phan-taint-check-plugin is a Phan plugin meant to use static analysis to find certain types of security vulnerabilities in PHP code. It is internally also known as
It can be used on any PHP project, and it has a couple of features specific to MediaWiki code.
This page is just a stub so far; for more information, see the README.
Running on Wikimedia Jenkins
You can test any extension in Wikimedia version control by writing the comment "check experimental" on a Gerrit patch. The best way to add taint-check permanently is requiring mediawiki-phan-config >= 0.10.2 and ensuring that the phan CI job is installed for your repo. Note that phan-taint-check should then run as part of mwext-phpXY-phan-docker within CI without needing to specifically comment
Starting with mediawiki-phan-config 0.10.0, taint-check comes bundled with the default MediaWiki configuration. As such, you should follow the instructions for running phan.
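As an added illustration (not from this page or the project's own docs), the minimal .phan/config.php that a MediaWiki extension uses to pull in the bundled mediawiki-phan-config settings, which is what makes taint-check run with a plain phan invocation. It assumes the conventional layout where the file lives in .phan/ next to a vendor/ directory created by Composer, and that the extension's own source lives in includes/ (both are assumptions, not stated on this page).

```php
<?php
// .phan/config.php for an extension (assumed layout: this file sits in
// .phan/, Composer's vendor/ directory is a sibling of .phan/).
//
// Loading the shared configuration is what wires in the default MediaWiki
// settings; from mediawiki-phan-config 0.10.0 onwards that includes the
// taint-check plugin, so no separate plugin registration is needed here.
$cfg = require __DIR__ . '/../vendor/mediawiki/mediawiki-phan-config/src/config.php';

// Directories to analyse in addition to the shared defaults. "includes"
// is an assumed example path; replace it with the extension's real layout.
$cfg['directory_list'] = array_merge(
	$cfg['directory_list'],
	[
		'includes',
	]
);

// Directories that are parsed for type information but whose own issues
// are not reported (e.g. vendored code). Empty here; extend as needed.
$cfg['exclude_analysis_directory_list'] = array_merge(
	$cfg['exclude_analysis_directory_list'],
	[]
);

return $cfg;
```

With this file in place, running phan from the extension root (for example via the composer "phan" script that mediawiki-phan-config documents) reports taint-check findings alongside ordinary phan issues.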
The plugin has the same dependencies as mediawiki-phan-config. Namely:
- phan/phan (the version is pinned and constantly updated)
- PHP >= 7.2
- Optionally, php-ast (see its install instructions) will make it faster (it is worth the pain of compiling/installing the extension!)