User:SBassett (WMF)/Security Review Howto Extensions

The documentation below describes some of the typical steps followed by members of the Wikimedia Security Team when security-reviewing MediaWiki extensions. Note that this page does not necessarily list every step followed by every engineer, nor does it go into extensive detail for each step. The hope is that this page becomes a set of general guidelines and best practices for security-reviewing MediaWiki extensions.

Initial Items to Confirm

 * 1) Have the requesters of the security review followed the security review process? Specifically, have they filed a security review request in Phabricator? And is there an actual plan in place for the extension to be deployed to production (RFC, quarterly goal, SRE/Ops buy-in, beta testing, scheduled launch date, etc.)?
 * 2) Have the requesters provided an adequate explanation of what the extension does, and a working development environment with appropriate instructions (Vagrant role, Docker, installation instructions, etc.)?
 * 3) Have the requesters...