
Extension Request: External Data (for raymanspeedrun.miraheze.org)
Closed, Declined (Public)

Description

I would like to request the extension External Data for use in raymanspeedrun.miraheze.org

The reason I want this extension is because it would be nice to display leaderboard data from the speedrun.com API on the Wiki itself.

Event Timeline

Reception123 added a subscriber: labster.

@RibShark This extension will have to be reviewed before we can install it and enable it on your wiki.

@labster This extension is already being requested by 2 other wikis, so it should probably take priority.

ExternalData has something that feels like a security opening, but I need someone from operations to explain to me if that's the case.

This extension includes a parser function called {{#get_db_data}} which is not quite so dangerous as it sounds, because it requires you to know the domain, username, and password of the database. Which is cool and all, but a lot of places limit the IPs which can log in to the DB server. Are we one of those places? If so, this defeats one tier of our security, at least for select statements, because it runs on mw* servers.

I am disinclined to go further at this point, even though this is maybe paranoid.

OK, so the above note doesn't apply, because we'd have to specifically allow database domain names for {{#get_db_data}} to work. But looking at it a bit more today, I noticed a SQL injection in the code, primarily because of a comment which said something akin to "imma leave this sql injection here on purpose", to make it easier, and I'm not really that happy with it.

So before I go further, I want to ask @RibShark: If all you want to do is include content from another page, would Extension:Widgets do this for you? Because it's not like ExternalData is doing anything much special here. We're not using a caching layer, so ED would request the data on every page load anyway. I was thinking a Widget might do it, because you can just grab what you need from JS and insert it into the page. Unless you really need to have the data from your API request at page parse time?

Like there are parts of this extension that are fine, but other parts that make me very nervous, and I'm worried that those parts will get accidentally switched on.

Wiki is closed. If the wiki reopens, feel free to reopen this task.