Page MenuHomePhabricator
Create Task
Maniphest T348780

Integrate a risk factor related to how many production projects an extension or skin is deployed
Open, Needs TriagePublic8 Estimated Story Points
Actions

Description

There is some existing code which could be helpful here, though instead of parsing Special:Version, we'd probably want to parse programmatic config files instead, for a more accurate representation.

Related Objects
Search...

Event Timeline

sbassett created this task.Oct 12 2023, 4:38 PM
Restricted Application added a project: Security-Team. · View Herald TranscriptOct 12 2023, 4:38 PM
Restricted Application added a subscriber: Aklapper. · View Herald Transcript
Mstyles claimed this task.Oct 12 2023, 5:31 PM
Mstyles set the point value for this task to 2.Oct 12 2023, 6:14 PM
Mstyles changed the point value for this task from 2 to 4.
sbassett moved this task from Incoming to In Progress on the Security-Team board.Oct 16 2023, 4:05 PM
sbassett moved this task from Backlog to In Progress on the production-risk-assessment board.
Mstyles added a comment.Nov 21 2023, 8:06 PM

per conversation with @sbassett I will use the initialise settings file in wmf config to determine which extensions are deployed on a particular wiki.

Mstyles changed the point value for this task from 4 to 8.Dec 21 2023, 8:11 PM
sbassett added a comment.EditedFeb 29 2024, 10:56 PM

Just a very quick proof of concept, this seems to work for me to process the current Wikimedia config CS.php and IS.php files (and it's quite fast):

ast.php
#!/usr/bin/env php 
<?php

declare(strict_types=1);

define( "AST_PHP_VERSION", 80 );

if( PHP_SAPI !== 'cli' ) { 
    exit("Please run as a PHP CLI!");
}

if( ! isset($argv[1]) ) { 
    exit("Please provide a file name or string of PHP code as an argument!");
}

if( ! in_array( "ast", get_loaded_extensions() ) ) { 
    exit("Please ensure the php/ast module is installed!");
}

$ast = null;
if( is_file( $argv[1] ) ) { 
    $ast = ast\parse_file( $argv[1], $version=AST_PHP_VERSION );
}
else if( is_string( $argv[1] ) ) { 
    $ast = ast\parse_code( $argv[1], $version=AST_PHP_VERSION );
}
else {
    exit("A file name or valid PHP code string were not provided as an argument!");
}

if( $ast !== null ) { 
    echo( $ast );
}
else {
    exit("AST unable to be generated!");
}
run_ast.py
#!/usr/bin/env python3
# -*- coding: utf-8 -*-


import os
import requests
import subprocess
import sys 


def get_cfg_file():
    cfg_files = { 
        "CS.php": "https://noc.wikimedia.org/conf/CommonSettings.php.txt",
        "IS.php": "https://noc.wikimedia.org/conf/InitialiseSettings.php.txt",
    }   

    cfg_file_name = ""
    cfg_file_contents = ""
    print(sys.argv)
    if len(sys.argv) == 2:
        if sys.argv[1] == "CS.php" or sys.argv[1] == "IS.php":
            cfg_file_name = sys.argv[1]
            http_response = requests.get(cfg_files[cfg_file_name], timeout=5)
            if http_response.status_code == 200:
                cfg_file_contents = http_response.text
                f = open(cfg_file_name, "w")
                f.write(cfg_file_contents)
                f.close()
        else:
            raise ValueError("Please specify either CS.php or IS.php as your argument.")
    else:
        raise ValueError("Please specify either CS.php or IS.php as your argument.")

    return cfg_file_name


def run_ast_cmd():
    cfg_file_name = get_cfg_file()

    if cfg_file_name != "": 
        try:
            ast_data = subprocess.run(
                ["php", "ast.php", cfg_file_name],
                stdout=subprocess.PIPE,
                stderr=subprocess.DEVNULL,
                encoding='utf-8',
            )   
        except subprocess.CalledProcessError as err:
            print(str(err))
        finally:
            print(str(ast_data.stdout))


if __name__ == "__main__":
    run_ast_cmd()
Mstyles added a comment.Mar 1 2024, 2:45 AM

@sbassett this looks really good! glad it's fast since the other methods were not as fast.

sbassett added a comment.Mar 1 2024, 3:04 PM

Yes, this definitely works and is very fast. Though there might be more benefits to using PHP-Parser instead of php-ast, which is maintained by the same person who maintains php-ast. PHP-Parser is definitely slower, but has better support for traversing the generated ast nodes and converting back and forth in a couple of ways: php -> ast -> php and php -> ast -> json, which will likely be handy for our intended use-case.

sbassett added a comment.EditedMar 6 2024, 9:56 PM

Works just as well (and seemingly as fast) with PHP-Parser. We just need to update ast.php and bring in the new dependency via composer:

ast.php
#!/usr/bin/env php
<?php

declare( strict_types = 1 );

require "vendor/autoload.php";

use PhpParser\ParserFactory;

if( PHP_SAPI !== 'cli' ) {
	exit( "Please run as a PHP CLI!" );
}

if( !isset( $argv[1] ) ) {
	exit( "Please provide a file name or string of PHP code as an argument!" );
}

$ast = null;
$php_code = "";

if( is_file( $argv[1] ) ) {
	$php_code = file_get_contents( $argv[1] );
}
else if( is_string( $argv[1] ) ) {
	$php_code = $argv[1];
}
else {
	exit( "A file name or valid PHP code string were not provided as an argument!" );
}

$parser = ( new ParserFactory() )->createForHostVersion();

try {
	$stmts = $parser->parse( $php_code );
	$ast = json_encode( $stmts, JSON_PRETTY_PRINT );
} catch ( PhpParser\Error $e ) {
	echo 'Parse Error: ', $e->getMessage();
}

if( $ast !== null ) {
	echo $ast;
}
else {
	exit( "AST unable to be generated!" );
}
composer.json
{
    "require": {
        "nikic/php-parser": "^5.0"
    }
}
CodeReviewBot added a project: Patch-For-Review.Mar 13 2024, 6:53 PM

mstyles opened https://gitlab.wikimedia.org/repos/security/wikimedia-code-health-check/-/merge_requests/37

Extensions in WMF production

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits