
Application Security Review Request : PersonalDashboard extension
Closed, ResolvedPublic

Description

Project Information

  • Name of tool/project: PersonalDashboard
  • Project home page: https://www.mediawiki.org/wiki/Moderator_Tools/Dashboard
  • Name of team requesting review: Moderator-Tools-Team
  • Primary contact: @jsn.sherman
  • Target date for deployment: FY 25/26 Q2
  • Link to code repository / patchset: https://gerrit.wikimedia.org/r/c/mediawiki/extensions/PersonalDashboard/+/1189933
  • Link to scc output for general sizing of codebases (https://github.com/boyter/scc):
    ───────────────────────────────────────────────────────────────────────────────
    Language                   Files    Lines   Blanks  Comments     Code  Complexity
    ───────────────────────────────────────────────────────────────────────────────
    PHP                           14     2012      218       580     1214          71
    JSON                           6      229        0         0      229           0
    LESS                           6      561       88        48      425           0
    JavaScript                     3      227       27        84      116          13
    Markdown                       2       10        3         0        7           0
    SVG                            2       14        0         0       14           0
    License                        1      339       58         0      281           0
    ───────────────────────────────────────────────────────────────────────────────
    Total                         34     3392      394       712     2286          84
    ───────────────────────────────────────────────────────────────────────────────
    Estimated Cost to Develop (organic)      $64,361
    Estimated Schedule Effort (organic)      4.85 months
    Estimated People Required (organic)      1.18
    ───────────────────────────────────────────────────────────────────────────────
    Processed 100841 bytes, 0.101 megabytes (SI)
    ───────────────────────────────────────────────────────────────────────────────

Description of the tool/project:
The PersonalDashboard extension houses code for the Moderator Tools Team's experiments in building a dashboard for moderators. Read more about the project at https://www.mediawiki.org/wiki/Special:MyLanguage/Moderator_Tools/Dashboard.

Description of how the tool will be used at WMF:
We plan to deploy the extension to five Wikimedia projects initially: id.wiki, tr.wiki, simple.wiki, az.wiki, and bn.wiki. Later, this is expected to expand to all Wikipedias.

This extension may at some point house code from multiple teams, with the dashboard serving as a 'central location' for routing users to different workflows based on their interests.

Dependencies

List dependencies, or upstream projects that this project relies on.

Has this project been reviewed before?

Please link to tasks or wiki pages of previous reviews.

No, but this is mostly a subset/flattening/refactor of the homepage feature in the GrowthExperiments extension

Working test environment

Please link or describe setup process for setting up a test environment.

  • Install and load the extension
  • Go to Special:PersonalDashboard

There won't be anything useful there since this initial commit is basically just a container for dashboard modules.
If you want to see a dashboard with a PoC moderation module, you can use this example patch:
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/PersonalDashboard/+/1189934

Post-deployment

Name of team responsible for tool/project after deployment and primary contact.

Moderator-Tools-Team; @Samwalton9-WMF / @jsn.sherman

Details

Risk Rating
Low

Event Timeline

Samwalton9-WMF changed the task status from Open to Stalled.
Restricted Application added subscribers: Nemoralis, Aklapper.
jsn.sherman changed the task status from Stalled to Open. Sep 20 2025, 12:08 AM
jsn.sherman updated the task description.
sbassett changed the task status from Open to In Progress. Oct 7 2025, 3:58 PM
sbassett claimed this task.
sbassett triaged this task as Medium priority.
sbassett moved this task from Back Orders to In Progress on the secscrum board.
sbassett added a subscriber: Catrope.

Hey @jsn.sherman and @Samwalton9-WMF - I'm not sure what conversations you've had with @Catrope regarding this review, but if we could summarize those here and any other expectations regarding this review, that would be great. Thanks.

Hi there,

After walking @Catrope through the code a few weeks ago, our expectation is that this should be a fairly quick/fast track review given that the extension is a refactor/streamlining of the homepage portion of the GrowthExperiments extension; i.e. this code is pretty much already in production.

We'd like to be able to roll out this extension with our first experimental/trial dashboard modules in November. We know we need the dashboard in the long term, but the since the initial modules themselves are currently under development and will be part of an experiment, we want to exclude them from review for now.

If there's anything we can do to move things along, please let us know.

Just FYI, I plan to have a quick chat with @Catrope about this when he's back in the office next week.

@sbassett @Catrope we now have at least one module merged in so you can see how this works. We do have another module about ready to go, but are running into a CI configuration issue on the new repo.
You can run it locally easily enough as long as you set up CommunityConfiguration as well. Patch for that module:
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/PersonalDashboard/+/1200167

Thanks, @jsn.sherman. Is there a more specific deployment date for this code? Not that this review would necessarily block such a milestone.

Originally we were aiming to deploy by the week of the 17th, but there are still design and copy changes happening. We're deploying to non-English wikis, so translation will be the other potential blocker besides this review. We're aiming to be deployed with translations by the end of this month. Sooner is better, but it's not like we have everything else wrapped up with a neat bow and are solely waiting on this.

cc @Samwalton9-WMF @DMburugu

Hi @sbassett, just checking in: how are things looking?

Is the code within a fairly stable state at this point? i.e. there are unlikely to be further, volatile changes for at least a few weeks? If so, we should get https://gerrit.wikimedia.org/r/c/mediawiki/extensions/PersonalDashboard/+/1189934 rebased and free of conflicts and then I can complete the review.

The master branch now has functional modules in it, so you should just be able to look directly there and skip the example module patch. I will abandon it.
There are a few other things that will be added for the MVP, but we shouldn't be blazing any trails that would impact our security posture. We can call those changes out when we're merging them in if that would be helpful.

Since we're drifting near the end-of-calendar-year deployment freeze, we're amending our goal to reflect reality: we're now aiming to get this in front of users in early January. We would like to shake down on test wiki before the deployment freeze, which would mean catching the Dec 15 (1.46.0-wmf.7) train at the latest.

@sbassett just checking in; do you have what you need to review this week?

Hey @jsn.sherman - Yes, the review has been in-progress, up to 4a614aa4c0. I need to analyze a few additional details and then should have something posted this week.

Security Review Summary - T404738 - 2025-12-05
Last commit reviewed: 4a614aa4c0

Summary

Overall, the current PersonalDashboard extension code appears to be in very good shape with an overall risk rating of: low. See specific issues found below.

Vulnerable Packages - Production
Risk: low

Numerous tools including osv_scanner, semgrep and various language-specific audit tools were run and no vulnerabilities were found.

Vulnerable Packages - Development
Risk: low

Numerous tools including osv_scanner, semgrep and various language-specific audit tools were run and no vulnerabilities were found.

Outdated Packages

As reported via composer outdated:
(no explicit vulnerabilities reported, simply noting for completeness' sake.)

Package                              Current   Latest   Description
mediawiki/phan-taint-check-plugin    7.0.0     8.0.0    A Phan plugin to do security checking
netresearch/jsonmapper               4.5.0     5.0.0    Map nested JSON structures onto PHP classes
phan/phan                            5.5.1     5.5.2    A static analyzer for PHP
phpcsstandards/phpcsextra            1.4.0     1.5.0    A collection of sniffs and standards for use with PHP_CodeSniffer.
phpcsstandards/phpcsutils            1.1.1     1.2.1    A suite of utility functions for use with PHP_CodeSniffer
sabre/event                          5.1.7     6.0.1    sabre/event is a library for lightweight event-based programming
squizlabs/php_codesniffer            3.13.2    4.0.1    PHP_CodeSniffer tokenizes PHP, JavaScript and CSS files and detects violations o...

Static Analysis Findings
Risk: low

No major findings via semgrep and similar tools. See General Security Issues below for more details.

HTTP and other protocol Leaks
Risk: low

None found.

General code health score
Risk: low

  1. The Wikimedia code health check tool returned a weighted risk score of 35.90.
+-----------+----------+----------+------+---------------+---------------+--------------+-------------+------------+--------------+-----------+---------------+
| Vuln Pkgs | Pkg Mgmt | Test Cov | SAST | Non-auto Cmts | Uniq Contribs | Contrib Conc | Lang Guides | Staff Supp | Task Backlog | Code Stew | Weighted Risk |
+===========+==========+==========+======+===============+===============+==============+=============+============+==============+===========+===============+
|         0 |        7 |        7 |    0 |            10 |            10 |            4 |           7 |         10 |            0 |         0 |         35.90 |
+-----------+----------+----------+------+---------------+---------------+--------------+-------------+------------+--------------+-----------+---------------+

General Security Issues
Risk: low

  1. Within package.json, for the vitest-plugin-mediawiki dev dependency, it is preferred that this be set to an actual published, pinned version as opposed to referencing specific commits within a gitlab.wikimedia.org URL. Since this is a dev dependency and is hosted at Wikimedia's Gitlab instance, it would still be considered low-risk but is not a best practice.
  2. There were a couple of extremely minor issues found by bearer SAST in certain JavaScript files in resources: basically insufficient randomization with Math.random() and potentially disclosing sensitive data via certain console.warn() calls. These are extremely low-risk issues, if that, primarily just flagging for awareness.
  3. There are several instances of Html::rawElement() that some of our MediaWiki-specific semgrep rules found, but cross-checking with $wgUseXssLanguage enabled within a local MediaWiki-Docker environment and the Phan taint-check plugin did not yield any positive findings.
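For readers following item 3 above, the following is an added illustration of why semgrep flags every Html::rawElement() call and why the taint-check plugin and $wgUseXssLanguage are the tools that separate the benign uses from the dangerous ones. It is not PersonalDashboard code and describes no finding in that extension (the review found none); the function names, message key and CSS classes are hypothetical, and only the MediaWiki core APIs (Html::element(), Html::rawElement(), Message::text()/escaped()/parse(), MessageLocalizer) are real.

```php
<?php
// Added example, not PersonalDashboard code. All function names, the
// message key and the CSS class names below are hypothetical.

use MediaWiki\Html\Html;
use MessageLocalizer;

// UNSAFE: $title is attacker-influenced (a page title, a request
// parameter, a username) and is passed straight into rawElement(), which
// does no escaping. A title such as <img src=x onerror=alert(1)> lands in
// the page unchanged. Phan taint-check reports this as an unescaped
// user-input-to-HTML flow; this is the pattern the semgrep rule exists to
// surface for manual inspection.
function unsafeHeading( string $title ): string {
	return Html::rawElement( 'h2', [ 'class' => 'dash-module-title' ], $title );
}

// SAFE: Html::element() HTML-escapes its third argument, so the same input
// renders as inert text. This is the default choice whenever the content
// is plain text.
function safeHeading( string $title ): string {
	return Html::element( 'h2', [ 'class' => 'dash-module-title' ], $title );
}

// SAFE use of rawElement(): the outer wrapper only concatenates fragments
// that were themselves produced by an escaping builder. This is the
// benign shape that semgrep still flags (it cannot see the provenance of
// $inner) but that taint-check clears, because every taint source was
// escaped before reaching the sink.
function safeModuleBox( string $title, string $body ): string {
	$inner = Html::element( 'h2', [], $title )
		. Html::element( 'p', [], $body );
	return Html::rawElement( 'div', [ 'class' => 'dash-module' ], $inner );
}

// Messages are the case $wgUseXssLanguage is built to catch. With it set
// to true, viewing the wiki in the 'x-xss' language makes every message
// expand to a script payload, so any message that reaches HTML without
// escaping shows up as a JavaScript alert in the browser.
function moduleLabel( MessageLocalizer $ctx, string $key ): string {
	// UNSAFE: ->text() is not HTML-escaped; inside rawElement() it would
	// fire the x-xss alert. Written out only as the contrast case:
	//   Html::rawElement( 'span', [], $ctx->msg( $key )->text() );
	//
	// SAFE: ->escaped() returns HTML-safe output, so rawElement() is fine
	// (->parse() is the other safe choice when the message contains
	// wikitext that should be rendered).
	return Html::rawElement( 'span', [ 'class' => 'dash-label' ],
		$ctx->msg( $key )->escaped() );
}
```

To reproduce the check the review describes, set $wgUseXssLanguage = true in LocalSettings.php of a MediaWiki-Docker instance, switch the interface language to x-xss via ?uselang=x-xss, and load the special page: a clean page shows messages as their alert-style placeholder text, whereas an alert dialog means some message took the ->text()-into-rawElement() path.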
sbassett moved this task from In Progress to Our Part Is Done on the secscrum board.
sbassett moved this task from In Progress to Done on the user-sbassett board.