Hello everyone,
For the last little while I have been working on a new tool to automatically detect common security issues in MediaWiki extensions.
The tool can detect a number of issues, including:

* XSS
** We include here using wfMessage( 'foo' )->text() when you should have used ->escaped() or ->parse().
* SQL injection
* Shell injection
* PHP deserialization vulnerabilities (a little buggy on this one)
In the future, it will likely also detect double escaping issues.
Of course, as with any static analysis tool, there will be instances of false positives, as well as things it cannot detect.
I've now reached the stage where I feel the tool is useful, and would really like people to test it out and give feedback.
Note: the tool has a requirement of PHP 7.0 (neither higher nor lower); see https://www.mediawiki.org/wiki/Continuous_integration/Phan#Dependencies for how to install PHP 7.0 if your system doesn't have it.
To test with your extension, simply do:
$ composer require --dev mediawiki/phan-taint-check-plugin
and then merge into the scripts directive of composer.json:

    "scripts": {
        "seccheck": "seccheck-mwext",
        "seccheck-fast": "seccheck-fast-mwext"
    }

and simply run composer seccheck

seccheck will take about 3 minutes and use lots of RAM (~2 GB); seccheck-fast won't test certain things involving hooks, but will work in about 27 seconds and use much less RAM. This assumes that your extension is installed in the extensions/ subdirectory of MediaWiki.
In the future we may make this into a non-voting jenkins job.
If you are not making a MediaWiki extension, there is also a "seccheck-generic" script you can use, which should work with any PHP project. It is also possible to customize the script for other projects that have custom escaping methods. Generic mode is not well tested yet.
See the README for more information about the tool: https://github.com/wikimedia/Phan-Taint-Check-Plugin/blob/master/README.md
Anyways, I hope this is useful, and am very eager to hear feedback. I also hope that this will not only be useful for Wikimedia, but also helpful to the third party extension development community. Please test it and let me know what you think.
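The announcement names the issue classes the plugin flags but shows no code. The following PHP is an added illustration, not code from phan-taint-check-plugin or from any real extension: one hypothetical special page (the class SpecialTaintDemo, the message key taintdemo-greeting and the request parameters name, path, state and unsafe are all made-up names) written once with the sink patterns the list above describes and once with each sink fed only escaped or structured data. It uses only long-standing MediaWiki core APIs (wfMessage, OutputPage::addHTML, Database::select, wfShellExec, wfEscapeShellArg, FormatJson, Html::element).

```php
<?php
/**
 * Added example, not part of the plugin or of any real extension.
 * SpecialTaintDemo, the message key 'taintdemo-greeting' and the request
 * parameters are hypothetical names chosen for the illustration.
 */
class SpecialTaintDemo extends SpecialPage {
	public function __construct() {
		parent::__construct( 'TaintDemo' );
	}

	public function execute( $subPage ) {
		$this->setHeaders();
		$req = $this->getRequest();
		// Everything read from WebRequest is attacker-controlled (tainted).
		$name = $req->getText( 'name' );
		$path = $req->getText( 'path' );
		$state = $req->getText( 'state' );

		if ( $req->getBool( 'unsafe' ) ) {
			$this->vulnerable( $name, $path, $state );
		} else {
			$this->hardened( $name, $path, $state );
		}
	}

	/** Every sink here receives tainted data unescaped: the patterns the plugin is meant to report. */
	private function vulnerable( $name, $path, $state ) {
		$out = $this->getOutput();
		$dbr = wfGetDB( DB_REPLICA );

		// XSS: ->text() substitutes $name with no HTML escaping, and addHTML()
		// is an HTML sink, so name=<script>...</script> lands in the page verbatim.
		$out->addHTML( wfMessage( 'taintdemo-greeting', $name )->text() );

		// SQL injection: a condition string built by concatenation.
		$res = $dbr->select( 'page', [ 'page_title' ],
			"page_title = '$name'", __METHOD__ );

		// Shell injection: the argument is spliced into the command line as-is
		// (path=x;id runs a second command).
		$info = wfShellExec( 'file ' . $path );

		// PHP deserialization: attacker chooses which classes get instantiated.
		$saved = unserialize( $state );

		// Second XSS sink: command output is not HTML-safe either.
		$out->addHTML( '<pre>' . $info . '</pre>' );
	}

	/** Same behaviour with each sink hardened. */
	private function hardened( $name, $path, $state ) {
		$out = $this->getOutput();
		$dbr = wfGetDB( DB_REPLICA );

		// ->escaped() HTML-escapes the substituted message; ->parse() is the
		// choice when the message is wikitext that must render as HTML.
		$out->addHTML( wfMessage( 'taintdemo-greeting', $name )->escaped() );

		// Array conditions are quoted by the Database layer. If a string
		// condition is unavoidable, build it with $dbr->addQuotes( $name ).
		$res = $dbr->select( 'page', [ 'page_title' ],
			[ 'page_namespace' => NS_MAIN, 'page_title' => $name ], __METHOD__ );

		// wfEscapeShellArg() quotes the argument so it is one word to the shell.
		$info = wfShellExec( 'file ' . wfEscapeShellArg( $path ) );

		// JSON instead of unserialize(): plain arrays, no object instantiation.
		$saved = FormatJson::decode( $state, true );

		// Html::element() escapes the text content it is given.
		$out->addHTML( Html::element( 'pre', [], $info ) );
	}
}
```

Pointing seccheck at a file like this is a quick way to see the plugin's output on each issue class before running it on a real extension; the vulnerable() method is the one that should produce findings.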
Thanks Brian!
As an integrator, I'm often concerned about the quality of 3rd party extensions. This should be super useful. I hope to give feedback once I get this setup and run various checks with it.
Greg Rundlett https://qualitybox.us
Brian, when you were talking about it in IRC it sounded cool, and looking at the current project is even better! However, can I suggest maybe making this into a wmflabs tool so we can choose to run certain repos without using our own personal RAM/resources? Thank you for all you do. Merry Christmas and Happy New Year (Happy Holidays)
-- Zppix Volunteer Wikimedia Developer Volunteer Wikimedia GCI2017 Mentor enwp.org/User:Zppix **Note: I do not work for Wikimedia Foundation, or any of its chapters.**
On Dec 11, 2017, at 7:40 PM, Greg Rundlett (freephile) greg@freephile.com wrote:
On Dec 11, 2017, at 4:09 PM, Brian Wolff bwolff@wikimedia.org wrote:
... Note: the tool has a requirement of php 7.0 (neither higher nor lower) see https://www.mediawiki.org/wiki/Continuous_integration/Phan#Dependencies for how to install php 7.0 if your system doesn't have it.
I'm interested in trying it. However, I'm on macOS with PHP 7.1.1 and reluctant to downgrade to PHP 7.0 or set up a virtual machine just for this. Has anybody tried it with macOS and/or PHP 7.1.1?
Thanks!
Tom
Wenlin Institute, Inc. SPC (a Social Purpose Corporation) 文林研究所社会目的公司 Software for Learning Chinese E-mail: wenlin@wenlin.com Web: http://www.wenlin.com Telephone: 1-877-4-WENLIN (1-877-493-6546) ☯
The 7.0 requirement is due to phan 0.8. You could try changing the version of phan to a higher one (I used phan 0.8 originally because that's what Wikimedia used in their continuous integration setup, which in retrospect really didn't matter). I have not tried it with higher versions of phan. I have no idea how stable the phan plugin API is, so it could totally work with higher versions of phan - I have no idea. That is really something I should test.
You should be able to co-install both versions of PHP beside each other, with the PHP 7.0 binary named php7.0 instead of php. On Macs, Homebrew will let you do this, and I assume other installation methods will let you do this too.
Thanks, Brian
On Thursday, December 14, 2017, Tom Bishop, Wenlin Institute <tangmu@wenlin.com> wrote:
WMF CI currently uses a Docker image to run phan tests.
This is currently at https://hub.docker.com/r/wmfreleng/mediawiki-phan/
Once we get this running in CI there will also be a Docker image for phan with the security plugin.
On 14 December 2017 at 15:40, Brian Wolff bawolff@gmail.com wrote: