master] Suppress phan sec-check false positive

https://gerrit.wikimedia.org/r/589313

gerritbot added a project: Patch-For-Review.Apr 16 2020, 2:17 PM
Jdforrester-WMF added a comment.Apr 16 2020, 2:21 PM
In T249859#6062422, @Daimona wrote:

FTR, this is a false positive, and it's already fixed in taint-check 3. You can just suppress it for now, and remove the suppression while upgrading taint-check.

Thanks! Didn't want to blindly disable if it was a novel or more systemic issue.

gerritbot added a comment.Apr 16 2020, 2:39 PM

Change 589313 merged by jenkins-bot:
[mediawiki/extensions/CentralAuth@master] Suppress phan sec-check false positive

https://gerrit.wikimedia.org/r/589313

Jdforrester-WMF closed this task as Resolved.Apr 16 2020, 2:55 PM
Maintenance_bot removed a project: Patch-For-Review.Apr 16 2020, 3:10 PM
ReleaseTaggerBot added a project: MW-1.35-notes (1.35.0-wmf.30; 2020-04-28).Apr 16 2020, 7:01 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL