CentralAuth phan issues...
Closed, Resolved (Public)

Description

https://gerrit.wikimedia.org/r/c/mediawiki/extensions/CentralAuth/+/812484/

https://integration.wikimedia.org/ci/job/mwext-php72-phan-docker/190901/console

02:59:19 includes/GlobalRename/GlobalRenameLogFormatter.php:21 SecurityCheck-DoubleEscaped Calling method \MediaWiki\Extension\CentralAuth\GlobalRename\GlobalRenameLogFormatter::getLocalWikiLink() in \MediaWiki\Extension\CentralAuth\GlobalRename\GlobalRenameLogFormatter::getMessageParameters that outputs using tainted argument #1 (`$params[3]`). (Caused by: includes/GlobalRename/GlobalRenameLogFormatter.php +55; ../../includes/Linker.php +1016; Builtin-\Html::rawElement; ../../includes/Linker.php +1055; Builtin-\Html::rawElement; ../../includes/Linker.php +1030; ../../includes/Linker.php +1016) (Caused by: includes/GlobalRename/GlobalRenameLogFormatter.php +18; ../../includes/logging/LogFormatter.php +564; ../../includes/logging/LogFormatter.php +546; ../../includes/logging/LogFormatter.php +670; ../../includes/logging/LogFormatter.php +629; ../../includes/language/Language.php +3494; Builtin-\Message::escaped)
02:59:19 includes/GlobalRename/GlobalRenameLogFormatter.php:21 SecurityCheck-DoubleEscaped Calling method \MediaWiki\Extension\CentralAuth\GlobalRename\GlobalRenameLogFormatter::getLocalWikiLink() in \MediaWiki\Extension\CentralAuth\GlobalRename\GlobalRenameLogFormatter::getMessageParameters that outputs using tainted argument #2 (`$params[5]`). (Caused by: includes/GlobalRename/GlobalRenameLogFormatter.php +55; ../../includes/Linker.php +1016; Builtin-\Html::rawElement; ../../includes/Linker.php +1055; Builtin-\Html::rawElement; ../../includes/Linker.php +1030; ../../includes/Linker.php +1016) (Caused by: includes/GlobalRename/GlobalRenameLogFormatter.php +18; ../../includes/logging/LogFormatter.php +564; ../../includes/logging/LogFormatter.php +546; ../../includes/logging/LogFormatter.php +670; ../../includes/logging/LogFormatter.php +629; ../../includes/language/Language.php +3494; Builtin-\Message::escaped)
02:59:19 includes/GlobalRename/GlobalRenameLogFormatter.php:23 SecurityCheck-DoubleEscaped Calling method \MediaWiki\Extension\CentralAuth\GlobalRename\GlobalRenameLogFormatter::getCentralAuthLink() in \MediaWiki\Extension\CentralAuth\GlobalRename\GlobalRenameLogFormatter::getMessageParameters that outputs using tainted argument #1 (`$params[3]`). (Caused by: includes/GlobalRename/GlobalRenameLogFormatter.php +41; Builtin-\MediaWiki\Linker\LinkRenderer::makeLink; Builtin-\MediaWiki\Linker\LinkRenderer::makeLink) (Caused by: includes/GlobalRename/GlobalRenameLogFormatter.php +18; ../../includes/logging/LogFormatter.php +564; ../../includes/logging/LogFormatter.php +546; ../../includes/logging/LogFormatter.php +670; ../../includes/logging/LogFormatter.php +629; ../../includes/language/Language.php +3494; Builtin-\Message::escaped)
02:59:19 includes/GlobalRename/GlobalRenameLogFormatter.php:25 SecurityCheck-DoubleEscaped Calling method \MediaWiki\Extension\CentralAuth\GlobalRename\GlobalRenameLogFormatter::getCentralAuthLink() in \MediaWiki\Extension\CentralAuth\GlobalRename\GlobalRenameLogFormatter::getMessageParameters that outputs using tainted argument #1 (`$params[4]`). (Caused by: includes/GlobalRename/GlobalRenameLogFormatter.php +41; Builtin-\MediaWiki\Linker\LinkRenderer::makeLink; Builtin-\MediaWiki\Linker\LinkRenderer::makeLink) (Caused by: includes/GlobalRename/GlobalRenameLogFormatter.php +18; ../../includes/logging/LogFormatter.php +564; ../../includes/logging/LogFormatter.php +546; ../../includes/logging/LogFormatter.php +670; ../../includes/logging/LogFormatter.php +629; ../../includes/language/Language.php +3494; Builtin-\Message::escaped)
02:59:19 includes/LogFormatter/GlobalUserMergeLogFormatter.php:25 SecurityCheck-DoubleEscaped Calling method \MediaWiki\Extension\CentralAuth\LogFormatter\GlobalUserMergeLogFormatter::getCentralAuthLink() in \MediaWiki\Extension\CentralAuth\LogFormatter\GlobalUserMergeLogFormatter::extractParameters that outputs using tainted argument #1 (`$params[4]`). (Caused by: includes/LogFormatter/GlobalUserMergeLogFormatter.php +37; Builtin-\MediaWiki\Linker\LinkRenderer::makeKnownLink; includes/LogFormatter/GlobalUserMergeLogFormatter.php +37) (Caused by: includes/LogFormatter/GlobalUserMergeLogFormatter.php +16; ../../includes/logging/LogFormatter.php +564; ../../includes/logging/LogFormatter.php +546; ../../includes/logging/LogFormatter.php +670; ../../includes/logging/LogFormatter.php +629; ../../includes/language/Language.php +3494; Builtin-\Message::escaped)
02:59:19 includes/LogFormatter/WikiSetLogFormatter.php:51 SecurityCheck-DoubleEscaped Calling method \MediaWiki\Extension\CentralAuth\LogFormatter\WikiSetLogFormatter::formatWikiSetLink() in \MediaWiki\Extension\CentralAuth\LogFormatter\WikiSetLogFormatter::extractParameters that outputs using tainted argument #1 (`$params[3]`). (Caused by: includes/LogFormatter/WikiSetLogFormatter.php +21; includes/LogFormatter/WikiSetLogFormatter.php +21; ../../includes/logging/LogFormatter.php +683; ../../includes/logging/LogFormatter.php +689; Builtin-\Html::element; Builtin-\MediaWiki\Linker\LinkRenderer::makeLink; ../../includes/logging/LogFormatter.php +700; ../../includes/logging/LogFormatter.php +697; Builtin-\MediaWiki\Linker\LinkRenderer::makeLink) (Caused by: includes/LogFormatter/WikiSetLogFormatter.php +41; ../../includes/logging/LogFormatter.php +564; ../../includes/logging/LogFormatter.php +546; ../../includes/logging/LogFormatter.php +670; ../../includes/logging/LogFormatter.php +629; ../../includes/language/Language.php +3494; Builtin-\Message::escaped)
02:59:19 includes/LogFormatter/WikiSetLogFormatter.php:58 SecurityCheck-DoubleEscaped Calling method \MediaWiki\Extension\CentralAuth\LogFormatter\WikiSetLogFormatter::formatWikiSetLink() in \MediaWiki\Extension\CentralAuth\LogFormatter\WikiSetLogFormatter::extractParameters that outputs using tainted argument #1 (`$params[3]`). (Caused by: includes/LogFormatter/WikiSetLogFormatter.php +21; includes/LogFormatter/WikiSetLogFormatter.php +21; ../../includes/logging/LogFormatter.php +683; ../../includes/logging/LogFormatter.php +689; Builtin-\Html::element; Builtin-\MediaWiki\Linker\LinkRenderer::makeLink; ../../includes/logging/LogFormatter.php +700; ../../includes/logging/LogFormatter.php +697; Builtin-\MediaWiki\Linker\LinkRenderer::makeLink) (Caused by: includes/LogFormatter/WikiSetLogFormatter.php +41; ../../includes/logging/LogFormatter.php +564; ../../includes/logging/LogFormatter.php +546; ../../includes/logging/LogFormatter.php +670; ../../includes/logging/LogFormatter.php +629; ../../includes/language/Language.php +3494; Builtin-\Message::escaped)
02:59:19 includes/LogFormatter/WikiSetLogFormatter.php:71 SecurityCheck-DoubleEscaped Calling method \MediaWiki\Extension\CentralAuth\LogFormatter\WikiSetLogFormatter::formatWikiSetLink() in \MediaWiki\Extension\CentralAuth\LogFormatter\WikiSetLogFormatter::extractParameters that outputs using tainted argument #1 (`$params[3]`). (Caused by: includes/LogFormatter/WikiSetLogFormatter.php +21; includes/LogFormatter/WikiSetLogFormatter.php +21; ../../includes/logging/LogFormatter.php +683; ../../includes/logging/LogFormatter.php +689; Builtin-\Html::element; Builtin-\MediaWiki\Linker\LinkRenderer::makeLink; ../../includes/logging/LogFormatter.php +700; ../../includes/logging/LogFormatter.php +697; Builtin-\MediaWiki\Linker\LinkRenderer::makeLink) (Caused by: includes/LogFormatter/WikiSetLogFormatter.php +41; ../../includes/logging/LogFormatter.php +564; ../../includes/logging/LogFormatter.php +546; ../../includes/logging/LogFormatter.php +670; ../../includes/logging/LogFormatter.php +629; ../../includes/language/Language.php +3494; Builtin-\Message::escaped)
02:59:19 includes/LogFormatter/WikiSetLogFormatter.php:79 SecurityCheck-DoubleEscaped Calling method \MediaWiki\Extension\CentralAuth\LogFormatter\WikiSetLogFormatter::formatWikiSetLink() in \MediaWiki\Extension\CentralAuth\LogFormatter\WikiSetLogFormatter::extractParameters that outputs using tainted argument #1 (`$params[3]`). (Caused by: includes/LogFormatter/WikiSetLogFormatter.php +21; includes/LogFormatter/WikiSetLogFormatter.php +21; ../../includes/logging/LogFormatter.php +683; ../../includes/logging/LogFormatter.php +689; Builtin-\Html::element; Builtin-\MediaWiki\Linker\LinkRenderer::makeLink; ../../includes/logging/LogFormatter.php +700; ../../includes/logging/LogFormatter.php +697; Builtin-\MediaWiki\Linker\LinkRenderer::makeLink) (Caused by: includes/LogFormatter/WikiSetLogFormatter.php +41; ../../includes/logging/LogFormatter.php +564; ../../includes/logging/LogFormatter.php +546; ../../includes/logging/LogFormatter.php +670; ../../includes/logging/LogFormatter.php +629; ../../includes/language/Language.php +3494; Builtin-\Message::escaped)
02:59:19 includes/LogFormatter/WikiSetLogFormatter.php:85 SecurityCheck-DoubleEscaped Calling method \MediaWiki\Extension\CentralAuth\LogFormatter\WikiSetLogFormatter::formatWikiSetLink() in \MediaWiki\Extension\CentralAuth\LogFormatter\WikiSetLogFormatter::extractParameters that outputs using tainted argument #1 (`$params[3]`). (Caused by: includes/LogFormatter/WikiSetLogFormatter.php +21; includes/LogFormatter/WikiSetLogFormatter.php +21; ../../includes/logging/LogFormatter.php +683; ../../includes/logging/LogFormatter.php +689; Builtin-\Html::element; Builtin-\MediaWiki\Linker\LinkRenderer::makeLink; ../../includes/logging/LogFormatter.php +700; ../../includes/logging/LogFormatter.php +697; Builtin-\MediaWiki\Linker\LinkRenderer::makeLink) (Caused by: includes/LogFormatter/WikiSetLogFormatter.php +41; ../../includes/logging/LogFormatter.php +564; ../../includes/logging/LogFormatter.php +546; ../../includes/logging/LogFormatter.php +670; ../../includes/logging/LogFormatter.php +629; ../../includes/language/Language.php +3494; Builtin-\Message::escaped)
02:59:19 includes/Special/SpecialGlobalGroupMembership.php:562 UnusedPluginSuppression Plugin BuiltinSuppressionPlugin suppresses issue SecurityCheck-XSS on this line but this suppression is unused or suppressed elsewhere

Event Timeline

With mw-phan 0.12.0 and taint-check 4.0.0, (some of) these issues are reported on master, see https://gerrit.wikimedia.org/r/c/mediawiki/extensions/CentralAuth/+/840425. The time has come to fix them, I guess...

Change 921591 had a related patch set uploaded (by Hoo man; author: Hoo man):

[mediawiki/extensions/CentralAuth@master] Address Phan errors

https://gerrit.wikimedia.org/r/921591

Ladsgroup assigned this task to hoo.

FTR, the new failures are a consequence of r902363. The issues originally reported here stem from an attempt to move classes around, which changes the order in which phan analyzes the code, and thus the issues it sees. The original errors may or may not have been resolved in the meantime; I haven't checked that.

Change 921591 merged by jenkins-bot:

[mediawiki/extensions/CentralAuth@master] Address Phan errors

https://gerrit.wikimedia.org/r/921591