
sbassett (Scott Bassett)
Staff Security Engineer
Administrator

User Details

User Since
Sep 12 2018, 3:52 PM (285 w, 5 d)
Roles
Administrator
Availability
Available
IRC Nick
sbassett
LDAP User
SBassett
MediaWiki User
SBassett (WMF) [ Global Accounts ]

Member of the Security-Team. My user-sbassett board should be fairly up-to-date, though we also track some other work within Asana these days.

Recent Activity

Yesterday

sbassett added a project to T358619: Security Issue Access Request for SGupta-WMF: SecTeam-Processed.
Mon, Mar 4, 5:18 PM · SecTeam-Processed, Data Products, Security-Team, Security
sbassett moved T358618: Security Issue Access Request for Sfaci from Incoming to In Progress on the Security-Team board.
Mon, Mar 4, 5:17 PM · SecTeam-Processed, Data Products, Security-Team, Security
sbassett changed the visibility for T270456: Parsoid REST API does not check access permissions of user - allowed information disclosure for private or semi-private wikis (e.g. affecting VisualEditor + Lockdown).
Mon, Mar 4, 4:58 PM · SecTeam-Processed, VisualEditor, Editing-team, Vuln-Authn/Session, Security-Team, Security, Parsoid
sbassett removed a project from T222807: Sandbox Graph extension into an iframe: Patch-For-Review.
Mon, Mar 4, 4:00 PM · MediaWiki-Platform-Team, MediaWiki-extensions-Graph
sbassett closed T270456: Parsoid REST API does not check access permissions of user - allowed information disclosure for private or semi-private wikis (e.g. affecting VisualEditor + Lockdown) as Declined.
Mon, Mar 4, 3:58 PM · SecTeam-Processed, VisualEditor, Editing-team, Vuln-Authn/Session, Security-Team, Security, Parsoid
sbassett closed T270456: Parsoid REST API does not check access permissions of user - allowed information disclosure for private or semi-private wikis (e.g. affecting VisualEditor + Lockdown), a subtask of T268529: Adopt VisualEditor in wiki.wikimedia.it, as Declined.
Mon, Mar 4, 3:58 PM · WMIT-Infrastructure
sbassett added a comment to T270456: Parsoid REST API does not check access permissions of user - allowed information disclosure for private or semi-private wikis (e.g. affecting VisualEditor + Lockdown).

Feel free to close this as declined, since at least my known stakeholders migrated away from Lockdown and completely changed their workflows so that they no longer involve any secret in the wiki. There are private pages only for members, but purely for convenience reasons. No secret is stored. So their workflows cannot involve security issues anymore.

Maybe one day MediaWiki will be ready to flexibly host secrets. But we all know this is just discouraged at the moment.

Mon, Mar 4, 3:58 PM · SecTeam-Processed, VisualEditor, Editing-team, Vuln-Authn/Session, Security-Team, Security, Parsoid

Fri, Mar 1

sbassett added a comment to T260201: Parsoid REST API may not check access permissions of user.

I think this issue is moot, now that VE is using direct access to Parsoid?

Can anyone confirm?

Fri, Mar 1, 3:23 PM · Parsoid (Tracking), MW-1.36-notes (1.36.0-wmf.5; 2020-08-18), Security-Team, Security
sbassett added a comment to T348780: Integrate a risk factor related to how many production projects an extension or skin is deployed.

Yes, this definitely works and is very fast. Though there might be more benefits to using PHP-Parser instead of php-ast, which is maintained by the same person who maintains php-ast. PHP-Parser is definitely slower, but has better support for traversing the generated ast nodes and converting back and forth in a couple of ways: php -> ast -> php and php -> ast -> json, which will likely be handy for our intended use-case.

Fri, Mar 1, 3:04 PM · SecTeam-Processed, Code-Health, Security, Security Team AppSec, production-risk-assessment, Security-Team

Thu, Feb 29

sbassett added a comment to T348780: Integrate a risk factor related to how many production projects an extension or skin is deployed.

Just a very quick proof of concept, this seems to work for me to process the current Wikimedia config CS.php and IS.php files (and it's quite fast):

ast.php
#!/usr/bin/env php
<?php
Thu, Feb 29, 10:56 PM · SecTeam-Processed, Code-Health, Security, Security Team AppSec, production-risk-assessment, Security-Team
sbassett removed a project from T329266: Debian security update for git silently broke mediawiki-i18n-check-docker: Patch-For-Review.
Thu, Feb 29, 2:52 PM · Release-Engineering-Team (Priority Backlog 📥), Vuln-Misconfiguration, SecTeam-Processed, Security, Security-Team

Wed, Feb 28

sbassett moved T357353: Application Security Review Request: NetworkSession MediaWiki extension from Back Orders to Upcoming Quarter Planning Queue on the secscrum board.
Wed, Feb 28, 5:18 PM · Discovery-Search (Current work), secscrum, Security, Application Security Reviews
sbassett updated the task description for T353826: Pentest FY2023/24 - Wikipedia Library.
Wed, Feb 28, 5:04 PM · secscrum
sbassett added a comment to T353826: Pentest FY2023/24 - Wikipedia Library.

See team's issue tracking task: T358257: Wikipedia Library January 2024 Pentest

Wed, Feb 28, 5:03 PM · secscrum
sbassett added a comment to T358140: Security Issue Access Request for @MShilova_WMF.

Team, I am still not able to see the content of this ticket https://phabricator.wikimedia.org/T358115. I'd like to be able to 'watch' it.

Wed, Feb 28, 3:49 PM · SecTeam-Processed, Security-Team, Security

Tue, Feb 27

sbassett added a comment to T358140: Security Issue Access Request for @MShilova_WMF.

Confirming that user @MShilova_WMF currently has Phab MFA enabled:

Screenshot 2024-02-27 at 9.40.56 AM.png (77×473 px, 12 KB)

Tue, Feb 27, 3:44 PM · SecTeam-Processed, Security-Team, Security
sbassett added a comment to T356297: Offboard James Fishback from Security Team.

Privacy is planning to switch ownership of @priv_eng_sync to a privacy Google group that is being created. However, the account currently has 2FA tied to James Fishback's Phab account, and that account has been disabled, so there might be some issues.

Tue, Feb 27, 3:43 PM · SecTeam-Processed, Security-Team

Mon, Feb 26

sbassett changed the visibility for T356459: Password exposure on PCC when adding new host to LB pool?.
Mon, Feb 26, 5:59 PM · Vuln-Infoleak, SecTeam-Processed, Infrastructure-Foundations, Security
sbassett added a comment to T357353: Application Security Review Request: NetworkSession MediaWiki extension.

This will likely be reviewed next quarter (April 1st to June 30th, 2024).

Mon, Feb 26, 4:39 PM · Discovery-Search (Current work), secscrum, Security, Application Security Reviews
sbassett moved T357353: Application Security Review Request: NetworkSession MediaWiki extension from Incoming to Back Orders on the secscrum board.
Mon, Feb 26, 4:39 PM · Discovery-Search (Current work), secscrum, Security, Application Security Reviews
sbassett added a comment to T356459: Password exposure on PCC when adding new host to LB pool?.

Patch merged, this should be done.

Mon, Feb 26, 4:16 PM · Vuln-Infoleak, SecTeam-Processed, Infrastructure-Foundations, Security

Fri, Feb 23

sbassett assigned T283839: Open refine stored password available in PAWS public to Bstorm.
Fri, Feb 23, 9:02 PM · SecTeam-Processed, OpenRefine, Cloud-VPS, Vuln-Infoleak, PAWS, Security
sbassett set Author Affiliation to community on T283839: Open refine stored password available in PAWS public.
Fri, Feb 23, 9:01 PM · SecTeam-Processed, OpenRefine, Cloud-VPS, Vuln-Infoleak, PAWS, Security
sbassett added a comment to T283839: Open refine stored password available in PAWS public.

Anything here that would keep us from making this task public? I'm not seeing anything obvious.

Fri, Feb 23, 4:06 PM · SecTeam-Processed, OpenRefine, Cloud-VPS, Vuln-Infoleak, PAWS, Security

Thu, Feb 22

sbassett added a project to T354607: Security Issue Access Request for jhsoby: SecTeam-Processed.
Thu, Feb 22, 11:35 PM · SecTeam-Processed, Security-Team, Security
sbassett added a comment to T354607: Security Issue Access Request for jhsoby.

Confirming that user @jhsoby has Phab MFA enabled:

Screenshot 2024-02-22 at 11.07.15 AM.png (60×472 px, 15 KB)

Thu, Feb 22, 5:20 PM · SecTeam-Processed, Security-Team, Security
sbassett added a parent task for T354607: Security Issue Access Request for jhsoby: T353393: Request to add jhsoby to WMF-NDA group.
Thu, Feb 22, 5:02 PM · SecTeam-Processed, Security-Team, Security
sbassett added a subtask for T353393: Request to add jhsoby to WMF-NDA group: T354607: Security Issue Access Request for jhsoby.
Thu, Feb 22, 5:02 PM · WMF-NDA-Requests
sbassett added a comment to T354607: Security Issue Access Request for jhsoby.

I think this should now be unblocked due to T353393#9568781.

Thu, Feb 22, 5:01 PM · SecTeam-Processed, Security-Team, Security
sbassett closed T353393: Request to add jhsoby to WMF-NDA group as Resolved.

Per @Mstyles comment above, adding @jhsoby to WMF-NDA and resolving this task.

Thu, Feb 22, 5:00 PM · WMF-NDA-Requests
sbassett added a member for WMF-NDA: jhsoby.
Thu, Feb 22, 5:00 PM

Tue, Feb 20

sbassett added a project to T357622: Requesting access to security@wikimedia.org: SecTeam-Processed.
Tue, Feb 20, 7:17 PM · SecTeam-Processed, Security-Team
sbassett triaged T357479: Stop sending X-Webkit-CSP and X-Webkit-CSP-Report-Only headers as Medium priority.
Tue, Feb 20, 6:15 PM · SecTeam-Processed, Security-Team, ContentSecurityPolicy, Traffic
sbassett closed T357479: Stop sending X-Webkit-CSP and X-Webkit-CSP-Report-Only headers as Resolved.
Tue, Feb 20, 6:15 PM · SecTeam-Processed, Security-Team, ContentSecurityPolicy, Traffic
sbassett edited projects for T357479: Stop sending X-Webkit-CSP and X-Webkit-CSP-Report-Only headers, added: SecTeam-Processed; removed Patch-For-Review.
Tue, Feb 20, 6:14 PM · SecTeam-Processed, Security-Team, ContentSecurityPolicy, Traffic
sbassett moved T357479: Stop sending X-Webkit-CSP and X-Webkit-CSP-Report-Only headers from Incoming to Our Part Is Done on the Security-Team board.
Tue, Feb 20, 6:14 PM · SecTeam-Processed, Security-Team, ContentSecurityPolicy, Traffic
sbassett moved T357570: Run prod risk assessment cli to generate updated results from Incoming to In Progress on the Security-Team board.
Tue, Feb 20, 6:11 PM · SecTeam-Processed, user-sbassett, Code-Health, Security, Security Team AppSec, Security-Team, production-risk-assessment
sbassett removed a project from T354104: Wikibooks reported to be vulnerable to DOM Clobbering attack: Security-Team.
Tue, Feb 20, 6:05 PM · Vuln-Inject, SecTeam-Processed, user-sbassett, Security
sbassett moved T354104: Wikibooks reported to be vulnerable to DOM Clobbering attack from In Progress to Done on the user-sbassett board.
Tue, Feb 20, 6:05 PM · Vuln-Inject, SecTeam-Processed, user-sbassett, Security
sbassett moved T329266: Debian security update for git silently broke mediawiki-i18n-check-docker from Watching to Our Part Is Done on the Security-Team board.
Tue, Feb 20, 4:02 PM · Release-Engineering-Team (Priority Backlog 📥), Vuln-Misconfiguration, SecTeam-Processed, Security, Security-Team

Fri, Feb 16

sbassett added a comment to T356599: DiscussionTools is incompatible with hCaptcha (and likely ReCaptcha).

Note for Editing Team: this does not affect WMF wikis

Fri, Feb 16, 3:02 PM · ConfirmEdit (CAPTCHA extension), affects-Miraheze, DiscussionTools
sbassett moved T335698: Install the Application Security Pipeline templates for WikILambda CLI's GitLab repo from Frozen to Our Part Is Done on the Security-Team board.
Fri, Feb 16, 2:55 PM · Security-Team, SecTeam-Processed, Security Architecture Tooling, Abstract Wikipedia Fix-It tasks, Abstract Wikipedia team

Thu, Feb 15

sbassett updated the task description for T356297: Offboard James Fishback from Security Team.
Thu, Feb 15, 9:46 PM · SecTeam-Processed, Security-Team
sbassett updated the task description for T356297: Offboard James Fishback from Security Team.
Thu, Feb 15, 8:42 PM · SecTeam-Processed, Security-Team
sbassett changed the visibility for T352827: Directory traversal allows single-page whitelisting to override entire spam-blacklist entry.
Thu, Feb 15, 8:42 PM · SecTeam-Processed, Vuln-Misconfiguration, SpamBlacklist, Security, Security-Team
sbassett moved T352827: Directory traversal allows single-page whitelisting to override entire spam-blacklist entry from Watching to Our Part Is Done on the Security-Team board.
Thu, Feb 15, 8:41 PM · SecTeam-Processed, Vuln-Misconfiguration, SpamBlacklist, Security, Security-Team
sbassett added a comment to T352827: Directory traversal allows single-page whitelisting to override entire spam-blacklist entry.

(This was resolved by that patch, I just forgot to close it. @sbassett Could you please make it public?)

Thu, Feb 15, 8:41 PM · SecTeam-Processed, Vuln-Misconfiguration, SpamBlacklist, Security, Security-Team
sbassett updated the task description for T356297: Offboard James Fishback from Security Team.
Thu, Feb 15, 8:38 PM · SecTeam-Processed, Security-Team
sbassett updated the task description for T356297: Offboard James Fishback from Security Team.
Thu, Feb 15, 7:13 PM · SecTeam-Processed, Security-Team
sbassett awarded T335696: Install the Application Security Pipeline templates for function-evaluator's GitLab repo a Like token.
Thu, Feb 15, 7:11 PM · Abstract Wikipedia team, Security-Team, SecTeam-Processed, Security Architecture Tooling, function-evaluator, Abstract Wikipedia Fix-It tasks
sbassett moved T335696: Install the Application Security Pipeline templates for function-evaluator's GitLab repo from Frozen to Our Part Is Done on the Security-Team board.
Thu, Feb 15, 7:11 PM · Abstract Wikipedia team, Security-Team, SecTeam-Processed, Security Architecture Tooling, function-evaluator, Abstract Wikipedia Fix-It tasks
sbassett moved T335695: Install the Application Security Pipeline templates for function-orchestrator's GitLab repo from Frozen to Our Part Is Done on the Security-Team board.
Thu, Feb 15, 7:10 PM · Security-Team, SecTeam-Processed, Security Architecture Tooling, Abstract Wikipedia team, Abstract Wikipedia Fix-It tasks, function-orchestrator
sbassett awarded T335695: Install the Application Security Pipeline templates for function-orchestrator's GitLab repo a Like token.
Thu, Feb 15, 7:10 PM · Security-Team, SecTeam-Processed, Security Architecture Tooling, Abstract Wikipedia team, Abstract Wikipedia Fix-It tasks, function-orchestrator
sbassett updated the task description for T356297: Offboard James Fishback from Security Team.
Thu, Feb 15, 6:48 PM · SecTeam-Processed, Security-Team
sbassett removed a member for WMF-NDA: Nuria.
Thu, Feb 15, 6:38 PM
sbassett removed a member for WMF-NDA: Deskana.
Thu, Feb 15, 6:38 PM
sbassett removed a member for WMF-NDA: mmodell.
Thu, Feb 15, 6:38 PM
sbassett removed a member for WMF-NDA: Kalliope.
Thu, Feb 15, 6:37 PM
sbassett removed a member for WMF-NDA: BAbiola-WMF.
Thu, Feb 15, 6:37 PM
sbassett removed a member for WMF-NDA: demon.
Thu, Feb 15, 6:37 PM
sbassett removed a member for WMF-NDA: JFishback_WMF.
Thu, Feb 15, 6:31 PM
sbassett updated the task description for T356297: Offboard James Fishback from Security Team.
Thu, Feb 15, 6:28 PM · SecTeam-Processed, Security-Team
sbassett removed a member for production-risk-assessment: JFishback_WMF.
Thu, Feb 15, 6:27 PM

Wed, Feb 14

sbassett renamed T357570: Run prod risk assessment cli to generate updated results from Re-run prod risk assessment cli to update results to Run prod risk assessment cli to generate updated results.
Wed, Feb 14, 6:06 PM · SecTeam-Processed, user-sbassett, Code-Health, Security, Security Team AppSec, Security-Team, production-risk-assessment
sbassett updated the task description for T357570: Run prod risk assessment cli to generate updated results.
Wed, Feb 14, 6:06 PM · SecTeam-Processed, user-sbassett, Code-Health, Security, Security Team AppSec, Security-Team, production-risk-assessment
sbassett moved T357570: Run prod risk assessment cli to generate updated results from Backlog to In Progress on the user-sbassett board.
Wed, Feb 14, 6:05 PM · SecTeam-Processed, user-sbassett, Code-Health, Security, Security Team AppSec, Security-Team, production-risk-assessment
sbassett moved T357570: Run prod risk assessment cli to generate updated results from Backlog to In Progress on the production-risk-assessment board.
Wed, Feb 14, 6:05 PM · SecTeam-Processed, user-sbassett, Code-Health, Security, Security Team AppSec, Security-Team, production-risk-assessment
sbassett created T357570: Run prod risk assessment cli to generate updated results.
Wed, Feb 14, 6:05 PM · SecTeam-Processed, user-sbassett, Code-Health, Security, Security Team AppSec, Security-Team, production-risk-assessment
sbassett closed T357487: Create new subproject for acl*security as Resolved.

https://phabricator.wikimedia.org/project/members/6986/ reports "Joinable By" as "All Users".
Moving to Unbreak Now, since my understanding is that the project automatically allows access to the security tasks and now allows *anyone* to access security issues.

Wed, Feb 14, 3:27 PM · SecTeam-Processed, Project-Admins, Security-Team
sbassett changed the edit policy for acl*security_bots.
Wed, Feb 14, 3:26 PM
sbassett changed the join policy for acl*security_bots.
Wed, Feb 14, 3:25 PM
sbassett closed T357487: Create new subproject for acl*security as Resolved.

I believe this should automatically inherit the permissions of acl*security.

Wed, Feb 14, 3:12 PM · SecTeam-Processed, Project-Admins, Security-Team
sbassett set the image for acl*security_bots to F41897132: fa-lock-red.png.
Wed, Feb 14, 3:10 PM
sbassett set the icon for acl*security_bots to Policy.
Wed, Feb 14, 3:09 PM
sbassett renamed acl*security_bots from acl_security_bots to acl*security_bots.
Wed, Feb 14, 3:09 PM
sbassett created acl*security_bots.
Wed, Feb 14, 3:09 PM

Tue, Feb 13

sbassett removed a project from T345448: Improve task backlog checks: Patch-For-Review.
Tue, Feb 13, 8:42 PM · SecTeam-Processed, Code-Health, Security, production-risk-assessment
sbassett reopened T356768: DOM Clobbering Risk in WikiBooks as "Open".
Tue, Feb 13, 4:27 PM · Patch-For-Review, Vuln-XSS, SecTeam-Processed, Security, Security-Team
sbassett closed T356768: DOM Clobbering Risk in WikiBooks as Resolved.
Tue, Feb 13, 4:26 PM · Patch-For-Review, Vuln-XSS, SecTeam-Processed, Security, Security-Team
sbassett added a comment to T356183: IPInfo REST APIs are not safe from CSRF attacks.

Noting I dropped the security patch from this task from the train this week (1.42.0-wmf.18), still applied to previous weeks.

Patch was failing to apply, presumably because it's now merged in master. If this is incorrect, please let me know/flag someone on the blocker task for this week: T354436

Tue, Feb 13, 2:01 AM · Trust and Safety Product Sprint (Sprint Piano (Feb 19th - 1st March)), MW-1.42-notes (1.42.0-wmf.19; 2024-02-20), Patch-For-Review, Vuln-CSRF, SecTeam-Processed, IP Info, Trust and Safety Product Team, Security, Security-Team

Mon, Feb 12

sbassett moved T356183: IPInfo REST APIs are not safe from CSRF attacks from Security Patch To Deploy to Watching on the Security-Team board.
Mon, Feb 12, 8:33 PM · Trust and Safety Product Sprint (Sprint Piano (Feb 19th - 1st March)), MW-1.42-notes (1.42.0-wmf.19; 2024-02-20), Patch-For-Review, Vuln-CSRF, SecTeam-Processed, IP Info, Trust and Safety Product Team, Security, Security-Team
sbassett added projects to T357203: XSS through interface message in UnlinkedWikibase: SecTeam-Processed, Vuln-XSS.
Mon, Feb 12, 5:29 PM · Vuln-XSS, SecTeam-Processed, MediaWiki-extensions-UnlinkedWikibase, affects-Miraheze, Security, Security-Team
sbassett added a project to T356852: Security Issue Access Request for SecurityPatchBot: SecTeam-Processed.
Mon, Feb 12, 5:27 PM · SecTeam-Processed, Security-Team, Security
sbassett changed the status of T356852: Security Issue Access Request for SecurityPatchBot from Open to In Progress.
Mon, Feb 12, 5:27 PM · SecTeam-Processed, Security-Team, Security
sbassett triaged T356971: Rename help key to help-raw in HTMLForm and deprecate old key name as Low priority.
Mon, Feb 12, 5:25 PM · good first task, SecTeam-Processed, MediaWiki-HTMLForm, Vuln-XSS, Security
sbassett changed the status of T337949: Add security.txt to Wikimedia sites? (2023 edition) from Open to In Progress.
Mon, Feb 12, 5:22 PM · SecTeam-Processed, Documentation, WMF-General-or-Unknown, Security-Team, Security, Wikimedia-Apache-configuration
sbassett changed the status of T356768: DOM Clobbering Risk in WikiBooks from Open to In Progress.

I'm thinking about making this task public for awareness and if anybody wanted to publicly work on any related tooling. And possibly add this to any theoretically-updated security best practices for MediaWiki developers. Any strong objections?

Mon, Feb 12, 5:21 PM · Patch-For-Review, Vuln-XSS, SecTeam-Processed, Security, Security-Team
sbassett changed the status of T356297: Offboard James Fishback from Security Team from Open to In Progress.
Mon, Feb 12, 5:14 PM · SecTeam-Processed, Security-Team
sbassett added a project to T356297: Offboard James Fishback from Security Team: SecTeam-Processed.
Mon, Feb 12, 5:14 PM · SecTeam-Processed, Security-Team
sbassett updated subscribers of T357203: XSS through interface message in UnlinkedWikibase.

Merged gerrit patch: https://gerrit.wikimedia.org/r/1002175

Mon, Feb 12, 4:09 PM · Vuln-XSS, SecTeam-Processed, MediaWiki-extensions-UnlinkedWikibase, affects-Miraheze, Security, Security-Team

Fri, Feb 9

sbassett added a comment to T356971: Rename help key to help-raw in HTMLForm and deprecate old key name.

I've always hated that the key is named help instead of help-raw or help-html. It's super confusing. I'd support making a new name for the key and deprecating the old name.

+1. If nothing else, it would at least make it consistent with the naming scheme used in, for example, label/label-raw.

Fri, Feb 9, 4:48 PM · good first task, SecTeam-Processed, MediaWiki-HTMLForm, Vuln-XSS, Security

Thu, Feb 8

sbassett added a comment to T356971: Rename help key to help-raw in HTMLForm and deprecate old key name.

I was wondering: is there a reason we can't make it use something like 'raw' to make it possible not to escape?

Thu, Feb 8, 6:03 PM · good first task, SecTeam-Processed, MediaWiki-HTMLForm, Vuln-XSS, Security
sbassett added a comment to T356768: DOM Clobbering Risk in WikiBooks.

It'd be really nice to have some high-quality SAST/sanitization run against Gadget code (and userJS for that matter) and at least emit warnings. Or send some kind of audit report somewhere. But that's obviously not a trivial project. And one that's been talked about at least a few times, including this still somewhat-recent incident: T296855.

Thu, Feb 8, 5:08 PM · Patch-For-Review, Vuln-XSS, SecTeam-Processed, Security, Security-Team
sbassett added a comment to T356971: Rename help key to help-raw in HTMLForm and deprecate old key name.

I believe this is intentional, as some help messages can contain small amounts of harmless HTML for formatting purposes. This is a pattern we'd likely try to correct though, if found in actual code. And we do that in various ways (see also T347742 et al). Otherwise it's generally incumbent upon an engineer or developer to have a good understanding of the MediaWiki Messages API and its output modes.

Thu, Feb 8, 5:01 PM · good first task, SecTeam-Processed, MediaWiki-HTMLForm, Vuln-XSS, Security
sbassett triaged T356958: Problem with logging into my developer account. as Low priority.
Thu, Feb 8, 4:54 PM · SecTeam-Processed, cloud-services-team, LDAP, wikitech.wikimedia.org, Security
sbassett closed T356884: Specific fr.wp page is very slow to parse as Resolved.
Thu, Feb 8, 4:54 PM · MW-1.42-notes (1.42.0-wmf.18; 2024-02-13), Editing-team (Kanban Board), SecTeam-Processed, Vuln-DoS, Patch-For-Review, DiscussionTools, Security
sbassett closed T356884: Specific fr.wp page is very slow to parse, a subtask of T315510: Start maintenance script to backfill talk page comment database, as Resolved.
Thu, Feb 8, 4:53 PM · MW-1.42-notes (1.42.0-wmf.4; 2023-11-07), Goal, MW-1.40-notes (1.40.0-wmf.6; 2022-10-17), MW-1.39-notes (1.39.0-wmf.26; 2022-08-22), Editing-team (Kanban Board), TPP-Phase1, DiscussionTools

Wed, Feb 7

sbassett added a comment to T356824: Unsuppressable DoubleEscaped warnings.

Like @Daimona, I played around with this locally and could not reproduce the issue, even when cloning all of the same extensions and mediawiki/vendor that mwext-php74-phan-docker does and running releng/mediawiki-phan-php74:0.2.3 against CentralAuth directly via docker run. But then I noticed in the jenkins console output for the first round of failing jobs for c997980 that phan was only complaining about the missing SecurityCheck-XSS suppressions and not the SecurityCheck-DoubleEscaped suppressions. So I uploaded a new PS which seems to test fine.

Wed, Feb 7, 10:27 PM · MW-1.42-notes (1.42.0-wmf.19; 2024-02-20), ci-test-error, phan-taint-check-plugin
sbassett removed a project from T356884: Specific fr.wp page is very slow to parse: GerritBot.
Wed, Feb 7, 9:27 PM · MW-1.42-notes (1.42.0-wmf.18; 2024-02-13), Editing-team (Kanban Board), SecTeam-Processed, Vuln-DoS, Patch-For-Review, DiscussionTools, Security
sbassett triaged T310393: IP Info log can be used to deanonymize user as Low priority.
Wed, Feb 7, 8:50 PM · Privacy Engineering, Anti-Harassment, Vuln-Infoleak, SecTeam-Processed, IP Info, Security, Security-Team