---------- Forwarded message ----------
From: Brian Wolff <bwolff@wikimedia.org>
Date: Mon, Dec 11, 2017 at 10:09 PM
Subject: [Wikitech-l] Announcing a new security testing tool for MediaWiki extensions "phan-taint-check-plugin"
To: wikitech-l@lists.wikimedia.org


Hello everyone,

For the last little while I have been working on a new tool
to automatically detect common security issues in MediaWiki
extensions.

The tool can detect a number of issues, including:
* XSS
** We include here using wfMessage( 'foo' )->text()
   when you should have used ->escaped() or ->parse().
* SQL injection
* Shell injection
* PHP deserialization vulnerabilities (A little buggy on this one)

In the future, it will likely also detect double escaping issues.

Of course, as with any static analysis tool, there will be instances
of false positives, as well as things it cannot detect.

I've now reached the stage where I feel the tool is useful,
and would really like people to test it out and give feedback.

Note: the tool has a requirement of PHP 7.0 (neither higher nor lower);
see https://www.mediawiki.org/wiki/Continuous_integration/Phan#Dependencies
for how to install PHP 7.0 if your system doesn't have it.

To test with your extension, simply do:

$ composer require --dev mediawiki/phan-taint-check-plugin

and then merge into the scripts directive of composer.json
  "scripts": {
    "seccheck": "seccheck-mwext",
    "seccheck-fast": "seccheck-fast-mwext"
  }
and simply run
composer seccheck

seccheck will take about 3 minutes and use lots of RAM (~2 GB);
seccheck-fast won't test certain things involving hooks,
but will work in about 27 seconds and use much less RAM.
This assumes that your extension is installed in the extensions/
subdirectory of MediaWiki.

In the future we may make this into a non-voting Jenkins job.

If you are not making a MediaWiki extension, there is also
a "seccheck-generic" script you can use, which should work
with any PHP project. It is also possible to customize the script
for other projects that have custom escaping methods.
Generic mode is not well tested yet.

See the README for more information about the tool:
https://github.com/wikimedia/Phan-Taint-Check-Plugin/blob/master/README.md

Anyways, I hope this is useful, and am very eager to
hear feedback. I also hope that this will not only be useful
for Wikimedia, but also helpful to the third party extension
development community. Please test it and let me know what
you think.
_______________________________________________
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
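Added example (not part of the announcement or the plugin's own code): a hypothetical extension's special page showing the wfMessage()->text() XSS pattern the tool flags beside the ->escaped() form it accepts. The class name, message key and request parameter are assumptions; MediaWiki core classes (SpecialPage, Html) are assumed to be autoloaded.

```php
<?php
// Hypothetical extension special page, written to illustrate what
// phan-taint-check reports. Not from the announcement or the plugin.

class SpecialTaintDemo extends SpecialPage {
	public function __construct() {
		parent::__construct( 'TaintDemo' );
	}

	// BAD: ->text() returns the message as plain text, so any markup in it
	// reaches addHTML() unescaped; the request value $name is concatenated
	// into HTML the same way. The taint checker reports this as XSS.
	public function executeVulnerable() {
		$out = $this->getOutput();
		$name = $this->getRequest()->getVal( 'name', '' );
		$out->addHTML(
			'<p>' . wfMessage( 'taintdemo-greeting' )->text() . ' ' . $name . '</p>'
		);
	}

	// GOOD: ->escaped() yields HTML-safe message output (use ->parse() when
	// the message is meant to carry wikitext), and the request value is
	// escaped with htmlspecialchars() before it enters the HTML string.
	public function execute( $subPage ) {
		$this->setHeaders();
		$out = $this->getOutput();
		$name = $this->getRequest()->getVal( 'name', '' );
		$out->addHTML(
			Html::rawElement(
				'p',
				[],
				wfMessage( 'taintdemo-greeting' )->escaped() . ' ' . htmlspecialchars( $name )
			)
		);
	}
}
```

Running composer seccheck on an extension containing executeVulnerable() is expected to flag the addHTML() call; the escaped execute() body is the shape of fix that clears the warning.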