
Create a web demo for phan taint-check
Open, Low, Public

Description

Perhaps https://phan.github.io/demo/ can be used for a start. The demo should do the exact same things, with two differences:

  • it should load taint-check
  • it should hide all non-taint-check issues.

Event Timeline

Daimona created this task. Jul 7 2020, 11:10 AM
Restricted Application added a subscriber: Aklapper. Jul 7 2020, 11:10 AM
Daimona triaged this task as Low priority. Jul 9 2020, 3:00 PM

Tried this on toolforge. It's not straightforward, because:

  • We need to import a few dependencies (most notably ace editor) due to CSP
  • We need to fiddle with the demo source to make it work (see https://github.com/phan/demo/issues/11)
  • Most importantly, the demo is based on Emscripten, which is not installed there.
Daimona closed this task as Resolved. Nov 24 2020, 10:26 PM
Daimona claimed this task.

https://taintcheck.toolforge.org/

Served you are, my young padawan.

> https://taintcheck.toolforge.org/
>
> Served you are, my young padawan.

For future reference, this was achieved by:

  • Forking https://phan.github.io/demo/
  • Applying some changes tracked on the fork repo on github:
    • Cosmetic changes (avoid external images, mention that it's a fork, mention taint-check, use a different example, etc.)
    • Backend changes (download taint-check as well, embed it in emscripten, etc.)
  • My fork on github is always up-to-date with the tool on toolforge
  • You can set up everything by running build.sh
    • On toolforge this took 74 minutes, so running it often is not exactly fun
  • I had to implant some horrible hacks in emscripten because it requires Python 3.6+ (toolforge has 3.5.3 and I didn't want to build python from source)
    • These hacks are mentioned in a MEMO file in the tool's $HOME

Change 643548 had a related patch set uploaded (by Legoktm; owner: Legoktm):
[integration/config@master] Create image for building phan-taint-check-plugin demo

https://gerrit.wikimedia.org/r/643548

Change 643549 had a related patch set uploaded (by Legoktm; owner: Legoktm):
[integration/config@master] Run new mw-tools-phan-demos-publish job postmerge

https://gerrit.wikimedia.org/r/643549

Change 643548 merged by jenkins-bot:
[integration/config@master] Create image for building phan-taint-check-plugin demo

https://gerrit.wikimedia.org/r/643548

Change 643549 merged by jenkins-bot:
[integration/config@master] Run new mw-tools-phan-demos-publish job postmerge

https://gerrit.wikimedia.org/r/643549

So... https://doc.wikimedia.org/mediawiki-tools-phan-SecurityCheckPlugin/master/demos/ exists! It'll get updated whenever a new commit is merged in phan-taint-check-plugin (takes ~15 min but we can speed it up a lot).

Except it seems to be getting blocked by CSP: Content Security Policy: The page’s settings blocked the loading of a resource at blob:https://doc.wikimedia.org/f8ce60d3-f6e6-4f98-b42b-ab1c401856fc (“script-src”).

Do we need to adjust a CSP rule for this?

Notes on how to speed up the build:

  • Keep the tarballs in $XDG_CACHE_HOME so we don't need to redownload them every time.
  • The emscripten build of PHP7 also seems safe to cache (invalidate on the PHP version or emscripten version changing?), which would probably be the biggest speedup if getting the invalidation right isn't too hard.

It would be nice to move this into the repo itself since it seems a bit tightly integrated with the manual file list. I *think* we could get away with only keeping copies of our files and then relying on the main phan/demo repo for the C and other stuff?
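The tarball-caching idea above, worked through as an added example (not the demo's own build.sh, and the cache layout and checksum pinning are my assumptions): entries live under $XDG_CACHE_HOME, are keyed by the download URL so a PHP or Emscripten version bump invalidates them on its own, and are only reused when they still match a pinned SHA-256, so a corrupted or tampered cache entry is refetched rather than compiled into the demo. The `demo()` function runs the whole flow offline against a constructed file:// "tarball".

```python
"""Keep build tarballs in $XDG_CACHE_HOME and reuse them across builds only
when they still match a pinned SHA-256. Added example for this task, not the
demo's own build.sh; cache layout and the pinning scheme are assumptions."""
from __future__ import annotations

import hashlib
import os
import pathlib
import shutil
import tempfile
import urllib.request


def cache_dir() -> pathlib.Path:
    """$XDG_CACHE_HOME/phan-demo, falling back to ~/.cache as the XDG spec says."""
    base = os.environ.get("XDG_CACHE_HOME") or os.path.join(os.path.expanduser("~"), ".cache")
    return pathlib.Path(base) / "phan-demo"


def sha256_of(path: pathlib.Path) -> str:
    """Stream the file through SHA-256 so large tarballs are not read into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def cached_fetch(url: str, expected_sha256: str,
                 cache: pathlib.Path | None = None) -> tuple[pathlib.Path, bool]:
    """Return (path, downloaded).

    The cache entry is keyed by the URL, so bumping the PHP or Emscripten
    version in the URL naturally invalidates it. A cached file that no longer
    matches the pin is discarded and refetched; a fresh download that does not
    match is deleted and the build fails instead of continuing with it."""
    cache = cache or cache_dir()
    cache.mkdir(parents=True, exist_ok=True)
    key = hashlib.sha256(url.encode()).hexdigest()[:16]
    target = cache / f"{key}-{os.path.basename(url)}"
    if target.exists():
        if sha256_of(target) == expected_sha256:
            return target, False
        target.unlink()  # stale or corrupt entry: never reuse it
    partial = target.with_name(target.name + ".part")
    with urllib.request.urlopen(url) as resp, open(partial, "wb") as out:
        shutil.copyfileobj(resp, out)
    if sha256_of(partial) != expected_sha256:
        partial.unlink()
        raise ValueError(f"checksum mismatch for {url}")
    partial.replace(target)  # only a verified file ever gets the final name
    return target, True


def demo() -> dict[str, bool]:
    """Exercise the cache offline against a constructed file:// 'tarball'."""
    with tempfile.TemporaryDirectory() as tmp:
        src = pathlib.Path(tmp) / "php-7.4.0.tar.gz"  # constructed, not a real tarball
        src.write_bytes(b"constructed tarball contents")
        pin = sha256_of(src)
        cache = pathlib.Path(tmp) / "cache"
        url = src.as_uri()
        _, first = cached_fetch(url, pin, cache)
        path, second = cached_fetch(url, pin, cache)
        path.write_bytes(b"tampered")  # corrupt the cache entry behind the build's back
        _, third = cached_fetch(url, pin, cache)
        try:
            cached_fetch(url, "0" * 64, cache)
            bad_pin_rejected = False
        except ValueError:
            bad_pin_rejected = True
        return {
            "first_downloads": first,
            "second_hits_cache": not second,
            "tampered_refetched": third,
            "bad_pin_rejected": bad_pin_rejected,
            "no_leftover_partial": not any(p.suffix == ".part" for p in cache.iterdir()),
        }


if __name__ == "__main__":
    print(demo())
```

The same pin table can drive the Emscripten build of PHP: hash the PHP tarball digest together with the Emscripten version into the cache key for the compiled artifact, and the build recompiles exactly when either changes.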

> So... https://doc.wikimedia.org/mediawiki-tools-phan-SecurityCheckPlugin/master/demos/ exists! It'll get updated whenever a new commit is merged in phan-taint-check-plugin (takes ~15 min but we can speed it up a lot).
>
> Except it seems to be getting blocked by CSP: Content Security Policy: The page’s settings blocked the loading of a resource at blob:https://doc.wikimedia.org/f8ce60d3-f6e6-4f98-b42b-ab1c401856fc (“script-src”).
>
> Do we need to adjust a CSP rule for this?

So this would need to add blob: to script-src (blob: is not included by default with 'self'). You probably also need 'wasm-eval'.
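The CSP point above, as an added example (not code from the task, the demo or doc.wikimedia.org's actual policy; the sample policy is constructed): a small parser for Content-Security-Policy headers plus a check of what script-src still lacks for an Emscripten page. It encodes the two rules that matter here: neither 'self' nor '*' ever matches a blob: URL, so blob: must be listed explicitly as a scheme-source, and WebAssembly compilation needs 'wasm-unsafe-eval' (the keyword CSP3 defines; 'wasm-eval' is the older non-standard spelling, and 'unsafe-eval' also works but re-enables eval() as well). `widen_for_demo` adds only the missing expressions, and creates an explicit script-src when scripts were inheriting default-src so that default-src itself is not loosened.

```python
"""Parse a Content-Security-Policy header and report what script-src would
still need for a page that loads blob: scripts and compiles WebAssembly.
Added example for this task; the sample policy is constructed and is not
the real policy served by any site."""
from __future__ import annotations

# Source expressions that permit WebAssembly compilation under CSP.
# 'wasm-unsafe-eval' is the CSP3 keyword; 'wasm-eval' is the earlier
# non-standard spelling; 'unsafe-eval' is broader because it also allows
# eval()/Function(), so prefer the first one.
WASM_KEYWORDS = {"'wasm-unsafe-eval'", "'wasm-eval'", "'unsafe-eval'"}


def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a policy into {directive: [source expressions]}.

    Directives are ';'-separated, names are case-insensitive, and a repeated
    directive is ignored because browsers honour only the first occurrence."""
    policy: dict[str, list[str]] = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() not in policy:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def script_sources(policy: dict[str, list[str]]) -> list[str] | None:
    """Effective script-src list: falls back to default-src, and is None when
    neither is set (the policy does not restrict scripts at all)."""
    if "script-src" in policy:
        return policy["script-src"]
    return policy.get("default-src")


def missing_for_demo(header: str) -> list[str]:
    """Source expressions script-src still needs for blob: scripts and wasm.

    blob: has to appear literally: 'self' and '*' do not match blob:, data:
    or filesystem: URLs, which is exactly why a 'self'-only policy produces
    the "blocked the loading of a resource at blob:..." console error."""
    sources = script_sources(parse_csp(header))
    if sources is None:
        return []
    lowered = {s.lower() for s in sources}
    needed = []
    if "blob:" not in lowered:
        needed.append("blob:")
    if not lowered & WASM_KEYWORDS:
        needed.append("'wasm-unsafe-eval'")
    return needed


def serialize(policy: dict[str, list[str]]) -> str:
    """Inverse of parse_csp, preserving directive order."""
    return "; ".join(f"{name} {' '.join(sources)}".strip()
                     for name, sources in policy.items())


def widen_for_demo(header: str) -> str:
    """Return the policy with only the missing script-src expressions added.

    If scripts were governed by default-src, an explicit script-src is
    created instead of widening default-src for every resource type. A lone
    'none' is dropped, since it is only valid by itself."""
    policy = parse_csp(header)
    needed = missing_for_demo(header)
    if not needed:
        return header
    base = [s for s in (script_sources(policy) or []) if s.lower() != "'none'"]
    policy["script-src"] = base + needed
    return serialize(policy)


# Constructed sample resembling a typical docs-site policy: scripts only from
# 'self' and one allow-listed host, which blocks the demo's blob: script.
SAMPLE_POLICY = "default-src 'self'; script-src 'self' https://example.org; img-src 'self' data:"

if __name__ == "__main__":
    print("missing:", missing_for_demo(SAMPLE_POLICY))
    print("widened:", widen_for_demo(SAMPLE_POLICY))
```

The check is deliberately narrow: it says what the demo page needs, not that the resulting policy is tight. Adding blob: to script-src lets any same-document script turn a Blob into executable code, so it belongs on the demo's own path (or its own host) rather than on a site-wide policy.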

Krinkle reopened this task as Open (edited). Nov 26 2020, 3:31 AM
Krinkle added a subscriber: Krinkle.

Re-opening to track the above. Also, once done, might be good to add an entry to the https://doc.wikimedia.org/ index for easier (re)discovery of the exact URL.

> So... https://doc.wikimedia.org/mediawiki-tools-phan-SecurityCheckPlugin/master/demos/ exists! It'll get updated whenever a new commit is merged in phan-taint-check-plugin (takes ~15 min but we can speed it up a lot).

Amazing, thank you!

> Also, once done, might be good to add an entry to the https://doc.wikimedia.org/ index for easier (re)discovery of the exact URL.

+1

Aklapper renamed this task from Create a web demo to Create a web demo for phan taint-check. Dec 7 2020, 3:38 PM

So... I don't think what we're doing here is legal, unfortunately. The PHP license is incompatible with the GPL. Normally this isn't a problem because it doesn't affect code that PHP executes, but here we've compiled GPL code with PHP code and are distributing it as one wasm binary.

Can we have them as separate wasm binaries so they aren't being distributed together? That would actually be a pretty big win technically because then we're not recompiling PHP on every patch too.

Or if that's not possible and we still want a web demo, we'd need to relicense to Apache 2 or MIT.

> So... I don't think what we're doing here is legal, unfortunately.

Oh, that's a bummer.

> but here we've compiled GPL code with PHP code and are distributing it as one wasm binary.

I might be missing something but what code is licensed under the GPL here?

> Can we have them as separate wasm binaries so they aren't being distributed together? That would actually be a pretty big win technically because then we're not recompiling PHP on every patch too.
>
> Or if that's not possible and we still want a web demo, we'd need to relicense to Apache 2 or MIT.

I've killed the webservice for the time being.

> but here we've compiled GPL code with PHP code and are distributing it as one wasm binary.
>
> I might be missing something but what code is licensed under the GPL here?

the taint-check-plugin, see https://gerrit.wikimedia.org/r/plugins/gitiles/mediawiki/tools/phan/SecurityCheckPlugin/+/refs/heads/master/COPYING

> but here we've compiled GPL code with PHP code and are distributing it as one wasm binary.
>
> I might be missing something but what code is licensed under the GPL here?
>
> the taint-check-plugin, see https://gerrit.wikimedia.org/r/plugins/gitiles/mediawiki/tools/phan/SecurityCheckPlugin/+/refs/heads/master/COPYING

Yuck, I thought I was missing something. Relicensing *might* be an option if everything else fails, but let's think about separating the binaries first. As you said, that would be hugely helpful. I'm not at all expert with emscripten though, so not sure about the feasibility.

Krinkle removed a subscriber: Krinkle. Jan 15 2021, 11:30 PM