phan-taint-check-plugin
phan-taint-check-plugin is a Phan plugin meant to use static analysis to find certain types of security vulnerabilities in MediaWiki extensions.
It is primarily intended for use with MediaWiki extensions, but also has a generic mode for general PHP projects. It can also be used with MediaWiki core.
This page is just a stub so far, for more information, see README.
Running on Wikimedia Jenkins[edit]
You can test any extension in Wikimedia version control by writing a comment check experimental on a gerrit patch. The best way to add taint-check is requiring mediawiki-phan-config >= 0.10.0. If for any reason, you cannot require the whole phan config, you can add the extra key in composer.json, like this:
"extra": {
"phan-taint-check-plugin": "3.0.1"
}
Note that doing so is discouraged, and support will be dropped in the near future.
Running locally[edit]
If you already require mediawiki-phan-config >= 0.10.0, you should follow the instructions for running phan.
Otherwise, you can do the following (but again, this is discouraged):
- Run (from the root directory of your project):
$ composer require --dev mediawiki/phan-taint-check-plugin
- For mediawiki extension, add the following to
composer.json:
"scripts": {
"seccheck": "seccheck-mwext",
"seccheck-fast": "seccheck-fast-mwext"
},
- For a generic PHP project add:
"scripts": {
"seccheck": "seccheck-generic"
},
- For MediaWiki core add:
"scripts": {
"seccheck": "seccheck-mw"
},
You can then run: $ composer seccheck
For more details see the plugin's README
Dependencies[edit]
The plugin has the same dependencies as mediawiki-phan-config. Namely:
- phan/phan (the version is pinned and constantly updated)
- PHP >= 7.2
- Possibly, php-ast to increase performance a bit.
External links[edit]
- Browse source code (Gerrit)
- Other projects
