Page MenuHomeMiraheze

SamanthaNguyen as security reviewer
Open, NormalPublic

Description

After a quick conversation with SamanthaNguyen (their mediawiki.org userpage) on Discord, they expressed the interest to becoming a security reviewer for Miraheze. While not really an active member of the Miraheze community, their mediawiki extensions and contributions should speak for themselves in their ability to preform this task. At the moment we have a huge backlog of requested extensions and do need more security reviewers. I will have them comment to this task to verify their own interest in it. Thank you!

Event Timeline

Universal_Omega created this task.

Hello everyone,

I used to work on the Brickimedia project and at ShoutWiki, together for probably about 5 years or so (SW for ~1.5 years).

I have written the StructuredNavigation extension, for which I was invited to talk by Mark Hershberger, with other people about it such as Cicalese (principal software engineer at Wikimedia Foundation), RheingoldRiver (staff member at Gamepedia and Esports wiki manager for Leaguepedia), and Richard Heigl (CEO of BlueSpice) (more information at https://mwstake.org/mwstake/wiki/Event:117). I am an active administrator on MediaWiki.org, and used to help be an administrator for Brickimedia and it's containing wikis.

I currently work on software development independently, and would like to help contribute to the MediaWiki community in any way that I can. I'm currently a university student, so I cannot say for sure how active I can be, but I would still like to be able to help review extensions. Thank you.

While we need security reviewers, ideally they should be active members of MH. However, SRE does have the final say

@Zppix I would like to note that this is not the first time that an external member joins us as a security reviewer, as Sam Wilson is also one.

As long as someone is a trusted developer and has experience with PHP, I do not personally see any issue with having them as a security reviewer to help us out with the large backlog. I do however consider security reviews to be @Southparkfan 's domain and he has the final say on who becomes security reviewer.

I dont think thats a fair comparison.

Hi @SamanthaNguyen, welcome! Good to see interest for this position.

There's no official process yet for appointing new security reviewers. I suggest you read T6064#118472 and perform a review of an extension currently in the queue. While I never hope to see OWASP top 10 vulnerabilities, I still see them from time to time during the review process. Please note both the good points and bad security points of an extension, even if you don't actually notice high risk actions. For example: while $dbr->query() with $dbr->addQuotes() is better than $dbr->query() without input validation, it's still not best practice since $dbr->query() is unsafe by default and requires manual action to avoid SQL injections[1]. Secure coding includes using safe methods by default, with raw input handling requiring you to explicitly use a function suited for that (e.g. Html::rawElement instead of Html::element, contrary to Html::element accepting raw input by default).

Since you are a MediaWiki developer, I assume you have already read https://www.mediawiki.org/wiki/Security_for_developers and https://www.mediawiki.org/wiki/Security_checklist_for_developers. You don't have to review a very complex extension (taking multiple hours). As long as you can demonstrate you are capable of performing security reviews - by explaining what defensive measures are in place and what could be improved security wise - I am happy to review this access request. It's fine if you're not very active, I know how busy university life can be. ;-)

[1] As long as all ->query() calls are 1) only made if there's no other PHP method available, for example, if you're not executing a SELECT/UPDATE/DELETE SQL command(?) and 2) have sufficient ->addQuotes() calls, the extension could pass a review.