
Naleksuh as security reviewer
Open, Normal, Public

Description

Similar to T6312, where I posted the task for @SamanthaNguyen to become a security reviewer, I am now doing the exact same thing for @Naleksuh.

Naleksuh has advanced knowledge of the PHP scripting language, and would easily be able to spot security risks/deployment blockers. While I have not personally seen their knowledge/experience first-hand, from my own interaction with them and from what I've heard from others, they do seem to know what they are talking about, and do have, at least to some degree, knowledge of PHP, and will be able to perform this task. I have asked Naleksuh to comment on this task to confirm, as well as to begin a test review going off the basis of what @Southparkfan requested of me and SamanthaNguyen, to hopefully make this task go smoothly and speed up the approval process. Thank you!

Event Timeline

Universal_Omega created this task.

Are there any contributions to MediaWiki core or extensions that can serve as evidence they are familiar with the MediaWiki architecture?

While my work in core has been primarily propositions, I like to work on solutions to problems and I have contributed to a number of floating extensions, with my specialty being access levels. Universal Omega and I were also going to make an extension that fixes bypassing create protection, although this is postponed due to IRL issues.

I am told the review process centers around commenting on extensions currently in queue. Are there any other extensions pending addition that I may review?

@Universal_Omega I could be wrong, but when I saw that @Southparkfan assigned this Phabricator ticket to you, he might have been suggesting for you to pick an extension in the queue for @Naleksuh to review, perhaps, and that, though the final approval decision of @Naleksuh as a security reviewer would rest with @Southparkfan and the Site Reliability Engineering team (who, in practice, essentially defer to Southparkfan with regard to such matters), he values your input and would give it a great deal of weight in the approval decision. On the other hand, I may have read too much into him handing off this Phabricator ticket to you, and be completely wrong, which is totally fine.

As far as @Naleksuh's security reviewer application goes, though I realize I have no real input into this, I will just say that I encouraged Naleksuh to put his name forward as a security reviewer, acknowledging his php coding experience and, in part, because of the discussion the three of us had about him potentially developing an extension with @Universal_Omega. Together with @SamanthaNguyen and @Universal_Omega, I think it would be absolutely wonderful to have three new experienced security reviewers on the team, all in the span of 3-4 months.

@Dmehus I am pretty sure @Southparkfan just wanted me to answer the above question. But @Naleksuh already did.

Are there any contributions to MediaWiki core or extensions that can serve as evidence they are familiar with the MediaWiki architecture?

"But @Naleksuh already did." Considering he used "they", I would assume you are supposed to answer, perhaps based on the history of #miraheze. It's also possible to try via reviewing extensions that are proposed for addition, which I could do. Are there any in mind?

@Naleksuh, I'd support. Seems good, bureaucrat on TestWiki, knowledge of coding, seems competent.

SCVSlalom lowered the priority of this task from Normal to Low. Thu, Nov 12, 01:09

For now, moving to low.

Universal_Omega raised the priority of this task from Low to Normal. Thu, Nov 12, 01:20

"But @Naleksuh already did." Considering he used "they", I would assume you are supposed to answer, perhaps based on the history of #miraheze. It's also possible to try via reviewing extensions that are proposed for addition, which I could do. Are there any in mind?

I suppose you can do a test review of an extension. But keep in mind I say this in no official capacity and @Southparkfan holds the overall decision. You can pick one from Extensions if you wish. But again, I do not say this under official capacity in any way.

Quoting Southparkfan from my own request,

Good to see interest in this job! I would recommend doing an actual security review of a pending extension, using the checklist from https://www.mediawiki.org/wiki/Security_checklist_for_developers. Note the good points (e.g. CSRF tokens used, code being compliant with MediaWiki's standards and thus making the review much easier) and bad points (e.g. a lot of htmlspecialchars usage within echo statements, instead of using the Html functions) of the extension's code, and the security risks you find (e.g. accessing external resources, thus introducing DoS possibilities, or passing user input directly into shell commands). Especially for a somewhat larger extension, that gives me an idea about your review capabilities. If I think you are capable of doing security reviews for real, you may be granted permission to approve extensions without being in a SRE position or similar.
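The four review points in that quote (hand-escaping in echo statements vs. the Html functions, CSRF token checks, shell commands built from user input, and unbounded external fetches) side by side, as an added PHP illustration. This is not code from this task, from Miraheze, or from any extension in the queue: the "ExampleWidget" special page, its field names and the URL are invented, and the MediaWiki APIs it uses (SpecialPage, Html, User::matchEditToken, MediaWiki\Shell\Shell, HttpRequestFactory) are assumed available in a recent MediaWiki release.

```php
<?php
// Added illustration, not code from this task, Miraheze, or any queued extension.
// "ExampleWidget", the special page, field names and URL are made up; the MediaWiki
// APIs are real and assumed available in a recent MediaWiki release.

use MediaWiki\MediaWikiServices;
use MediaWiki\Shell\Shell;

class SpecialExampleWidget extends SpecialPage {

	public function __construct() {
		parent::__construct( 'ExampleWidget' );
	}

	public function execute( $subPage ) {
		$this->setHeaders();
		$out = $this->getOutput();
		$request = $this->getRequest();
		$name = $request->getText( 'name' );

		// Bad point: hand escaping inside echo/concatenation. It bypasses OutputPage,
		// every call has to be audited on its own, and one forgotten htmlspecialchars()
		// is a reflected or stored XSS.
		//   echo '<p class="greeting">Hello ' . htmlspecialchars( $name ) . '</p>';

		// Good point: Html::element() escapes attribute values and text content itself,
		// and the markup goes through OutputPage like the rest of the page.
		$out->addHTML( Html::element( 'p', [ 'class' => 'greeting' ], "Hello $name" ) );

		// The form: Html::hidden() carries the CSRF edit token along with the POST.
		$out->addHTML( Html::openElement( 'form', [ 'method' => 'post' ] ) );
		$out->addHTML( Html::input( 'name', $name ) );
		$out->addHTML( Html::hidden( 'wpEditToken', $this->getUser()->getEditToken() ) );
		$out->addHTML( Html::submitButton( 'Save' ) );
		$out->addHTML( Html::closeElement( 'form' ) );

		if ( !$request->wasPosted() ) {
			return;
		}

		// Good point: the state-changing branch verifies the CSRF token before doing
		// anything. A reviewer looks for this check in front of every write path.
		if ( !$this->getUser()->matchEditToken( $request->getVal( 'wpEditToken' ) ) ) {
			$out->addHTML( Html::element( 'p', [ 'class' => 'error' ], 'Invalid edit token' ) );
			return;
		}

		$this->renderPreview( $out, $name );
	}

	private function renderPreview( OutputPage $out, string $name ) {
		// Security risk (deployment blocker): user input interpolated into a shell string.
		// Shell metacharacters in $name are interpreted by /bin/sh as the web server user.
		//   $result = shell_exec( "fortune | sed s/Alice/$name/" );

		// Fix: Shell::command() receives each argument separately and escapes it, so $name
		// is always a single argv element and is never parsed by a shell.
		$result = Shell::command( 'echo', $name )->execute();
		if ( $result->getExitCode() === 0 ) {
			$out->addHTML( Html::element( 'pre', [], $result->getStdout() ) );
		}

		// Security risk: fetching an external resource on every page view with no timeout
		// lets a slow remote host tie up PHP workers (a DoS on the wiki). Mitigation: an
		// explicit short timeout, and the reviewer asks whether the fetch is needed at all.
		$body = MediaWikiServices::getInstance()->getHttpRequestFactory()->get(
			'https://example.invalid/widget.json', // placeholder URL
			[ 'timeout' => 5, 'connectTimeout' => 2 ]
		);
		if ( $body !== null ) {
			$out->addHTML( Html::element( 'pre', [], $body ) );
		}
	}
}
```

When writing up a test review along the lines Southparkfan describes, each commented-out "bad" line above is the kind of finding to quote with its file and line, paired with the replacement pattern next to it; the escaping and token issues are the "bad points", while the shell and external-fetch issues are the "security risks" that block deployment until fixed.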