[MediaWiki-commits] [Gerrit] mediawiki...SecurityCheckPlugin[master]: Make README prettier

2017-12-07 Thread Brian Wolff (Code Review)
Brian Wolff has submitted this change and it was merged. ( https://gerrit.wikimedia.org/r/395925 )

Change subject: Make README prettier
..


Make README prettier

Make the README a bit nicer introduction to the functionality provided
by the plugin by converting to Markdown and adding some headings and
formatting.

Change-Id: I4b02a95c7b00b04c96915f6d94b3f715460f643c
---
D README
A README.md
2 files changed, 180 insertions(+), 144 deletions(-)

Approvals:
  Brian Wolff: Verified; Looks good to me, approved



diff --git a/README b/README
deleted file mode 100644
index 6b6a965..000
--- a/README
+++ /dev/null
@@ -1,144 +0,0 @@
-This is a plugin to Phan to try and detect security issues
-(such as XSS). It keeps track of any time a user can modify
-a variable, and checks to see that such variables are
-escaped before being output as html or used as an sql query, etc.
-
-It is primarily intended for scanning MediaWiki extensions,
-however it supports a generic mode which should work with
-any PHP project.
-
-This plugin should be considered beta quality. Generic mode isn't
-well tested yet.
-
-Requirements:
-* php >= 7.0
-* Phan 0.8.0 [This has not been tested on any other version of phan]
-* Lots of memory. Scanning MediaWiki seems to take about 3 minutes
-and use about 2 GB of memory. Running out of memory may be a real issue
-if you try and scan something from within a VM that has limited
-memory.
-
-== How to use ==
-=== via composer (recommended) ===
-[This doesn't actually work yet, as package not in packagist]
-
-* Run (from the root directory of your project)
-
-$ composer require --dev wikimedia/security-check-plugin
-
-* For mediawiki extension, add the following to composer.json
-
-"scripts": {
-   "seccheck": "seccheck-mwext"
-   "seccheck-fast": "seccheck-fast-mwext"
-},
-
-* For a generic php project add
-
-"scripts": {
-   "seccheck": "seccheck-generic"
-},
-
-* For mediawiki core add
-
-"scripts": {
-   "seccheck": "seccheck-mw"
-},
-
-You can then run:
-$ composer seccheck
-
-to run the security check. Note that false positives are disabled by default.
-For mediawiki extensions, this assumes the extension is installed in the normal
-extension directory, and thus MediaWiki is in ../../. If this is not the case,
-then you need to specify the MW_INSTALL_PATH environment variable.
-
-This plugin also provides variants seccheck-fast-mwext (Doesn't analyse 
mediawiki
-core. May miss some stuff related to hooks) and seccheck-slow-mwext (Also 
analyzes vendor). seccheck-mwext will generally take about 3 minutes, where 
seccheck-fast-mwext
-takes only about half a minute.
-
-Additionally, if you want to do a really quick check, you can run the 
seccheck-generic script from a mediawiki extension which will ignore all 
MediaWiki stuff,
-making the check much faster (but misses many issues).
-
-If you want to do custom configuration (to say exclude some directories), 
follow the instructions below unser Manually.
-=== Manually ===
-
-For MediaWiki mode, add MediaWikiSecurityCheckPlugin.php to the
-list of plugins in your phan config.php file.
-
-For generic mode, add GenericSecurityCheckPlugin.php to the list
-of plugins in your phan config.php file.
-
-Then run phan as you normally would:
-$ php7.0 /path/to/phan/phan -p
-
-== Using the plugin ==
-
-The plugin will output various issue types depending on what it
-detects. The issue types it outputs are:
-
-* SecurityCheckMulti - For when there are multiple types of security issues 
involved
-* SecurityCheck-XSS
-* SecurityCheck-SQLInjection
-* SecurityCheck-ShellInjection
-* SecurityCheck-PHPSerializeInjection - For when someone does unserialize( 
$_GET['d'] ); This issue type seems to have a high false positive rate 
currently.
-* SecurityCheck-CUSTOM1 - To allow people to have custom taint types
-* SecurityCheck-CUSTOM2 - ditto
-* SecurityCheck-OTHER - At the moment, this corresponds to things that don't 
have an escaping function to make input safe. e.g. eval( $_GET['foo'] ); 
require $_GET['bar'];
-* SecurityCheck-LikelyFalsePositive - A potential issue, but probably not. 
Mostly happens when the plugin gets confused.
-
-The severity field is usually marked as Issue::SEVERITY_NORMAL (5). False 
positives
-get Issue::SEVERITY_LOW (0). Issues that may result in server compromise
-(as opposed to just end user compromise) such as shell or sql injection are
-marked as Issue::SEVERITY_CRITICAL (10). SerializationInjection would normally
-be "critical" but its currently denoted as a severity of NORMAL because the 
check
-seems to have a high false positive rate at the moment.
-
-You can use the -y command line option of phan to filter by severity.
-
-=== Limitations ===
-There's much more than listed here, but some notable limitations/bugs:
-
-* When an issue is output, the plugin tries to include details about what
-line originally caused the issue. Usually it works, but sometimes it 
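Review bot: the composer.json example in the deleted README is not valid JSON: the two entries `"seccheck": "seccheck-mwext"` and `"seccheck-fast": "seccheck-fast-mwext"` have no comma between them, so anyone pasting the snippet as written gets a parse error from composer. Since the replacement README.md is not shown in this excerpt, please confirm the Markdown conversion adds the missing comma rather than carrying the snippet over verbatim. While touching that text it would also be worth fixing the typo "unser Manually" (should be "under Manually"), spelling out what "false positives are disabled by default" means (it reads as if the SecurityCheck-LikelyFalsePositive issue type is suppressed unless opted into, but that should be stated explicitly and with the option that turns it on), and re-checking the "[This doesn't actually work yet, as package not in packagist]" caveat on the "recommended" composer install path, which will either be stale or needs to stay visible so users are not sent down an install route that fails.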

[MediaWiki-commits] [Gerrit] mediawiki...SecurityCheckPlugin[master]: Make README prettier

2017-12-06 Thread BryanDavis (Code Review)
BryanDavis has uploaded a new change for review. ( https://gerrit.wikimedia.org/r/395925 )

Change subject: Make README prettier
..

Make README prettier

Make the README a bit nicer introduction to the functionality provided
by the plugin by converting to Markdown and adding some headings and
formatting.

Change-Id: I4b02a95c7b00b04c96915f6d94b3f715460f643c
---
D README
A README.md
2 files changed, 180 insertions(+), 144 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/mediawiki/tools/phan/SecurityCheckPlugin refs/changes/25/395925/1
