[go: up one dir, main page]
Page MenuHomePhabricator
Create Task
Maniphest T312710

CentralAuth phan issues...
Closed, ResolvedPublic
Actions

Description

https://gerrit.wikimedia.org/r/c/mediawiki/extensions/CentralAuth/+/812484/

https://integration.wikimedia.org/ci/job/mwext-php72-phan-docker/190901/console

02:59:19 includes/GlobalRename/GlobalRenameLogFormatter.php:21 SecurityCheck-DoubleEscaped Calling method \MediaWiki\Extension\CentralAuth\GlobalRename\GlobalRenameLogFormatter::getLocalWikiLink() in \MediaWiki\Extension\CentralAuth\GlobalRename\GlobalRenameLogFormatter::getMessageParameters that outputs using tainted argument #1 (`$params[3]`). (Caused by: includes/GlobalRename/GlobalRenameLogFormatter.php +55; ../../includes/Linker.php +1016; Builtin-\Html::rawElement; ../../includes/Linker.php +1055; Builtin-\Html::rawElement; ../../includes/Linker.php +1030; ../../includes/Linker.php +1016) (Caused by: includes/GlobalRename/GlobalRenameLogFormatter.php +18; ../../includes/logging/LogFormatter.php +564; ../../includes/logging/LogFormatter.php +546; ../../includes/logging/LogFormatter.php +670; ../../includes/logging/LogFormatter.php +629; ../../includes/language/Language.php +3494; Builtin-\Message::escaped)
02:59:19 includes/GlobalRename/GlobalRenameLogFormatter.php:21 SecurityCheck-DoubleEscaped Calling method \MediaWiki\Extension\CentralAuth\GlobalRename\GlobalRenameLogFormatter::getLocalWikiLink() in \MediaWiki\Extension\CentralAuth\GlobalRename\GlobalRenameLogFormatter::getMessageParameters that outputs using tainted argument #2 (`$params[5]`). (Caused by: includes/GlobalRename/GlobalRenameLogFormatter.php +55; ../../includes/Linker.php +1016; Builtin-\Html::rawElement; ../../includes/Linker.php +1055; Builtin-\Html::rawElement; ../../includes/Linker.php +1030; ../../includes/Linker.php +1016) (Caused by: includes/GlobalRename/GlobalRenameLogFormatter.php +18; ../../includes/logging/LogFormatter.php +564; ../../includes/logging/LogFormatter.php +546; ../../includes/logging/LogFormatter.php +670; ../../includes/logging/LogFormatter.php +629; ../../includes/language/Language.php +3494; Builtin-\Message::escaped)
02:59:19 includes/GlobalRename/GlobalRenameLogFormatter.php:23 SecurityCheck-DoubleEscaped Calling method \MediaWiki\Extension\CentralAuth\GlobalRename\GlobalRenameLogFormatter::getCentralAuthLink() in \MediaWiki\Extension\CentralAuth\GlobalRename\GlobalRenameLogFormatter::getMessageParameters that outputs using tainted argument #1 (`$params[3]`). (Caused by: includes/GlobalRename/GlobalRenameLogFormatter.php +41; Builtin-\MediaWiki\Linker\LinkRenderer::makeLink; Builtin-\MediaWiki\Linker\LinkRenderer::makeLink) (Caused by: includes/GlobalRename/GlobalRenameLogFormatter.php +18; ../../includes/logging/LogFormatter.php +564; ../../includes/logging/LogFormatter.php +546; ../../includes/logging/LogFormatter.php +670; ../../includes/logging/LogFormatter.php +629; ../../includes/language/Language.php +3494; Builtin-\Message::escaped)
02:59:19 includes/GlobalRename/GlobalRenameLogFormatter.php:25 SecurityCheck-DoubleEscaped Calling method \MediaWiki\Extension\CentralAuth\GlobalRename\GlobalRenameLogFormatter::getCentralAuthLink() in \MediaWiki\Extension\CentralAuth\GlobalRename\GlobalRenameLogFormatter::getMessageParameters that outputs using tainted argument #1 (`$params[4]`). (Caused by: includes/GlobalRename/GlobalRenameLogFormatter.php +41; Builtin-\MediaWiki\Linker\LinkRenderer::makeLink; Builtin-\MediaWiki\Linker\LinkRenderer::makeLink) (Caused by: includes/GlobalRename/GlobalRenameLogFormatter.php +18; ../../includes/logging/LogFormatter.php +564; ../../includes/logging/LogFormatter.php +546; ../../includes/logging/LogFormatter.php +670; ../../includes/logging/LogFormatter.php +629; ../../includes/language/Language.php +3494; Builtin-\Message::escaped)
02:59:19 includes/LogFormatter/GlobalUserMergeLogFormatter.php:25 SecurityCheck-DoubleEscaped Calling method \MediaWiki\Extension\CentralAuth\LogFormatter\GlobalUserMergeLogFormatter::getCentralAuthLink() in \MediaWiki\Extension\CentralAuth\LogFormatter\GlobalUserMergeLogFormatter::extractParameters that outputs using tainted argument #1 (`$params[4]`). (Caused by: includes/LogFormatter/GlobalUserMergeLogFormatter.php +37; Builtin-\MediaWiki\Linker\LinkRenderer::makeKnownLink; includes/LogFormatter/GlobalUserMergeLogFormatter.php +37) (Caused by: includes/LogFormatter/GlobalUserMergeLogFormatter.php +16; ../../includes/logging/LogFormatter.php +564; ../../includes/logging/LogFormatter.php +546; ../../includes/logging/LogFormatter.php +670; ../../includes/logging/LogFormatter.php +629; ../../includes/language/Language.php +3494; Builtin-\Message::escaped)
02:59:19 includes/LogFormatter/WikiSetLogFormatter.php:51 SecurityCheck-DoubleEscaped Calling method \MediaWiki\Extension\CentralAuth\LogFormatter\WikiSetLogFormatter::formatWikiSetLink() in \MediaWiki\Extension\CentralAuth\LogFormatter\WikiSetLogFormatter::extractParameters that outputs using tainted argument #1 (`$params[3]`). (Caused by: includes/LogFormatter/WikiSetLogFormatter.php +21; includes/LogFormatter/WikiSetLogFormatter.php +21; ../../includes/logging/LogFormatter.php +683; ../../includes/logging/LogFormatter.php +689; Builtin-\Html::element; Builtin-\MediaWiki\Linker\LinkRenderer::makeLink; ../../includes/logging/LogFormatter.php +700; ../../includes/logging/LogFormatter.php +697; Builtin-\MediaWiki\Linker\LinkRenderer::makeLink) (Caused by: includes/LogFormatter/WikiSetLogFormatter.php +41; ../../includes/logging/LogFormatter.php +564; ../../includes/logging/LogFormatter.php +546; ../../includes/logging/LogFormatter.php +670; ../../includes/logging/LogFormatter.php +629; ../../includes/language/Language.php +3494; Builtin-\Message::escaped)
02:59:19 includes/LogFormatter/WikiSetLogFormatter.php:58 SecurityCheck-DoubleEscaped Calling method \MediaWiki\Extension\CentralAuth\LogFormatter\WikiSetLogFormatter::formatWikiSetLink() in \MediaWiki\Extension\CentralAuth\LogFormatter\WikiSetLogFormatter::extractParameters that outputs using tainted argument #1 (`$params[3]`). (Caused by: includes/LogFormatter/WikiSetLogFormatter.php +21; includes/LogFormatter/WikiSetLogFormatter.php +21; ../../includes/logging/LogFormatter.php +683; ../../includes/logging/LogFormatter.php +689; Builtin-\Html::element; Builtin-\MediaWiki\Linker\LinkRenderer::makeLink; ../../includes/logging/LogFormatter.php +700; ../../includes/logging/LogFormatter.php +697; Builtin-\MediaWiki\Linker\LinkRenderer::makeLink) (Caused by: includes/LogFormatter/WikiSetLogFormatter.php +41; ../../includes/logging/LogFormatter.php +564; ../../includes/logging/LogFormatter.php +546; ../../includes/logging/LogFormatter.php +670; ../../includes/logging/LogFormatter.php +629; ../../includes/language/Language.php +3494; Builtin-\Message::escaped)
02:59:19 includes/LogFormatter/WikiSetLogFormatter.php:71 SecurityCheck-DoubleEscaped Calling method \MediaWiki\Extension\CentralAuth\LogFormatter\WikiSetLogFormatter::formatWikiSetLink() in \MediaWiki\Extension\CentralAuth\LogFormatter\WikiSetLogFormatter::extractParameters that outputs using tainted argument #1 (`$params[3]`). (Caused by: includes/LogFormatter/WikiSetLogFormatter.php +21; includes/LogFormatter/WikiSetLogFormatter.php +21; ../../includes/logging/LogFormatter.php +683; ../../includes/logging/LogFormatter.php +689; Builtin-\Html::element; Builtin-\MediaWiki\Linker\LinkRenderer::makeLink; ../../includes/logging/LogFormatter.php +700; ../../includes/logging/LogFormatter.php +697; Builtin-\MediaWiki\Linker\LinkRenderer::makeLink) (Caused by: includes/LogFormatter/WikiSetLogFormatter.php +41; ../../includes/logging/LogFormatter.php +564; ../../includes/logging/LogFormatter.php +546; ../../includes/logging/LogFormatter.php +670; ../../includes/logging/LogFormatter.php +629; ../../includes/language/Language.php +3494; Builtin-\Message::escaped)
02:59:19 includes/LogFormatter/WikiSetLogFormatter.php:79 SecurityCheck-DoubleEscaped Calling method \MediaWiki\Extension\CentralAuth\LogFormatter\WikiSetLogFormatter::formatWikiSetLink() in \MediaWiki\Extension\CentralAuth\LogFormatter\WikiSetLogFormatter::extractParameters that outputs using tainted argument #1 (`$params[3]`). (Caused by: includes/LogFormatter/WikiSetLogFormatter.php +21; includes/LogFormatter/WikiSetLogFormatter.php +21; ../../includes/logging/LogFormatter.php +683; ../../includes/logging/LogFormatter.php +689; Builtin-\Html::element; Builtin-\MediaWiki\Linker\LinkRenderer::makeLink; ../../includes/logging/LogFormatter.php +700; ../../includes/logging/LogFormatter.php +697; Builtin-\MediaWiki\Linker\LinkRenderer::makeLink) (Caused by: includes/LogFormatter/WikiSetLogFormatter.php +41; ../../includes/logging/LogFormatter.php +564; ../../includes/logging/LogFormatter.php +546; ../../includes/logging/LogFormatter.php +670; ../../includes/logging/LogFormatter.php +629; ../../includes/language/Language.php +3494; Builtin-\Message::escaped)
02:59:19 includes/LogFormatter/WikiSetLogFormatter.php:85 SecurityCheck-DoubleEscaped Calling method \MediaWiki\Extension\CentralAuth\LogFormatter\WikiSetLogFormatter::formatWikiSetLink() in \MediaWiki\Extension\CentralAuth\LogFormatter\WikiSetLogFormatter::extractParameters that outputs using tainted argument #1 (`$params[3]`). (Caused by: includes/LogFormatter/WikiSetLogFormatter.php +21; includes/LogFormatter/WikiSetLogFormatter.php +21; ../../includes/logging/LogFormatter.php +683; ../../includes/logging/LogFormatter.php +689; Builtin-\Html::element; Builtin-\MediaWiki\Linker\LinkRenderer::makeLink; ../../includes/logging/LogFormatter.php +700; ../../includes/logging/LogFormatter.php +697; Builtin-\MediaWiki\Linker\LinkRenderer::makeLink) (Caused by: includes/LogFormatter/WikiSetLogFormatter.php +41; ../../includes/logging/LogFormatter.php +564; ../../includes/logging/LogFormatter.php +546; ../../includes/logging/LogFormatter.php +670; ../../includes/logging/LogFormatter.php +629; ../../includes/language/Language.php +3494; Builtin-\Message::escaped)
02:59:19 includes/Special/SpecialGlobalGroupMembership.php:562 UnusedPluginSuppression Plugin BuiltinSuppressionPlugin suppresses issue SecurityCheck-XSS on this line but this suppression is unused or suppressed elsewhere

Details

SubjectRepoBranchLines +/-
Address Phan errorsmediawiki/extensions/CentralAuthmaster+8 -8
Customize query in gerrit

Event Timeline

Reedy created this task.Jul 10 2022, 2:01 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJul 10 2022, 2:01 AM
Umherirrender moved this task from Backlog to Extensions on the phan board.Aug 30 2022, 8:13 PM
Daimona subscribed.Oct 15 2022, 5:14 PM

With mw-phan 0.12.0 and taint-check 4.0.0, (some of) these issues are reported on master, see https://gerrit.wikimedia.org/r/c/mediawiki/extensions/CentralAuth/+/840425. The time has come to fix them, I guess...

Daimona moved this task from Backlog to Issues in MediaWiki code on the phan-taint-check-plugin board.Oct 15 2022, 5:18 PM
gerritbot added a comment.May 20 2023, 3:01 PM

Change 921591 had a related patch set uploaded (by Hoo man; author: Hoo man):

[mediawiki/extensions/CentralAuth@master] Address Phan errors

https://gerrit.wikimedia.org/r/921591

gerritbot added a project: Patch-For-Review.May 20 2023, 3:01 PM
hoo subscribed.May 20 2023, 3:06 PM

Example failure: https://integration.wikimedia.org/ci/job/mwext-php74-phan-docker/45659/console

Ladsgroup closed this task as Resolved.May 20 2023, 3:24 PM
Ladsgroup assigned this task to hoo.
Ladsgroup added a project: Wikimania-Hackathon-2023.
Daimona added a comment.May 20 2023, 3:27 PM

FTR, the new failures are a consequence of r902363. The issues originally reported here stem from an attempt to move classes around, which changes the order in which phan analyzes the code, and thus the issues it sees. The original errors may or may not have been resolved in the meantime, I haven't checked that.

gerritbot added a comment.May 20 2023, 3:39 PM

Change 921591 merged by jenkins-bot:

[mediawiki/extensions/CentralAuth@master] Address Phan errors

https://gerrit.wikimedia.org/r/921591

ReleaseTaggerBot added a project: MW-1.41-notes (1.41.0-wmf.10; 2023-05-23).May 20 2023, 4:00 PM
Maintenance_bot removed a project: Patch-For-Review.May 20 2023, 4:10 PM
Aklapper moved this task from Inbox to Hacking Projects on the Wikimania-Hackathon-2023 board.Sep 1 2023, 8:18 AM
Restricted Application added a project: MediaWiki-Platform-Team. · View Herald TranscriptSep 1 2023, 8:18 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits