Commit graph

2831 commits

Author SHA1 Message Date
Kunal Mehta 0ae3a127d5 Configure phan-taint-check-plugin
The plugin checks and flags potential security issues (XSS, SQLi, etc.)
using static analysis.

See <https://www.mediawiki.org/wiki/Phan-taint-check-plugin> for more
details.

Bug: T201219
Change-Id: I307dc7848562ba7db9b0aca4085b135a314cd66f
2018-08-03 21:30:01 -07:00
Translation updater bot 2d56971b89 Localisation updates from https://translatewiki.net.
Change-Id: I3f5eb07a66353a889b4698ec374c60b35a07c9d8
2018-08-01 22:10:41 +02:00
Volker E f47e333ff1 build: Bring SVGO optimization to build step
Enabling SVGO automation with 'grunt-svgmin' and conservative
plugin settings to build step, among those:
- enable removeRasterImages and sortAttrs,
- disable cleanupIDs, removeDesc, removeTitle, & removeViewBox as
  described in
  https://www.mediawiki.org/wiki/Manual:Coding_conventions/SVG#Exemplified_safe_configuration
- disable removeXMLProcInst; if the SVG doesn't start with an XML
  declaration, then its MIME type will be detected as "text/plain"
  rather than "image/svg+xml" by libmagic and, consequently, MediaWiki's
  CSSMin CSS minifier. libmagic's default database currently requires
  that SVGs contain an XML declaration:
  <https://github.com/threatstack/libmagic/blob/master/magic/Magdir/sgml#L5>.
- make use of pretty and multipass options.

Settings are stored in a JSON file to be independent of the Grunt build
process. Also updating SVG accordingly.

Bug: T185596
Change-Id: I715ad4cf2e900665e4c32c78b4c2d9d9cebf0222
2018-08-01 10:51:43 -05:00
libraryupgrader c42b25585b build: Updating mediawiki/mediawiki-codesniffer to 21.0.0
Change-Id: Ibd1a92e09449b26d73053a0ef1f266c03729c2c0
2018-07-27 13:42:06 +00:00
Stephen Niedzielski 8ba5c0f773 Hygiene: make JSDoc configs consistent
Make the Popups, MobileFrontend, and MinervaNeue JSDocs consistent. For
Popups, specify package.json, readme, and default template options and
moved doc/ to docs/ and autogenerated JavaScript documentation from
doc/autogenerated to docs/js.

http://usejsdoc.org/about-configuring-jsdoc.html
http://usejsdoc.org/about-commandline.html
http://usejsdoc.org/about-configuring-default-template.html

Bug: T188261
Change-Id: I81e64f06265f1ecc4e2ee159deef9b204ea7e957
2018-07-23 14:45:14 -05:00
Translation updater bot 9b15c940c0 Localisation updates from https://translatewiki.net.
Change-Id: I3481832413cae702316a46dfffdd2d08219f32e2
2018-07-21 22:12:00 +02:00
Translation updater bot 0c36b81cbe Localisation updates from https://translatewiki.net.
Change-Id: Id4e63ed681541852f7216220aa55542cc4debc80
2018-07-19 22:30:54 +02:00
Antoine Musso 1cff4a15a7 QA: Selenium no more needs wgUsejQueryThree
$wgUsejQueryThree was a transient setting that has been removed with
MediaWiki 1.31.  It is thus no more needed in the Selenium
LocalSettings.php file.

Bug: T199939
Change-Id: I74565cc81ff3704d2d91c8768b0e8f8ee7a4dcc3
2018-07-19 15:57:47 +02:00
Translation updater bot 9e85e9b00e Localisation updates from https://translatewiki.net.
Change-Id: I38db0ab24751a0c6e2d54ec32f3e4bd001119de6
2018-07-18 22:12:40 +02:00
jdlrobson 69efbfc377 Enforce eslinting for jsdoc
Let's improve our documentation by linting it and ensuring it
is complete and matches guidelines

This fixes offenders

Change-Id: I7c829b375705e763085cf731e9a77cc14339af67
2018-07-17 08:21:01 -05:00
Stephen Niedzielski ab7a5808ef Hygiene: update JSDoc boxed and JQuery types
Although Popups only uses JSDocs at this time which seemingly doesn't
care about casing[1], we should endeavor to use the proper return types.

This patch lowercases typing to indicate primitive / boxed type as
appropriate.[2] As a special case, function types are uppercased for
compatibility with TypeScript type checking.

Lastly, JQuery types are of type "JQuery". The global JQuery object's
identifier is "jQuery". This patch uppercases J's where appropriate.

[0] https://github.com/jsdoc3/jsdoc/issues/1046#issuecomment-126477791

[1] find src tests -iname \*.js|
    xargs -rd\\n sed -ri '
      s%\{\s*([?!])?(number|string|boolean|null|undefined)%{\1\L\2%gi;
      s%\{\s*([?!])?(function|object)%{\1\u\2%gi;
      s%\{\s*([?!])?jquery%{\1JQuery%gi
    '

Change-Id: I771bdbb69dc978796a331998c0657622ac39c449
2018-07-17 08:20:08 -05:00
Translation updater bot 84d6be1a85 Localisation updates from https://translatewiki.net.
Change-Id: I7776cfa95cefbb57a3cfa4fc687ec7b9e9822c8d
2018-07-16 22:20:18 +02:00
jenkins-bot 6c802dfded Merge "Fix: mw-node-qunit package reference" 2018-07-13 17:46:14 +00:00
Piotr Miazga 4684b39841 Hygiene: use actionsTest consts instead of hardcoded states
The unit tests should use defined action types instead of hardcoding
each state.

Change-Id: I6769ba057e93239e1c720c3bfa050c618ea63978
2018-07-13 17:12:49 +02:00
Piotr Miazga c823a0e6cb When request gets aborted it shouldn't finish with FETCH_FAILED
When the user moves the mouse away and we abort the http request we shouldn't
count that request as a FETCH_FAILED. The reasoning behind is that
FETCH_FAILED state increments the counter.PagePreviewsApiFailure.
Our StatsD graph gets polluted with lots of aborted requests and it
becomes unusable. It doesn't show only the failed requests.

Changes:
 - introduced new state: FETCH_ABORTED
 - switch to FETCH_ABORTED when browser aborts the request

Bug: T199482
Change-Id: I58047eb80f0700b78b2991daff9395ecc92553b8
2018-07-13 16:52:53 +02:00
Stephen Niedzielski 89df27595b Fix: mw-node-qunit package reference
Update the mw-node-qunit require to @wikimedia/mw-node-qunit. 2d150f0
missed this and it caused tests in CI to silently succeed.

Bug: T197251
Change-Id: I9de597b0e9afc747c47bddc6debcbe5b87bcd793
2018-07-13 07:47:30 -05:00
jdlrobson 10e6e25091 Upgrade eslint-config-wikimedia
* Force arrow-parens
* Disable no-prototype-builtins for time being
* Drop unnecessary maxlen rule

Change-Id: Iceb0fe47354a5753202d2c6ad9e1a9c76791f744
2018-07-13 07:42:12 -05:00
jenkins-bot 147f5a4fa1 Merge "Properly handle catch() when calling gateway fetch." 2018-07-12 22:47:07 +00:00
Piotr Miazga 2527f931a2 Properly handle catch() when calling gateway fetch.
Previous implementation did not pass the `result` variable
to the catch() statement. Because of that every execution that
ended with exception inside fetch() statement was treated as
not a network exception and tried to present the null preview.

Changes:
 - properly handle data returned by rejected fetch promise
 - changed the big if (result && result....) into something easier
 to read
 - pass Error object instead of 'http' string
 - Restbase can return exception, it doesn't have to handle the 404
 errors by itself, it's already taken care in the catch() logic
 - fixed unit tests to reflect new logic in restbase gateway

Bug: T199482
Change-Id: Ibb30fc58248623d9ad4c5388a5b2ff9b387e01de
2018-07-13 00:02:59 +02:00
jenkins-bot 1ca683fb3f Merge "Tweak page previews margin for consistency" 2018-07-12 19:45:51 +00:00
Translation updater bot 206388eb26 Localisation updates from https://translatewiki.net.
Change-Id: Iceed7282e4028091cdb00381ed1e2e056b562d40
2018-07-11 22:39:48 +02:00
jdlrobson bce82dab1f Tweak page previews margin for consistency
Bug: T198663
Change-Id: Ice5c24015371d6f2f67076698314537944bf8705
2018-07-11 11:45:59 -07:00
Stephen Niedzielski a0dc96cac9 Hygiene: consistently refer to globals directly
Instead of mixing window.mediaWiki / mediaWiki and window.jQuery /
jQuery references, always refer to globals which exist whether code is
executed in browser or headless Node.js environments.

  find src tests -iname \*.js|
  xargs -rd\\n sed -ri 's%window.(mediaWiki|jQuery)%\1%gi'

Change-Id: I21d0a602dcbd2bc6774934bee6c487e443270fe0
2018-07-09 08:46:40 -05:00
jenkins-bot f0a19b6f18 Merge "Hygiene: forbid unused lint directives" 2018-07-06 22:22:56 +00:00
Translation updater bot 1dd9c4a16b Localisation updates from https://translatewiki.net.
Change-Id: If58e9f0fd6ec418ea75edc3e14d6ec6ef93ce23f
2018-07-05 22:44:04 +02:00
Piotr Miazga c1d281f0dc Send the Accept-Language header when calling API
Changes:
 - added acceptLanguage as a config option passed to
 both mwApi and restbaseApi, by default code will use
 the language defined in `wgContentLanguage` config
 variable. The `wgContentLanguage` is always defined
 (see ResourceLoaderStartUpModule::getConfigSettings())
 so there is no need for checking the variable existence.

The new logic was tested both on MediaWiki API and Restbase API

Bug: T198619
Change-Id: I1cb31f1999fd674a8b870b2b5effb92ed3dfaa1f
2018-07-05 11:31:55 -07:00
Stephen Niedzielski ce8a2d4c3f Update: cancel unused HTTP requests in flight
Whenever an HTTP request sequence is started, i.e. wait for the fetch
start time, issue a network request, and return the result, abort the
process if the results are known to no longer be needed. This occurs
when a user has dwelt upon one link and then abandoned it either during
the fetch start wait time or during the fetch network request itself.

This change is accomplished by preserving the pending promises in two
actions, LINK_DWELL and FETCH_START, and whenever the ABANDON_START
action is issued, it now aborts any previously pending XHR-like promise,
called an "AbortPromise" which is just a thenable with an abort() method.
There is a similar concept in Core:
ecc812f06e/resources/src/mediawiki.api/index.js.

Aborting pending requests has big implications for client and server
logging as requests are quickly canceled, especially on slower
connections. These differences can be observed on the network tab of
DevTools and the log in Redux DevTools.

Consider, for instance, the scenario of dwelling upon and quickly
abandoning a single link prior to this patch:

  BOOT EVENT_LOGGED LINK_DWELL FETCH_START ABANDON_START FETCH_END STATSV_LOGGED ABANDON_END EVENT_LOGGED FETCH_COMPLETE

And after this patch when the fetch timer is canceled (prior to an
actual network request):

  BOOT EVENT_LOGGED LINK_DWELL ABANDON_START ABANDON_END EVENT_LOGGED

In the above sequence, FETCH_* and STATSV_LOGGED actions never occur.

And after this patch when the network request itself is canceled:

  BOOT EVENT_LOGGED LINK_DWELL FETCH_START ABANDON_START FETCH_FAILED STATSV_LOGGED FETCH_COMPLETE ABANDON_END EVENT_LOGGED

FETCH_FAILED occurs intentionally, STATSV_LOGGED and FETCH_COMPLETE
still happen even though the fetch didn't complete successfully, and
FETCH_END doesn't.

Additionally, since less data is transmitted, it's possible that the
timing and success rate of logging will improve on low bandwidth
connections.

Also, this patch tries to revise the JSDocs where possible to support
type checking and fix a call to the missing assert.fail() function in
changeListener.test.js.

Bug: T197700
Change-Id: I9a73b3086fc8fb0edd897a347b5497d5362e20ef
2018-07-04 13:48:14 -05:00
Stephen Niedzielski 2a854f7649 Hygiene: forbid unused lint directives
Prevent outdated ESLint error waivers from littering the code by
enabling `--report-unused-disable-directives`.

Change-Id: I3b9c39131f030cf2c4113ecd947c3f4a8679bdfe
2018-07-02 14:59:40 -05:00
Stephen Niedzielski 89e592183f Hygiene: enable Redux DevTools for debug builds
Redux DevTools are available in all builds by passing the `?debug=true`
query string. Since globally enabling debug significantly slows load
times, also enable support when the build is non-production (debug)
which is known at transpile time. This enables a debuggable version of
Popups in an otherwise production-like MediaWiki without changing the
Popups release build product.

Also, update the readme with a couple debug tips and flip a few bullets
from hyphens to asterisks since that seems to be more prevalent.

Change-Id: I4cab0b8069b12505dbfa840939caac196bae2750
2018-07-02 14:54:36 -05:00
Stephen Niedzielski 2d150f0aad Hygiene: update mw-node-qunit dependency package
mw-node-qunit has moved to a new NPM package, @wikimedia/mw-node-qunit.
There are no functional changes with this release but dependencies
should be kept up to date.

https://github.com/wikimedia/mw-node-qunit/blob/9a368a1/CHANGELOG.md#500

Bug: T197251
Change-Id: I25bfc541551cbc29812985df7fa05dc17f0338c5
2018-06-29 17:30:03 +00:00
jdlrobson 6c17af260c Extracts can expand with narrow thumbnails
If a thumbnail is narrow, then the extract can expand to take
the available space. It does this via JavaScript taking the difference
between the normal space for a thumbnail minus the actual space needed
to display the thumbnail.

This removes unused whitespace in both the thumbnail and extract.

Bug: T192928
Change-Id: I59e87f9160e707fbce321a567c0a68e85f6d72ec
2018-06-28 16:34:41 -07:00
Jan Drewniak 4e43f0cf9e Truncate source_url to max 1000 characters
Prevents the source_url param in virtual page-views from getting
too long and causing an error because it exceeds varnish's max-url size.

Bug: T196904

Change-Id: Idf3667c4c2ad7e0436f013c70d5ff4ebea453d7a
2018-06-28 14:30:42 -07:00
jdlrobson ff5bfd1d04 Whole popup area should be clickable
Make it so the entire popup area is clickable.
Update the click handler to reflect the actual parameter
it receives (an Event not an Element) and do not pass it
in the action, given it is unused

Bug: T192773
Change-Id: If80969f4759b1675278d11caaf5cb093ce72031c
2018-06-28 20:50:16 +00:00
jenkins-bot bc34ba6742 Merge "Add SVG border using polyline element" 2018-06-28 19:22:58 +00:00
jdlrobson 21c8e6213e Add SVG border using polyline element
Since we use an SVG mask, we cannot use border-left to visually
separate the page preview thumbnail from the text. We can however
make use of a polyline and programmatically work out its start and
end.

Bug: T192928
Change-Id: I0f983a80e3210b2f7e9aa197d2a632680675973e
2018-06-28 11:23:48 -07:00
Translation updater bot a7ab517dcb Localisation updates from https://translatewiki.net.
Change-Id: I3675841b43ab850d6830f5f96a48193c741bc50b
2018-06-27 22:20:00 +02:00
Stephen Niedzielski 823b6af879 Hygiene: replace tap-dot reporter
The tap-dot executable crashes on some test failure outputs.[0] This is
confusing since a test failure in itself often requires debugging. The
issue is present from v1.0.1 to the latest, v2.0.0.

Instead of downgrading, replace tap-dot with the popular
tap-mocha-reporter. This change comes with a bonus: console.log is no
longer filtered out. The benefit cannot be overstated.

[0]: https://github.com/scottcorgan/tap-dot/issues/9

Change-Id: I4ce2d2816885b7c5214f5c1863be595be0d8b1aa
2018-06-27 09:16:07 -05:00
Stephen Niedzielski bf6ee6f24e Doc: forbid JSDoc warnings & work around tag checker
The Popups' JSDocs currently generate without any warnings. Let's keep
it that way for as long as we can by enabling pedantic mode which causes
a failing exit status when warnings are emitted. This behavior can be
verified by adding `/** @ignore foo */`.

The JSDoc tag checker should leverage the default enabled dictionaries
but that doesn't seem to be happening[0]. For the time being, allow
unknown tags so that the full range is supported, including @template,
which are very useful for type checking. Minerva already allows unknown
tags.

Lastly, change spaces to tabs since that's what this codebase uses.

[0] https://github.com/jsdoc3/jsdoc/issues/1542

Change-Id: I0aef9f7a6ca4af28d104628cda7763ec70110413
2018-06-26 10:57:40 -05:00
Jan Drewniak 3b2480d6ce Ensure popup thumbnail images are a supported format
Prevents video files and other non-image files from being rendered as
popup thumbnails. Restricts thumbnail format to either jpg, png, or gif.

Bug: T193792
Change-Id: I7a9be5d1c8396c02ebf0893c960f65644acc9d99
2018-06-21 00:55:04 +02:00
Translation updater bot e09c4faabe Localisation updates from https://translatewiki.net.
Change-Id: I4eab89d9eadcf81cb0c6aec3c2afb19253303d1a
2018-06-20 23:11:45 +02:00
Stephen Niedzielski 36741c96c8 Hygiene: don't auto-add on pre-commit
Since it can be unexpected for a pre-commit hook to make edits to the
commit, leverage the existing tests to simply verify that the proper
files have been staged. This also slightly simplifies the existing NPM
scripts and forces the dev to run the same test about to be executed in CI,
`npm test` itself, which previously had no other automation tie in.

Change-Id: I74e407ea17a6c2809a49ba56d3ef28b25d5ba5de
2018-06-20 09:40:47 -05:00
Stephen Niedzielski c2a37d75e2 Hygiene: remove doc:start script
The `doc:start` NPM script simply runs the `doc` script whenever a
change is detected. It doesn't seem especially useful for standard
development and adds an extra nodemon dependency. This patch removes the
script and nodemon.

Change-Id: Ib679f6d83bd10f0b8d1572c07080fba7f8d6a701
2018-06-20 09:36:53 -05:00
Stephen Niedzielski 95047ba360 Fix: code coverage
Replace Istanbul with nyc, Istanbul's CLI. nyc appears to have some
bugs that this patch works around:

  - When all files in the project are considered, not just those
    imported via tests, the coverage rates and line numbers vary between
    runs. This patch disables the `all` option for now and points to the
    bug:
    https://github.com/istanbuljs/nyc/issues/537#issuecomment-390814662.

  - Source map line numbers appear to be incorrect except when `all` is
    enabled and working correctly (see previous bullet).

  - `sourceMap` must be disabled to avoid ENAMETOOLONG errors when nyc
    tries to include them as encoded strings. The patch disables the
    setting and points to: https://github.com/istanbuljs/nyc/issues/847.
    Using babel-plugin-istanbul and source-map-support appears to have
    no effect (the former in tests/node-qunit/run.js and .babelrc).

  - CI fails with
    `Error: EACCES: permission denied, mkdir '/nonexistent'`. Specify
    `SPAWN_WRAP_SHIM_ROOT` instead of constructing a subdirectory from a
    nonexistent home directory.

Bug: T196952
Bug: T193519
Change-Id: Idf2e3accd4a6277cbef91c1156fcd206c9e7d882
2018-06-19 18:10:02 -05:00
Translation updater bot 3cf54a0ff6 Localisation updates from https://translatewiki.net.
Change-Id: If1d1cad8c459ee659546d250b7c15f901c53169a
2018-06-19 22:25:20 +02:00
L10n-bot 41fe4877cb Merge "Localisation updates from https://translatewiki.net." 2018-06-18 20:11:31 +00:00
jenkins-bot f8252ec071 Merge "Hygiene: replace QUnit assert.equal with strictEqual()" 2018-06-18 20:10:39 +00:00
Translation updater bot 5b3aa7af2e Localisation updates from https://translatewiki.net.
Change-Id: I748362d7eadd42e6dd5a32ea3fb52cba3df2fcc4
2018-06-18 22:09:50 +02:00
Stephen Niedzielski abc2026890 Hygiene: replace QUnit assert.equal with strictEqual()
Via jscodeshift:

  jscodeshift \
    -t jscodeshift-recipes/src/qunit-assert-equal-to-strictEqual.js \
    Popups/tests

Also, some very minor manual clean up.

https://github.com/niedzielski/jscodeshift-recipes/blob/5944e50/src/qunit-assert-equal-to-strictEqual.js

Additional change:
* Drop redundant clipPath parameter from createThumbnailElement - this
parameter does not exist in the function signature.

Change-Id: I209ecf2d54b6f5c17767aa2041d8f11cb368a9b5
2018-06-18 19:48:16 +00:00
Stephen Niedzielski fe2c3b23ee Hygiene: replace call to rm with clean-webpack-plugin
The invocation of `rm -rf resources/dist` in package.json
(`check-built-assets`) is replaced with clean-webpack-plugin.
The benefit of this change is that calling `npm run build` now works the
same as the `check-built-assets` script.

Bug: T193522
Change-Id: I64f048855ddceb7159279671b2174a7937e169ff
2018-06-18 09:09:28 -05:00
Stephen Niedzielski 3e248d75cc Hygiene: refactor common popup template code
Move the outer container common to all previews to a new template.

Bug: T191646
Change-Id: I8f3d99b25c457495ece7b66bfa6026fe827608be
2018-06-14 07:50:22 -05:00