[MediaWiki-commits] [Gerrit] mediawiki...SecurityCheckPlugin[master]: Make README prettier
Brian Wolff has submitted this change and it was merged. ( https://gerrit.wikimedia.org/r/395925 ) Change subject: Make README prettier .. Make README prettier Make the README a bit nicer introduction to the functionality provided by the plugin by converting to Markdown and adding some headings and formatting. Change-Id: I4b02a95c7b00b04c96915f6d94b3f715460f643c --- D README A README.md 2 files changed, 180 insertions(+), 144 deletions(-) Approvals: Brian Wolff: Verified; Looks good to me, approved diff --git a/README b/README deleted file mode 100644 index 6b6a965..000 --- a/README +++ /dev/null 
@@ -1,144 +0,0 @@ -This is a plugin to Phan to try and detect security issues -(such as XSS). It keeps track of any time a user can modify -a variable, and checks to see that such variables are -escaped before being output as html or used as an sql query, etc. - -It is primarily intended for scanning MediaWiki extensions, -however it supports a generic mode which should work with -any PHP project. - -This plugin should be considered beta quality. Generic mode isn't -well tested yet. - -Requirements: -* php >= 7.0 -* Phan 0.8.0 [This has not been tested on any other version of phan] -* Lots of memory. Scanning MediaWiki seems to take about 3 minutes -and use about 2 GB of memory. Running out of memory may be a real issue -if you try and scan something from within a VM that has limited -memory. - -== How to use == -=== via composer (recommended) === -[This doesn't actually work yet, as package not in packagist] - -* Run (from the root directory of your project) - -$ composer require --dev wikimedia/security-check-plugin - -* For mediawiki extension, add the following to composer.json - -"scripts": { - "seccheck": "seccheck-mwext" - "seccheck-fast": "seccheck-fast-mwext" -}, - -* For a generic php project add - -"scripts": { - "seccheck": "seccheck-generic" -}, - -* For mediawiki core add - -"scripts": { - "seccheck": "seccheck-mw" -}, - -You can then run: -$ composer seccheck - -to run the security check. Note that false positives are disabled by default. -For mediawiki extensions, this assumes the extension is installed in the normal -extension directory, and thus MediaWiki is in ../../. If this is not the case, -then you need to specify the MW_INSTALL_PATH environment variable. - -This plugin also provides variants seccheck-fast-mwext (Doesn't analyse mediawiki -core. May miss some stuff related to hooks) and seccheck-slow-mwext (Also analyzes vendor). seccheck-mwext will generally take about 3 minutes, where seccheck-fast-mwext -takes only about half a minute. 
- -Additionally, if you want to do a really quick check, you can run the seccheck-generic script from a mediawiki extension which will ignore all MediaWiki stuff, -making the check much faster (but misses many issues). - -If you want to do custom configuration (to say exclude some directories), follow the instructions below unser Manually. -=== Manually === - -For MediaWiki mode, add MediaWikiSecurityCheckPlugin.php to the -list of plugins in your phan config.php file. - -For generic mode, add GenericSecurityCheckPlugin.php to the list -of plugins in your phan config.php file. - -Then run phan as you normally would: -$ php7.0 /path/to/phan/phan -p - -== Using the plugin == - -The plugin will output various issue types depending on what it -detects. The issue types it outputs are: - -* SecurityCheckMulti - For when there are multiple types of security issues involved -* SecurityCheck-XSS -* SecurityCheck-SQLInjection -* SecurityCheck-ShellInjection -* SecurityCheck-PHPSerializeInjection - For when someone does unserialize( $_GET['d'] ); This issue type seems to have a high false positive rate currently. -* SecurityCheck-CUSTOM1 - To allow people to have custom taint types -* SecurityCheck-CUSTOM2 - ditto -* SecurityCheck-OTHER - At the moment, this corresponds to things that don't have an escaping function to make input safe. e.g. eval( $_GET['foo'] ); require $_GET['bar']; -* SecurityCheck-LikelyFalsePositive - A potential issue, but probably not. Mostly happens when the plugin gets confused. - -The severity field is usually marked as Issue::SEVERITY_NORMAL (5). False positives -get Issue::SEVERITY_LOW (0). Issues that may result in server compromise -(as opposed to just end user compromise) such as shell or sql injection are -marked as Issue::SEVERITY_CRITICAL (10). SerializationInjection would normally -be "critical" but its currently denoted as a severity of NORMAL because the check -seems to have a high false positive rate at the moment. 
- -You can use the -y command line option of phan to filter by severity. - -=== Limitations === -There's much more than listed here, but some notable limitations/bugs: - -* When an issue is output, the plugin tries to include details about what -line originally caused the issue. Usually it works, but sometimes it
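Review bot: the composer.json `"scripts"` snippet for MediaWiki extensions in the deleted README is missing a comma between `"seccheck": "seccheck-mwext"` and `"seccheck-fast": "seccheck-fast-mwext"`, so copied as written it is invalid JSON; since README.md is added by this change but its hunk is not shown here, please confirm the new file carries that fix and corrects "unser Manually" to "under". It would also be worth keeping the security-relevant caveats of the old text when reformatting: generic mode is not well tested, SecurityCheck-PHPSerializeInjection has a high false-positive rate and is therefore reported at SEVERITY_NORMAL rather than CRITICAL, and shell/SQL injection findings carry Issue::SEVERITY_CRITICAL (10), because anyone triaging the plugin's output with `-y` depends on that mapping.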
[MediaWiki-commits] [Gerrit] mediawiki...SecurityCheckPlugin[master]: Make README prettier
BryanDavis has uploaded a new change for review. ( https://gerrit.wikimedia.org/r/395925 ) Change subject: Make README prettier .. Make README prettier Make the README a bit nicer introduction to the functionality provided by the plugin by converting to Markdown and adding some headings and formatting. Change-Id: I4b02a95c7b00b04c96915f6d94b3f715460f643c --- D README A README.md 2 files changed, 180 insertions(+), 144 deletions(-) git pull ssh://gerrit.wikimedia.org:29418/mediawiki/tools/phan/SecurityCheckPlugin refs/changes/25/395925/1 diff --git a/README b/README deleted file mode 100644 index 6b6a965..000 --- a/README +++ /dev/null 