Page MenuHomePhabricator
Create Task
Maniphest T128525

Strip old metadata from old Parsoid content <head>: mw:TimeUuid, user, comment
Open, MediumPublic
Actions

Description

As discussed in T125266 and implemented in https://gerrit.wikimedia.org/r/#/c/271930/2/lib/wt2html/DOMPostProcessor.js, Parsoid recently removed user information from their <head>. For old content (spec version 1.1.0), we should strip this information before returning it to the client to avoid exposing possibly-sensitive user information.

Additionally, we used to inject a mw:TimeUuid meta tag as a fall-back solution for clients not supplying If-Match headers to the html2wt end point. We should verify that all major clients like VE have moved to the If-Match header, and strip it from old content as well.

Related Objects
Search...

Event Timeline

GWicke created this task.Mar 1 2016, 10:40 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMar 1 2016, 10:40 PM
GWicke added a subscriber: Pchelolo.Mar 2 2016, 5:29 AM

Related PR by @Pchelolo to document If-Match & log remaining mw:TimeUuid users: https://github.com/wikimedia/restbase/pull/529

Pchelolo added a comment.Mar 2 2016, 5:45 PM

After the last deployment we're logging the clients who don't supply the If-Match header, but do supply the mw:TimeUuid meta property. There's around 5 requests like that per hour. Here's a sample log entry:

{
  "_index": "logstash-2016.03.02",
  "_type": "restbase",
  "_id": "AVM4Ry_qO3D718AOW20G",
  "_score": null,
  "_source": {
    "host": "restbase1008",
    "level": "WARNING",
    "version": "1.0",
    "@version": "1",
    "@timestamp": "2016-03-02T17:01:41.790Z",
    "source_host": "10.64.32.178",
    "pid": 289,
    "levelPath": "warn/parsoid/etag",
    "root_req.method": "post",
    "root_req.uri": "/en.wikipedia.org/v1/transform/html/to/wikitext/Luke_Skywalker/707928665",
    "root_req.headers.content-length": "377642",
    "root_req.headers.content-type": "application/x-www-form-urlencoded",
    "root_req.headers.user-agent": "wikimedia/multi-http-client v1.0",
    "root_req.headers.x-client-ip": "::ffff:10.64.48.34",
    "root_req.headers.x-request-id": "6fa06749-e098-11e5-9d0c-d4de92971dc1",
    "request_id": "6fa06749-e098-11e5-9d0c-d4de92971dc1",
    "type": "restbase",
    "tags": [
      "es",
      "gelf",
      "normalized_message_untrimmed"
    ],
    "message": "Client did not supply etag, fallback to mw:TimeUuid meta element",
    "normalized_message": "Client did not supply etag, fallback to mw:TimeUuid meta element",
    "gelf_level": "4"
  },
  "sort": [
    1456938101790
  ]
}

This particular log entry suggests that this edit was done by a bot, but more investigation is needed.

Mattflaschen-WMF unsubscribed.EditedMar 12 2016, 1:36 AM

Flow doesn't use RESTBase, and I don't think the Parsoid change is applicable to the endpoint we use (we don't use the same kind of revisions as MW).

GWicke edited projects, added Services (next); removed Services.Oct 12 2016, 3:58 PM
Pchelolo removed a parent task: T120409: RESTBase should honor wiki-wide deletion/suppression of users.Oct 2 2018, 8:17 PM
Restricted Application added a project: Analytics. · View Herald TranscriptOct 2 2018, 8:17 PM
Pchelolo added a comment.EditedOct 2 2018, 8:23 PM

There's been 700 cases when the If-Match was not supplied over the last month and only 2 user agents:

  1. https://en.wikipedia.org/wiki/User:Jackmcbarn/editProtectedHelper - a user script. I will reach out to the maintainer
  2. And, surprisingly, still VE https://logstash.wikimedia.org/goto/4b751b3fbf5de1044bd4255c693fc724
Pchelolo edited projects, added good first task; removed Services-next, RESTBase-release-1.0.Oct 2 2018, 8:41 PM

Tagging as a good onboarding bug as once the subtask is resolved, it will be easy to fix in code and it provides a great glimpse into what a render is, how Parsoid, RESTBase and VE interacts and what constraints we need to maintain in order to make the 3 works together correctly.

Ottomata removed projects: Analytics, Event-Platform.Oct 4 2018, 5:18 PM
Clarakosi added a project: User-Clarakosi.Nov 8 2018, 6:18 PM
mobrovac added a project: Platform Team Legacy (Later).Dec 20 2018, 12:17 PM
mobrovac added a subtask: T233320: VisualEditor <-> RESTBase communication and ETags.Sep 19 2019, 3:06 PM
matmarex mentioned this in T233320: VisualEditor <-> RESTBase communication and ETags.Nov 5 2019, 10:59 PM
matmarex closed subtask T233320: VisualEditor <-> RESTBase communication and ETags as Resolved.Jan 7 2020, 9:28 PM
daniel subscribed.Jun 17 2022, 1:48 PM
In T128525#4635865, @Pchelolo wrote:

There's been 700 cases when the If-Match was not supplied over the last month and only 2 user agents:

  1. https://en.wikipedia.org/wiki/User:Jackmcbarn/editProtectedHelper - a user script. I will reach out to the maintainer
  2. And, surprisingly, still VE https://logstash.wikimedia.org/goto/4b751b3fbf5de1044bd4255c693fc724

We are currently exposing "weak" etags (apparently because Varnish makes them weak). Per the HTTP spec, weak ETags never match an If-Match header. RESTbase ignores this and allows them to work, but MediaWiki's REST framework is more strict, causing all If-Match conditionals to fail with weak etags (T238849). This lead to If-Match handing to be disabled entirely for the endpoint in the parsoid extension, which breaks things the other way around. See T310710 for further discussion.

If we do not find a reliable way to get strong etags through varnish, we should probably go back to supplying them as part of the payload, be it embedded in HTML or in a JSON field.

Eevans unsubscribed.Jun 17 2022, 2:03 PM
sbassett mentioned this in T337274: ReDoS vulnerability in parsoid.js.May 23 2023, 2:29 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL