centralauthtoken, although is only alive for a short time, is an auth token, and its probably best not to log auth tokens (imo). similar to how passwords are treated.
Description
Description
Details
Details
Event Timeline
Comment Actions
For the logs generated by the API itself (e.g. api.log on mwlog1001) you'd want to change this code to set PARAM_SENSITIVE (added in MW 1.29), like
$params['centralauthtoken'] = [ ApiBase::PARAM_TYPE => 'string', ApiBase::PARAM_SENSITIVE => true, ];
I have no idea about hadoop or other logging external to MediaWiki.
Comment Actions
Currently, apiaction is generated by Mediawiki directly via monolog and the Kafka/Avro producer. I don't know much about how this works, but to stop logging it it needs to be removed from logging in MW.
Comment Actions
Ah, that must be the code at https://gerrit.wikimedia.org/r/plugins/gitiles/mediawiki/core/+/b86593a2da96539ca60ac7011eda0faf4e9e00d9/includes/api/ApiMain.php#1655. In that case adding PARAM_SENSITIVE will take care of that too.
Comment Actions
@Ladsgroup - this looks fine to me. Were you pinging @Bawolff and @Reedy to deploy this during the security window (2200 UTC Mondays) or did you want to deploy? I'd guess either would most likely be fine.
Comment Actions
Hey, either is fine for me. I can try it SWAT today (with all of the needed measures for security patches)
Comment Actions
It's depoyed and the patch also got merged in gerrit as well. I wait until I can make sure it's actually redacted before closing this.
Comment Actions
It seems it doesn't fix it. select * from wmf_raw.apiaction where year = 2018 and month = 12 and day = 19 and params['centralauthtoken'] is not null and hour is not NULL order by hour desc limit 50; still gives out centralauthtoken.
Comment Actions
Ah, I see why. We'd also need to remove the && $flags from CentralAuthTokenSessionProvider.php line 200.
Comment Actions
Now we have a weird situation. The main patch is in gerrit but it's not public that it's not working. Is it okay if I make a security patch and deploy it today?
Comment Actions
Code-Review+1 That looks like it should do it. Virtual +2 for you to do the security patch as mentioned in T207814#4835169 and approved in T207814#4838417.
Comment Actions
This query used to give out the actual tokens but now returns this:
select params['centralauthtoken'], hour, ts from wmf_raw.apiaction where year = 2019 and month = 1 and day = 23 and params['centralauthtoken'] is not null and hour is not NULL order by ts desc limit 50; .... _c0 hour ts [redacted] 10 1548241199 [redacted] 10 1548241197 [redacted] 10 1548241195 [redacted] 10 1548241194 [redacted] 10 1548241194 [redacted] 10 1548241189 [redacted] 10 1548241185 [redacted] 10 1548241182 [redacted] 10 1548241182 [redacted] 10 1548241180 [redacted] 10 1548241180 [redacted] 10 1548241180 [redacted] 10 1548241180 [redacted] 10 1548241180 [redacted] 10 1548241178 [redacted] 10 1548241177 [redacted] 10 1548241176 [redacted] 10 1548241174 [redacted] 10 1548241173 [redacted] 10 1548241172 [redacted] 10 1548241172 [redacted] 10 1548241172 [redacted] 10 1548241160 [redacted] 10 1548241158 [redacted] 10 1548241158 [redacted] 10 1548241158 [redacted] 10 1548241157 [redacted] 10 1548241155 [redacted] 10 1548241150 [redacted] 10 1548241149 [redacted] 10 1548241146 [redacted] 10 1548241146 [redacted] 10 1548241146 [redacted] 10 1548241146 [redacted] 10 1548241145 [redacted] 10 1548241145 [redacted] 10 1548241144 [redacted] 10 1548241143 [redacted] 10 1548241119 [redacted] 10 1548241119 [redacted] 10 1548241119 [redacted] 10 1548241119 [redacted] 10 1548241117 [redacted] 10 1548241117 [redacted] 10 1548241112 [redacted] 10 1548241109 [redacted] 10 1548241104 [redacted] 10 1548241104 [redacted] 10 1548241104 [redacted] 10 1548241104 50 rows selected (46.093 seconds)
Comment Actions
Change 486063 merged by jenkins-bot:
[mediawiki/extensions/CentralAuth@master] Security: Remove $flags in conditions when adding centralauthtoken param