
Security Readiness Review For Global watchlist user script
Closed, Declined | Public

Description

Project Information

Description of the tool/project: Create a functional global watchlist on the client side via the API

Description of how the tool will be used at WMF:
Currently used as a user script. Hopefully will serve as the starting point for an extension. See https://meta.wikimedia.org/wiki/Grants:Project/DannyS712/Create_a_global_watchlist_extension for more.

Dependencies

List dependencies, or upstream projects that this project relies on.

MediaWiki action API, jQuery, oojs[1]

Has this project been reviewed before?

Please link to tasks or wiki pages of previous reviews.

No

Working test environment

Please link or describe setup process for setting up a test environment.

Install the stable version of the script (currently 9.0.0) by importing it into a user's global.js on metawiki, then configure it as desired at Special:BlankPage/GlobalWatchlistConfig on meta.

Post-deployment

Name of team responsible for tool/project after deployment and primary contact.

@DannyS712

[1] The following ResourceLoader modules are loaded
* jquery.makeCollapsible
* mediawiki.util
* mediawiki.api
* mediawiki.ForeignApi
* oojs-ui-core
* oojs-ui-widgets
* oojs-ui-windows
* oojs-ui.styles.icons-movement
* oojs-ui.styles.icons-interactions
* oojs-ui.styles.icons-content
* oojs-ui.styles.icons-media
* oojs-ui.styles.icons-moderation

Event Timeline

sbassett triaged this task as Medium priority. Apr 27 2020, 3:33 PM
sbassett moved this task from Incoming to Back Orders on the secscrum board.
sbassett subscribed.

@DannyS712 - Is there any kind of deployment date or date where you wanted to publicize or "launch" this userJS? If not, this will probably be a lower-priority review for us, but hopefully we can get to it this quarter.

Ideally as soon as possible, but I know that this isn't requested by a WMF team and is lower priority.
As a note, the entire script is only 1650 lines, including almost 500 lines of i18n, so it shouldn't take as long as some other reviews (I assume)

Since the grant was approved, it may not make sense to conduct this review in full, but if there are any notes that I should bear in mind when converting this to an extension please let me know

To be honest, we should probably resolve this task and wait until the extension has been finished and a deployment date scheduled, and then file a new security review request. Sadly, given our current team resources and further complications due to COVID-19, this task would need to remain an extremely low priority for the Security-Team.

Sure. My understanding is that this needs to be security reviewed before it can be deployed, but either way I'll file a new task when the extension is (more) complete

I don't believe userJS and Gadgets have typically fallen into the category where they must have a security review before they can be "deployed". This is due in large part to there being an enormous volume of such code that spans a vast range of formality. It also isn't really viewed as "production" code, which has a very limited definition within the Wikimedia world. From an AppSec standpoint, the Security-Team tends to focus on MW core (major refactors), deployed extensions and services. And to a lesser extent, vendor code that we either self-host or vendor-host. While I think we'd love to be able to focus more on things like popular userJS and Gadgets, we just are not currently resourced to do so. And much of that wouldn't be under our direct control anyways, as both userJS and Gadgets have traditionally been managed by the community.

But yes, any new MW extension you develop that you would like deployed on Wikimedia production hardware will need a security review.