Page MenuHomeMiraheze

SamanthaNguyen as security reviewer
Closed, DeclinedPublic

Description

After a quick conversation with SamanthaNguyen (their mediawiki.org userpage) on Discord, they expressed the interest to becoming a security reviewer for Miraheze. While not really an active member of the Miraheze community, their mediawiki extensions and contributions should speak for themselves in their ability to preform this task. At the moment we have a huge backlog of requested extensions and do need more security reviewers. I will have them comment to this task to verify their own interest in it. Thank you!

Event Timeline

Unknown Object (User) triaged this task as Normal priority.Oct 14 2020, 21:59
Unknown Object (User) created this task.
Unknown Object (User) moved this task from Radar to Access on the Technology-Team board.Oct 14 2020, 22:00
Unknown Object (User) added a subscriber: SamanthaNguyen.

Hello everyone,

I used to work on the Brickimedia project and at ShoutWiki, together for probably about 5 years or so (SW for ~1.5 years).

I have written the StructuredNavigation extension, for which I was invited to talk by Mark Hershberger, with other people about it such as Cicalese (principal software engineer at Wikimedia Foundation), RheingoldRiver (staff member at Gamepedia and Esports wiki manager for Leaguepedia), and Richard Heigl (CEO of BlueSpice) (more information at https://mwstake.org/mwstake/wiki/Event:117). I am an active administrator on MediaWiki.org, and used to help be an administrator for Brickimedia and it's containing wikis.

I currently work on software development independently, and would like to help contribute to the MediaWiki community in any way that I can. I'm currently a university student, so I cannot say for sure how active I can be, but I would still like to be able to help review extensions. Thank you.

Unknown Object (User) added a subscriber: Southparkfan.Oct 18 2020, 13:43

While we need security reviewers, ideally they should be active members of MH. However, SRE does have the final say

@Zppix I would like to note that this is not the first time that an external member joins us as a security reviewer, as Sam Wilson is also one.

As long as someone is a trusted developer and has experience with PHP, I do not personally see any issue with having them as a security reviewer to help us out with the large backlog. I do however consider security reviews to be @Southparkfan 's domain and he has the final say on who becomes security reviewer.

I dont think thats a fair comparison.

Hi @SamanthaNguyen, welcome! Good to see interest for this position.

There's no official process yet for appointing new security reviewers. I suggest you read T6064#118472 and perform a review of an extension currently in the queue. While I never hope to see OWASP top 10 vulnerabilities, I still see them from time to time during the review process. Please note both the good points and bad security points of an extension, even if you don't actually notice high risk actions. For example: while $dbr->query() with $dbr->addQuotes() is better than $dbr->query() without input validation, it's still not best practice since $dbr->query() is unsafe by default and requires manual action to avoid SQL injections[1]. Secure coding includes using safe methods by default, with raw input handling requiring you to explicitly use a function suited for that (e.g. Html::rawElement instead of Html::element, contrary to Html::element accepting raw input by default).

Since you are a MediaWiki developer, I assume you have already read https://www.mediawiki.org/wiki/Security_for_developers and https://www.mediawiki.org/wiki/Security_checklist_for_developers. You don't have to review a very complex extension (taking multiple hours). As long as you can demonstrate you are capable of performing security reviews - by explaining what defensive measures are in place and what could be improved security wise - I am happy to review this access request. It's fine if you're not very active, I know how busy university life can be. ;-)

[1] As long as all ->query() calls are 1) only made if there's no other PHP method available, for example, if you're not executing a SELECT/UPDATE/DELETE SQL command(?) and 2) have sufficient ->addQuotes() calls, the extension could pass a review.

Unknown Object (User) changed the task status from Open to Stalled.Nov 10 2020, 05:11

SamanthaNguyen is currently unavailable until December, Stalling until they return to complete the task.

Unknown Object (User) lowered the priority of this task from Normal to Low.Nov 11 2020, 21:52

For now, changing to low

I'm all for it. Don't know much about them, but seem competent in role of cosmos dev, works with Omega closely. I'd support @SamanthaNguyen for Security Reviewer.

Unknown Object (User) removed a subscriber: BrandonWM.Nov 19 2020, 05:04
John subscribed.

No progress and no signs of activity either. Once @SamanthaNguyen returns back, they are more than welcome to re-open this task and follow the comments suggested by Southparkfan above.

Hi everyone, I'd like to apologize on my delayed response. Unfortunately I think I will have to take back my request for the time being, I don't think I'll be able to spend any time reviewing extensions, as life/college is getting really busy. I hope in the future that I will have some time, but right now doesn't seem like a good time. I wish everyone the best! Thank you.