Page MenuHomePhabricator
Create Task
Maniphest T268905

taint-check has trouble for taintedness of unknown array keys and reports possible false positives
Closed, ResolvedPublic
Actions

Description

In T216348#6653147, @Umherirrender wrote:
13:49:09 includes/jobqueue/utils/BacklinkJobUtils.php:102 SecurityCheck-SQLInjection Calling method \BacklinkCache::partition() in \BacklinkJobUtils::partitionBacklinkJob that outputs using tainted argument #1 (`$params['table']`). (Caused by: includes/cache/BacklinkCache.php +443) (Caused by: includes/jobqueue/utils/BacklinkJobUtils.php +90)

This could be a false positive: Variable $params has taintedness: YES

In T216348#6653391, @Umherirrender wrote:
In T216348#6653388, @Daimona wrote:
In T216348#6653147, @Umherirrender wrote:
13:49:09 includes/jobqueue/utils/BacklinkJobUtils.php:102 SecurityCheck-SQLInjection Calling method \BacklinkCache::partition() in \BacklinkJobUtils::partitionBacklinkJob that outputs using tainted argument #1 (`$params['table']`). (Caused by: includes/cache/BacklinkCache.php +443) (Caused by: includes/jobqueue/utils/BacklinkJobUtils.php +90)

This could be a false positive: Variable $params has taintedness: YES

The annotation still doesn't print the whole taintedness object. Could you please tryapplying the following hack to vendor/mediawiki/phan-taint-check-plugin/src/SecurityCheckPlugin.php

$msg = "Variable {CODE} has taintedness: {DETAILS}"; // Line 246
echo "\n\n$taint\n\n"; // Add this line

and then re-running phan. It should print the whole shape.

$taint is equal to {DETAILS}, but what about var_export( $var->taintedness )?

SecurityCheckPlugin\Taintedness::__set_state(array(
   'flags' => 43688,
   'dimTaint' =>
  array (
    'namespace' =>
    SecurityCheckPlugin\Taintedness::__set_state(array(
       'flags' => 0,
       'dimTaint' =>
      array (
      ),
       'unknownDimsTaint' => 0,
    )),
    'title' =>
    SecurityCheckPlugin\Taintedness::__set_state(array(
       'flags' => 0,
       'dimTaint' =>
      array (
      ),
       'unknownDimsTaint' => 0,
    )),
    'requestId' =>
    SecurityCheckPlugin\Taintedness::__set_state(array(
       'flags' => 43688,
       'dimTaint' =>
      array (
      ),
       'unknownDimsTaint' => 0,
    )),
  ),
   'unknownDimsTaint' => 0,
))

In Job.php:

$this->params = $params + [ 'requestId' => WebRequest::getRequestId() ];

When comment out that line, everything is fine ...

In T216348#6653394, @Daimona wrote:
In T216348#6653391, @Umherirrender wrote:

$taint is equal to {DETAILS}, but what about var_export( $var->taintedness )?

Oh yes, I meant $var->taintedness. No need to var_export it though, it has a __toString() which pretty-prints the object.

[ object snip ]

Seems like it's picking up taintedness in an offset it can't resolve.

In Job.php:

$this->params = $params + [ 'requestId' => WebRequest::getRequestId() ];

When comment out that line, everything is fine ...

I'd have to investigate, could you please copy these comments to a new task while I take a look?

pretty print:

{
    Own taint: YES
    Unknown keys: NONE
    Keys: {
        namespace => {
            Own taint: NONE
            Unknown keys: NONE
            Keys: {}
        }
        title => {
            Own taint: NONE
            Unknown keys: NONE
            Keys: {}
        }
        requestId => {
            Own taint: YES
            Unknown keys: NONE
            Keys: {}
        }
    }
}

Details

SubjectRepoBranchLines +/-
Exclude some taint bits in case of unknown keysmediawiki/tools/phan/SecurityCheckPluginmaster+24 -5
Suppress taint-check issue in BacklinkJobUtilsmediawiki/coremaster+1 -0
Customize query in gerrit

Related Objects
Search...

Event Timeline

Umherirrender created this task.Nov 28 2020, 1:15 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptNov 28 2020, 1:15 AM
Umherirrender renamed this task from taint-check has trouble for taintness for arrays to taint-check has trouble for taintedness of arrays or array-keys.Nov 28 2020, 1:16 AM
Umherirrender mentioned this in T216348: Suppress or fix non-double escape phan-taint-check warnings for MW core.
Umherirrender added a comment.Nov 28 2020, 1:20 AM

WebRequest::getRequestId() is using $_SERVER['UNIQUE_ID'] which means the return could contain user input?

But the first report was about the key 'table', which is not part of this taint print and that is the unknown offset.

Umherirrender renamed this task from taint-check has trouble for taintedness of arrays or array-keys to taint-check has trouble for taintedness of unknown array keys and reports possible false positives.Nov 28 2020, 1:21 AM
Umherirrender added a parent task: T216348: Suppress or fix non-double escape phan-taint-check warnings for MW core.
gerritbot added a comment.Nov 28 2020, 2:18 PM

Change 644012 had a related patch set uploaded (by Daimona Eaytoy; owner: Daimona Eaytoy):
[mediawiki/tools/phan/SecurityCheckPlugin@master] Exclude some taint bits in case of unknown keys

https://gerrit.wikimedia.org/r/644012

gerritbot added a project: Patch-For-Review.Nov 28 2020, 2:18 PM
Daimona claimed this task.Nov 28 2020, 2:18 PM
Daimona added a comment.Nov 28 2020, 11:04 PM

The patch above solves part of the issue, but it will remain on MediaWiki core. I got tired after a few hours of debugging, but this is related to the max depth being reached (see https://gerrit.wikimedia.org/r/c/mediawiki/tools/phan/SecurityCheckPlugin/+/601336), which I don't think can be resolved soon, so suppressing is fine.

gerritbot added a comment.Nov 29 2020, 10:33 AM

Change 644049 had a related patch set uploaded (by Umherirrender; owner: Umherirrender):
[mediawiki/core@master] Suppress taint-check issue in BacklinkJobUtils

https://gerrit.wikimedia.org/r/644049

gerritbot added a comment.Nov 30 2020, 4:58 PM

Change 644049 merged by jenkins-bot:
[mediawiki/core@master] Suppress taint-check issue in BacklinkJobUtils

https://gerrit.wikimedia.org/r/644049

ReleaseTaggerBot added a project: MW-1.36-notes (1.36.0-wmf.20; 2020-12-01).Nov 30 2020, 5:00 PM
gerritbot added a comment.Dec 11 2020, 8:38 PM

Change 644012 merged by jenkins-bot:
[mediawiki/tools/phan/SecurityCheckPlugin@master] Exclude some taint bits in case of unknown keys

https://gerrit.wikimedia.org/r/644012

Jdforrester-WMF mentioned this in rMTPS162a42adf37d: Exclude some taint bits in case of unknown keys.Dec 11 2020, 8:54 PM
Daimona closed this task as Resolved.Dec 11 2020, 8:59 PM
Daimona removed a project: Patch-For-Review.
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL