
Application Security Review Request: RealMe
Closed, ResolvedPublic

Description

Project Information

Description of the tool/project: Allows users to add links with the rel="me" HTML attribute to their user pages. This is useful because some sites or tools (for example Mastodon) use that to verify profile ownership.

Description of how the tool will be used at WMF: Deployed to production wikis.

Dependencies: MediaWiki itself

Has this project been reviewed before? No.

Working test environment: The extension is easy to set up with a local MediaWiki installation, as it doesn't require any special configuration. I believe a security review is required to deploy it to the beta cluster.

Post-deployment: I imagine this extension will not require very active maintenance in the future given its low complexity. I and other MW +2'ers using this functionality will ensure that the extension is kept compatible with core changes.
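As an added illustration of the rel="me" ownership check the description refers to (example code written for this page, not part of the task or of the RealMe extension), a small Python verifier that extracts rel="me" links from two pages and accepts ownership only when each page links to the other. The URLs and page fragments are constructed samples; the multi-token rel="nofollow me" mirrors how MediaWiki marks external links.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, urlunsplit


class RelMeParser(HTMLParser):
    """Collect href values of <a> and <link> elements whose rel contains "me"."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("a", "link"):
            return
        attr = dict(attrs)
        # rel is a space-separated token list, e.g. rel="nofollow me" on a wiki page
        tokens = (attr.get("rel") or "").lower().split()
        if "me" in tokens and attr.get("href"):
            self.links.append(attr["href"])


def rel_me_links(html):
    parser = RelMeParser()
    parser.feed(html)
    return parser.links


def normalize(url):
    """Canonical form for comparison: http(s) only, lowercase scheme and host,
    no trailing slash, no fragment. Returns None for anything else (javascript:, data:, ...)."""
    parts = urlsplit(url.strip())
    if parts.scheme.lower() not in ("http", "https") or not parts.netloc:
        return None
    path = parts.path.rstrip("/") or "/"
    return urlunsplit((parts.scheme.lower(), parts.netloc.lower(), path, parts.query, ""))


def links_to(html, target_url):
    """True if some rel="me" link in html points at target_url after normalization."""
    target = normalize(target_url)
    return target is not None and any(normalize(h) == target for h in rel_me_links(html))


def verify_ownership(profile_url, profile_html, wiki_url, wiki_html):
    """Ownership is accepted only when the link is bidirectional: the profile claims
    the wiki page and the wiki page claims the profile, both via rel="me"."""
    return links_to(profile_html, wiki_url) and links_to(wiki_html, profile_url)


# Constructed sample pages (not real sites): a fediverse profile and a wiki user page.
PROFILE_URL = "https://social.example/@alice"
PROFILE_HTML = '<a rel="me" href="https://wiki.example/wiki/User:Alice">Wiki</a>'
WIKI_URL = "https://wiki.example/wiki/User:Alice"
WIKI_HTML = ('<a rel="nofollow me" class="external" href="https://social.example/@alice/">@alice</a>'
             '<a rel="nofollow" href="https://social.example/@mallory">a friend</a>')
```

A plain external link without the "me" token (the second anchor above) is deliberately ignored, which is why the extension has to emit the attribute rather than relying on the link merely being present.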

Details

Risk Rating
Low

Event Timeline

sbassett changed the task status from Open to In Progress. Jan 4 2023, 5:20 PM
sbassett assigned this task to mmartorana.
sbassett moved this task from Upcoming Quarter Planning Queue to In Progress on the secscrum board.
sbassett triaged this task as Medium priority. Jan 4 2023, 5:27 PM

Security Review Summary - T324536 - 2023-03-31
Last commit reviewed: 536706d

Summary

In terms of basic application security, the current RealMe extension seems to be in good standing overall, largely because of its relatively simple logic and lack of complexity. However, there are a few outdated packages in addition to one vulnerable development dependency (which is also indirect). Aside from these issues, there do not appear to be any other significant concerns regarding code cleanliness and security.
The overall risk rating is: low.

Vulnerable Packages - Production

snyk reported no results. low risk
osv-detector reported no results. low risk
npm audit reported no results. low risk
composer security:check reported no results. low risk

none

Vulnerable Packages - Development

| Vulnerability | Package | Notes | Service | Remediation | Risk |
| ReDoS vulnerability | minimatch | <3.0.5 | osv | advisory link | high |

Outdated Packages
As reported via composer outdated:
(no explicit vulnerabilities reported, simply noting for completeness' sake.)

| Package | Current | Latest (Remediation) |
| microsoft/tolerant-php-parser | v0.1.1 | v0.1.2 |
| phan/phan | 5.4.1 | 5.4.2 |
| psr/log | 2.0.0 | 3.0.0 |
| sabre/event | 5.1.4 | 6.0.0 |
| symfony/console | v5.4.21 | v6.2.8 |

As reported via npm outdated:
(no explicit vulnerabilities reported, simply noting for completeness' sake.)

| Package | Current | Latest (Remediation) |
| grunt-eslint | v24.0.0 | 24.0.1 |

Static Analysis Findings
snyk reported no results. low risk
semgrep reported no results. low risk
horusec reported no results. low risk
sast-scan reported no results. low risk

General Security Issues
git secrets, gitleaks and whispers returned no results. Risk low.

Thanks. The minimatch issue and most other outdated packages have since been fixed by LibUp. Based on that I don't believe there's anything actionable as a result of the review and I'll close this task.