
Request to be security reviewer
Closed, Resolved, Public

Description

Is it possible to become a security reviewer for Miraheze? I did see the Miraheze vacancies page and it said it was, but am uncertain if that's still the same. Someone requested I do this, because the current ones are understandably busy (and I do want to help). I do know PHP fluently, and have knowledge of SQL, so was wondering if this is possible. If so, how do I proceed? If not I understand. Thanks!

Event Timeline

Universal_Omega created this task.
Universal_Omega renamed this task from Application for security reviewer to Security review. Aug 19 2020, 20:38

Adding the current security reviewers for their thoughts and maybe you could invent a proficiency test.

@Universal_Omega: do you have examples of the work you've done before? GitHub? Sonarcloud? https://sourcerer.io/ ?

Good to see interest in this job! I would recommend doing an actual security review of a pending extension, using the checklist from https://www.mediawiki.org/wiki/Security_checklist_for_developers. Note the good (e.g. CSRF tokens used, code being compliant with MediaWiki's standards and thus making the review much easier) and bad points (e.g. a lot of htmlspecialchars usage within echo statements, instead of using the Html functions) of the extension's code, security risks you find (e.g. accessing external resources, thus introducing DoS possibilities, passing user input directly into shell commands). Especially for a somewhat larger extension, that gives me an idea about your review capabilities. If I think you are capable of doing security reviews for real, you may be granted permission to approve extensions without being in a SRE position or similar.
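The three checklist points named above (hand-built HTML with scattered htmlspecialchars, a missing CSRF token check, and user input passed into a shell command), each shown beside the MediaWiki-idiomatic replacement. This is an added illustration, not code from Miraheze or from any reviewed extension; the class, method names, `saveSettings` and the `identify` command are hypothetical, while `Html::element`, `User::matchEditToken`, `WebRequest` and `MediaWiki\Shell\Shell::command` are MediaWiki's own helpers.

```php
<?php
// Hypothetical class used only to contrast patterns a reviewer flags with
// the MediaWiki-idiomatic replacement. Not part of any real extension.
use MediaWiki\Shell\Shell;

class ReviewPatterns {
    // FLAG: HTML assembled by hand. The text is escaped, the attribute is not,
    // so a javascript: URL or a quote in $link changes the markup.
    public static function renderBad( string $title, string $link ): string {
        return '<a href="' . $link . '">' . htmlspecialchars( $title ) . '</a>';
    }

    // OK: Html::element() escapes attribute values and text content together.
    public static function renderGood( string $title, string $link ): string {
        return \Html::element( 'a', [ 'href' => $link ], $title );
    }

    // FLAG: a state-changing POST handler with no CSRF token check.
    public static function handlePostBad( \WebRequest $request, \User $user ): bool {
        if ( !$request->wasPosted() ) {
            return false;
        }
        self::saveSettings( $user, $request->getText( 'setting' ) );
        return true;
    }

    // OK: refuse the POST unless the submitted edit token matches the session.
    public static function handlePostGood( \WebRequest $request, \User $user ): bool {
        if ( !$request->wasPosted()
            || !$user->matchEditToken( $request->getVal( 'wpEditToken' ) )
        ) {
            return false;
        }
        self::saveSettings( $user, $request->getText( 'setting' ) );
        return true;
    }

    // FLAG: user input interpolated into a shell string; shell metacharacters
    // in $file become part of the command line.
    public static function identifyBad( string $file ): ?string {
        return shell_exec( "identify $file" );
    }

    // OK: Shell::command() passes each argument separately, with no shell parsing,
    // and applies MediaWiki's time and memory limits to the child process.
    public static function identifyGood( string $file ): string {
        return Shell::command( 'identify', $file )->execute()->getStdout();
    }

    private static function saveSettings( \User $user, string $value ): void {
        // Hypothetical persistence step; irrelevant to the patterns shown.
    }
}
```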


@Southparkfan Thank you for the opportunity. I have reviewed a skin, which was simple, with only 2 PHP files, used the mustache engine, and a few JS files. It used zero SQL injections, provides all elements MediaWiki needs to run, and follows the Security checklist. Now I will review an extension as well, hopefully finding one with issues, which I can use to verify my capabilities at this. The skin I reviewed was Medik (T5888).

For extension: (T6002) - DateDiff

The code itself looks fine, no security vulnerabilities, it does follow the security checklist; however, while the extension page at MediaWiki.org does not tag it as unmaintained, the last update to the repository was 3 years ago (except library or translation updates). As an unupdated extension, the extension also uses the old method of enabling the extension. There is no Extension.json. While this in itself is not a reason for rejecting it, it being unmaintained, in addition to this, does show the developers don't work on the project anymore, which does mean there could be security issues with the extension, and it should not be approved. Unmaintained extensions are typically not approved, and even though this is not tagged as unmaintained, it is unmaintained and should not be approved.

In addition, in response to @RhinosF1: Yes, I do have a decently advanced MediaWiki skin posted on GitHub (and currently awaiting review on Miraheze (T6039) - Cosmos). While this may not be the best example of my capabilities with PHP, it does show I know the language. I do intend to update the skin to use mustache instead, but for now that in itself should not be a blocker. I do believe this shows I am capable with PHP, and does give an idea that I am capable of performing this task. https://github.com/Universal-Omega/MediaWiki-Cosmos-skin/tree/master

Reception123 renamed this task from Security review to Request to be security reviewer. Aug 21 2020, 07:08

@Universal_Omega seems fine to me. Welcome. Do you have MFA enabled on your Phabricator? If so, we'll add you to acl*security_reviewers.


@Southparkfan, Thank you! I have MFA enabled on my Phabricator account.

Added to acl*security_reviewers per confirmation that they have MFA enabled.