phan-taint-check-plugin

From MediaWiki.org
Jump to navigation Jump to search

phan-taint-check-plugin is a Phan plugin meant to use static analysis to find certain types of security vulnerabilities in MediaWiki extensions.

It is primarily intended for use with MediaWiki extensions, but also has a generic mode for general PHP projects. It can also be used with MediaWiki core.

This page is just a stub so far, for more information, see README.

Running on Wikimedia Jenkins[edit]

You can test any extension in Wikimedia version control by writing a comment check experimental on a gerrit patch.

Wikimedia jenkins decides what version of phan-taint-check-plugin to run by looking at the extra field of composer.json. This is so that the version can be specified, without requiring phan-taint-check-plugin and thus causing the extension to depend on phan-taint-check-plugin's dependency of php >= 7.0. For example (From InputBox)

	"extra": {
		"phan-taint-check-plugin": "2.0.1"
	}

Running locally with docker[edit]

The docker file used by Wikimedia Jenkins can also be used locally. See https://gerrit.wikimedia.org/r/plugins/gitiles/integration/config/+/master/dockerfiles/mediawiki-phan-seccheck for more info.

Checkout a copy of MediaWiki, with whichever extension/skins you want to scan checked out in the appropriate directory.

Run

docker run --rm \
    --env THING_SUBNAME=extensions/AbuseFilter \
    -v /dev/git/gerrit/mediawiki:/mediawiki \
    docker-registry.wikimedia.org/releng/mediawiki-phan-seccheck:latest \
    -m checkstyle

Running locally manually[edit]

  • Run (from the root directory of your project):

$ composer require --dev mediawiki/phan-taint-check-plugin

  • For mediawiki extension, add the following to composer.json:
"scripts": {
	"seccheck": "seccheck-mwext",
	"seccheck-fast": "seccheck-fast-mwext"
},
  • For a generic PHP project add:
"scripts": {
	"seccheck": "seccheck-generic"
},
  • For MediaWiki core add:
"scripts": {
	"seccheck": "seccheck-mw"
},

You can then run: $ composer seccheck


For more details see the plugin's README

Dependencies[edit]

The versions before 2.0.0 depend on PHP 7.0 (exactly - 7.1 doesn't work) and php-ast <=0.1.4 extension. From 2.0.0 on, it depends on PHP >= 7.0 and php-ast >= 1.0.0. For information on how to install these dependencies, see Continuous_integration/Phan#Dependencies.

External links[edit]