
Application Security Reviews (Component)
Active · Public

Members (4)

Details

Description

Requests for security audits of large pieces of code (e.g. a review of an extension prior to deployment to the Wikimedia cluster).

Read: https://www.mediawiki.org/wiki/Security/SOP/Application_Security_Reviews

Scrum: https://www.mediawiki.org/wiki/Wikimedia_Security_Team/Security_Review_Scrum

Part of Security-Team. Workboard is tracked at secscrum.

Recent Activity

Tue, Dec 16

aranyap added a comment to T411146: Application Security Review Request: Wikipedia 25 microsite.

Hi @ATitkov and @Jdrewniak,

Tue, Dec 16, 5:47 PM · secscrum, Application Security Reviews, PES1.3.3 WP25 Easter Eggs

Mon, Dec 15

Dzahn added a comment to T411146: Application Security Review Request: Wikipedia 25 microsite.

I can answer 3. - Wikimedia production - Kubernetes cluster "wikikube" in the existing "miscweb" service. Where other micro sites live nowadays like https://15.wikipedia.org/ or https://research.wikimedia.org/ among others.

Mon, Dec 15, 6:51 PM · secscrum, Application Security Reviews, PES1.3.3 WP25 Easter Eggs
mmartorana closed T404751: Application Security Review Request : ReaderExperiments as Resolved.

Security Review Summary - T404751 - 2025-12-15
Last commit reviewed: d77fc0e

Mon, Dec 15, 6:05 PM · FY2025-26 WE3.1 Engaging New Audiences, Reader Growth Team, Reader-Experiments, secscrum, Security, Application Security Reviews
sbassett added a comment to T411146: Application Security Review Request: Wikipedia 25 microsite.

Hello @ATitkov and @Jdrewniak -

Mon, Dec 15, 5:20 PM · secscrum, Application Security Reviews, PES1.3.3 WP25 Easter Eggs
sbassett updated subscribers of T411146: Application Security Review Request: Wikipedia 25 microsite.
Mon, Dec 15, 5:10 PM · secscrum, Application Security Reviews, PES1.3.3 WP25 Easter Eggs
sbassett updated subscribers of T411146: Application Security Review Request: Wikipedia 25 microsite.
Mon, Dec 15, 5:09 PM · secscrum, Application Security Reviews, PES1.3.3 WP25 Easter Eggs

Wed, Dec 10

sbassett closed T404738: Application Security Review Request : PersonalDashboard extension as Resolved.
Wed, Dec 10, 8:50 PM · user-sbassett, OKR-Work, Moderator-Tools-Team, PersonalDashboard, secscrum, Security, Application Security Reviews
sbassett moved T404738: Application Security Review Request : PersonalDashboard extension from In Progress to Our Part Is Done on the secscrum board.
Wed, Dec 10, 8:49 PM · user-sbassett, OKR-Work, Moderator-Tools-Team, PersonalDashboard, secscrum, Security, Application Security Reviews
sbassett added a comment to T404738: Application Security Review Request : PersonalDashboard extension.

Security Review Summary - T404738 - 2025-12-05
Last commit reviewed: 4a614aa4c0

Wed, Dec 10, 8:44 PM · user-sbassett, OKR-Work, Moderator-Tools-Team, PersonalDashboard, secscrum, Security, Application Security Reviews

Mon, Dec 8

sbassett added a comment to T404738: Application Security Review Request : PersonalDashboard extension.

@sbassett just checking in; do you have what you need to review this week?

Mon, Dec 8, 4:10 PM · user-sbassett, OKR-Work, Moderator-Tools-Team, PersonalDashboard, secscrum, Security, Application Security Reviews
jsn.sherman added a comment to T404738: Application Security Review Request : PersonalDashboard extension.

@sbassett just checking in; do you have what you need to review this week?

Mon, Dec 8, 3:16 PM · user-sbassett, OKR-Work, Moderator-Tools-Team, PersonalDashboard, secscrum, Security, Application Security Reviews
Tbodt updated the task description for T411649: Application Security Review Request : MultiTitle.
Mon, Dec 8, 7:23 AM · MediaWiki-extensions-MultiTitle, secscrum, Security, Application Security Reviews

Fri, Dec 5

Dzahn added a subtask for T411146: Application Security Review Request: Wikipedia 25 microsite: T408592: Request: Wikipedia 25 microsite hosting.
Fri, Dec 5, 4:02 PM · secscrum, Application Security Reviews, PES1.3.3 WP25 Easter Eggs
Dzahn removed a parent task for T411146: Application Security Review Request: Wikipedia 25 microsite: T407210: Wikipedia 25 Micro-site - implementation.
Fri, Dec 5, 4:01 PM · secscrum, Application Security Reviews, PES1.3.3 WP25 Easter Eggs
Dzahn added a parent task for T411146: Application Security Review Request: Wikipedia 25 microsite: T407210: Wikipedia 25 Micro-site - implementation.
Fri, Dec 5, 3:37 PM · secscrum, Application Security Reviews, PES1.3.3 WP25 Easter Eggs

Thu, Dec 4

sbassett moved T411649: Application Security Review Request : MultiTitle from Incoming to Upcoming Quarter Planning Queue on the secscrum board.
Thu, Dec 4, 3:24 PM · MediaWiki-extensions-MultiTitle, secscrum, Security, Application Security Reviews

Wed, Dec 3

taavi added a project to T411649: Application Security Review Request : MultiTitle: MediaWiki-extensions-MultiTitle.
Wed, Dec 3, 4:57 PM · MediaWiki-extensions-MultiTitle, secscrum, Security, Application Security Reviews
Tbodt added a parent task for T411649: Application Security Review Request : MultiTitle: T404461: Enable Extension:MultiTitle on tok.wikipedia.org.
Wed, Dec 3, 4:57 PM · MediaWiki-extensions-MultiTitle, secscrum, Security, Application Security Reviews
Tbodt created T411649: Application Security Review Request : MultiTitle.
Wed, Dec 3, 4:56 PM · MediaWiki-extensions-MultiTitle, secscrum, Security, Application Security Reviews
sbassett added a comment to T399459: Application Security Review Request: webonyx/graphql-php.

Hi there, checking in on behalf of the Wikibase Reuse team - is the plan to still have the review done by end of this year?

Wed, Dec 3, 2:07 PM · Wikibase Reuse Team, secscrum, Security, Application Security Reviews
Ifrahkhanyaree_WMDE added a comment to T399459: Application Security Review Request: webonyx/graphql-php.

Hi there, checking in on behalf of the Wikibase Reuse team - is the plan to still have the review done by end of this year?

Wed, Dec 3, 11:31 AM · Wikibase Reuse Team, secscrum, Security, Application Security Reviews

Tue, Dec 2

Jdforrester-WMF closed T396486: Application Security Review Request: Wikifunctions rich text (HTML) output as Resolved.

Sorry, the trigger re-opened this automatically when moving the task. Have removed the trigger.

Tue, Dec 2, 4:06 PM · Abstract Wikipedia team (26Q2 (Oct–Dec)), OKR-Work, user-sbassett, WikiLambda, secscrum, Security, Application Security Reviews

Mon, Dec 1

sbassett moved T410091: Security review for Extension:WP25EasterEggs from Incoming to Upcoming Quarter Planning Queue on the secscrum board.
Mon, Dec 1, 4:37 PM · secscrum, Application Security Reviews, MediaWiki-extensions-WP25EasterEggs, PES1.3.3 WP25 Easter Eggs
sbassett moved T411146: Application Security Review Request: Wikipedia 25 microsite from Incoming to Upcoming Quarter Planning Queue on the secscrum board.
Mon, Dec 1, 4:37 PM · secscrum, Application Security Reviews, PES1.3.3 WP25 Easter Eggs
sbassett moved T411267: Application Security Review Request : language-data library from Incoming to Upcoming Quarter Planning Queue on the secscrum board.
Mon, Dec 1, 4:37 PM · secscrum, Security, Application Security Reviews

Fri, Nov 28

abi_ renamed T411267: Application Security Review Request : language-data library from Application Security Review Request : ... to Application Security Review Request : language-data library.
Fri, Nov 28, 2:01 PM · secscrum, Security, Application Security Reviews
abi_ created T411267: Application Security Review Request : language-data library.
Fri, Nov 28, 2:01 PM · secscrum, Security, Application Security Reviews

Wed, Nov 26

Jdrewniak created T411146: Application Security Review Request: Wikipedia 25 microsite.
Wed, Nov 26, 10:01 PM · secscrum, Application Security Reviews, PES1.3.3 WP25 Easter Eggs
Jdrewniak renamed T410091: Security review for Extension:WP25EasterEggs from [DRAFT]: Security review for Extension:WP25EasterEggs to Security review for Extension:WP25EasterEggs.
Wed, Nov 26, 9:14 PM · secscrum, Application Security Reviews, MediaWiki-extensions-WP25EasterEggs, PES1.3.3 WP25 Easter Eggs

Tue, Nov 25

jsn.sherman added a comment to T404738: Application Security Review Request : PersonalDashboard extension.

Hi @sbassett, just checking in: how are things looking?

Is the code within a fairly stable state at this point? i.e. there are unlikely to be further, volatile changes for at least a few weeks? If so, we should get https://gerrit.wikimedia.org/r/c/mediawiki/extensions/PersonalDashboard/+/1189934 rebased and free of conflicts and then I can complete the review.

Tue, Nov 25, 8:59 PM · user-sbassett, OKR-Work, Moderator-Tools-Team, PersonalDashboard, secscrum, Security, Application Security Reviews

Mon, Nov 24

sbassett added a comment to T404738: Application Security Review Request : PersonalDashboard extension.

Hi @sbassett, just checking in: how are things looking?

Mon, Nov 24, 6:44 PM · user-sbassett, OKR-Work, Moderator-Tools-Team, PersonalDashboard, secscrum, Security, Application Security Reviews
jsn.sherman added a comment to T404738: Application Security Review Request : PersonalDashboard extension.

Hi @sbassett, just checking in: how are things looking?

Mon, Nov 24, 4:22 PM · user-sbassett, OKR-Work, Moderator-Tools-Team, PersonalDashboard, secscrum, Security, Application Security Reviews

Thu, Nov 20

Jdforrester-WMF reopened T396486: Application Security Review Request: Wikifunctions rich text (HTML) output as "In Progress".
Thu, Nov 20, 5:26 PM · Abstract Wikipedia team (26Q2 (Oct–Dec)), OKR-Work, user-sbassett, WikiLambda, secscrum, Security, Application Security Reviews

Nov 5 2025

jsn.sherman updated subscribers of T404738: Application Security Review Request : PersonalDashboard extension.

Thanks, @jsn.sherman. Is there a more specific deployment date for this code? Not that this review would necessarily block such a milestone.

Nov 5 2025, 4:03 PM · user-sbassett, OKR-Work, Moderator-Tools-Team, PersonalDashboard, secscrum, Security, Application Security Reviews
sbassett added a comment to T404738: Application Security Review Request : PersonalDashboard extension.

Thanks, @jsn.sherman. Is there a more specific deployment date for this code? Not that this review would necessarily block such a milestone.

Nov 5 2025, 3:43 PM · user-sbassett, OKR-Work, Moderator-Tools-Team, PersonalDashboard, secscrum, Security, Application Security Reviews
Jakob_WMDE added a project to T399459: Application Security Review Request: webonyx/graphql-php: Wikibase Reuse Team.
Nov 5 2025, 10:30 AM · Wikibase Reuse Team, secscrum, Security, Application Security Reviews

Nov 3 2025

Samwalton9-WMF moved T404738: Application Security Review Request : PersonalDashboard extension from Backlog to MVP on the PersonalDashboard board.
Nov 3 2025, 10:50 AM · user-sbassett, OKR-Work, Moderator-Tools-Team, PersonalDashboard, secscrum, Security, Application Security Reviews

Oct 31 2025

jsn.sherman added a comment to T404738: Application Security Review Request : PersonalDashboard extension.

@sbassett @Catrope we now have at least one module merged in so you can see how this works. We do have another module about ready to go, but are running into a CI configuration issue on the new repo.
You can run it locally easily enough as long as you set up CommunityConfiguration as well. Patch for that module:
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/PersonalDashboard/+/1200167

Oct 31 2025, 8:00 PM · user-sbassett, OKR-Work, Moderator-Tools-Team, PersonalDashboard, secscrum, Security, Application Security Reviews

Oct 17 2025

sbassett moved T404738: Application Security Review Request : PersonalDashboard extension from Backlog to In Progress on the user-sbassett board.
Oct 17 2025, 3:22 PM · user-sbassett, OKR-Work, Moderator-Tools-Team, PersonalDashboard, secscrum, Security, Application Security Reviews
sbassett added a comment to T404738: Application Security Review Request : PersonalDashboard extension.

Just FYI, I plan to have a quick chat with @Catrope about this when he's back in the office next week.

Oct 17 2025, 3:22 PM · user-sbassett, OKR-Work, Moderator-Tools-Team, PersonalDashboard, secscrum, Security, Application Security Reviews
sbassett added a project to T404738: Application Security Review Request : PersonalDashboard extension: user-sbassett.
Oct 17 2025, 3:21 PM · user-sbassett, OKR-Work, Moderator-Tools-Team, PersonalDashboard, secscrum, Security, Application Security Reviews
sbassett closed T396486: Application Security Review Request: Wikifunctions rich text (HTML) output as Resolved.
Oct 17 2025, 3:20 PM · Abstract Wikipedia team (26Q2 (Oct–Dec)), OKR-Work, user-sbassett, WikiLambda, secscrum, Security, Application Security Reviews
sbassett moved T396486: Application Security Review Request: Wikifunctions rich text (HTML) output from In Progress to Done on the user-sbassett board.
Oct 17 2025, 3:20 PM · Abstract Wikipedia team (26Q2 (Oct–Dec)), OKR-Work, user-sbassett, WikiLambda, secscrum, Security, Application Security Reviews
sbassett moved T396486: Application Security Review Request: Wikifunctions rich text (HTML) output from Waiting to Our Part Is Done on the secscrum board.
Oct 17 2025, 3:19 PM · Abstract Wikipedia team (26Q2 (Oct–Dec)), OKR-Work, user-sbassett, WikiLambda, secscrum, Security, Application Security Reviews

Oct 16 2025

Jdforrester-WMF moved T396486: Application Security Review Request: Wikifunctions rich text (HTML) output from Incoming to In Code review on the Abstract Wikipedia team (26Q2 (Oct–Dec)) board.
Oct 16 2025, 2:07 PM · Abstract Wikipedia team (26Q2 (Oct–Dec)), OKR-Work, user-sbassett, WikiLambda, secscrum, Security, Application Security Reviews

Oct 9 2025

Jdforrester-WMF edited projects for T396486: Application Security Review Request: Wikifunctions rich text (HTML) output, added: Abstract Wikipedia team (26Q2 (Oct–Dec)); removed Abstract Wikipedia team (26Q1 (Jul–Sep)).
Oct 9 2025, 3:18 PM · Abstract Wikipedia team (26Q2 (Oct–Dec)), OKR-Work, user-sbassett, WikiLambda, secscrum, Security, Application Security Reviews
egardner added a comment to T404751: Application Security Review Request : ReaderExperiments.

We have received formal manager approval from @HSwan-WMF (see T405993#11257325) to proceed with deployment of this new extension to production prior to the completion of this review, and will move forward with deployment next week.

Oct 9 2025, 1:59 PM · FY2025-26 WE3.1 Engaging New Audiences, Reader Growth Team, Reader-Experiments, secscrum, Security, Application Security Reviews

Oct 8 2025

jsn.sherman added a comment to T404738: Application Security Review Request : PersonalDashboard extension.

Hey @jsn.sherman and @Samwalton9-WMF - I'm not sure what conversations you've had with @Catrope regarding this review, but if we could summarize those here and any other expectations regarding this review, that would be great. Thanks.

Oct 8 2025, 2:13 PM · user-sbassett, OKR-Work, Moderator-Tools-Team, PersonalDashboard, secscrum, Security, Application Security Reviews

Oct 7 2025

egardner added a comment to T404751: Application Security Review Request : ReaderExperiments.

@egardner - We are targeting a mid-quarter turnaround of this review, sometime in November 2025. This should not block any deployments on your end if you have tighter timelines.

Oct 7 2025, 4:51 PM · FY2025-26 WE3.1 Engaging New Audiences, Reader Growth Team, Reader-Experiments, secscrum, Security, Application Security Reviews
sbassett updated subscribers of T404738: Application Security Review Request : PersonalDashboard extension.

Hey @jsn.sherman and @Samwalton9-WMF - I'm not sure what conversations you've had with @Catrope regarding this review, but if we could summarize those here and any other expectations regarding this review, that would be great. Thanks.

Oct 7 2025, 3:59 PM · user-sbassett, OKR-Work, Moderator-Tools-Team, PersonalDashboard, secscrum, Security, Application Security Reviews