From 0c2f5f180df70779a56ae5e8dff7148b8a51d4dd Mon Sep 17 00:00:00 2001 From: Martin Urbanec Date: Fri, 28 Feb 2025 12:19:00 +0100 Subject: [PATCH] SECURITY: Validate mentor's weight is within the expected range This should not break any mentor list, as evidenced by global search query on the task. Bug: T386826 Change-Id: I1661ac92a43cb70f83e1e4804ab031971c0b57e2 --- i18n/mentorship/en.json | 1 + i18n/mentorship/qqq.json | 1 + .../Validation/StructuredMentorListValidator.php | 10 ++++++++++ 3 files changed, 12 insertions(+) diff --git a/i18n/mentorship/en.json b/i18n/mentorship/en.json index 1af982a5a..0888ed840 100644 --- a/i18n/mentorship/en.json +++ b/i18n/mentorship/en.json @@ -171,6 +171,7 @@ "growthexperiments-mentor-list-missing-key": "Key $1 is missing", "growthexperiments-mentor-list-datatype-mismatch": "$1 is expected to be $2, but is $3", "growthexperiments-mentor-list-unexpected-key-mentor": "Mentor definition contains an unexpected key $1", + "growthexperiments-mentor-list-invalid-weight": "$1 is expected to be one of: $2, but is $3", "growthexperiments-mentor-writer-error-already-added": "Mentor $1 was already added to the mentor list", "growthexperiments-mentor-writer-error-not-in-the-list": "Mentor $1 is not in the mentor list", "growthexperiments-mentor-writer-error-anonymous-user": "Mentor $1 is not a registered user", diff --git a/i18n/mentorship/qqq.json b/i18n/mentorship/qqq.json index b8e2755ca..89374fadf 100644 --- a/i18n/mentorship/qqq.json +++ b/i18n/mentorship/qqq.json @@ -179,6 +179,7 @@ "growthexperiments-mentor-list-missing-key": "Error message displayed when a manual save of MediaWiki:GrowthMentors.json (configurable by GEStructuredMentorList) is invalid.", "growthexperiments-mentor-list-datatype-mismatch": "Error message displayed when a manual save of MediaWiki:GrowthMentors.json (configurable by GEStructuredMentorList) is invalid.", "growthexperiments-mentor-list-unexpected-key-mentor": "Error message displayed when a manual save of MediaWiki:GrowthMentors.json (configurable by GEStructuredMentorList) is invalid.", + "growthexperiments-mentor-list-invalid-weight": "Error message displayed when a manual save of MediaWiki:GrowthMentors.json (configurable by GEStructuredMentorList) is invalid.", "growthexperiments-mentor-writer-error-already-added": "Error message displayed when a change to MediaWiki:GrowthMentors.json (configurable by GEStructuredMentorList) tries to add a mentor who is already added", "growthexperiments-mentor-writer-error-not-in-the-list": "Error message displayed when a change to MediaWiki:GrowthMentors.json (configurable by GEStructuredMentorList) tries to remove/change a mentor who is not in the list", "growthexperiments-mentor-writer-error-anonymous-user": "Error message displayed when a change to MediaWiki:GrowthMentors.json (configurable by GEStructuredMentorList) tries to remove/change a mentor who is not in the list", diff --git a/includes/Config/Validation/StructuredMentorListValidator.php b/includes/Config/Validation/StructuredMentorListValidator.php index 8a2719e48..e2d4d1b37 100644 --- a/includes/Config/Validation/StructuredMentorListValidator.php +++ b/includes/Config/Validation/StructuredMentorListValidator.php @@ -2,6 +2,7 @@ namespace GrowthExperiments\Config\Validation; +use GrowthExperiments\MentorDashboard\MentorTools\IMentorWeights; use GrowthExperiments\Mentorship\Provider\MentorProvider; use InvalidArgumentException; use StatusValue; @@ -98,6 +99,15 @@ class StructuredMentorListValidator implements IConfigValidator { gettype( $value ) ); } + + if ( $key === 'weight' && !in_array( $value, IMentorWeights::WEIGHTS ) ) { + return StatusValue::newFatal( + 'growthexperiments-mentor-list-invalid-weight', + $key, + \FormatJson::encode( IMentorWeights::WEIGHTS ), + $value + ); + } } // Code below assumes mentor declarations are syntactically correct. -- 2.39.3 (Apple Git-145)