Page MenuHomeMiraheze

Request to be security reviewer
Closed, ResolvedPublic

Description

Is it possible to become a security reviewer for Miraheze? I did see the Miraheze vacancies page and it said it was, but am uncertain if that's still the same. Someone requested I do this, because the current ones are understandably busy (and I do want to help). I do know PHP fluently, and have knowledge of SQL, so was wondering if this is possible. If so, how do I proceed? If not I understand. Thanks!

Event Timeline

Universal_Omega triaged this task as Normal priority.Wed, Aug 19, 20:34
Universal_Omega created this task.
Universal_Omega renamed this task from Application for security reviewer to Security review.Wed, Aug 19, 20:38

Adding the current security reviewers for their thoughts and maybe you could invent a proficieny test.

@Universal_Omega: do you have examples of the work you've done before? GitHub? Sonarcloud? https://sourcerer.io/ ?

Good to see interest in this job! I would recommend doing an actual security review of a pending extension, using the checklist from https://www.mediawiki.org/wiki/Security_checklist_for_developers. Note the good (e.g. CSRF tokens used, code being compliant with MediaWiki's standards and thus making the review much easier) and bad points (e.g. a lot of htmlspecialchars usage within echo statements, instead of using the Html functions) of the extension's code, security risks you find (e.g. accessing external resources, thus introducing DoS possibilities, passing user input directly into shell commands). Especially for a somewhat larger extension, that gives me an idea about your review capabilities. If I think you are capable of doing security reviews for real, you may be grant permission to approve extensions without being in a SRE position or similar.

Universal_Omega updated the task description. (Show Details)

Good to see interest in this job! I would recommend doing an actual security review of a pending extension, using the checklist from https://www.mediawiki.org/wiki/Security_checklist_for_developers. Note the good (e.g. CSRF tokens used, code being compliant with MediaWiki's standards and thus making the review much easier) and bad points (e.g. a lot of htmlspecialchars usage within echo statements, instead of using the Html functions) of the extension's code, security risks you find (e.g. accessing external resources, thus introducing DoS possibilities, passing user input directly into shell commands). Especially for a somewhat larger extension, that gives me an idea about your review capabilities. If I think you are capable of doing security reviews for real, you may be grant permission to approve extensions without being in a SRE position or similar.

@Southparkfan Thank you for the opportunity. I have reviewed a skin, which was simple, with only 2 PHP files, used mustache engine, and few JS files. It used zero SQL injections, provides all elements MediaWiki needs to run, and follows the Security checklist. Now I will review an extension as well, hopefully finding one with issues, which I can use to verify my capabilities at this. The skin I reviewed was Medik (T5888).

For extension: (T6002) - DateDiff

The code itself looks fine, no security vulnerabilities, it does follow the security checklist, however, the while the extension page at MediaWiki.org does not tag it as unmaintained, the last update to the repository was 3 years ago (except library or translation updates). As being an unupdated extension, the extension also uses the old method of enabling the extension. There is no Extension.json. while this in itself is not a reason for rejecting it, it being unmaintained, in addition to this, does show the developers don't work on the project anymore, which does mean there could be security issues with the extension, and should not be approved. Unmaintained extensions are typically not approved, and even though this is not tagged as unmaintained, it is unmaintained and should not be approved.

In addition, in response to @RhinosF1: Yes, I do have a decently advanced MediaWiki skin posted on GitHub (and currently awaiting review on Miraheze (T6039) - Cosmos) While this may not be the best example of my capabilities with PHP, it does show I know the language. I do intend to update the skin to use mustache instead, but for now that in itself should not be a blocker. I do believe this shows I am capable with PHP, and does give an idea that I am capable of performing this task. https://github.com/Universal-Omega/MediaWiki-Cosmos-skin/tree/master

Reception123 renamed this task from Security review to Request to be security reviewer.Fri, Aug 21, 07:08

@Universal_Omega seems fine to me. Welcome. Do you have MFA enabled on your Phabricator? If so, we'll add you to acl*security_reviewers.

@Universal_Omega seems fine to me. Welcome. Do you have MFA enabled on your Phabricator? If so, we'll add you to acl*security_reviewers.

@Southparkfan, Thank you! I have MFA enabled on my Phabricator account.

Reception123 closed this task as Resolved.Tue, Aug 25, 04:59

Added to acl*security_reviewers per confirmation that they have MFA enabled.