
Application Security Review Request : PlaceNewSection extension
Closed, Resolved (Public)

Description

Project Information

Description of the tool/project:
The PlaceNewSection extension introduces two magic words, __ADDNEWSECTIONBELOW__ and __ADDNEWSECTIONABOVE__, that control placement of new talk page sections.

Description of how the tool will be used at WMF:
On some projects, many discussion pages add new topics at the top rather than at the bottom. This extension implements that behaviour without user scripts or hacks.

Dependencies

List dependencies, or upstream projects that this project relies on.

    {
        "require-dev": {
            "mediawiki/mediawiki-codesniffer": "41.0.0",
            "mediawiki/mediawiki-phan-config": "0.12.1",
            "mediawiki/minus-x": "1.1.1",
            "php-parallel-lint/php-console-highlighter": "1.0.0",
            "php-parallel-lint/php-parallel-lint": "1.3.2"
        }
    }

Has this project been reviewed before?

Please link to tasks or wiki pages of previous reviews.

No previous reviews.

Working test environment

Please link or describe setup process for setting up a test environment.

  • Install extension.
  • Add __ADDNEWSECTIONABOVE__ (or __ADDNEWSECTIONBELOW__) on any talk page.
  • Start some topics with "Add topic" button.

Post-deployment

Name of team responsible for tool/project after deployment and primary contact.

I hope the Editing team; I will ask them to review it.

Details

Risk Rating
Low

Event Timeline

@Iniquity - The Security-Team typically handles application security reviews on a quarterly cadence, and we've just set our reviews for this quarter. Also - is there a sponsoring team at the WMF to assist in the management of maintenance, security, etc. issues?

Thanks for the information! :) But maybe you'll have time earlier; the extension is very small :)

@Ernstkm and, I hope, Editing team: T355164

@sbassett Hello! I see you have already created a pool of extensions for testing? Are we missing this quarter too? How long should we wait? Are there any criteria or something like that?
https://www.mediawiki.org/wiki/Wikimedia_Security_Team/Security_Review_Planning/2024-04-08

Yes, unfortunately we had a few other reviews to accommodate at this time and due to our limited resources, this one wasn't able to be officially scheduled this quarter. Please also refer to our AppSec Review SOP: https://www.mediawiki.org/wiki/Security/SOP/Application_Security_Reviews#How_are_these_requests_prioritized?

Is there any time frame for when this task will be taken on?

Not officially, no. As a team, we basically have a look at all requests that we've accumulated during a given quarter and then prioritize and distribute those across the limited resources Security Team AppSec has available for reviews each quarter. We try to accommodate every request as best we can, but sometimes there are re-prioritizations, delays, etc.

Do I understand correctly that with the current state of affairs, this request can be processed for several years? And is it easier for me to forget about this request and not plan any work for the coming years?

@Iniquity if you fill in the

Link to scc output for general sizing of codebases (https://github.com/boyter/scc):

part of the task description it might be easier for the security team to prioritize given just how *tiny* this extension really is (120 lines of PHP total and by my count 57 of those are comments and 14 are blank, so really 49 lines of PHP; no JavaScript)

Thanks for the tip! I thought it would be more difficult to do than it turned out :)

Probably not several years, but it might have to wait a quarter or two, yes. Our manual security review process just isn't realistically scalable for the entirety of the MediaWiki/Wikimedia ecosystem. We hope to provide better and faster security analysis in the future via increased automation and better processes (like rapid risk assessments).

@sbassett Hi! Are you able to check the extension next quarter?

We'll be having our quarterly reviews planning meeting sometime either the first week (or early second week) of July, where we select reviews to complete for the upcoming quarter. We'll use the current prioritization process to select and prioritize security reviews. We have quite a few reviews within our upcoming planning and back orders columns, so it's going to be difficult to guarantee anything at this time.

Hello again! Another quarter has passed... What are your plans?

@ppelberg Can you help push this request, because as far as I understand, the security team absolutely does not want to work on something that is not supported by the WMF, but is requested by volunteers :( Or maybe @JWheeler-WMF can help, CWS request was here: https://meta.wikimedia.org/wiki/Community_Wishlist_Survey_2023/Notifications,_Watchlists_and_Talk_Pages/Allow_posting_new_sections_to_top_of_Talk_pages

I believe @acooper was attempting to find a WMF sponsor for this extension. At least that's where I believe we left things during our most recent quarterly planning session.

sbassett moved this task from Back Orders to Waiting on the secscrum board.

@acooper plans to follow up with various policy updates related to this request, this quarter (January 2025 - March 2025).

Hi, any progress here? 468 days or 5 quarters have passed.

Unfortunately, no. @acooper was assigned this task, to determine some variety of policy approach for community-developed extensions. But he apparently did not do this and has since left the WMF. My hope is that we can revisit this issue once a replacement manager/director has been hired and within the context of policy being developed by the WMF's working group for code ownership and maintenance.

Jj881 renamed this task from "Application Security Review Request : PlaceNewSection extension" to "Application Security Review Request :". (Jun 3 2025, 1:51 AM)
Jj881 triaged this task as Low priority.
JJMC89 renamed this task from "Application Security Review Request :" to "Application Security Review Request : PlaceNewSection extension". (Jun 3 2025, 2:07 AM)
JJMC89 raised the priority of this task from Low to Needs Triage.
sbassett changed the task status from Open to In Progress. (Jul 8 2025, 3:57 PM)
sbassett assigned this task to mmartorana.
sbassett triaged this task as Medium priority.

We talked about this in some Editing team meetings a while ago, and at the time we felt that we didn't think there were any security issues with it, but we wouldn't want to deploy this to WMF wikis without making some changes to how it works. I don't know whether you'd like to put off formal security review until after anything like that happened...

I think we can review the extension as-is and determine any current security risks. This, of course, is not an implicit endorsement for production deployment, as many other qualifications will still need to be met. If the codebase is ever significantly refactored, I think we'd be happy to have another look at the code at that time.

mmartorana moved this task from In Progress to Our Part Is Done on the secscrum board.

Security Review Summary - T355161 - 2025-09-09
Last commit reviewed: 1a70f4d

Summary

This extension has a minimal attack surface: magic words are static, regex operations use MediaWiki's escaping functions, and no direct user input controls vulnerable code paths.

The theoretical regex injection and content injection risks are largely mitigated by MediaWiki's framework protections and the hardcoded nature of magic word definitions.

The overall risk rating is low.
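The property the summary relies on is that the only strings which ever reach the regex engine are the hard-coded magic words, and that those are escaped before use. The following is an added illustration of that pattern, written for this page; it is not PlaceNewSection's or MediaWiki's own code. The constant and function names, the use of PHP's built-in preg_quote() in place of whichever MediaWiki escaping helper the extension uses, and the "== heading ==" heuristic for finding the first section are all assumptions.

```php
<?php
declare(strict_types=1);

// Added example (not the extension's own code). The magic words are
// compile-time constants, so page content can never alter the pattern.
const MAGIC_ABOVE = '__ADDNEWSECTIONABOVE__';
const MAGIC_BELOW = '__ADDNEWSECTIONBELOW__';

/** True if the page text contains the given hard-coded magic word on a line of its own. */
function hasMagicWord(string $wikitext, string $magicWord): bool {
    // preg_quote() neutralises every regex metacharacter in the marker and,
    // because '/' is passed, the delimiter as well. This is the escaping step
    // that keeps a pattern from being rewritten by the string it embeds.
    $pattern = '/^[ \t]*' . preg_quote($magicWord, '/') . '[ \t]*$/m';
    return preg_match($pattern, $wikitext) === 1;
}

/** Split page text into the lead (everything before the first "== heading ==") and the rest. */
function splitLead(string $wikitext): array {
    // Fixed pattern, no interpolated text at all.
    if (preg_match('/^==[^=\n].*==[ \t]*$/m', $wikitext, $m, PREG_OFFSET_CAPTURE) !== 1) {
        return [$wikitext, ''];
    }
    $pos = $m[0][1];
    return [substr($wikitext, 0, $pos), substr($wikitext, $pos)];
}

/**
 * Place a new section. The new section's text is only ever concatenated,
 * never interpolated into a pattern, so it cannot influence the regex.
 */
function placeNewSection(string $wikitext, string $newSection): string {
    $newSection = rtrim($newSection, "\n") . "\n\n";
    if (hasMagicWord($wikitext, MAGIC_ABOVE)) {
        [$lead, $sections] = splitLead($wikitext);
        return rtrim($lead, "\n") . "\n\n" . $newSection . $sections;
    }
    // Default, and __ADDNEWSECTIONBELOW__: append at the end, MediaWiki's usual behaviour.
    return rtrim($wikitext, "\n") . "\n\n" . $newSection;
}

// Constructed sample talk page; the new topic ends up above "Old topic".
$page = "__ADDNEWSECTIONABOVE__\n\n== Old topic ==\nFirst post. ~~~~\n";
echo placeNewSection($page, "== New topic ==\nHello! ~~~~");
```

Run with `php placement.php` (any file name). The point for a reviewer is structural: if a future refactor ever let page-supplied text (a heading, a user name) flow into the argument of preg_match() without passing through preg_quote() first, the "static magic words" argument above would no longer hold and the regex-injection risk would need to be reassessed.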

Vulnerable Packages - Production
Risk: None

Vulnerable Packages - Development
Risk: None

As reported via composer outdated:
(no explicit vulnerabilities reported, simply noting for completeness' sake.)

Package                     Current  Latest  Description
composer/semver             3.4.3    3.4.4   Semver library that offers utilities, version constraint parsing and validation.
netresearch/jsonmapper      4.5.0    5.0.0   Map nested JSON structures onto PHP classes
phpcsstandards/phpcsextra   1.2.1    1.4.0   A collection of sniffs and standards for use with PHP_CodeSniffer.
phpcsstandards/phpcsutils   1.0.12   1.1.1   A suite of utility functions for use with PHP_CodeSniffer
sabre/event                 5.1.7    6.0.1   sabre/event is a library for lightweight event-based programming
squizlabs/php_codesniffer   3.12.2   3.13.2  PHP_CodeSniffer tokenizes PHP, JavaScript and CSS files and detects violations o...

Static Analysis Findings
Risk: None
semgrep reported no issues (low risk).
bearer reported no issues (low risk).
sh-scan reported no issues (low risk).
horusec reported no issues (low risk).
snyk reported no issues (low risk).
git-secrets reported no issues (low risk).

General Security Issues (XSS, S/CSRF, SQLi, Ci, Cjack, etc.)
Risk: None