Page MenuHomePhabricator
Create Task
Maniphest T350900

Application Security Review Request : Extension:WikimediaCampaignEvents
Closed, ResolvedPublic16 Estimated Story Points
Actions

Description

Project Information

Description of the tool/project:

The goal of this project is to let organizers share the grant ID when they configure a specific event so that grant officers can easily track and analyze the impact of events supported by grants.

When an organizer enters a grant ID in Special:EnableEventRegistration, the tool will use the Fluxx API to validate the ID provided. See T321814 for a high-level list of requirements/features.

Description of how the tool will be used at WMF:
This extension will be used to gather specific WMF information (Grant ID) that will be used by the Advancement department. The event registration tool will be used to gather the information from the organizer.
It will be saved with the rest of the CampaignEvents data (same database in the x1 cluster, new table) and used by data analytics to further create reports and metrics for the advancement department.

Dependencies

List dependencies, or upstream projects that this project relies on.

Hard dependency on the CampaignEvents extension (already in production, reviewed in T290248).

Has this project been reviewed before?

We had a privacy review of the Grant ID: https://docs.google.com/document/d/1lFeq7jtUCmXdwoKwIfqgO-74ccTU0kBtX7zkJkeMByw/edit#bookmark=id.8ac47nrsiaqh
Product analytics got a review of the measurement plan for the Grant ID.
https://docs.google.com/document/d/1XloYVx_luuFzyHnnvqyyLTy76GY-rl0Lu_F4bnyDkZs/edit#heading=h.dsus1x29zwjd

Working test environment

Please link or describe setup process for setting up a test environment.

The extension is not available on patchdemo, but it can be installed locally by following the instructions on mediawiki.org. You then need to set the secret API keys in your LocalSettings.php; these can be found in P53297.

Post-deployment

Name of team responsible for tool/project after deployment and primary contact.

Connection-Team - @VPuffetMichel.

Details

Risk Rating
Low

Related Objects
Search...

Event Timeline

VPuffetMichel created this task.Nov 9 2023, 5:19 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptNov 9 2023, 5:19 PM
VPuffetMichel added a comment.Nov 9 2023, 5:21 PM

We recognize that this is last minute and will be thankful for your help. Note that the codebase will only be ready for review next week, but we are making this request now to get the ball rolling. We have left [TODO] on purpose.

This can actually be deployed after you have time for the review. We hope that this won’t be too much work as the code base will be quite small. Thank you so much for looking into this!

Daimona renamed this task from Application Security Review Request : Grant ID to Application Security Review Request : Extension:WikimediaCampaignEvents.Nov 9 2023, 5:31 PM
Daimona added projects: WikimediaCampaignEvents, Connection-Team.
Daimona added a parent task: T347896: Prepare the WikimediaCampaignEvents extension for deployment.
Daimona mentioned this in T347896: Prepare the WikimediaCampaignEvents extension for deployment.Nov 9 2023, 5:46 PM
Daimona mentioned this in T350906: Review database schema of the WikimediaCampaignEvents extension.Nov 9 2023, 6:07 PM
Daimona moved this task from Backlog to Following on the Connection-Team board.
Daimona updated the task description. (Show Details)Nov 10 2023, 4:57 PM
sbassett moved this task from Incoming to Upcoming Quarter Planning Queue on the secscrum board.Nov 13 2023, 4:39 PM
sbassett changed the task status from Open to In Progress.Nov 15 2023, 5:05 PM
sbassett assigned this task to mmartorana.
sbassett triaged this task as Low priority.
sbassett moved this task from Upcoming Quarter Planning Queue to In Progress on the secscrum board.
Daimona updated the task description. (Show Details)Nov 23 2023, 3:05 PM

The code base is now ready for review, and I've added the scc output to the task description. Please let us know if you need anything else. Thanks!

mmartorana set the point value for this task to 16.Dec 7 2023, 3:47 PM
mmartorana moved this task from In Progress to Our Part Is Done on the secscrum board.Dec 22 2023, 5:01 PM

Security Review Summary - T350900 - 2023-11-22
Last commit reviewed: be04cea

Summary

From a security perspective, the WikimediaCampaignEvents extension is robust and free from known security vulnerabilities due to its up-to-date dependencies. The codebase is generally clean; however, it does involve some usage, although discouraged, of the service locator pattern. Although this approach might not be optimal for testing and maintaining code, there are situations where it can be beneficial. I'm curious to understand the reasoning behind its choice.
The overall risk rating is: low.

Vulnerable Packages - Production
npm audit returned no results. low risk
snyk returned no results. low risk
auditjs returned no results. low risk
osv-scanner and osv-detector returned no results. low risk

Risk: none

Outdated Packages
As reported via npm outdated:
none

As reported via composer outdated:
(no explicit vulnerabilities reported, simply noting for completeness' sake.)

PackageCurrentLatest
composer/semver3.3.23.4.0
psr/log2.0.03.0.0
sabre/event5.1.46.0.0
squizlabs/php_codesniffer3.7.23.8.0
symfony/consolev5.4.32v7.0.1
symfony/stringv6.4.0v7.0.0

Static Analysis Findings
semgrep returned no results. low risk
snyk code returned no results. low risk
horusec returned a couple of false-positives related to secret leaks. low risk
sast-scan returned a couple of false-positives related to secret leaks. low risk

General Security Issues
gitleaks returned no results. low risk
whispers returned no results. low risk

General code health score

  1. The Wikimedia code health check tool returned a weighted risk score of 31.10:
+-----------+----------+----------+------+---------------+---------------+--------------+-------------+------------+--------------+-----------+---------------+
| Vuln Pkgs | Pkg Mgmt | Test Cov | SAST | Non-auto Cmts | Uniq Contribs | Contrib Conc | Lang Guides | Staff Supp | Task Backlog | Code Stew | Weighted Risk |
+===========+==========+==========+======+===============+===============+==============+=============+============+==============+===========+===============+
|         0 |        4 |        3 |    0 |            10 |            10 |            4 |           7 |         10 |            0 |         0 |         31.10 |
+-----------+----------+----------+------+---------------+---------------+--------------+-------------+------------+--------------+-----------+---------------+
Daimona added a comment.Dec 22 2023, 6:13 PM

Thanks for the review!

In T350900#9423738, @mmartorana wrote:

The codebase is generally clean; however, it does involve some usage, although discouraged, of the service locator pattern. Although this approach might not be optimal for testing and maintaining code, there are situations where it can be beneficial. I'm curious to understand the reasoning behind its choice.

Where did you see those? I'm unable to find any static service access in the code base.

mmartorana added a comment.Dec 22 2023, 6:31 PM
In T350900#9423899, @Daimona wrote:

Thanks for the review!

In T350900#9423738, @mmartorana wrote:

The codebase is generally clean; however, it does involve some usage, although discouraged, of the service locator pattern. Although this approach might not be optimal for testing and maintaining code, there are situations where it can be beneficial. I'm curious to understand the reasoning behind its choice.

Where did you see those? I'm unable to find any static service access in the code base.

I am talking about WikimediaCampaignEventsServices class/file where I can see a service locator pattern usage. I was just curious about this approach.

Daimona added a comment.Dec 22 2023, 9:36 PM
In T350900#9423938, @mmartorana wrote:
In T350900#9423899, @Daimona wrote:

Thanks for the review!

In T350900#9423738, @mmartorana wrote:

The codebase is generally clean; however, it does involve some usage, although discouraged, of the service locator pattern. Although this approach might not be optimal for testing and maintaining code, there are situations where it can be beneficial. I'm curious to understand the reasoning behind its choice.

Where did you see those? I'm unable to find any static service access in the code base.

I am talking about WikimediaCampaignEventsServices class/file where I can see a service locator pattern usage. I was just curious about this approach.

Ah, sure! That class is a service locator for extension-specific services. It can be used in place of the central service locator (MediaWikiServices) to obtain instances of the extension's services. Its main purposes are to avoid things like MediaWikiServices::getInstance()->get( 'NameOfTheExtensionService' ) where the name of the service can be misspelled, as well as provide information on the return type. In practice, though, DI is always preferred, and so this locator should only used either when DI is not possible (e.g., old-style static hook handlers), or unnecessary (e.g., tests). HTH!

VPuffetMichel added a comment.Jan 9 2024, 2:08 PM

Hi @mmartorana
Are you done with the security review?
Let us know!

mmartorana closed this task as Resolved.Jan 10 2024, 10:07 AM

Hi @VPuffetMichel - I submitted the review on December 22, Friday. The risk was assessed as low risk, so there's no further action needed from your end. Appreciate it.

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits