Page MenuHomePhabricator
Create Task
Maniphest T99358

[Task] Security review of Wikibase-Quality-External-Validation branch master
Closed, DeclinedPublic
Actions

Description

Please do a security review of Wikibase-Quality-External-Validation.
Thank you very much!

Gerrit: https://gerrit.wikimedia.org/r/#/admin/projects/mediawiki/extensions/WikibaseQualityExternalValidation

Related Objects
Search...

Event Timeline

Tamslo created this task.May 16 2015, 11:07 AM
Tamslo raised the priority of this task from to Needs Triage.
Tamslo updated the task description. (Show Details)
Tamslo added projects: Wikibase-Quality-External-Validation, deprecated-security-team-reviews.
Tamslo added a parent task: T99357: [Story] Review and deploy Wikibase-Quality-External-Validation on wikidata.org.
Tamslo added subscribers: Wikibase-Quality-External-Validation, Aklapper.
Liuxinyu970226 subscribed.May 17 2015, 10:29 PM
csteipp mentioned this in T99355: Security review of Wikibase-Quality-Constraints - v1 branch.May 18 2015, 7:28 PM
Tamslo updated the task description. (Show Details)May 20 2015, 1:27 PM
Tamslo set Security to None.
Andreasburmeister moved this task from Refer to WikibaseQuality Board to DOING on the Wikibase-Quality-External-Validation board.May 24 2015, 7:24 PM
Restricted Application added a project: Wikidata. · View Herald TranscriptMay 24 2015, 7:24 PM
Andreasburmeister added subscribers: Andreasburmeister, csteipp.May 27 2015, 2:25 PM
csteipp claimed this task.Jun 5 2015, 12:03 AM
csteipp added a project: Security-Team.
csteipp moved this task from Incoming to Ready on the Security-Team board.
Lydia_Pintscher moved this task from incoming to monitoring on the Wikidata board.Jun 12 2015, 1:25 PM
Tamslo subscribed.Jun 18 2015, 9:23 AM

@csteipp: are you still working on it? And on T99352? :)

csteipp added a comment.Jun 18 2015, 4:47 PM

@Tamslo, are you asking if this can be closed? Definitely not. Both of the other extensions have serious issues that need to be addressed before they can be deployed, and I've only started reviewing this one. If plans change on wmde's side, please let me know.

Jonaskeutel subscribed.Jun 18 2015, 5:19 PM

Could you be so kind and clarify the blocking issues for the other two extensions? For Constraints we have seen only one open ticket (T101467), for which we have uploaded a fix.
Same for the Quality extension. Only one blocking task for which we have uploaded some patches. I'm not sure if we can close it on our own or if you could have another look at it?

As far as the plans of wmde are concerned:
The current plan is to do a Beta deploy about June, 19th 2015 0800 PDT.
On June, 30th there should be a deploy on test and July, 8th on wikidata.org. So far the current plans.

Do you have, additional to the questions above, something that would block the planned beta deploy?

JanZerebecki subscribed.Jun 18 2015, 9:12 PM
Andreasburmeister added a comment.Jun 19 2015, 1:50 PM

Short clarification: Please review branch v1 on gerrit.

Tamslo added a project: Wikibase-Quality.Jun 19 2015, 2:23 PM
Tamslo moved this task from Backlog to DOING on the Wikibase-Quality board.Jun 19 2015, 2:32 PM
Tamslo moved this task from DOING to Beyond our power on the Wikibase-Quality board.Jun 19 2015, 2:36 PM
Tamslo moved this task from DOING to Refer to WikibaseQuality Board on the Wikibase-Quality-External-Validation board.Jun 22 2015, 11:10 AM
csteipp moved this task from Ready to In Progress on the Security-Team board.Jun 22 2015, 8:28 PM
Tamslo updated the task description. (Show Details)Jun 23 2015, 9:12 AM
Tamslo added a comment.Jun 23 2015, 9:20 AM

The URL of the repository changed, see the description.

soeren.oldag closed subtask T103438: Ex:WikibaseQualityExternalValidation - don't use .tar / phar to transfer files to production as Resolved.Jun 23 2015, 1:00 PM
csteipp closed subtask T103439: Ex:WikibaseQualityExternalValidation - DumpMetaInformationRepo needs to strictly validate table names as Resolved.Jun 24 2015, 12:38 AM
csteipp added a comment.Jun 24 2015, 12:42 AM

@Tamslo, what is the expected size of wbqev_dump_information?

soeren.oldag subscribed.Jun 24 2015, 9:48 AM

@csteipp, wbqev_dump_information contains a row for each database dump, that was imported. For now, there are only 3 ones. When new databases are integrated for cross-checks, the number will increase, but this table will always just have a few rows.

soeren.oldag closed subtask T103633: Ex:WikibaseQualityExternalValidation - SpecialExternalDbs escape or don't use raw cells as Resolved.Jun 24 2015, 9:56 AM
JanZerebecki renamed this task from Security review of Wikibase-Quality-External-Validation to Security review of Wikibase-Quality-External-Validation branch v1.Jun 25 2015, 11:02 AM
csteipp added a comment.Jun 25 2015, 8:15 PM
csteipp added a comment.Jun 25 2015, 8:16 PM

SpecialCrossCheck::buildResultTable
$referenceStatus = $this->msg( "wbqev-crosscheck-status-" . $result->getReferenceResult()->getStatus() )->text();

Either user escaped() or don't use rawhtml in the table cell.

csteipp added a comment.Jun 25 2015, 8:33 PM

In ComparisonResult you guard setting the result to a list of constant strings, but in ReferenceResult that only happens on object creation. ReferenceResult should do the same as ComparisonResult.

csteipp added a comment.Jun 25 2015, 8:34 PM
In T99358#1402101, @csteipp wrote:

SpecialCrossCheck::buildResultTable
$referenceStatus = $this->msg( "wbqev-crosscheck-status-" . $result->getReferenceResult()->getStatus() )->text();

Either user escaped() or don't use rawhtml in the table cell.

That already got fixed. Sorry about that.

csteipp moved this task from In Progress to Waiting on the Security-Team board.Jun 25 2015, 9:06 PM
gerritbot subscribed.Jun 26 2015, 12:19 PM

Change 221104 had a related patch set uploaded (by Dominic.sauer):
T99358 guard setting the result to a list of constant strings in ReferenceResult similar to the ComparisonResult

https://gerrit.wikimedia.org/r/221104

gerritbot added a project: Patch-For-Review.Jun 26 2015, 12:19 PM
gerritbot added a comment.Jun 26 2015, 12:25 PM

Change 221107 had a related patch set uploaded (by Dominic.sauer):
T99358 guard setting the result to a list of constant strings in ReferenceResult similar to the ComparisonResult

https://gerrit.wikimedia.org/r/221107

csteipp added a comment.Jun 26 2015, 9:55 PM
In T99358#1404599, @gerritbot wrote:

https://gerrit.wikimedia.org/r/221107

That looks right. Thanks.

soeren.oldag closed subtask T103905: Ex:WikibaseQualityExternalValidation - rate limit Special:CrossCheck as Resolved.Jun 29 2015, 8:22 AM
gerritbot added a comment.Jun 29 2015, 8:37 AM

Change 221104 merged by jenkins-bot:
T99358 guard setting the result to a list of constant strings in ReferenceResult similar to the ComparisonResult

https://gerrit.wikimedia.org/r/221104

gerritbot added a comment.Jun 29 2015, 8:38 AM

Change 221107 merged by jenkins-bot:
T99358 guard setting the result to a list of constant strings in ReferenceResult similar to the ComparisonResult

https://gerrit.wikimedia.org/r/221107

Lydia_Pintscher renamed this task from Security review of Wikibase-Quality-External-Validation branch v1 to [Task] Security review of Wikibase-Quality-External-Validation branch v1.Aug 17 2015, 4:18 PM
Lydia_Pintscher subscribed.Aug 27 2015, 11:14 AM

@csteipp: Is this good to go from your side once T103912 is closed?

Lydia_Pintscher added a comment.Sep 9 2015, 6:48 AM

*ping* :)

JanZerebecki renamed this task from [Task] Security review of Wikibase-Quality-External-Validation branch v1 to [Task] Security review of Wikibase-Quality-External-Validation branch master.Sep 29 2015, 10:53 AM
csteipp triaged this task as High priority.Sep 30 2015, 11:58 PM
csteipp moved this task from Incoming to Scheduled on the deprecated-security-team-reviews board.
csteipp added a comment.Oct 8 2015, 8:15 PM
In T99358#1579459, @Lydia_Pintscher wrote:

@csteipp: Is this good to go from your side once T103912 is closed?

Yes

csteipp moved this task from Scheduled to Incoming on the deprecated-security-team-reviews board.Dec 2 2015, 6:20 PM
csteipp moved this task from Incoming to Waiting/Blocked on the deprecated-security-team-reviews board.Dec 2 2015, 6:22 PM
aaron changed the status of subtask T103912: [Task] Ex:WikibaseQualityExternalValidation - performance review of Special:CrossCheck from Open to Stalled.Dec 17 2015, 9:10 PM
Pasleim moved this task from Beyond our power to DONE on the Wikibase-Quality board.Nov 14 2016, 4:16 AM
Pasleim moved this task from DONE to Beyond our power on the Wikibase-Quality board.Nov 14 2016, 4:24 AM
dpatrick subscribed.Mar 21 2017, 7:37 PM

@Lydia_Pintscher, can you give us an update on this ticket?

Lydia_Pintscher changed the task status from Open to Stalled.Apr 6 2017, 3:15 PM

Sorry. For now you can ignore this. I'll mark it as stalled and reopen it when it becomes relevant again.

Aklapper removed csteipp as the assignee of this task.Dec 9 2017, 11:58 AM
Aklapper lowered the priority of this task from High to Low.
Aklapper removed a project: Patch-For-Review.

Lowering priority per last comment by Lydia; resetting assignee.

chasemp edited projects, added Security-team-backlog; removed Security-Team.Sep 4 2018, 3:42 PM
Addshore closed this task as Declined.EditedSep 21 2018, 7:51 AM
Addshore subscribed.

We are archiving the extension T204490: Archive the WikibaseQualityExternalValidation extension

Restricted Application removed a subscriber: Liuxinyu970226. · View Herald TranscriptSep 21 2018, 7:51 AM
Addshore closed subtask T103912: [Task] Ex:WikibaseQualityExternalValidation - performance review of Special:CrossCheck as Declined.Sep 21 2018, 7:53 AM
sbassett moved this task from Waiting/Blocked to Done on the deprecated-security-team-reviews board.Jul 9 2019, 8:25 PM
chasemp removed a project: deprecated-security-team-reviews.Jan 8 2020, 4:18 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits