Security/Guides/SQL Queries and 3rd Party Packages

SQL Queries
Connecting your application and database layers can pose security risks, notably SQL injection (SQLi). Below is an outline of the do's and don'ts of executing SQL queries in MediaWiki.

Never Correct
MediaWiki developers MUST NOT directly execute SQL queries through PHP's database extension functions (such as  or  ). While this is not so much for security reasons, it helps with maintainability. Using the MediaWiki database wrappers helps ensure your queries end up at the correct database (which may or may not be the same as where the wiki itself is stored), and handles things like table prefixes.

Directly building a SQL string and passing it to one of these functions makes the developer responsible for escaping the SQL parameters themselves. Otherwise, the application can be susceptible to SQL injection.

In this very simple example, no validation is done on the input, so passing something like  could result in more rows being dumped than expected, as the SQL becomes:

Even when you do use the MediaWiki wrappers, you should be careful about quoting values manually, and should use the appropriate functions such as  and  when necessary. The examples below would still be potentially vulnerable to SQLi. It is generally better to assume the input comes from an untrusted source and to let escaping happen as necessary. It is better to quote a value that does not need it than to skip quoting because it is not currently needed, only for someone to reuse your code later with untrusted input, opening up an SQLi vector.

Most queries have dedicated wrappers that you should use. For  queries, don't use , use .

This is still wrong though!
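The following is an added example, not code from this page or from MediaWiki itself, that puts the patterns described above side by side in PHP. It assumes a MediaWiki context where $dbr is a replica IDatabase handle obtained through MediaWikiServices and $title is an untrusted request parameter; the function names are hypothetical and only exist to separate the four cases.

```php
<?php
// Added example (not from the MediaWiki page). Assumes a MediaWiki
// environment: $dbr is a replica IDatabase handle, NS_MAIN is defined,
// and $title is untrusted input read from the request.
use MediaWiki\MediaWikiServices;
use Wikimedia\Rdbms\IDatabase;

$dbr = MediaWikiServices::getInstance()->getDBLoadBalancer()->getConnection( DB_REPLICA );
$title = RequestContext::getMain()->getRequest()->getText( 'title' );

// 1. Never correct: hand-built SQL passed to a raw query. Nothing escapes
//    $title, so a value containing a single quote breaks out of the string
//    literal and the remainder of the WHERE clause is controlled by the caller.
function neverCorrect( IDatabase $dbr, string $title ) {
	$sql = "SELECT page_id FROM page WHERE page_title = '" . $title . "'";
	return $dbr->query( $sql, __METHOD__ );
}

// 2. Still wrong: the select() wrapper is used, but the condition is a
//    hand-built string, so the wrapper has no chance to escape the value.
function stillWrong( IDatabase $dbr, string $title ) {
	return $dbr->select( 'page', [ 'page_id' ], "page_title = '" . $title . "'", __METHOD__ );
}

// 3. Correct: an array condition lets the wrapper quote the value itself
//    (strings become quoted literals, ints stay bare, arrays become IN lists).
function correct( IDatabase $dbr, string $title ) {
	return $dbr->select(
		'page',
		[ 'page_id' ],
		[ 'page_namespace' => NS_MAIN, 'page_title' => $title ],
		__METHOD__
	);
}

// 4. Rarely correct: a custom query() is acceptable only when every
//    interpolated value goes through addQuotes() and every table name
//    through tableName(), so prefixes and quoting are still handled.
function rarelyCorrect( IDatabase $dbr, string $title ) {
	$sql = 'SELECT page_id FROM ' . $dbr->tableName( 'page' ) .
		' WHERE page_title = ' . $dbr->addQuotes( $title );
	return $dbr->query( $sql, __METHOD__ );
}

foreach ( correct( $dbr, $title ) as $row ) {
	echo $row->page_id, "\n";
}
```

Cases 1 and 2 are the ones to look for in review: a quoted SQL fragment that contains a concatenated variable is the tell, regardless of whether it is passed to query() or to select().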

Usually Correct
Most of the time, developers SHOULD use existing wrapper functions like  or  to perform SQL queries. When passing parameters to these wrapper functions, it is important to know when you need to manually use  on raw user data.  correctly escapes the provided input (such as values in  statements) to help prevent SQL injection vectors.

For simple queries ( or ), the database wrappers will take care of escaping input for you, and manually calling  is unnecessary. You can pass an int, an array or a string in the same way, and the code will deal with it. For a single value,  will be used, and when passed an array,  will be used instead.

If you want to do other queries in statements such as  with operators like  or , you will need to do some manual escaping yourself, as done in the first example.
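The following is an added example, not code from this page or from MediaWiki itself, showing how the three value types are handled by an array condition and where manual escaping is still required for operators other than equality. It assumes a MediaWiki context with $dbr as a replica IDatabase handle; $title, $prefix and $minLen stand for untrusted request parameters and are assumptions of this example.

```php
<?php
// Added example (not from the MediaWiki page). Assumes a MediaWiki
// environment where $dbr is a replica IDatabase handle and $title,
// $prefix and $minLen are untrusted request values.
use Wikimedia\Rdbms\IDatabase;

function findPages( IDatabase $dbr, string $title, string $prefix, $minLen ) {
	// Array conditions: the wrapper escapes each value according to its type.
	$conds = [
		'page_namespace' => NS_MAIN,        // int    -> page_namespace = 0
		'page_title'     => $title,         // string -> page_title = 'quoted value'
		'page_id'        => [ 1, 2, 3 ],    // array  -> page_id IN (1,2,3)
	];

	// Operators other than = and IN cannot be expressed as key => value, so
	// they are appended as string fragments. Every value in such a fragment
	// must be escaped by hand; the wrapper cannot see inside the string.
	$conds[] = 'page_len > ' . $dbr->addQuotes( (int)$minLen );

	// buildLike() produces " LIKE '...'" with LIKE metacharacters in $prefix
	// escaped, so a user-supplied '%' or '_' matches literally.
	$conds[] = 'page_title' . $dbr->buildLike( $prefix, $dbr->anyString() );

	return $dbr->select(
		'page',
		[ 'page_id', 'page_title' ],
		$conds,
		__METHOD__,
		[ 'ORDER BY' => 'page_id', 'LIMIT' => 50 ]
	);
}
```

The rule of thumb the example illustrates: any condition you write as a string is your responsibility to escape; any condition you write as an array entry is the wrapper's.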

SelectQueryBuilder
As of MediaWiki 1.35, developers MAY use the SelectQueryBuilder class to create SQL  statements. This class allows method chaining, so SQL queries are easily readable and don't require specifically formatted input parameters (as  does). Parameters passed to SelectQueryBuilder wrapper functions such as  should still be escaped via  before being passed in.
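The following is an added example, not code from this page or from MediaWiki itself, that expresses a query with SelectQueryBuilder. It assumes MediaWiki 1.35 or later, a replica IDatabase handle in $dbr, and untrusted request values in $title and $minLen; the function name is hypothetical.

```php
<?php
// Added example (not from the MediaWiki page). Assumes MediaWiki >= 1.35
// with $dbr as a replica IDatabase handle; $title and $minLen are untrusted.
use Wikimedia\Rdbms\IDatabase;

function findPagesWithBuilder( IDatabase $dbr, string $title, $minLen ) {
	return $dbr->newSelectQueryBuilder()
		->select( [ 'page_id', 'page_title' ] )
		->from( 'page' )
		// Array conditions are escaped by the builder, exactly as with select().
		->where( [ 'page_namespace' => NS_MAIN, 'page_title' => $title ] )
		// A string fragment is passed through as-is, so the value inside it
		// must be escaped by hand with addQuotes() before it reaches the builder.
		->andWhere( 'page_len > ' . $dbr->addQuotes( (int)$minLen ) )
		->orderBy( 'page_id' )
		->limit( 50 )
		->caller( __METHOD__ )
		->fetchResultSet();
}
```

The chained form makes the escaping boundary easy to audit: every where() or andWhere() argument that is a bare string should contain only values that have already been passed through addQuotes() or buildLike().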

Rarely Correct
Rarely, developers MAY use  to execute a custom SQL query, one that does not fit within the parameters of the IDatabase wrapper functions or the . This is useful for queries that are explicitly DBMS-dependent and are unsupported by the query wrappers, such as .

3rd Party Packages
Installing 3rd party packages in MediaWiki and other WMF projects can be incredibly useful, but can also introduce security risks.

NPM
MediaWiki and other WMF projects SHOULD NOT directly install non-WMF NPM packages in production environments (WMF packages being anything in the NPM Wikimedia organization). Installing NPM dependencies for development environments, however (e.g. adding packages to your  vs ), is considered secure. When you install an NPM package you not only install the package itself, but the tens or hundreds of other dependencies it relies on. At the end of the day, you're introducing untrusted code onto production machines that could do anything from stealing SSH keys to accessing sensitive files on the hard drive. (See this article by Timo Tijhof for more details on specific risks.)

Since a majority of the security risks are introduced at install time, developers MAY install 3rd party NPM packages from another repository, such as GitHub. MediaWiki core, for example, does have a series of NPM packages loaded using ResourceLoader in the  directory. These packages are downloaded from other sources; the source of each package is specified in MediaWiki's  file.

One way to mitigate the security risks posed by NPM might be to perform security audits; however, doing a thorough audit can be cumbersome and requires much of the Security team's time and resources. One such case study in this topic was the usage of the build step...[?]

Composer
MediaWiki and other WMF projects do, however, have Composer packages installed in production environments...