Improved heuristics for detecting TPRs in gadet code (!1) · Merge requests · repos / security / Wikimedia Gadgets Scan · GitLab

How to register an account on GitLab. Due to spam, new accounts are locked until approved by an admin or the approver bot. Your GitLab account gets automatically approved within one hour if you are a member of Trusted Contributors in Gerrit, or a member of the Trusted-Contributors group in Phabricator and linked your Developer account to your Phabricator account. If none of these apply, you can file an unlock request to expedite access.

Take the 2024 Developer Satisfaction Survey ^{(privacy statement)} to help identify areas for improvement and measure satisfaction within the Wikimedia developer community.

Support: mw:GitLab, how to host a project on GitLab, #wikimedia-gitlab on libera.chat, #GitLab on Phabricator.

Samuel (WMF) requested to merge improved-detection-heuristics into main Jun 17, 2024

Reduce false positives by combining a few conditions:

Single-line or multiple-line comments are ignored during code scan
Gadget code contains some URLs that aren't part of the allow-list
Gadget code matches abritrary rules such as the presence of mw.loader or iframe.

Still, some gadgets won't be caught if they load TPRs in a way that evades those rules.

Bug: T335892

Edited Jun 17, 2024 by Samuel (WMF)