---------- Forwarded message ---------- From: Brian Wolff bwolff@wikimedia.org Date: Mon, Dec 11, 2017 at 10:09 PM Subject: [Wikitech-l] Announcing a new security testing tool for MediaWiki extensions "phan-taint-check-plugin" To: wikitech-l@lists.wikimedia.org

Hello everyone,

For the last little while I have been working on a new tool to automatically detect common security issues in MediaWiki extensions.

The tool can detect a number of issues, including: * XSS ** We include here using wfMessage( 'foo' )->text() when you should have used ->escaped() or ->parse(). * Sql injection * Shell injection * PHP deserialization vulnerabilities (A little buggy on this one)

In the future, it will likely also detect double escaping issues.

Of course, as with any static analysis tool, there will be instances of false positives, as well as things it cannot detect.

I've now reached the stage where I feel the tool is useful, and would really like people to test it out and give feedback.

Note: the tool has a requirement of php 7.0 (neither higher nor lower) see https://www.mediawiki.org/wiki/Continuous_integration/Phan#Dependencies for how to install php 7.0 if your system doesn't have it.

To test with your extension, simply do:

$ composer require --dev mediawiki/phan-taint-check-plugin

and then merge into the scripts directive of composer.json "scripts": { "seccheck": "seccheck-mwext", "seccheck-fast": "seccheck-fast-mwext" } and simply run composer seccheck

seccheck will take about 3 minutes and use lots of ram (~2 GB), seccheck-fast won't test certain things involving hooks, but will work in about 27 seconds and use much less ram. This assumes that your extension is installed in the extensions/ subdirectory of MediaWiki.

In the future we may make this into a non-voting jenkins job.

If you are not making a MediaWiki extension, there is also a "seccheck-generic" script you can use, which should work with any PHP project. It is also possible to customize the script for other projects that have custom escaping methods. Generic mode is not well tested yet.

See the README for more information about the tool: https://github.com/wikimedia/Phan-Taint-Check-Plugin/blob/master/README.md

Anyways, I hope this is useful, and am very eager to hear feedback. I also hope that this will not only be useful for Wikimedia, but also helpful to the third party extension development community. Please test it and let me know what you think. _______________________________________________ Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l