Page MenuHomePhabricator
Create Task
Maniphest T255291

Require HTTPS for external survey link
Closed, ResolvedPublic2 Estimated Story Points
Actions

Description

What

Currently when configuring an external survey http URLs are accepted. They should be rejected when parsing the survey configuration and fail loudly.

Background

It looks like warning/erroring on http URLs was intended to become the default, but never quite implemented fully.

Some code to support this validation is still present and the frontend part is commented out.

Acceptance criteria

Details

ProjectBranchLines +/-Subject
mediawiki/extensions/QuickSurveysmaster+78 -45QuickSurveys: Require https for external surveys.
mediawiki/extensions/QuickSurveysmaster+70 -33WIP: Adding test case.
mediawiki/extensions/QuickSurveysmaster+106 -63[DNM] Enforce external surveys are HTTPS
operations/mediawiki-configmaster+0 -4Remove unused field
Customize query in gerrit

Related Objects

Event Timeline

awight created this task.Jun 12 2020, 5:19 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJun 12 2020, 5:19 PM
gerritbot added a comment.Jun 12 2020, 5:19 PM

Change 605285 had a related patch set uploaded (by Awight; owner: Awight):
[operations/mediawiki-config@master] Remove unused field

https://gerrit.wikimedia.org/r/605285

gerritbot added a project: Patch-For-Review.Jun 12 2020, 5:19 PM
gerritbot added a comment.Jun 12 2020, 5:25 PM

Change 605285 merged by jenkins-bot:
[operations/mediawiki-config@master] Remove unused field

https://gerrit.wikimedia.org/r/605285

Maintenance_bot removed a project: Patch-For-Review.Jun 12 2020, 6:10 PM
gerritbot added a comment.Jun 12 2020, 6:19 PM

Change 605296 had a related patch set uploaded (by Awight; owner: Awight):
[mediawiki/extensions/QuickSurveys@master] [DNM] Enforce external surveys are HTTPS

https://gerrit.wikimedia.org/r/605296

gerritbot added a project: Patch-For-Review.Jun 12 2020, 6:19 PM
Jdlrobson added a project: Readers-Web-Backlog (Tracking).Jun 12 2020, 6:25 PM
awight updated the task description. (Show Details)Jun 19 2020, 8:02 AM
Jdlrobson moved this task from Backlog to Bugs on the QuickSurveys board.Apr 14 2021, 6:34 PM
Jdlrobson moved this task from Untriaged to Discuss further on the Readers-Web-Backlog (Tracking) board.Sep 29 2021, 9:12 PM
Jhernandez added a project: Trust and Safety Tools Team Backlog.Sep 30 2021, 7:51 PM
LGoto edited projects, added Readers-Web-Backlog; removed Readers-Web-Backlog (Tracking).Sep 30 2021, 9:04 PM
LGoto moved this task from Incoming to Tracking on the Readers-Web-Backlog board.
Jhernandez added a subscriber: Jhernandez.Oct 4 2021, 4:57 PM

It seems like the surveys are already classified in the backend and there was intention to show a warning in the frontend but the code is disabled with a TODO.

https://codesearch.wmcloud.org/search/?q=isInsecure&i=nope&files=&excludeFiles=&repos=

gerritbot added a comment.Oct 4 2021, 7:12 PM

Change 605296 abandoned by Jdlrobson:

[mediawiki/extensions/QuickSurveys@master] [DNM] Enforce external surveys are HTTPS

Reason:

No activity since June 2020.

https://gerrit.wikimedia.org/r/605296

Maintenance_bot removed a project: Patch-For-Review.Oct 4 2021, 8:10 PM
Jhernandez updated the task description. (Show Details)Oct 5 2021, 5:57 PM

We've chatted about this and I've updated the description, hopefully it is clearer and actionable now for folks with less context.

Jhernandez triaged this task as Medium priority.Oct 6 2021, 9:39 AM
Jhernandez moved this task from Needs triage to Ready for estimation on the Trust and Safety Tools Team Backlog board.
ARamirez_WMF set the point value for this task to 2.Oct 6 2021, 2:55 PM
ARamirez_WMF moved this task from Ready for estimation to Ready for dev on the Trust and Safety Tools Team Backlog board.Oct 6 2021, 3:00 PM
Jhernandez moved this task from Ready for dev to Kanban on the Trust and Safety Tools Team Backlog board.Oct 6 2021, 3:07 PM
Jhernandez edited projects, added Trust and Safety Tools Team Backlog (Kanban); removed Trust and Safety Tools Team Backlog.
eigyan claimed this task.Oct 13 2021, 2:58 PM
eigyan moved this task from 🎬 Ready to 💻 In Progress on the Trust and Safety Tools Team Backlog (Kanban) board.Oct 14 2021, 2:47 PM
Madalina added a project: WMF-Safety-Survey.Oct 25 2021, 5:07 PM
gerritbot added a comment.Nov 2 2021, 9:07 PM

Change 736301 had a related patch set uploaded (by Eigyan; author: Eigyan):

[mediawiki/extensions/QuickSurveys@master] WIP: Adding test case.

https://gerrit.wikimedia.org/r/736301

gerritbot added a project: Patch-For-Review.Nov 2 2021, 9:07 PM
gerritbot added a comment.Nov 9 2021, 8:16 PM

Change 736301 abandoned by Eigyan:

[mediawiki/extensions/QuickSurveys@master] WIP: Adding test case.

Reason:

Duplicate

https://gerrit.wikimedia.org/r/736301

Maintenance_bot removed a project: Patch-For-Review.Nov 9 2021, 9:11 PM
gerritbot added a comment.Nov 10 2021, 9:20 AM

Change 736300 had a related patch set uploaded (by Jhernandez; author: Eigyan):

[mediawiki/extensions/QuickSurveys@master] WIP: Adding test case.

https://gerrit.wikimedia.org/r/736300

gerritbot added a project: Patch-For-Review.Nov 10 2021, 9:20 AM
gerritbot added a comment.Nov 10 2021, 3:37 PM

Change 736301 restored by Eigyan:

[mediawiki/extensions/QuickSurveys@master] WIP: Adding test case.

https://gerrit.wikimedia.org/r/736301

gerritbot added a comment.Nov 10 2021, 5:03 PM

Change 736300 abandoned by Eigyan:

[mediawiki/extensions/QuickSurveys@master] WIP: Adding test case.

Reason:

https://gerrit.wikimedia.org/r/736300

eigyan moved this task from 💻 In Progress to 🔍 Review/Feedback on the Trust and Safety Tools Team Backlog (Kanban) board.Nov 10 2021, 6:05 PM
Jhernandez moved this task from 🔍 Review/Feedback to 💻 In Progress on the Trust and Safety Tools Team Backlog (Kanban) board.Nov 11 2021, 11:17 AM
mepps added a subscriber: mepps.Nov 15 2021, 4:04 PM

@eigyan I think this should be moved back to Review/Feedback?

eigyan moved this task from 💻 In Progress to 🔍 Review/Feedback on the Trust and Safety Tools Team Backlog (Kanban) board.Nov 16 2021, 2:07 PM
gerritbot added a comment.Nov 17 2021, 7:35 PM

Change 736301 merged by jenkins-bot:

[mediawiki/extensions/QuickSurveys@master] QuickSurveys: Require https for external surveys.

https://gerrit.wikimedia.org/r/736301

ReleaseTaggerBot added a project: MW-1.38-notes (1.38.0-wmf.12; 2021-12-06).Nov 17 2021, 8:00 PM
Jhernandez added a subscriber: ERayfield.Nov 18 2021, 11:36 AM

@ERayfield When you +2 a patch, we go back to the task it links to (if any) and check if it can be moved to the QA or signoff columns depending on the task. This one for example is just a tech task so it can be moved to Signoff directly skipping QA.

In other tasks where QA is next, the reviewer and owner should ensure the QA steps/instructions are up to date before moving it to that column.

ARamirez_WMF moved this task from 🔍 Review/Feedback to 🤘 Product Sign-off on the Trust and Safety Tools Team Backlog (Kanban) board.Nov 22 2021, 4:39 PM
Madalina closed this task as Resolved.Nov 23 2021, 4:51 PM
Madalina added a subscriber: Madalina.

Marking this as resolved

STran mentioned this in T301940: Investigate: QuickSurveys capabilities.Apr 12 2022, 6:32 AM
Mstyles mentioned this in T320992: Application Security Review Request : Updated review of QuickSurveys extension.Dec 9 2022, 8:34 PM
Content licensed under Creative Commons Attribution-ShareAlike 3.0 (CC-BY-SA) unless otherwise noted; code licensed under GNU General Public License (GPL) or other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL