TemplateData doesn't fully validate suggestedvalues
Closed, ResolvedPublicBUG REPORT
Actions

Description

The suggestedvalues feature in TemplateData is currently not properly validated. It must be an array. But the values can be anything. Example:

"suggestedvalues": [
    "string, as expected",
    { "value": "well…", … }
]

This is successfully stored and returned by the API as is. VisualEditor doesn't fail immediately, but behaves odd.

Details

Subject	Repo	Branch	Lines +/-
Update OOUI to v0.43.0	mediawiki/core	master	+824 -1 K
Don't feed bad values to TagMultiselectWidget	mediawiki/extensions/TemplateData	master	+4 -0
Fix TagMultiselectWidget.setValue behaving odd in edge cases	oojs/ui	master	+3 -3
Skip bad suggestedvalues and aliases in the template dialog	mediawiki/extensions/VisualEditor	master	+6 -2
Add missing validation for aliases and suggestedvalues	mediawiki/extensions/TemplateData	master	+17 -12

Customize query in gerrit

Related Objects
Search...

		Status	Subtype	Assigned	Task
		Resolved	Feature	thiemowmde	T298795 breaking change in templatedata: asserting an alias must be a string
		Resolved	BUG REPORT	thiemowmde	T297386 TemplateData doesn't fully validate suggestedvalues

Event Timeline

thiemowmde created this task.Dec 9 2021, 1:15 PM

Restricted Application added a subscriber: Aklapper. · View Herald TranscriptDec 9 2021, 1:15 PM

Change 745543 had a related patch set uploaded (by Thiemo Kreuz (WMDE); author: Thiemo Kreuz (WMDE)):

[mediawiki/extensions/VisualEditor@master] Skip bad suggestedvalues in the template dialog

https://gerrit.wikimedia.org/r/745543

gerritbot added a project: Patch-For-Review.Dec 9 2021, 1:17 PM

Change 745544 had a related patch set uploaded (by Thiemo Kreuz (WMDE); author: Thiemo Kreuz (WMDE)):

[mediawiki/extensions/TemplateData@master] Add missing validation for aliases and suggestedvalues

https://gerrit.wikimedia.org/r/745544

thiemowmde updated the task description. (Show Details)Dec 9 2021, 1:44 PM

ppelberg moved this task from To Triage to Triaged on the VisualEditor board.Dec 9 2021, 5:15 PM

WMDE-Fisch added projects: WMDE-TechWish-Sprint-2021-12-08, Unplanned-Sprint-Work.Dec 13 2021, 8:41 AM

WMDE-Fisch moved this task from Sprint Backlog to Tech Review on the WMDE-TechWish-Sprint-2021-12-08 board.

Lena_WMDE moved this task from Backlog to In sprint on the WMDE-Templates-FocusArea board.Dec 13 2021, 9:21 AM

FYI, I just checked both enwiki and dewiki if there is any template using anything but an array of strings. It looks like there are none. There is the custom JSON format on dewiki that is processes by Template:TemplateData, but that's guaranteed to output the correct format.

awight added a project: WMDE-TechWish-XMAS-Sprint-2021-12-15.Dec 14 2021, 1:39 PM

awight removed a project: Unplanned-Sprint-Work.

awight moved this task from Sprint Backlog to Tech Review on the WMDE-TechWish-XMAS-Sprint-2021-12-15 board.

Change 745544 merged by jenkins-bot:

[mediawiki/extensions/TemplateData@master] Add missing validation for aliases and suggestedvalues

https://gerrit.wikimedia.org/r/745544

ReleaseTaggerBot added a project: MW-1.38-notes (1.38.0-wmf.16; 2022-01-03).Dec 15 2021, 1:00 PM

Andrew-WMDE moved this task from Tech Review to Demo on the WMDE-TechWish-XMAS-Sprint-2021-12-15 board.Dec 17 2021, 10:55 AM

Change 745543 merged by jenkins-bot:

[mediawiki/extensions/VisualEditor@master] Skip bad suggestedvalues and aliases in the template dialog

https://gerrit.wikimedia.org/r/745543

Maintenance_bot removed a project: Patch-For-Review.Dec 17 2021, 12:10 PM

thiemowmde moved this task from Backlog to Doing on the TemplateData board.Dec 23 2021, 11:56 AM

Note: when opening a legacy broken suggestedvalue e.g. with a raw integer 3, an empty pill appears where the entry should be. No warning appears. Saving the template data will silently replace the broken value with a null.

awight moved this task from Demo to Done on the WMDE-TechWish-XMAS-Sprint-2021-12-15 board.Jan 4 2022, 9:35 AM

Change 751488 had a related patch set uploaded (by Thiemo Kreuz (WMDE); author: Thiemo Kreuz (WMDE)):

[mediawiki/extensions/TemplateData@master] Don't feed bad values to TagMultiselectWidget

https://gerrit.wikimedia.org/r/751488

gerritbot added a project: Patch-For-Review.Jan 4 2022, 7:36 PM

[…] an empty pill appears […] Saving the template data will silently replace the broken value with a null.

Nice find! Even with all validation in place it's possible to run into this. Just add "suggestedvalues": [ 3 ] manually to the JSON, don't save the page, but start the TemplateData editor.

I uploaded a quick patch that makes the editor behave less broken in such a situation.

Change 751749 had a related patch set uploaded (by Thiemo Kreuz (WMDE); author: Thiemo Kreuz (WMDE)):

[oojs/ui@master] Fix TagMultiselectWidget.setValue behaving odd in edge cases

https://gerrit.wikimedia.org/r/751749

Change 751749 merged by jenkins-bot:

[oojs/ui@master] Fix TagMultiselectWidget.setValue behaving odd in edge cases

https://gerrit.wikimedia.org/r/751749

thiemowmde added a parent task: T298795: breaking change in templatedata: asserting an alias must be a string.Jan 11 2022, 9:09 AM

thiemowmde claimed this task.Jan 12 2022, 8:52 AM

thiemowmde added a project: WMDE-TechWish-Sprint-2022-01-05.

thiemowmde moved this task from Sprint Backlog to Tech Review on the WMDE-TechWish-Sprint-2022-01-05 board.

Change 751488 abandoned by Thiemo Kreuz (WMDE):