T410091 Security review for Extension:WP25EasterEggs
Status: Closed, Resolved (Public)
Assigned To: mmartorana
Authored By: Jdrewniak, 2025-11-13 21:25:39 (UTC+0)
Tags: PES1.3.3 WP25 Easter Eggs (extension:WP25EasterEggs); MediaWiki-extensions-WP25EasterEggs (Backlog); Application Security Reviews; secscrum (Our Part Is Done); Security-Team (Our Part Is Done); SecTeam-Processed (Completed); MW-1.46-notes (1.46.0-wmf.17; 2026-02-24)
Subscribers: A_smart_kitten, Aklapper, ASanford-WMF, ATitkov, CDekock-WMF, cmadeo, HFan-WMF (9 in total)
Description
NOTE: Due to the time-sensitive nature of the Wikipedia 25 birthday celebrations, it is unreasonable to expect a full security review for this extension before a production deployment in January/February 2026. The developer @ATitkov will provide a self-review to the best of their abilities and @Jdrewniak will assume the security risk for deploying this to production. The self-review is tracked in T411130.
Project Information
Name of tool/project: Extension:WP25EasterEggs
Project home page:
Name of team requesting review: Reader Experience Team
Primary contact: @ATitkov (developer), @cmadeo (project lead)
Target date for deployment: January/February 2026
Link to code repository:
Link to scc output for general sizing of codebases ( ): TODO
Description of the tool/project:
The Wikipedia 25 Easter eggs extension will provide readers of Wikipedia with a celebratory mascot who will accompany them on their Wikipedia journey.
Description of how the tool will be used at WMF:
This extension is meant to celebrate Wikipedia's 25th birthday by enabling users to show a graphical mascot on the sidebar of Wikipedia articles on the Vector 2022 and MinervaNeue skins. This mascot may occasionally be animated during parts of the user's reading journey. Since the purpose of the extension is to celebrate Wikipedia's 25th birthday, it is by nature time-limited and temporary. There is currently no intention of leaving this extension in production for longer than a year after it has been deployed.
Dependencies
No external dependencies.
Has this project been reviewed before?
No, but we will undertake a detailed self-review as part of T411130.
Working test environment
Local setup available on documentation page:
Post-deployment
Primary developer is @ATitkov, manager is @cmadeo, with support from the Reader Experience Team.
Details
Other Assignee: ASanford-WMF
Related Changes in Gerrit:
| Subject | Repo | Branch | Lines +/- |
| --- | --- | --- | --- |
| Use mw.message instead of mw.msg to fix error | mediawiki/extensions/WP25EasterEggs | master | +1 -1 |
| Escape the unescaped i18n messages | mediawiki/extensions/WP25EasterEggs | wmf/1.46.0-wmf.15 | +5 -5 |
| Escape the unescaped i18n messages | mediawiki/extensions/WP25EasterEggs | master | +5 -5 |
Related Objects
Task Graph
| Status | Assigned | Task |
| --- | --- | --- |
| Resolved | None | T411065 Extension:WP25EasterEggs deployment checklist |
| Resolved | mmartorana | T410091 Security review for Extension:WP25EasterEggs |
| Declined | ATitkov | T411130 [DRAFT] Security self-review for Extension:WP25EasterEggs |
Mentioned In
- T4171: Query page to list protected pages
- T417078: Hide Baby Globe when VisualEditor loads
- T41711: Login should only be required when uploading photos
- T417077: Add link to settings below Baby Globe on Minerva
- T411408: Deploy extension:WP25EasterEggs to beta cluster
- T411065: Extension:WP25EasterEggs deployment checklist
Mentioned Here
- T4171: Query page to list protected pages
- T41711: Login should only be required when uploading photos
- T417077: Add link to settings below Baby Globe on Minerva
- T417078: Hide Baby Globe when VisualEditor loads
- rEWEE38ce7a229a57: Remove WANObjectCache from PageCompanionService, add soft-launch Qids
- T411130: [DRAFT] Security self-review for Extension:WP25EasterEggs
Event Timeline
Jdrewniak created this task. 2025-11-13 21:25:39 (UTC+0)
Restricted Application added a subscriber: Aklapper. 2025-11-13 21:25:40 (UTC+0)
A_smart_kitten subscribed. 2025-11-14 10:05:18 (UTC+0)
Aklapper added a comment. 2025-11-14 16:04:39 (UTC+0)
lists several steps which have not been resolved yet before requesting a Security review.
Jdrewniak mentioned this in T411065: Extension:WP25EasterEggs deployment checklist. 2025-11-26 13:15:30 (UTC+0)
Jdrewniak added a parent task: T411065: Extension:WP25EasterEggs deployment checklist. 2025-11-26 13:18:30 (UTC+0)
Jdrewniak added a project: MediaWiki-extensions-WP25EasterEggs. 2025-11-26 13:37:28 (UTC+0)
Jdrewniak created subtask T411130: [DRAFT] Security self-review for Extension:WP25EasterEggs. 2025-11-26 20:17:14 (UTC+0)
Jdrewniak renamed this task from "[DRAFT]: Security review for Extension:WP25EasterEggs" to "Security review for Extension:WP25EasterEggs". 2025-11-26 21:14:16 (UTC+0)
Jdrewniak added a project: Application Security Reviews.
Jdrewniak updated the task description.
Restricted Application added a project: secscrum. 2025-11-26 21:14:17 (UTC+0)
sbassett moved this task from Incoming to Upcoming Quarter Planning Queue on the secscrum board. 2025-12-01 16:37:17 (UTC+0)
bd808 mentioned this in T411408: Deploy extension:WP25EasterEggs to beta cluster. 2025-12-01 21:54:32 (UTC+0)
sbassett changed the task status from Open to In Progress. 2026-01-05 17:46:40 (UTC+0)
sbassett assigned this task to mmartorana.
sbassett triaged this task as Medium priority.
sbassett moved this task from Upcoming Quarter Planning Queue to In Progress on the secscrum board.
sbassett added projects: Security-Team, SecTeam-Processed.
sbassett moved this task from Incoming to In Progress on the Security-Team board.
mmartorana added a comment. 2026-01-08 17:15:25 (UTC+0)
Hi @Jdrewniak - to help us scope this review, could you clarify the expected deployment window more precisely?
Also, do you anticipate a staged rollout or a single deployment, and is there a planned removal date given this extension is temporary?
Jdrewniak added a comment. 2026-01-23 14:45:04 (UTC+0)
Hi @mmartorana, sorry I missed that previous message. To answer your questions, the deployment timeline for this extension is to deploy it to production by the week of February 15th. We hope to have it enabled on beta cluster next week. This extension will be deployed globally, but it will be gated by community configuration settings, which will disable the feature from appearing on wikis that don't reach community consensus.
In regards to the removal date, this has been communicated as March 16th, so it'll only run for one month! (although I wouldn't mind keeping it on for longer).
This feature will remain supported until 16 March 2026; after this we will remove the feature from all Wikis.
HFan-WMF subscribed. 2026-02-02 23:46:06 (UTC+0)
Since our planned rollout date is in about 12 days, wondering whether there are any additional questions or concerns from the Security side, @mmartorana. Thank you so much!!
mmartorana added a subscriber: ASanford-WMF. 2026-02-03 18:57:52 (UTC+0)
Thanks for the ping! We're aware of the rollout timeline.
We're pairing on the review with @ASanford-WMF to move this along.
I'll follow up shortly if any security concerns or questions come up; otherwise we'll confirm once the review is complete.
CDekock-WMF subscribed. 2026-02-10 08:59:30 (UTC+0)
ASanford-WMF updated Other Assignee, added: ASanford-WMF. 2026-02-10 14:52:22 (UTC+0)
Jdrewniak added a subscriber: NBaca-WMF. 2026-02-12 17:16:08 (UTC+0)
Hi @mmartorana and @ASanford-WMF,
Thank you both for your work on this review. As you can both see, the volume of code in this repo has increased substantially since we requested this review in January, so I can only imagine the effort required to undertake this. Unfortunately, we are working towards a hard deadline of Monday Feb 16th for this project, which will mean we will have to deploy this into production on that day. The reason that this is a hard deadline is because there has been press and media coordinated with this launch, spread out across many outlets, and rescheduling that press is not possible at this time. Because of that, we'll have to proceed with this launch even if the security review isn't finished yet. I've been given the guidance that security review shouldn't be a hard blocker for releases, so I'm working under that assumption (please correct me if that's not the case), but we are committed to fixing any issues that arise from the review ASAP, even if it means disabling the extension. Our contractor @ATitkov is ready and available to resolve any issues that crop up during this review.
I have approval from @NBaca-WMF to assume responsibility for proceeding with the following deployment plan, security review notwithstanding:
Thursday Feb 12: Enable this extension in production today, hidden under a feature flag -- essentially `wfLoadExtension( 'WP25EasterEggs' );` for all Wikipedias. This will hopefully reveal any performance issues with the extension when it's in an idle state and gives us a chance to roll back tomorrow.
Mon Feb 16: Enable the `$wgWp25EasterEggsEnable = true;` flag for all Wikipedias.
In the first week, this extension will be opt-in only by individual users, but it will also have to be opt-in on a per-wiki basis by admins, through a communityConfig page. The extension can also be immediately disabled through that communityConfig as well. The following wikis have expressed interest in enabling this feature on the project meta-page:
- Czech: cs.wikipedia.org
- French: fr.wikipedia.org
- Gorontalo: gor.wikipedia.org
- Italian: it.wikipedia.org
- Indonesian: id.wikipedia.org
- Madurese: mad.wikipedia.org
- Thai: th.wikipedia.org
- Vietnamese: vi.wikipedia.org
- Wayuu: guc.wikipedia.org
- Sicilian: scn.wikipedia.org
This double opt-in "soft-launch" scenario is meant to de-risk this deploy as much as possible, so that hopefully by the week of Feb 23rd, we'll be able to show baby globe more broadly as more wikis opt in. Please let me know if there are any immediate concerns or issues that have cropped up that might affect this plan.
@mmartorana and @ASanford-WMF, thank you both again for working on this. Looking forward to the outcome of the review.
ASanford-WMF added a comment. 2026-02-12 18:07:33 (UTC+0)
Hi @Jdrewniak! Thanks for the heads up. That all sounds good on our end. We're aiming to have our review posted tomorrow 👍
ASanford-WMF added a comment. 2026-02-13 18:39:59 (UTC+0)
Security Review Summary - T410091 - 2026-02-13
Last commit reviewed: 38ce7a2
Summary
Overall, the extension was not found to have issues of critical or high severity. Some medium severity XSS issues in the handling of translation strings were noted, and should be addressed. Some vulnerable or outdated packages were noted for completeness, but no reachable vulnerabilities were found. Finally, a note on unreachable code (incidentally containing vulnerabilities) is included below.
The overall risk rating is: medium
Vulnerable Packages - Production
Risk: none
No npm or composer vulnerable packages are being used in production.
Vulnerable Packages - Development
Risk: none
| Vulnerability | Package | Notes | Service | Remediation | Risk |
| --- | --- | --- | --- | --- | --- |
| Uncontrolled Recursion (CVE-2025-50537) | eslint | Not using custom rules or serialization module; vulnerable code is not reachable. | snyk | (none) | Informational |
| Memory Leak | inflight | Not directly using this package within the extension. | snyk | (none) | Informational |
| Prototype Pollution (CVE-2025-13465) | lodash | Vulnerable functions `_.unset` and `_.omit` not being used. | snyk | (none) | Informational |
Outdated Packages
Risk: low
As reported via `npm outdated`: none
As reported via `composer outdated` (no explicit vulnerabilities reported, simply noting for completeness' sake):
| Package | Current | Latest |
| --- | --- | --- |
| doctrine/dbal | 3.10.4 | 4.4.1 |
| doctrine/sql-formatter | 1.5.3 | 1.5.4 |
| giorgiosironi/eris | 0.14.1 | 1.0.0 |
| justinrainbow/json-schema | 5.3.1 | 6.6.4 |
| lcobucci/jwt | 4.1.5 | 5.6.0 |
| mediawiki/mediawiki-codesniffer | 48.0.0 | 50.0.0 |
| mediawiki/mediawiki-phan-config | 0.18.0 | 0.19.0 |
| mediawiki/minus-x | 1.1.3 | 2.0.1 |
| monolog/monolog | 2.11.0 | 3.10.0 |
| phpunit/phpunit | 9.6.34 | 12.5.11 |
| psr/http-message | 1.1 | 2.0 |
| psr/log | 1.1.4 | 3.0.2 |
| psr/simple-cache | 1.0.1 | 3.0.0 |
| psy/psysh | 0.12.19 | 0.12.20 |
| symfony/yaml | 6.4.30 | 7.4.1 |
| wikimedia/parsoid | 0.23.0-a14 | 0.23.0-a15 |
| lcobucci/clock | 2.2.0 | 3.5.0 |
| mediawiki/phan-taint-check-plugin | 8.0.0 | 9.0.0 |
| netresearch/jsonmapper | 4.5.0 | 5.0.0 |
| phan/phan | 5.5.2 | 6.0.1 |
| phpcsstandards/phpcsextra | 1.4.0 | 1.5.0 |
| phpcsstandards/phpcsutils | 1.1.1 | 1.2.2 |
| phpdocumentor/reflection-docblock | 5.6.6 | 6.0.1 |
| phpdocumentor/type-resolver | 1.12.0 | 2.0.0 |
| phpunit/php-code-coverage | 9.2.32 | 12.5.3 |
| phpunit/php-file-iterator | 3.0.6 | 6.0.1 |
| phpunit/php-invoker | 3.1.1 | 6.0.0 |
| phpunit/php-text-template | 2.0.4 | 5.0.0 |
| phpunit/php-timer | 5.0.3 | 8.0.0 |
| sabre/event | 5.1.7 | 6.0.1 |
| sebastian/cli-parser | 1.0.2 | 4.2.0 |
| sebastian/code-unit | 1.0.8 | 3.0.3 |
| sebastian/code-unit-reverse-lookup | 2.0.3 | 4.0.1 |
| sebastian/comparator | 4.0.10 | 7.1.4 |
| sebastian/complexity | 2.0.3 | 5.0.0 |
| sebastian/diff | 4.0.6 | 7.0.0 |
| sebastian/environment | 5.1.5 | 8.0.3 |
| sebastian/exporter | 4.0.8 | 7.0.2 |
| sebastian/global-state | 5.0.8 | 8.0.2 |
| sebastian/lines-of-code | 1.0.4 | 4.0.0 |
| sebastian/object-enumerator | 4.0.4 | 7.0.0 |
| sebastian/object-reflector | 2.0.4 | 5.0.0 |
| sebastian/recursion-context | 4.0.6 | 7.0.1 |
| sebastian/type | 3.2.1 | 6.0.3 |
| sebastian/version | 3.0.2 | 6.0.0 |
| squizlabs/php_codesniffer | 3.13.2 | 4.0.1 |
| symfony/string | 7.3.8 | 7.4.4 |
| theseer/tokenizer | 1.3.1 | 2.0.1 |
Static Analysis Findings
Risk: low
The following function is potentially dangerous if supplied with values affected by user input ("tainted" values). Currently, only one vulnerability exists related to this function (see General Security Issues below). However, vulnerabilities may arise in the future if code is added which passes tainted values to the function.
domUtils.js `createElement`: This function does not perform sanitization or validation of the value of the `tag` or `innerHTML` parameters before using them to create an element within the DOM. Tainted input may lead to XSS vulnerabilities, for example by adding a