
ULS CI Blocked: includes/api/ApiULSSetLanguage.php:75 SecurityCheck-SQLInjection
Closed, Resolved (Public)


CI fails for ULS and is blocking patches from being merged. See:

Full error message:

13:13:37 includes/api/ApiULSSetLanguage.php:75 SecurityCheck-SQLInjection Calling method \MediaWiki\User\UserOptionsManager::setOption() in \ApiULSSetLanguage::execute that outputs using tainted argument #3 (`$languageCode`). (Caused by: ../../includes/user/UserOptionsManager.php +465; ../../includes/user/UserOptionsManager.php +204; Builtin-\Wikimedia\Rdbms\IDatabase::insert; ../../includes/user/UserOptionsManager.php +436; ../../includes/user/UserOptionsManager.php +428; ../../includes/user/UserOptionsManager.php +420; ../../includes/user/UserOptionsManager.php +204; ../../includes/language/LanguageCode.php +162; ../../includes/user/UserOptionsManager.php +565; ../../includes/user/UserOptionsManager.php +564; ../../includes/user/UserOptionsManager.php +540; ../../includes/user/UserOptionsManager.php +539; ...) (Caused by: includes/api/ApiULSSetLanguage.php +50; Builtin-\WebRequest::getText)

Same error appears for the following patches:

  1. 734888: Use HookHandlers
  2. 734766: MW 1.35: Re-add class attribute for ULS
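
A small triage helper for CI lines like the one quoted above, as an added example that is not part of this task or of taint-check: it splits a finding into its location, the flagged argument and its "Caused by" chains, so the chain containing `IDatabase::insert` can be read apart from the one containing `WebRequest::getText`. The function names and the shortened sample line are constructed here.

```python
import re

HEAD = re.compile(r"^(?:\d\d:\d\d:\d\d )?(?P<file>\S+):(?P<line>\d+) "
                  r"(?P<issue>SecurityCheck-\w+) (?P<msg>.*)$")
ARG = re.compile(r"tainted argument #(\d+) \(`([^`]+)`\)")
CHAIN = re.compile(r"\(Caused by: ([^()]*)\)")

# Constructed sample: the CI line from this task with the first chain shortened.
SAMPLE = (
    r"13:13:37 includes/api/ApiULSSetLanguage.php:75 SecurityCheck-SQLInjection "
    r"Calling method \MediaWiki\User\UserOptionsManager::setOption() in "
    r"\ApiULSSetLanguage::execute that outputs using tainted argument #3 "
    r"(`$languageCode`). (Caused by: ../../includes/user/UserOptionsManager.php +465; "
    r"Builtin-\Wikimedia\Rdbms\IDatabase::insert; ...) "
    r"(Caused by: includes/api/ApiULSSetLanguage.php +50; Builtin-\WebRequest::getText)"
)

def parse_step(step):
    """Classify one chain entry: built-in function, 'file +line', or '...'."""
    step = step.strip()
    if step == "...":
        return ("truncated", None, None)
    if step.startswith("Builtin-"):
        return ("builtin", step[len("Builtin-"):], None)
    path, _, lineno = step.rpartition(" +")
    if path and lineno.isdigit():
        return ("line", path, int(lineno))
    return ("unknown", step, None)

def parse_finding(text):
    """Return location, issue type, flagged argument and chains, or None."""
    m = HEAD.match(text.strip())
    if m is None:
        return None
    arg = ARG.search(m["msg"])
    return {
        "file": m["file"],
        "line": int(m["line"]),
        "issue": m["issue"],
        "argument": (int(arg[1]), arg[2]) if arg else None,
        "chains": [[parse_step(s) for s in body.split(";")]
                   for body in CHAIN.findall(m["msg"])],
    }

def builtins(chain):
    """Names of the built-in functions a chain passes through."""
    return [name for kind, name, _ in chain if kind == "builtin"]
```
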

Event Timeline

abi_ triaged this task as Unbreak Now! priority. Oct 27 2021, 3:13 PM
abi_ created this task.

This is a bug in taint-check: T290563. UserOptionsManager inserts multiple rows at once, which is not correctly special-cased in the already-special-cased handling of DB functions. I'm going to suppress the issue in ULS.

Change 735011 had a related patch set uploaded (by Daimona Eaytoy; author: Daimona Eaytoy):

[mediawiki/extensions/UniversalLanguageSelector@master] Suppress taint-check false positive blocking CI

Change 735011 merged by jenkins-bot:

[mediawiki/extensions/UniversalLanguageSelector@master] Suppress taint-check false positive blocking CI

Thanks for the quick response on this one.