Page MenuHomePhabricator
Files F4685463

0001-SECURITY-API-Don-t-log-sensitive-parameters.patch
Anomie
Actions

Authored By
Anomie
Nov 1 2016, 6:13 PM
Size
6 KB
Referenced Files
None
Subscribers
None

0001-SECURITY-API-Don-t-log-sensitive-parameters.patch
View Options

From 961abb35b7996b08449b049175b9f77e4d7d3fa1 Mon Sep 17 00:00:00 2001
From: Brad Jorsch <bjorsch@wikimedia.org>
Date: Thu, 18 Aug 2016 13:37:05 -0400
Subject: [PATCH] SECURITY: API: Don't log "sensitive" parameters
Stuff like passwords and CSRF tokens shouldn't be in the logs.
The fact of being sensitive is intentionally separated from the need to
be in the POST body because, for example, the wltoken parameter to
ApiQueryWatchlist needs to be in the query string to serve its purpose
but still shouldn't be logged.
Bug: T125177
Change-Id: I1d61f4dcf792d77401ee2e2988b1afcb2a2ad58f
---
RELEASE-NOTES-1.29 | 2 ++
includes/api/ApiAuthManagerHelper.php | 1 +
includes/api/ApiBase.php | 12 ++++++++++++
includes/api/ApiCheckToken.php | 1 +
includes/api/ApiLogin.php | 1 +
includes/api/ApiMain.php | 25 ++++++++++++++++++++++++-
includes/api/ApiQueryWatchlist.php | 3 ++-
includes/api/ApiQueryWatchlistRaw.php | 3 ++-
8 files changed, 45 insertions(+), 3 deletions(-)
diff --git a/RELEASE-NOTES-1.29 b/RELEASE-NOTES-1.29
index 5a38cf9..e526af5 100644
--- a/RELEASE-NOTES-1.29
+++ b/RELEASE-NOTES-1.29
@@ -26,6 +26,8 @@ production.
body instead.
=== Action API internal changes in 1.29 ===
+* API parameters may now be marked as "sensitive" to keep their values out of
+ the logs.
=== Languages updated in 1.29 ===
diff --git a/includes/api/ApiAuthManagerHelper.php b/includes/api/ApiAuthManagerHelper.php
index 6fafebf..5527437 100644
--- a/includes/api/ApiAuthManagerHelper.php
+++ b/includes/api/ApiAuthManagerHelper.php
@@ -173,6 +173,7 @@ class ApiAuthManagerHelper {
$this->module->getMain()->markParamsUsed( array_keys( $data ) );
if ( $sensitive ) {
+ $this->module->getMain()->markParamsSensitive( array_keys( $sensitive ) );
$this->module->requirePostedParameters( array_keys( $sensitive ), 'noprefix' );
}
diff --git a/includes/api/ApiBase.php b/includes/api/ApiBase.php
index 506ff73..d3f52ab 100644
--- a/includes/api/ApiBase.php
+++ b/includes/api/ApiBase.php
@@ -171,6 +171,13 @@ abstract class ApiBase extends ContextSource {
*/
const PARAM_SUBMODULE_PARAM_PREFIX = 16;
+ /**
+ * (boolean) Is the parameter sensitive? Note 'password'-type fields are
+ * always sensitive regardless of the value of this field.
+ * @since 1.29
+ */
+ const PARAM_SENSITIVE = 17;
+
/**@}*/
/** Fast query, standard limit. */
@@ -948,6 +955,10 @@ abstract class ApiBase extends ContextSource {
$type = 'NULL'; // allow everything
}
}
+
+ if ( $type == 'password' || !empty( $paramSettings[self::PARAM_SENSITIVE] ) ) {
+ $this->getMain()->markParamsSensitive( $encParamName );
+ }
}
if ( $type == 'boolean' ) {
@@ -2366,6 +2377,7 @@ abstract class ApiBase extends ContextSource {
$params['token'] = [
ApiBase::PARAM_TYPE => 'string',
ApiBase::PARAM_REQUIRED => true,
+ ApiBase::PARAM_SENSITIVE => true,
ApiBase::PARAM_HELP_MSG => [
'api-help-param-token',
$this->needsToken(),
diff --git a/includes/api/ApiCheckToken.php b/includes/api/ApiCheckToken.php
index 3d2159c..2736ff4 100644
--- a/includes/api/ApiCheckToken.php
+++ b/includes/api/ApiCheckToken.php
@@ -66,6 +66,7 @@ class ApiCheckToken extends ApiBase {
'token' => [
ApiBase::PARAM_TYPE => 'string',
ApiBase::PARAM_REQUIRED => true,
+ ApiBase::PARAM_SENSITIVE => true,
],
'maxtokenage' => [
ApiBase::PARAM_TYPE => 'integer',
diff --git a/includes/api/ApiLogin.php b/includes/api/ApiLogin.php
index 6ac261d..c4060c5 100644
--- a/includes/api/ApiLogin.php
+++ b/includes/api/ApiLogin.php
@@ -256,6 +256,7 @@ class ApiLogin extends ApiBase {
'token' => [
ApiBase::PARAM_TYPE => 'string',
ApiBase::PARAM_REQUIRED => false, // for BC
+ ApiBase::PARAM_SENSITIVE => true,
ApiBase::PARAM_HELP_MSG => [ 'api-help-param-token', 'login' ],
],
];
diff --git a/includes/api/ApiMain.php b/includes/api/ApiMain.php
index 8deee5c..4de86c8 100644
--- a/includes/api/ApiMain.php
+++ b/includes/api/ApiMain.php
@@ -152,6 +152,7 @@ class ApiMain extends ApiBase {
private $mCacheMode = 'private';
private $mCacheControl = [];
private $mParamsUsed = [];
+ private $mParamsSensitive = [];
/** @var bool|null Cached return value from self::lacksSameOriginSecurity() */
private $lacksSameOriginSecurity = null;
@@ -1491,13 +1492,17 @@ class ApiMain extends ApiBase {
" {$logCtx['ip']} " .
"T={$logCtx['timeSpentBackend']}ms";
+ $sensitive = array_flip( $this->getSensitiveParams() );
foreach ( $this->getParamsUsed() as $name ) {
$value = $request->getVal( $name );
if ( $value === null ) {
continue;
}
- if ( strlen( $value ) > 256 ) {
+ if ( isset( $sensitive[$name] ) ) {
+ $value = '[redacted]';
+ $encValue = '[redacted]';
+ } elseif ( strlen( $value ) > 256 ) {
$value = substr( $value, 0, 256 );
$encValue = $this->encodeRequestLogValue( $value ) . '[...]';
} else {
@@ -1548,6 +1553,24 @@ class ApiMain extends ApiBase {
}
/**
+ * Get the request parameters that should be considered sensitive
+ * @since 1.29
+ * @return array
+ */
+ protected function getSensitiveParams() {
+ return array_keys( $this->mParamsSensitive );
+ }
+
+ /**
+ * Mark parameters as sensitive
+ * @since 1.29
+ * @param string|string[] $params
+ */
+ public function markParamsSensitive( $params ) {
+ $this->mParamsSensitive += array_fill_keys( (array)$params, true );
+ }
+
+ /**
* Get a request value, and register the fact that it was used, for logging.
* @param string $name
* @param mixed $default
diff --git a/includes/api/ApiQueryWatchlist.php b/includes/api/ApiQueryWatchlist.php
index c30f0cf..c6b3f04 100644
--- a/includes/api/ApiQueryWatchlist.php
+++ b/includes/api/ApiQueryWatchlist.php
@@ -477,7 +477,8 @@ class ApiQueryWatchlist extends ApiQueryGeneratorBase {
ApiBase::PARAM_TYPE => 'user'
],
'token' => [
- ApiBase::PARAM_TYPE => 'string'
+ ApiBase::PARAM_TYPE => 'string',
+ ApiBase::PARAM_SENSITIVE => true,
],
'continue' => [
ApiBase::PARAM_HELP_MSG => 'api-help-param-continue',
diff --git a/includes/api/ApiQueryWatchlistRaw.php b/includes/api/ApiQueryWatchlistRaw.php
index 806861e..50417ea 100644
--- a/includes/api/ApiQueryWatchlistRaw.php
+++ b/includes/api/ApiQueryWatchlistRaw.php
@@ -170,7 +170,8 @@ class ApiQueryWatchlistRaw extends ApiQueryGeneratorBase {
ApiBase::PARAM_TYPE => 'user'
],
'token' => [
- ApiBase::PARAM_TYPE => 'string'
+ ApiBase::PARAM_TYPE => 'string',
+ ApiBase::PARAM_SENSITIVE => true,
],
'dir' => [
ApiBase::PARAM_DFLT => 'ascending',
--
2.10.2

File Metadata

Mime Type
text/x-diff
Storage Engine
blob
Storage Format
Raw Data
Storage Handle
4110287
Default Alt Text
0001-SECURITY-API-Don-t-log-sensitive-parameters.patch (6 KB)

Event Timeline

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL