CI Phan check blocking CentralNotice patches
Closed, ResolvedPublic
Actions

Description

I don't know what changed to cause this... See https://integration.wikimedia.org/ci/job/mwext-php72-phan-docker/59603/console for details. Many thanks in advance for any input!!!

Details

	Subject	Repo	Branch	Lines +/-
	Suppress DoubleEscaped phan warning in CentralNoticePageLogPager	mediawiki/extensions/CentralNotice	master	+3 -0

Customize query in gerrit

Event Timeline

AndyRussG created this task.Jun 18 2020, 7:52 PM

Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJun 18 2020, 7:52 PM

Could you link to the patch?

https://gerrit.wikimedia.org/r/#/c/606371/

[You can find the patch set of the output by looking at the status page in the left navigation]

Judging from the caused-by lines, this seems a false positive that can be suppressed. Taint-check is probably confused by CommentStore::createComment, which puts an escaped value in CommentStoreComment::text before inserting the value in the DB. However, in the read context of CentralNoticePageLogPager the value should be considered tainted, and thus escaped.

The underlying issue should probably be resolved by putting in CommentStoreComment::text values with consistent levels of escaping. IMHO the property should hold unsafe strings, so it's the core call to truncateForVisual that should be changed. Even more: Language::truncateForVisual probably shouldn't return an escaped string. Currently, it does so because it's using $ellipsis = wfMessage( 'ellipsis' )->inLanguage( $this )->escaped(); (in truncateInternal), but other than that, it's not escaping anything else in its return value. Instead, truncateInternal should return an unsafe string, and escaping should be up to the caller.

sbassett removed a project: Security-Team.Jun 22 2020, 3:11 PM

• DStrine moved this task from Triage to Current Sprint on the Fundraising-Backlog board.Jun 22 2020, 8:00 PM

• DStrine added a project: Fundraising Sprint Lazy Loading Life.

Change 607149 had a related patch set uploaded (by AndyRussG; owner: AndyRussG):
[mediawiki/extensions/CentralNotice@master] Suppress DoubleEscaped phan warning in CentralNoticePageLogPager

https://gerrit.wikimedia.org/r/607149

gerritbot added a project: Patch-For-Review.Jun 22 2020, 11:56 PM

Change 607149 merged by Ejegg:
[mediawiki/extensions/CentralNotice@master] Suppress DoubleEscaped phan warning in CentralNoticePageLogPager

https://gerrit.wikimedia.org/r/607149

AndyRussG moved this task from Backlog to Pending Deployment on the Fundraising Sprint Lazy Loading Life board.Jun 23 2020, 12:50 AM

AndyRussG moved this task from Pending Deployment to Done on the Fundraising Sprint Lazy Loading Life board.

ReleaseTaggerBot added a project: MW-1.35-notes (1.35.0-wmf.38; 2020-06-23).Jun 23 2020, 1:00 AM

Maintenance_bot removed a project: Patch-For-Review.Jun 23 2020, 1:10 AM

• DStrine closed this task as Resolved.Jun 23 2020, 8:11 PM