Brian Wolff has submitted this change and it was merged. ( https://gerrit.wikimedia.org/r/395765 )
Change subject: Support installing via composer. ...................................................................... Support installing via composer. Add scripts for easy running of test. Change-Id: I315a0019f07130e0a09f14a856d1a7d5afb4d116 --- M README M composer.json A scripts/generic-config.php A scripts/mw-config.php A scripts/mwext-config.php A scripts/mwext-fast-config.php A scripts/mwext-slow-config.php A scripts/seccheck-fast-mwext A scripts/seccheck-generic A scripts/seccheck-mw A scripts/seccheck-mwext A scripts/seccheck-slow-mwext M src/TaintednessBaseVisitor.php A tests/integration/unserialize/expectedResults.txt A tests/integration/unserialize/test.php 15 files changed, 953 insertions(+), 5 deletions(-)
diff --git a/README b/README
index 7b7ca3a..6b6a965 100644
--- a/README
+++ b/README
@@ -20,9 +20,47 @@
 == How to use ==
 === via composer (recommended) ===
-[This doesn't actually work yet, once this plugin is in packagist]
+[This doesn't actually work yet, as package not in packagist]
-[TODO: fill this out]
+* Run (from the root directory of your project)
+
+$ composer require --dev wikimedia/security-check-plugin
+
+* For mediawiki extension, add the following to composer.json
+
+"scripts": {
+ "seccheck": "seccheck-mwext"
+ "seccheck-fast": "seccheck-fast-mwext"
+},
+
+* For a generic php project add
+
+"scripts": {
+ "seccheck": "seccheck-generic"
+},
+
+* For mediawiki core add
+
+"scripts": {
+ "seccheck": "seccheck-mw"
+},
+
+You can then run:
+$ composer seccheck
+
+to run the security check. Note that false positives are disabled by default.
+For mediawiki extensions, this assumes the extension is installed in the normal
+extension directory, and thus MediaWiki is in ../../. If this is not the case,
+then you need to specify the MW_INSTALL_PATH environment variable.
+
+This plugin also provides variants seccheck-fast-mwext (Doesn't analyse mediawiki
+core. May miss some stuff related to hooks) and seccheck-slow-mwext (Also analyzes vendor). seccheck-mwext will generally take about 3 minutes, where seccheck-fast-mwext
+takes only about half a minute.
+
+Additionally, if you want to do a really quick check, you can run the seccheck-generic script from a mediawiki extension which will ignore all MediaWiki stuff,
+making the check much faster (but misses many issues).
+
+If you want to do custom configuration (to say exclude some directories), follow the instructions below unser Manually.
 === Manually ===
 For MediaWiki mode, add MediaWikiSecurityCheckPlugin.php to the
@@ -53,7 +91,7 @@
 get Issue::SEVERITY_LOW (0). Issues that may result in server compromise (as opposed to just end user compromise) such as shell or sql injection are marked as Issue::SEVERITY_CRITICAL (10). SerializationInjection would normally
-be "critical" but its currently denoted as a severity of 4 because the check
+be "critical" but its currently denoted as a severity of NORMAL because the check
 seems to have a high false positive rate at the moment. You can use the -y command line option of phan to filter by severity.
diff --git a/composer.json b/composer.json
index 9431ad0..4e64eb7 100644
--- a/composer.json
+++ b/composer.json
@@ -1,9 +1,12 @@
 {
 "name": "wikimedia/security-check-plugin",
 "description": "A Phan plugin to do security checking",
+ "keywords": [ "php", "static", "analyzer", "phan", "security" ],
 "type": "library",
 "require": {
- "etsy/phan": "0.8.0"
+ "etsy/phan": "0.8.0",
+ "php": "~7.0.0",
+ "ext-ast": "*"
 },
 "require-dev": {
 "mediawiki/mediawiki-codesniffer": "14.1.0",
@@ -20,6 +23,16 @@
 "phan-for-plugin": "./tests/run-phan-on-plugin.sh",
 "fix": "phpcbf"
 },
+ "bin": [
+ "scripts/seccheck-mwext",
+ "scripts/seccheck-slow-mwext",
+ "scripts/seccheck-fast-mwext",
+ "scripts/seccheck-mw",
+ "scripts/seccheck-generic"
+ ],
+ "support": {
+ "issues": "https://phabricator.wikimedia.org"
+ },
 "license": "GPLv2",
 "authors": [
 {
diff --git a/scripts/generic-config.php b/scripts/generic-config.php
new file mode 100644
index 0000000..91b14ec
--- /dev/null
+++ b/scripts/generic-config.php
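Review bot: `"php": "~7.0.0"` in the first composer.json hunk resolves to `>=7.0.0 <7.1.0`, so the `composer require --dev wikimedia/security-check-plugin` step the README describes will fail dependency resolution in any project running PHP 7.1 or newer; if 7.0 is only meant as a minimum, `"php": ">=7.0"` (or `^7.0`) expresses that. The wrapper scripts added in this change probe for `php7.0` but fall back to plain `php`, which suggests the constraint is tighter than intended. The `bin` entries in the second hunk are consistent with the files added, but note that each listed script hardcodes its config path under `vendor/wikimedia/security-check-plugin/`, so they only work when the package is installed as a dependency, not from a checkout.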
@@ -0,0 +1,125 @@
+<?php
+
+// If xdebug is enabled, we need to increase the nesting level for phan
+ini_set( 'xdebug.max_nesting_level', 1000 );
+
+return [
+ /**
+ * A list of individual files to include in analysis
+ * with a path relative to the root directory of the
+ * project. directory_list won't find .inc files so
+ * we augment it here.
+ */
+ 'file_list' => [],
+ 'directory_list' => [
+ '.'
+ ],
+
+ /**
+ * A file list that defines files that will be excluded
+ * from parsing and analysis and will not be read at all.
+ *
+ * This is useful for excluding hopelessly unanalyzable
+ * files that can't be removed for whatever reason.
+ */
+ 'exclude_file_list' => [],
+
+ /**
+ * A list of directories holding code that we want
+ * to parse, but not analyze. Also works for individual
+ * files.
+ */
+ "exclude_analysis_directory_list" => [
+ 'vendor'
+ ],
+
+ /**
+ * Backwards Compatibility Checking. This is slow
+ * and expensive, but you should consider running
+ * it before upgrading your version of PHP to a
+ * new version that has backward compatibility
+ * breaks.
+ */
+ 'backward_compatibility_checks' => false,
+
+ /**
+ * A set of fully qualified class-names for which
+ * a call to parent::__construct() is required
+ */
+ 'parent_constructor_required' => [
+ ],
+
+ 'quick_mode' => false,
+
+ 'should_visit_all_nodes' => true,
+
+ 'analyze_signature_compatibility' => false,
+
+ /**
+ * Do not emit false positives
+ */
+ "minimum_severity" => 1,
+ 'allow_missing_properties' => false,
+ 'null_casts_as_any_type' => true,
+ 'scalar_implicit_cast' => true,
+ 'ignore_undeclared_variables_in_global_scope' => true,
+ 'dead_code_detection' => false,
+ 'dead_code_detection_prefer_false_negative' => true,
+ 'read_type_annotations' => true,
+ 'disable_suppression' => false,
+ 'dump_ast' => false,
+ 'dump_signatures_file' => null,
+ 'expand_file_list' => false,
+ // Include a progress bar in the output
+ 'progress_bar' => true,
+ 'progress_bar_sample_rate' => 0.005,
+
+ /**
+ * The number of processes to fork off during the analysis
+ * phase.
+ */
+ 'processes' => 1,
+
+ /** We use the whitelist instead */
+ 'suppress_issue_types' => [],
+
+ /**
+ * If empty, no filter against issues types will be applied.
+ * If this white-list is non-empty, only issues within the list
+ * will be emitted by Phan.
+ */
+ 'whitelist_issue_types' => [
+ 'SecurityCheckMulti',
+ 'SecurityCheck-XSS',
+ 'SecurityCheck-SQLInjection',
+ 'SecurityCheck-ShellInjection',
+ 'SecurityCheck-CUSTOM1',
+ 'SecurityCheck-CUSTOM2',
+ 'SecurityCheck-OTHER',
+ // Rely on severity setting to blacklist false positive.
+ 'SecurityCheck-LikelyFalsePositive',
+ ],
+
+ /**
+ * Override to hardcode existence and types of (non-builtin) globals in the global scope.
+ * Class names must be prefixed with '\\'.
+ * (E.g. ['_FOO' => '\\FooClass', 'page' => '\\PageClass', 'userId' => 'int'])
+ */
+ 'globals_type_map' => [
+ // 'IP' => 'string',
+ ],
+
+ // Emit issue messages with markdown formatting
+ 'markdown_issue_messages' => false,
+
+ /**
+ * Enable or disable support for generic templated
+ * class types.
+ */
+ 'generic_types_enabled' => true,
+
+ // A list of plugin files to execute
+ 'plugins' => [
+ __DIR__ . '/../GenericSecurityCheckPlugin.php',
+ ],
+];
diff --git a/scripts/mw-config.php b/scripts/mw-config.php
new file mode 100644
index 0000000..89f79d1
--- /dev/null
+++ b/scripts/mw-config.php
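Review bot: `whitelist_issue_types` is the only filter in effect here (`suppress_issue_types` is empty, and the comment says only listed types are emitted), and it does not contain `SecurityCheck-PHPSerializeInjection`, so a project run through this config never sees the tainted `unserialize()` finding that `tests/integration/unserialize/expectedResults.txt` in this same change expects; the identical list is copied into mw-config.php, mwext-config.php, mwext-fast-config.php and mwext-slow-config.php. If the omission is deliberate because of the false-positive rate the README mentions, say so next to the list, e.g. `// SecurityCheck-PHPSerializeInjection intentionally omitted: high false-positive rate, see README`; otherwise add `'SecurityCheck-PHPSerializeInjection',` alongside the other SecurityCheck-* entries. Keeping a single shared copy of this list would also stop the five config files from drifting apart.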
@@ -0,0 +1,162 @@
+<?php
+
+// If xdebug is enabled, we need to increase the nesting level for phan
+ini_set( 'xdebug.max_nesting_level', 1000 );
+
+/**
+ * This is based on MW's phan config.php.
+ */
+return [
+ /**
+ * A list of individual files to include in analysis
+ * with a path relative to the root directory of the
+ * project. directory_list won't find .inc files so
+ * we augment it here.
+ */
+ 'file_list' => array_merge(
+ function_exists( 'register_postsend_function' ) ? [] : [ 'tests/phan/stubs/hhvm.php' ],
+ function_exists( 'wikidiff2_do_diff' ) ? [] : [ 'tests/phan/stubs/wikidiff.php' ],
+ function_exists( 'tideways_enable' ) ? [] : [ 'tests/phan/stubs/tideways.php' ],
+ class_exists( PEAR::class ) ? [] : [ 'tests/phan/stubs/mail.php' ],
+ class_exists( Memcached::class ) ? [] : [ 'tests/phan/stubs/memcached.php' ],
+ [
+ 'maintenance/7zip.inc',
+ 'maintenance/backup.inc',
+ 'maintenance/backupPrefetch.inc',
+ 'maintenance/cleanupTable.inc',
+ 'maintenance/CodeCleanerGlobalsPass.inc',
+ 'maintenance/commandLine.inc',
+ 'maintenance/importImages.inc',
+ 'maintenance/sqlite.inc',
+ 'maintenance/userDupes.inc',
+ 'maintenance/userOptions.inc',
+ 'maintenance/language/checkLanguage.inc',
+ 'maintenance/language/languages.inc',
+ ]
+ ),
+
+ 'directory_list' => [
+ 'includes/',
+ 'languages/',
+ 'maintenance/',
+ 'mw-config/',
+ 'resources/',
+ 'skins/',
+ 'vendor/',
+ ],
+
+ /**
+ * A file list that defines files that will be excluded
+ * from parsing and analysis and will not be read at all.
+ *
+ * This is useful for excluding hopelessly unanalyzable
+ * files that can't be removed for whatever reason.
+ */
+ 'exclude_file_list' => [],
+
+ /**
+ * A list of directories holding code that we want
+ * to parse, but not analyze. Also works for individual
+ * files.
+ */
+ "exclude_analysis_directory_list" => [
+ 'vendor/',
+ 'tests/phan/stubs/',
+ // The referenced classes are not available in vendor, only when
+ // included from composer.
+ 'includes/composer/',
+ 'maintenance/language/',
+ 'includes/libs/jsminplus.php',
+ 'skins/',
+ ],
+
+ /**
+ * Backwards Compatibility Checking. This is slow
+ * and expensive, but you should consider running
+ * it before upgrading your version of PHP to a
+ * new version that has backward compatibility
+ * breaks.
+ */
+ 'backward_compatibility_checks' => false,
+
+ /**
+ * A set of fully qualified class-names for which
+ * a call to parent::__construct() is required
+ */
+ 'parent_constructor_required' => [
+ ],
+
+ 'quick_mode' => false,
+
+ 'should_visit_all_nodes' => true,
+
+ 'analyze_signature_compatibility' => false,
+
+ /**
+ * Do not emit false positives
+ */
+ "minimum_severity" => 1,
+ 'allow_missing_properties' => false,
+ 'null_casts_as_any_type' => true,
+ 'scalar_implicit_cast' => true,
+ 'ignore_undeclared_variables_in_global_scope' => true,
+ 'dead_code_detection' => false,
+ 'dead_code_detection_prefer_false_negative' => true,
+ 'read_type_annotations' => true,
+ 'disable_suppression' => false,
+ 'dump_ast' => false,
+ 'dump_signatures_file' => null,
+ 'expand_file_list' => false,
+ // Include a progress bar in the output
+ 'progress_bar' => true,
+ 'progress_bar_sample_rate' => 0.005,
+
+ /**
+ * The number of processes to fork off during the analysis
+ * phase.
+ */
+ 'processes' => 1,
+
+ /** We use the whitelist instead */
+ 'suppress_issue_types' => [],
+
+ /**
+ * If empty, no filter against issues types will be applied.
+ * If this white-list is non-empty, only issues within the list
+ * will be emitted by Phan.
+ */
+ 'whitelist_issue_types' => [
+ 'SecurityCheckMulti',
+ 'SecurityCheck-XSS',
+ 'SecurityCheck-SQLInjection',
+ 'SecurityCheck-ShellInjection',
+ 'SecurityCheck-CUSTOM1',
+ 'SecurityCheck-CUSTOM2',
+ 'SecurityCheck-OTHER',
+ // Rely on severity setting to blacklist false positive.
+ 'SecurityCheck-LikelyFalsePositive',
+ ],
+
+ /**
+ * Override to hardcode existence and types of (non-builtin) globals in the global scope.
+ * Class names must be prefixed with '\\'.
+ * (E.g. ['_FOO' => '\\FooClass', 'page' => '\\PageClass', 'userId' => 'int'])
+ */
+ 'globals_type_map' => [
+ // 'IP' => 'string',
+ ],
+
+ // Emit issue messages with markdown formatting
+ 'markdown_issue_messages' => false,
+
+ /**
+ * Enable or disable support for generic templated
+ * class types.
+ */
+ 'generic_types_enabled' => true,
+
+ // A list of plugin files to execute
+ 'plugins' => [
+ __DIR__ . '/../MediaWikiSecurityCheckPlugin.php',
+ ],
+];
diff --git a/scripts/mwext-config.php b/scripts/mwext-config.php
new file mode 100644
index 0000000..1df6fe0
--- /dev/null
+++ b/scripts/mwext-config.php
@@ -0,0 +1,169 @@
+<?php
+
+// If xdebug is enabled, we need to increase the nesting level for phan
+ini_set( 'xdebug.max_nesting_level', 1000 );
+
+$IP = getenv( 'MW_INSTALL_PATH' ) ?: '../../';
+
+/**
+ * This is based on MW's phan config.php.
+ */
+$MWExtConfig = [
+ /**
+ * A list of individual files to include in analysis
+ * with a path relative to the root directory of the
+ * project. directory_list won't find .inc files so
+ * we augment it here.
+ */
+ 'file_list' => array_merge(
+ function_exists( 'register_postsend_function' ) ? [] : [ $IP . 'tests/phan/stubs/hhvm.php' ],
+ function_exists( 'wikidiff2_do_diff' ) ? [] : [ $IP . 'tests/phan/stubs/wikidiff.php' ],
+ function_exists( 'tideways_enable' ) ? [] : [ $IP . 'tests/phan/stubs/tideways.php' ],
+ class_exists( PEAR::class ) ? [] : [ $IP . 'tests/phan/stubs/mail.php' ],
+ class_exists( Memcached::class ) ? [] : [ $IP . 'tests/phan/stubs/memcached.php' ],
+ [
+ $IP . 'maintenance/7zip.inc',
+ $IP . 'maintenance/backup.inc',
+ $IP . 'maintenance/backupPrefetch.inc',
+ $IP . 'maintenance/cleanupTable.inc',
+ $IP . 'maintenance/CodeCleanerGlobalsPass.inc',
+ $IP . 'maintenance/commandLine.inc',
+ $IP . 'maintenance/importImages.inc',
+ $IP . 'maintenance/sqlite.inc',
+ $IP . 'maintenance/userDupes.inc',
+ $IP . 'maintenance/userOptions.inc',
+ $IP . 'maintenance/language/checkLanguage.inc',
+ $IP . 'maintenance/language/languages.inc',
+ ]
+ ),
+
+ 'directory_list' => [
+ $IP . 'includes/',
+ $IP . 'languages/',
+ $IP . 'maintenance/',
+ $IP . 'mw-config/',
+ $IP . 'resources/',
+ $IP . 'skins/',
+ $IP . 'vendor/',
+ '.'
+ ],
+
+ /**
+ * A file list that defines files that will be excluded
+ * from parsing and analysis and will not be read at all.
+ *
+ * This is useful for excluding hopelessly unanalyzable
+ * files that can't be removed for whatever reason.
+ */
+ 'exclude_file_list' => [],
+
+ /**
+ * A list of directories holding code that we want
+ * to parse, but not analyze. Also works for individual
+ * files.
+ */
+ "exclude_analysis_directory_list" => [
+ $IP . 'vendor/',
+ $IP . 'tests/phan/stubs/',
+ // The referenced classes are not available in vendor, only when
+ // included from composer.
+ $IP . 'includes/composer/',
+ $IP . 'maintenance/language/',
+ $IP . 'includes/libs/jsminplus.php',
+ $IP . 'skins/',
+ 'vendor'
+ ],
+
+ /**
+ * Backwards Compatibility Checking. This is slow
+ * and expensive, but you should consider running
+ * it before upgrading your version of PHP to a
+ * new version that has backward compatibility
+ * breaks.
+ */
+ 'backward_compatibility_checks' => false,
+
+ /**
+ * A set of fully qualified class-names for which
+ * a call to parent::__construct() is required
+ */
+ 'parent_constructor_required' => [
+ ],
+
+ 'quick_mode' => false,
+
+ 'should_visit_all_nodes' => true,
+
+ 'analyze_signature_compatibility' => false,
+
+ /**
+ * Do not emit false positives
+ */
+ "minimum_severity" => 1,
+ 'allow_missing_properties' => false,
+ 'null_casts_as_any_type' => true,
+ 'scalar_implicit_cast' => true,
+ 'ignore_undeclared_variables_in_global_scope' => true,
+ 'dead_code_detection' => false,
+ 'dead_code_detection_prefer_false_negative' => true,
+ 'read_type_annotations' => true,
+ 'disable_suppression' => false,
+ 'dump_ast' => false,
+ 'dump_signatures_file' => null,
+ 'expand_file_list' => false,
+ // Include a progress bar in the output
+ 'progress_bar' => true,
+ 'progress_bar_sample_rate' => 0.005,
+
+ /**
+ * The number of processes to fork off during the analysis
+ * phase.
+ */
+ 'processes' => 1,
+
+ /** We use the whitelist instead */
+ 'suppress_issue_types' => [],
+
+ /**
+ * If empty, no filter against issues types will be applied.
+ * If this white-list is non-empty, only issues within the list
+ * will be emitted by Phan.
+ */
+ 'whitelist_issue_types' => [
+ 'SecurityCheckMulti',
+ 'SecurityCheck-XSS',
+ 'SecurityCheck-SQLInjection',
+ 'SecurityCheck-ShellInjection',
+ 'SecurityCheck-CUSTOM1',
+ 'SecurityCheck-CUSTOM2',
+ 'SecurityCheck-OTHER',
+ // Rely on severity setting to blacklist false positive.
+ 'SecurityCheck-LikelyFalsePositive',
+ ],
+
+ /**
+ * Override to hardcode existence and types of (non-builtin) globals in the global scope.
+ * Class names must be prefixed with '\\'.
+ * (E.g. ['_FOO' => '\\FooClass', 'page' => '\\PageClass', 'userId' => 'int'])
+ */
+ 'globals_type_map' => [
+ // 'IP' => 'string',
+ ],
+
+ // Emit issue messages with markdown formatting
+ 'markdown_issue_messages' => false,
+
+ /**
+ * Enable or disable support for generic templated
+ * class types.
+ */
+ 'generic_types_enabled' => true,
+
+ // A list of plugin files to execute
+ 'plugins' => [
+ __DIR__ . '/../MediaWikiSecurityCheckPlugin.php',
+ ],
+];
+
+unset( $IP );
+return $MWExtConfig;
diff --git a/scripts/mwext-fast-config.php b/scripts/mwext-fast-config.php
new file mode 100644
index 0000000..79590a4
--- /dev/null
+++ b/scripts/mwext-fast-config.php
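Review bot: `$IP = getenv( 'MW_INSTALL_PATH' ) ?: '../../';` only works when the environment value ends in a slash, because every use concatenates directly (`$IP . 'includes/'`, `$IP . 'tests/phan/stubs/hhvm.php'`); a value such as `/srv/mediawiki` (the usual form) yields `/srv/mediawikiincludes/` and phan is pointed at paths that do not exist, while the README only says to "specify the MW_INSTALL_PATH environment variable". Normalise once at the top: `$IP = rtrim( getenv( 'MW_INSTALL_PATH' ) ?: '../..', '/' ) . '/';`. The same line appears in mwext-fast-config.php and mwext-slow-config.php; in the fast config the bare `$IP` entry in `exclude_analysis_directory_list` presumably also relies on the trailing slash to match the `$IP . '...'` entries in `directory_list`.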
@@ -0,0 +1,164 @@
+<?php
+
+// If xdebug is enabled, we need to increase the nesting level for phan
+ini_set( 'xdebug.max_nesting_level', 1000 );
+
+$IP = getenv( 'MW_INSTALL_PATH' ) ?: '../../';
+
+/**
+ * Fast mode excludes MW from analysis. May miss some stuff with hooks.
+ *
+ * This is based on MW's phan config.php.
+ */
+$MWExtConfig = [
+ /**
+ * A list of individual files to include in analysis
+ * with a path relative to the root directory of the
+ * project. directory_list won't find .inc files so
+ * we augment it here.
+ */
+ 'file_list' => array_merge(
+ function_exists( 'register_postsend_function' ) ? [] : [ $IP . 'tests/phan/stubs/hhvm.php' ],
+ function_exists( 'wikidiff2_do_diff' ) ? [] : [ $IP . 'tests/phan/stubs/wikidiff.php' ],
+ function_exists( 'tideways_enable' ) ? [] : [ $IP . 'tests/phan/stubs/tideways.php' ],
+ class_exists( PEAR::class ) ? [] : [ $IP . 'tests/phan/stubs/mail.php' ],
+ class_exists( Memcached::class ) ? [] : [ $IP . 'tests/phan/stubs/memcached.php' ],
+ [
+ $IP . 'maintenance/7zip.inc',
+ $IP . 'maintenance/backup.inc',
+ $IP . 'maintenance/backupPrefetch.inc',
+ $IP . 'maintenance/cleanupTable.inc',
+ $IP . 'maintenance/CodeCleanerGlobalsPass.inc',
+ $IP . 'maintenance/commandLine.inc',
+ $IP . 'maintenance/importImages.inc',
+ $IP . 'maintenance/sqlite.inc',
+ $IP . 'maintenance/userDupes.inc',
+ $IP . 'maintenance/userOptions.inc',
+ $IP . 'maintenance/language/checkLanguage.inc',
+ $IP . 'maintenance/language/languages.inc',
+ ]
+ ),
+
+ 'directory_list' => [
+ $IP . 'includes/',
+ $IP . 'languages/',
+ $IP . 'maintenance/',
+ $IP . 'mw-config/',
+ $IP . 'resources/',
+ $IP . 'skins/',
+ $IP . 'vendor/',
+ '.'
+ ],
+
+ /**
+ * A file list that defines files that will be excluded
+ * from parsing and analysis and will not be read at all.
+ *
+ * This is useful for excluding hopelessly unanalyzable
+ * files that can't be removed for whatever reason.
+ */
+ 'exclude_file_list' => [],
+
+ /**
+ * A list of directories holding code that we want
+ * to parse, but not analyze. Also works for individual
+ * files.
+ */
+ "exclude_analysis_directory_list" => [
+ 'vendor/',
+ $IP,
+ ],
+
+ /**
+ * Backwards Compatibility Checking. This is slow
+ * and expensive, but you should consider running
+ * it before upgrading your version of PHP to a
+ * new version that has backward compatibility
+ * breaks.
+ */
+ 'backward_compatibility_checks' => false,
+
+ /**
+ * A set of fully qualified class-names for which
+ * a call to parent::__construct() is required
+ */
+ 'parent_constructor_required' => [
+ ],
+
+ 'quick_mode' => false,
+
+ 'should_visit_all_nodes' => true,
+
+ 'analyze_signature_compatibility' => false,
+
+ /**
+ * Do not emit false positives
+ */
+ "minimum_severity" => 1,
+ 'allow_missing_properties' => false,
+ 'null_casts_as_any_type' => true,
+ 'scalar_implicit_cast' => true,
+ 'ignore_undeclared_variables_in_global_scope' => true,
+ 'dead_code_detection' => false,
+ 'dead_code_detection_prefer_false_negative' => true,
+ 'read_type_annotations' => true,
+ 'disable_suppression' => false,
+ 'dump_ast' => false,
+ 'dump_signatures_file' => null,
+ 'expand_file_list' => false,
+ // Include a progress bar in the output
+ 'progress_bar' => true,
+ 'progress_bar_sample_rate' => 0.005,
+
+ /**
+ * The number of processes to fork off during the analysis
+ * phase.
+ */
+ 'processes' => 1,
+
+ /** We use the whitelist instead */
+ 'suppress_issue_types' => [],
+
+ /**
+ * If empty, no filter against issues types will be applied.
+ * If this white-list is non-empty, only issues within the list
+ * will be emitted by Phan.
+ */
+ 'whitelist_issue_types' => [
+ 'SecurityCheckMulti',
+ 'SecurityCheck-XSS',
+ 'SecurityCheck-SQLInjection',
+ 'SecurityCheck-ShellInjection',
+ 'SecurityCheck-CUSTOM1',
+ 'SecurityCheck-CUSTOM2',
+ 'SecurityCheck-OTHER',
+ // Rely on severity setting to blacklist false positive.
+ 'SecurityCheck-LikelyFalsePositive',
+ ],
+
+ /**
+ * Override to hardcode existence and types of (non-builtin) globals in the global scope.
+ * Class names must be prefixed with '\\'.
+ * (E.g. ['_FOO' => '\\FooClass', 'page' => '\\PageClass', 'userId' => 'int'])
+ */
+ 'globals_type_map' => [
+ // 'IP' => 'string',
+ ],
+
+ // Emit issue messages with markdown formatting
+ 'markdown_issue_messages' => false,
+
+ /**
+ * Enable or disable support for generic templated
+ * class types.
+ */
+ 'generic_types_enabled' => true,
+
+ // A list of plugin files to execute
+ 'plugins' => [
+ __DIR__ . '/../MediaWikiSecurityCheckPlugin.php',
+ ],
+];
+
+unset( $IP );
+return $MWExtConfig;
diff --git a/scripts/mwext-slow-config.php b/scripts/mwext-slow-config.php
new file mode 100644
index 0000000..af59410
--- /dev/null
+++ b/scripts/mwext-slow-config.php
@@ -0,0 +1,163 @@
+<?php
+
+// If xdebug is enabled, we need to increase the nesting level for phan
+ini_set( 'xdebug.max_nesting_level', 1000 );
+
+$IP = getenv( 'MW_INSTALL_PATH' ) ?: '../../';
+
+/**
+ * Slow config. Include vendor in the analysis.
+ *
+ * This is based on MW's phan config.php.
+ */
+$MWExtConfig = [
+ /**
+ * A list of individual files to include in analysis
+ * with a path relative to the root directory of the
+ * project. directory_list won't find .inc files so
+ * we augment it here.
+ */
+ 'file_list' => array_merge(
+ function_exists( 'register_postsend_function' ) ? [] : [ $IP . 'tests/phan/stubs/hhvm.php' ],
+ function_exists( 'wikidiff2_do_diff' ) ? [] : [ $IP . 'tests/phan/stubs/wikidiff.php' ],
+ function_exists( 'tideways_enable' ) ? [] : [ $IP . 'tests/phan/stubs/tideways.php' ],
+ class_exists( PEAR::class ) ? [] : [ $IP . 'tests/phan/stubs/mail.php' ],
+ class_exists( Memcached::class ) ? [] : [ $IP . 'tests/phan/stubs/memcached.php' ],
+ [
+ $IP . 'maintenance/7zip.inc',
+ $IP . 'maintenance/backup.inc',
+ $IP . 'maintenance/backupPrefetch.inc',
+ $IP . 'maintenance/cleanupTable.inc',
+ $IP . 'maintenance/CodeCleanerGlobalsPass.inc',
+ $IP . 'maintenance/commandLine.inc',
+ $IP . 'maintenance/importImages.inc',
+ $IP . 'maintenance/sqlite.inc',
+ $IP . 'maintenance/userDupes.inc',
+ $IP . 'maintenance/userOptions.inc',
+ $IP . 'maintenance/language/checkLanguage.inc',
+ $IP . 'maintenance/language/languages.inc',
+ ]
+ ),
+
+ 'directory_list' => [
+ $IP . 'includes/',
+ $IP . 'languages/',
+ $IP . 'maintenance/',
+ $IP . 'mw-config/',
+ $IP . 'resources/',
+ $IP . 'skins/',
+ $IP . 'vendor/',
+ '.'
+ ],
+
+ /**
+ * A file list that defines files that will be excluded
+ * from parsing and analysis and will not be read at all.
+ *
+ * This is useful for excluding hopelessly unanalyzable
+ * files that can't be removed for whatever reason.
+ */
+ 'exclude_file_list' => [],
+
+ /**
+ * A list of directories holding code that we want
+ * to parse, but not analyze. Also works for individual
+ * files.
+ */
+ "exclude_analysis_directory_list" => [
+ 'vendor/wikimedia/security-check-plugin'
+ ],
+
+ /**
+ * Backwards Compatibility Checking. This is slow
+ * and expensive, but you should consider running
+ * it before upgrading your version of PHP to a
+ * new version that has backward compatibility
+ * breaks.
+ */
+ 'backward_compatibility_checks' => false,
+
+ /**
+ * A set of fully qualified class-names for which
+ * a call to parent::__construct() is required
+ */
+ 'parent_constructor_required' => [
+ ],
+
+ 'quick_mode' => false,
+
+ 'should_visit_all_nodes' => true,
+
+ 'analyze_signature_compatibility' => false,
+
+ /**
+ * Do not emit false positives
+ */
+ "minimum_severity" => 1,
+ 'allow_missing_properties' => false,
+ 'null_casts_as_any_type' => true,
+ 'scalar_implicit_cast' => true,
+ 'ignore_undeclared_variables_in_global_scope' => true,
+ 'dead_code_detection' => false,
+ 'dead_code_detection_prefer_false_negative' => true,
+ 'read_type_annotations' => true,
+ 'disable_suppression' => false,
+ 'dump_ast' => false,
+ 'dump_signatures_file' => null,
+ 'expand_file_list' => false,
+ // Include a progress bar in the output
+ 'progress_bar' => true,
+ 'progress_bar_sample_rate' => 0.005,
+
+ /**
+ * The number of processes to fork off during the analysis
+ * phase.
+ */
+ 'processes' => 1,
+
+ /** We use the whitelist instead */
+ 'suppress_issue_types' => [],
+
+ /**
+ * If empty, no filter against issues types will be applied.
+ * If this white-list is non-empty, only issues within the list
+ * will be emitted by Phan.
+ */
+ 'whitelist_issue_types' => [
+ 'SecurityCheckMulti',
+ 'SecurityCheck-XSS',
+ 'SecurityCheck-SQLInjection',
+ 'SecurityCheck-ShellInjection',
+ 'SecurityCheck-CUSTOM1',
+ 'SecurityCheck-CUSTOM2',
+ 'SecurityCheck-OTHER',
+ // Rely on severity setting to blacklist false positive.
+ 'SecurityCheck-LikelyFalsePositive',
+ ],
+
+ /**
+ * Override to hardcode existence and types of (non-builtin) globals in the global scope.
+ * Class names must be prefixed with '\\'.
+ * (E.g. ['_FOO' => '\\FooClass', 'page' => '\\PageClass', 'userId' => 'int'])
+ */
+ 'globals_type_map' => [
+ // 'IP' => 'string',
+ ],
+
+ // Emit issue messages with markdown formatting
+ 'markdown_issue_messages' => false,
+
+ /**
+ * Enable or disable support for generic templated
+ * class types.
+ */
+ 'generic_types_enabled' => true,
+
+ // A list of plugin files to execute
+ 'plugins' => [
+ __DIR__ . '/../MediaWikiSecurityCheckPlugin.php',
+ ],
+];
+
+unset( $IP );
+return $MWExtConfig;
diff --git a/scripts/seccheck-fast-mwext b/scripts/seccheck-fast-mwext
new file mode 100755
index 0000000..7083cec
--- /dev/null
+++ b/scripts/seccheck-fast-mwext
@@ -0,0 +1,22 @@
+#!/bin/sh
+#
+# Run the security check test on the extension
+# in the current directory.
+#
+# This script is meant to be run via composer
+#
+# Assumes that either MediaWiki is installed in ../../
+# or the user has set MW_INSTALL_PATH environment variable.
+
+php=`which php7.0`
+if [ "$?" != 0 ]
+then
+ php=`which php`
+fi
+
+$php vendor/etsy/phan/phan \
+ -d . \
+ -k vendor/wikimedia/security-check-plugin/scripts/mwext-fast-config.php \
+ --output "php://stdout" "$@"
+
+exit $?
diff --git a/scripts/seccheck-generic b/scripts/seccheck-generic
new file mode 100755
index 0000000..9a73dbf
--- /dev/null
+++ b/scripts/seccheck-generic
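Review bot: The interpreter lookup `php=\`which php7.0\`` followed by `if [ "$?" != 0 ]` leaves `$php` empty when neither `php7.0` nor `php` is on PATH, and because `$php` is unquoted the following line then executes `vendor/etsy/phan/phan` directly (via its shebang, or with a confusing "not found") instead of failing clearly; the same block is duplicated in seccheck-generic, seccheck-mw, seccheck-mwext and seccheck-slow-mwext. A POSIX form that fails loudly is `php=$(command -v php7.0 || command -v php) || { echo 'seccheck: no php interpreter found' >&2; exit 1; }`. Preferring `php7.0` over `php` also means a newer default interpreter is ignored whenever an old 7.0 binary is still installed, which may or may not be intended and deserves a comment either way.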
@@ -0,0 +1,22 @@
+#!/bin/sh
+#
+# Run the security check test on the extension
+# in the current directory.
+#
+# This script is meant to be run via composer
+#
+# Assumes that either MediaWiki is installed in ../../
+# or the user has set MW_INSTALL_PATH environment variable.
+
+php=`which php7.0`
+if [ "$?" != 0 ]
+then
+ php=`which php`
+fi
+
+$php vendor/etsy/phan/phan \
+ -d . \
+ -k vendor/wikimedia/security-check-plugin/scripts/generic-config.php \
+ --output "php://stdout" "$@"
+
+exit $?
diff --git a/scripts/seccheck-mw b/scripts/seccheck-mw
new file mode 100755
index 0000000..ddc8c4f
--- /dev/null
+++ b/scripts/seccheck-mw
@@ -0,0 +1,22 @@
+#!/bin/sh
+#
+# Run the security check test on the extension
+# in the current directory.
+#
+# This script is meant to be run via composer
+#
+# Assumes that either MediaWiki is installed in ../../
+# or the user has set MW_INSTALL_PATH environment variable.
+
+php=`which php7.0`
+if [ "$?" != 0 ]
+then
+ php=`which php`
+fi
+
+$php vendor/etsy/phan/phan \
+ -d . \
+ -k vendor/wikimedia/security-check-plugin/scripts/mw-config.php \
+ --output "php://stdout" "$@"
+
+exit $?
diff --git a/scripts/seccheck-mwext b/scripts/seccheck-mwext
new file mode 100755
index 0000000..0aca7b4
--- /dev/null
+++ b/scripts/seccheck-mwext
@@ -0,0 +1,22 @@
+#!/bin/sh
+#
+# Run the security check test on the extension
+# in the current directory.
+#
+# This script is meant to be run via composer
+#
+# Assumes that either MediaWiki is installed in ../../
+# or the user has set MW_INSTALL_PATH environment variable.
+
+php=`which php7.0`
+if [ "$?" != 0 ]
+then
+ php=`which php`
+fi
+
+$php vendor/etsy/phan/phan \
+ -d . \
+ -k vendor/wikimedia/security-check-plugin/scripts/mwext-config.php \
+ --output "php://stdout" "$@" | grep '\(^\./\| \./\)'
+
+exit $?
diff --git a/scripts/seccheck-slow-mwext b/scripts/seccheck-slow-mwext
new file mode 100755
index 0000000..4714787
--- /dev/null
+++ b/scripts/seccheck-slow-mwext
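Review bot: The header comment of seccheck-generic says it checks "the extension in the current directory" and "Assumes that either MediaWiki is installed in ../../ or the user has set MW_INSTALL_PATH environment variable", but generic-config.php neither reads MW_INSTALL_PATH nor references MediaWiki at all; the text was copied from the mwext scripts. seccheck-mw carries the same copied header although the README introduces it as the script "For mediawiki core", where there is no extension and no `../../`. Replace each header with what the script actually does, e.g. for this one `# Run the security check on the PHP project in the current directory. No MediaWiki-specific analysis; MW_INSTALL_PATH is not used.`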
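Review bot: `exit $?` after the `| grep '\(^\./\| \./\)'` pipeline in seccheck-mwext returns grep's status rather than phan's, so the script exits 0 when issues inside the extension were found and 1 when the filtered output was empty — the inverse of what `composer seccheck` in CI needs, and inconsistent with the three un-filtered scripts, which pass phan's status through; seccheck-slow-mwext has the same pipeline. If the restriction to `./` paths is deliberate, make the status follow it explicitly by replacing the last two lines with `--output "php://stdout" "$@" | grep '\(^\./\| \./\)' && exit 1` and `exit 0`. That still lets a non-zero status from phan itself (crash, unreadable config) end as a clean exit, so if that matters capture phan's output in a variable, record `$?`, and run grep over the variable afterwards.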
@@ -0,0 +1,22 @@
+#!/bin/sh
+#
+# Run the security check test on the extension
+# in the current directory.
+#
+# This script is meant to be run via composer
+#
+# Assumes that either MediaWiki is installed in ../../
+# or the user has set MW_INSTALL_PATH environment variable.
+
+php=`which php7.0`
+if [ "$?" != 0 ]
+then
+ php=`which php`
+fi
+
+$php vendor/etsy/phan/phan \
+ -d . \
+ -k vendor/wikimedia/security-check-plugin/scripts/mwext-slow-config.php \
+ --output "php://stdout" "$@" | grep '\(^\./\| \./\)'
+
+exit $?
diff --git a/src/TaintednessBaseVisitor.php b/src/TaintednessBaseVisitor.php
index 340cad2..fa8df1d 100644
--- a/src/TaintednessBaseVisitor.php
+++ b/src/TaintednessBaseVisitor.php
@@ -1443,7 +1443,7 @@
 $issueType = 'SecurityCheck-PHPSerializeInjection';
 // For now this is low because it seems to have a lot
 // of false positives.
- $severity = 4;
+ // $severity = 4;
 } elseif ( $combinedTaint === SecurityCheckPlugin::CUSTOM1_TAINT ) {
diff --git a/tests/integration/unserialize/expectedResults.txt b/tests/integration/unserialize/expectedResults.txt
new file mode 100644
index 0000000..3e1c758
--- /dev/null
+++ b/tests/integration/unserialize/expectedResults.txt
@@ -0,0 +1 @@
+integration/unserialize/test.php:3 SecurityCheck-PHPSerializeInjection Calling method \unserialize() in [no method] that outputs using tainted argument $[arg #1].
diff --git a/tests/integration/unserialize/test.php b/tests/integration/unserialize/test.php
new file mode 100644
index 0000000..afddbdb
--- /dev/null
+++ b/tests/integration/unserialize/test.php
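Review bot: Commenting out `$severity = 4;` in the TaintednessBaseVisitor.php hunk leaves dead code behind and turns the comment above it ("For now this is low because it seems to have a lot of false positives") into a description of a value that is no longer assigned; whatever `$severity` now holds is set before this hunk, in the enclosing method whose start and end lie outside it, and the README hunk in this same change says it is NORMAL. Delete the commented-out line and state the actual intent, e.g. `// Deliberately left at the default severity (NORMAL) rather than CRITICAL: this check currently has a high false-positive rate, see README.` That keeps the code comment and the README in agreement instead of leaving a reader to reconstruct the default.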
@@ -0,0 +1,3 @@
+<?php
+
+unserialize( $_GET['foo'] );
-- To view, visit https://gerrit.wikimedia.org/r/395765 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: merged Gerrit-Change-Id: I315a0019f07130e0a09f14a856d1a7d5afb4d116 Gerrit-PatchSet: 1 Gerrit-Project: mediawiki/tools/phan/SecurityCheckPlugin Gerrit-Branch: master Gerrit-Owner: Brian Wolff <bawolff...@gmail.com> Gerrit-Reviewer: Brian Wolff <bawolff...@gmail.com> _______________________________________________ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits