Re: [Wikitech-l] Announcing a new security testing tool for MediaWiki extensions "phan-taint-check-plugin"

2017-12-14 Thread Addshore
WMF CI currently uses a docker image to run phan tests.

This is currently at https://hub.docker.com/r/wmfreleng/mediawiki-phan/

Once we get this running in CI there will also be a docker image for phan
with the security plugin.

___
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l

Re: [Wikitech-l] Announcing a new security testing tool for MediaWiki extensions "phan-taint-check-plugin"

2017-12-14 Thread Brian Wolff
The 7.0 requirement is due to phan 0.8. You could try changing the version
of phan to a higher one (I used phan 0.8 originally because that's what
Wikimedia used in their continuous integration setup. Which in retrospect
really didn't matter). I have not tried it with higher versions of phan. I
have no idea how stable the phan plugin api is, so it could totally work
with higher versions of phan - I have no idea. That is really something I
should test.

You should be able to co-install both versions of php beside each other,
with the php 7.0 binary named php7.0 instead of php. On Macs, Homebrew will
let you do this, and I assume other installation methods will let you do
this too.

Thanks,
Brian


Re: [Wikitech-l] Announcing a new security testing tool for MediaWiki extensions "phan-taint-check-plugin"

2017-12-14 Thread Tom Bishop, Wenlin Institute


> On Dec 11, 2017, at 4:09 PM, Brian Wolff  wrote:
> 
> ...
> Note: the tool has a requirement of php 7.0 (neither higher nor lower)
> see https://www.mediawiki.org/wiki/Continuous_integration/Phan#Dependencies
> for how to install php 7.0 if your system doesn't have it.

I'm interested in trying it. However, I'm on macOS with php 7.1.1 and reluctant 
to downgrade to php 7.0 or set up a virtual machine just for this. Has anybody 
tried it with macOS and/or php 7.1.1?

Thanks!

Tom

Wenlin Institute, Inc. SPC (a Social Purpose Corporation)
文林研究所社会目的公司
Software for Learning Chinese
E-mail: wen...@wenlin.com Web: http://www.wenlin.com
Telephone: 1-877-4-WENLIN (1-877-493-6546)
☯





Re: [Wikitech-l] Announcing a new security testing tool for MediaWiki extensions "phan-taint-check-plugin"

2017-12-11 Thread zppix e
Brian,
When you were talking about it in IRC it sounded cool; looking at the current
project is even better! However, can I suggest maybe making this into a wmflabs
tool so we can choose to run certain repos without using our own personal
RAM/resources? Thank you for all you do.
Merry Christmas and Happy New Year (Happy Holidays)

--
Zppix
Volunteer Wikimedia Developer
Volunteer Wikimedia GCI2017 Mentor
enwp.org/User:Zppix
**Note: I do not work for Wikimedia Foundation, or any of its chapters.** 


Re: [Wikitech-l] Announcing a new security testing tool for MediaWiki extensions "phan-taint-check-plugin"

2017-12-11 Thread Greg Rundlett (freephile)
Thanks Brian!

As an integrator, I'm often concerned about the quality of 3rd party
extensions. This should be super useful. I hope to give feedback once I get
this setup and run various checks with it.

Greg Rundlett
https://qualitybox.us

[Wikitech-l] Announcing a new security testing tool for MediaWiki extensions "phan-taint-check-plugin"

2017-12-11 Thread Brian Wolff
Hello everyone,

For the last little while I have been working on a new tool
to automatically detect common security issues in MediaWiki
extensions.

The tool can detect a number of issues, including:
* XSS
** We include here using wfMessage( 'foo' )->text()
   when you should have used ->escaped() or ->parse().
* Sql injection
* Shell injection
* PHP deserialization vulnerabilities (A little buggy on this one)

In the future, it will likely also detect double escaping issues.

Of course, as with any static analysis tool, there will be instances
of false positives, as well as things it cannot detect.

I've now reached the stage where I feel the tool is useful,
and would really like people to test it out and give feedback.

Note: the tool has a requirement of php 7.0 (neither higher nor lower)
see https://www.mediawiki.org/wiki/Continuous_integration/Phan#Dependencies
for how to install php 7.0 if your system doesn't have it.

To test with your extension, simply do:

$ composer require --dev mediawiki/phan-taint-check-plugin

and then merge into the scripts directive of composer.json
  "scripts": {
      "seccheck": "seccheck-mwext",
      "seccheck-fast": "seccheck-fast-mwext"
  }
and simply run
composer seccheck

seccheck will take about 3 minutes and use lots of ram (~2 GB),
seccheck-fast won't test certain things involving hooks,
but will work in about 27 seconds and use much less ram.
This assumes that your extension is installed in the extensions/
subdirectory of MediaWiki.

In the future we may make this into a non-voting jenkins job.

If you are not making a MediaWiki extension, there is also
a "seccheck-generic" script you can use, which should work
with any PHP project. It is also possible to customize the script
for other projects that have custom escaping methods.
Generic mode is not well tested yet.

See the README for more information about the tool:
https://github.com/wikimedia/Phan-Taint-Check-Plugin/blob/master/README.md

Anyways, I hope this is useful, and am very eager to
hear feedback. I also hope that this will not only be useful
for Wikimedia, but also helpful to the third party extension
development community. Please test it and let me know what
you think.
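As an added illustration of the XSS case the announcement lists (example code written for this note, not taken from the post or from the plugin's own code; the special page class and the message key are hypothetical), here is the message-escaping mistake the plugin flags beside the forms that are safe to pass to addHTML():

```php
<?php
// Added example, not from the announcement or the plugin. The class name
// SpecialTaintDemo and the message key 'taintdemo-greeting' are hypothetical.

class SpecialTaintDemo extends SpecialPage {
	public function __construct() {
		parent::__construct( 'TaintDemo' );
	}

	public function execute( $subPage ) {
		$this->setHeaders();
		$out = $this->getOutput();
		// User-controlled value: a taint source for the checker.
		$name = $this->getRequest()->getVal( 'name', '' );

		// Flagged by the plugin: ->text() returns the message with its
		// parameters substituted but without HTML escaping, and addHTML()
		// is an HTML sink, so the user-supplied $name reaches the page raw.
		$out->addHTML( wfMessage( 'taintdemo-greeting', $name )->text() );

		// Fixed: ->escaped() HTML-escapes the whole message text, so it is
		// safe to hand to addHTML().
		$out->addHTML( wfMessage( 'taintdemo-greeting', $name )->escaped() );

		// Also acceptable: ->parse() runs the message through the parser,
		// whose sanitizer strips unsafe HTML before the result is output.
		$out->addHTML( wfMessage( 'taintdemo-greeting', $name )->parse() );

		// For plain strings rather than messages, build markup with
		// Html::element(), which escapes $name, instead of concatenation.
		$out->addHTML( Html::element( 'p', [], $name ) );
	}
}
```

Running `composer seccheck` over an extension containing the first addHTML() call is what produces the XSS finding the post describes; the three following lines are the patterns it accepts.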