
Naleksuh as security reviewer
Closed, Declined (Public)

Description

Similar to T6312, where I posted the task for @SamanthaNguyen to become a security reviewer, I now do the same exact thing for @Naleksuh.

Naleksuh has advanced knowledge of the PHP scripting language, and would easily be able to spot security risks/deployment blockers. While I have not personally seen their knowledge/experience first-hand, from my own interaction with them and from what I've heard from others, they do seem to know what they are talking about, and do have, at least to some degree, knowledge of PHP, and will be able to perform this task. I have asked Naleksuh to comment on this task to confirm, as well as to begin a test review going off the basis of what @Southparkfan requested of me and SamanthaNguyen, to hopefully make this task go smoothly and speed up the approval process. Thank you!

Event Timeline

Universal_Omega created this task.

Are there any contributions to MediaWiki core or extensions that can serve as evidence they are familiar with the MediaWiki architecture?

While my work in core has been primarily propositions, I like to work on solutions to problems and I have contributed to a number of floating extensions, with my specialty being access levels. Universal Omega and I were also going to make an extension that fixes bypassing create protection, although this is postponed due to IRL issues.

I am told the review process centers around commenting on extensions currently in queue. Are there any other extensions pending addition that I may review?

@Universal_Omega I could be wrong, but when I saw that @Southparkfan assigned this Phabricator ticket to you, he might have been suggesting for you to pick an extension in the queue for @Naleksuh to review, perhaps, and that, though the final approval decision of @Naleksuh as a security reviewer would rest with @Southparkfan and the Site Reliability Engineering team (who, in practice, essentially defer to Southparkfan with regard to such matters), he values your input and would give it a great deal of weight in the approval decision. On the other hand, I may have read too much into him handing off this Phabricator ticket to you, and be completely wrong, which is totally fine.

As far as @Naleksuh's security reviewer application goes, though I realize I have no real input into this, I will just say that I encouraged Naleksuh to put his name forward as a security reviewer, acknowledging his PHP coding experience and, in part, because of the discussion the three of us had about him potentially developing an extension with @Universal_Omega. Together with @SamanthaNguyen and @Universal_Omega, I think it would be absolutely wonderful to have three new experienced security reviewers on the team, all in the span of 3-4 months.

@Dmehus I am pretty sure @Southparkfan just wanted me to answer the above question. But @Naleksuh already did.


"But @Naleksuh already did." Considering he used "they", I would assume you are supposed to answer, perhaps based on the history of #miraheze. It's also possible to try via reviewing extensions that are proposed for addition, which I could do. Are there any in mind?

@Naleksuh, I'd support. Seems good, bureaucrat on TestWiki, knowledge of coding, seems competent.

SCVSlalom lowered the priority of this task from Normal to Low. Nov 12 2020, 01:09

For now, moving to low.

Universal_Omega raised the priority of this task from Low to Normal. Nov 12 2020, 01:20


I suppose you can do a test review of an extension. But keep in mind I say this in no official capacity and @Southparkfan holds the overall decision. You can pick one from Extensions if you wish. But again, I do not say this under official capacity in any way.

Quoting Southparkfan from my own request,

Good to see interest in this job! I would recommend doing an actual security review of a pending extension, using the checklist from https://www.mediawiki.org/wiki/Security_checklist_for_developers. Note the good points (e.g. CSRF tokens used, code being compliant with MediaWiki's standards and thus making the review much easier) and bad points (e.g. a lot of htmlspecialchars usage within echo statements, instead of using the Html functions) of the extension's code, and the security risks you find (e.g. accessing external resources, thus introducing DoS possibilities; passing user input directly into shell commands). Especially for a somewhat larger extension, that gives me an idea about your review capabilities. If I think you are capable of doing security reviews for real, you may be granted permission to approve extensions without being in an SRE position or similar.

@Naleksuh any updates on this from your end?

In T6360#129984, @John wrote:

@Naleksuh any updates on this from your end?

Hey there. Per the last comment by Universal Omega, I was somewhat under the impression that I was waiting on a response from Southparkfan. If that is not the case, should I proceed as Universal Omega suggested?

Reassigning to Southparkfan, for how to proceed here since there are no more extensions to review.

@Universal_Omega Since we now have T6700 in the extension review queue, could this be an appropriate extension for @Naleksuh and @R4356th to post their security reviews in their respective requests? Whether we install the extension is another matter, but we don't really need to install an extension; we just need to have an extension for them to review.


No, because as of right now it's not in the queue, and it won't be until they reply about whether they really need it.

Universal_Omega claimed this task.

Unfortunately and regrettably, I must decline this now. After a conversation I had with @Southparkfan on IRC, we can't really approve this without evidence that shows your knowledge and abilities to perform in this capacity. If you do feel you can provide such evidence, do feel free to reopen and it'll be considered later. Thank you!

It is my understanding that the list of extensions is currently empty. If that is the case, what is the deal with other similar requests?


In this case it's the lack of evidence of your understanding. In other words, no existing extension examples of your own to go off of.

Naleksuh changed the task status from Open to Stalled. Jan 9 2021, 06:20

In that case I would likely put this on hold until more extensions are available.


It's not the lack of extensions to review. Reviewing an extension is not necessarily, solely, enough. You'll need to show your own PHP, etc. skills as well, at least from my understanding. Security reviewer is a serious job, so there must be serious consideration in the matter of approving or declining security reviewer requests.

Declining again per my above comments. This doesn't mean it can't be reopened, just that it is declined for now and doesn't necessarily warrant being a stalled task.