Page MenuHomePhabricator
Create Task
Maniphest T355161

Application Security Review Request : PlaceNewSection extension
Open, Needs TriagePublic
Actions

Description

Project Information

Description of the tool/project:
The PlaceNewSection extension introduces two magic words, ADDNEWSECTIONBELOW and ADDNEWSECTIONABOVE, that control placement of new talk page sections.

Description of how the tool will be used at WMF:
In some projects, many discussion pages use adding topics at the top rather than at the bottom. This extension allows you to implement this behavior without using scripts or hacks.

Dependencies

List dependencies, or upstream projects that this project relies on.

	"require-dev": {
		"mediawiki/mediawiki-codesniffer": "41.0.0",
		"mediawiki/mediawiki-phan-config": "0.12.1",
		"mediawiki/minus-x": "1.1.1",
		"php-parallel-lint/php-console-highlighter": "1.0.0",
		"php-parallel-lint/php-parallel-lint": "1.3.2"
	},

Has this project been reviewed before?

Please link to tasks or wiki pages of previous reviews.

No previous reviews.

Working test environment

Please link or describe setup process for setting up a test environment.

  • Install extension.
  • Add ADDNEWSECTIONABOVE (or ADDNEWSECTIONBELOW) on any talk page.
  • Start some topics with "Add topic" button.

Post-deployment

Name of team responsible for tool/project after deployment and primary contact.

I hope Editing-team I will ask review them.

Details

Risk Rating
Low

Related Objects
Search...

Event Timeline

Iniquity created this task.Jan 16 2024, 5:01 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJan 16 2024, 5:01 PM
Iniquity added a parent task: T344501: Add Extension:PlaceNewSection to Russian Wikipedia.Jan 16 2024, 5:01 PM
Iniquity mentioned this in T344501: Add Extension:PlaceNewSection to Russian Wikipedia.Jan 16 2024, 5:11 PM
sbassett moved this task from Incoming to Back Orders on the secscrum board.Jan 16 2024, 5:14 PM
sbassett subscribed.Jan 16 2024, 10:23 PM

@Iniquity - The Security-Team typically handles application security reviews on a quarterly cadence, and we've just set our reviews for this quarter. Also - is there a sponsoring team at the WMF to assist in the management of maintenance, security, etc. issues?

Iniquity added a comment.EditedJan 17 2024, 11:35 AM
In T355161#9464099, @sbassett wrote:

@Iniquity - The Security-Team typically handles application security reviews on a quarterly cadence, and we've just set our reviews for this quarter.

Thanks for the information! :) But suddenly you have time earlier, the extension is very small :)

Also - is there a sponsoring team at the WMF to assist in the management of maintenance, security, etc. issues?

@Ernstkm and, I hope, Editing team: T355164

Iniquity added a comment.Apr 11 2024, 7:01 PM

@sbassett Hello! I see you have already created a pool of extensions for testing? Are we missing this quarter too? How long should we wait? Are there any criteria or something like that?
https://www.mediawiki.org/wiki/Wikimedia_Security_Team/Security_Review_Planning/2024-04-08

sbassett added a comment.Apr 15 2024, 8:06 PM
In T355161#9708335, @Iniquity wrote:

@sbassett Hello! I see you have already created a pool of extensions for testing? Are we missing this quarter too? How long should we wait? Are there any criteria or something like that?
https://www.mediawiki.org/wiki/Wikimedia_Security_Team/Security_Review_Planning/2024-04-08

Yes, unfortunately we had a few other reviews to accommodate at this time and due to our limited resources, this one wasn't able to be officially scheduled this quarter. Please also refer to our AppSec Review SOP: https://www.mediawiki.org/wiki/Security/SOP/Application_Security_Reviews#How_are_these_requests_prioritized?

Iniquity added a comment.Apr 15 2024, 8:25 PM
In T355161#9715419, @sbassett wrote:
In T355161#9708335, @Iniquity wrote:

@sbassett Hello! I see you have already created a pool of extensions for testing? Are we missing this quarter too? How long should we wait? Are there any criteria or something like that?
https://www.mediawiki.org/wiki/Wikimedia_Security_Team/Security_Review_Planning/2024-04-08

Yes, unfortunately we had a few other reviews to accommodate at this time and due to our limited resources, this one wasn't able to be officially scheduled this quarter. Please also refer to our AppSec Review SOP: https://www.mediawiki.org/wiki/Security/SOP/Application_Security_Reviews#How_are_these_requests_prioritized?

Is there any time frame for when this task will be taken on?

sbassett added a comment.Apr 15 2024, 8:50 PM
In T355161#9715467, @Iniquity wrote:

Is there any time frame for when this task will be taken on?

Not officially, no. As a team, we basically have a look at all requests that we've accumulated during a given quarter and then prioritize and distribute those across the limited resources Security Team AppSec has available for reviews each quarter. We try to accommodate every request as best we can, but sometimes there are re-prioritizations, delays, etc.

Iniquity added a comment.Apr 15 2024, 9:32 PM
In T355161#9715544, @sbassett wrote:
In T355161#9715467, @Iniquity wrote:

Is there any time frame for when this task will be taken on?

Not officially, no. As a team, we basically have a look at all requests that we've accumulated during a given quarter and then prioritize and distribute those across the limited resources Security Team AppSec has available for reviews each quarter. We try to accommodate every request as best we can, but sometimes there are re-prioritizations, delays, etc.

Do I understand correctly that with the current state of affairs, this request can be processed for several years? And is it easier for me to forget about this request and not plan any work for the coming years?

DannyS712 subscribed.Apr 15 2024, 10:35 PM

@Iniquity if you fill in the

Link to scc output for general sizing of codebases (https://github.com/boyter/scc):

part of the task description it might be easier for the security team to prioritize given just how *tiny* this extension really is (120 lines of PHP total and by my count 57 of those are comments and 14 are blank, so really 49 lines of PHP; no JavaScript)

Iniquity updated the task description. (Show Details)Apr 15 2024, 11:03 PM
In T355161#9715739, @DannyS712 wrote:

@Iniquity if you fill in the

Link to scc output for general sizing of codebases (https://github.com/boyter/scc):

part of the task description it might be easier for the security team to prioritize given just how *tiny* this extension really is (120 lines of PHP total and by my count 57 of those are comments and 14 are blank, so really 49 lines of PHP; no JavaScript)

Thanks for the tip! I thought it would be more difficult to do than it turned out :)

sbassett added a comment.EditedApr 16 2024, 3:40 PM
In T355161#9715623, @Iniquity wrote:

Do I understand correctly that with the current state of affairs, this request can be processed for several years? And is it easier for me to forget about this request and not plan any work for the coming years?

Probably not several years, but it might have to wait a quarter or two, yes. Our manual security review process just isn't realistically scalable for the entirety of the MediaWiki/Wikimedia ecosystem. We hope to provide better and faster security analysis in the future via increased automation and better processes (like rapid risk assessments).

Iniquity added a comment.Jun 24 2024, 6:37 PM

@sbassett Hi! Are you able to check the extension next quarter?

sbassett added a comment.Jun 25 2024, 2:36 PM
In T355161#9919029, @Iniquity wrote:

@sbassett Hi! Are you able to check the extension next quarter?

We'll be having our quarterly reviews planning meeting sometime either the first week (or early second week) of July, where we select reviews to complete for the upcoming quarter. We'll use the current prioritization process to select and prioritize security reviews. We have quite a few reviews within our upcoming planning and back orders columns, so it's going to be difficult to guarantee anything at this time.

sbassett moved this task from Back Orders to Upcoming Quarter Planning Queue on the secscrum board.Jul 3 2024, 3:37 PM
sbassett moved this task from Upcoming Quarter Planning Queue to Waiting on the secscrum board.Jul 3 2024, 5:14 PM
ppelberg subscribed.Oct 11 2024, 6:42 PM
Iniquity added a comment.Mon, Dec 9, 9:23 PM

Hello again! Another quarter has passed... What are your plans?

Iniquity added a subscriber: JWheeler-WMF.EditedMon, Dec 9, 9:29 PM

@ppelberg Can you help push this request, because as far as I understand, the security team absolutely does not want to work on something that is not supported by the WMF, but is requested by volunteers :( Or maybe @JWheeler-WMF can help, CWS request was here: https://meta.wikimedia.org/wiki/Community_Wishlist_Survey_2023/Notifications,_Watchlists_and_Talk_Pages/Allow_posting_new_sections_to_top_of_Talk_pages

sbassett added a subscriber: acooper.Mon, Dec 9, 10:35 PM

I believe @acooper was attempting to find a WMF sponsor for this extension. At least that's where I believe we left things during our most recent quarterly planning session.

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits