Page MenuHomePhabricator
Create Task
Maniphest T231518

Add *.wmflabs.org to w.wiki shortener
Closed, DeclinedPublic
Actions

Description

The w.wiki shortener allows a couple of whitelisted domains. I was surprised to see that *.wmflabs.org isn't one of them. This would be very helpful given that URL's can get pretty long with some of the tools, e.g. my own VizQuery tool can produce URL's like this:

https://tools.wmflabs.org/hay/vizquery/#PREFIX%20wd%3A%20%3Chttp%3A%2F%2Fwww.wikidata.org%2Fentity%2F%3E%0APREFIX%20wdt%3A%20%3Chttp%3A%2F%2Fwww.wikidata.org%2Fprop%2Fdirect%2F%3E%0APREFIX%20wikibase%3A%20%3Chttp%3A%2F%2Fwikiba.se%2Fontology%23%3E%0APREFIX%20schema%3A%20%3Chttp%3A%2F%2Fschema.org%2F%3E%0APREFIX%20bd%3A%20%3Chttp%3A%2F%2Fwww.bigdata.com%2Frdf%23%3E%0ASELECT%20DISTINCT%20%3Fitem%20%3FitemLabel%20%3FitemDescription%20(SAMPLE(%3Fimage)%20AS%20%3Fimage)%20%3Fsitelink%20WHERE%20%7B%0A%20%20%3Fitem%20wdt%3AP136%20wd%3AQ1792321.%0A%20%20OPTIONAL%20%7B%20%3Fitem%20wdt%3AP18%20%3Fimage.%20%7D%0A%20%20OPTIONAL%20%7B%0A%20%20%20%20%3Fsitelink%20schema%3Aabout%20%3Fitem%3B%0A%20%20%20%20%20%20schema%3AisPartOf%20%3Chttps%3A%2F%2Fen.wikipedia.org%2F%3E.%0A%20%20%7D%0A%20%20SERVICE%20wikibase%3Alabel%20%7B%20bd%3AserviceParam%20wikibase%3Alanguage%20%22%5BAUTO_LANGUAGE%5D%2Cen%2Cfr%2Ces%2Cde%2Cru%2Cit%2Cnl%2Cja%2Czh%2Cpl%2Ccs%22.%20%7D%0A%7D%0AGROUP%20BY%20%3Fitem%20%3FitemLabel%20%3FitemDescription%20%3Fsitelink%0ALIMIT%2050

Related Objects

Event Timeline

Husky created this task.Aug 29 2019, 7:15 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptAug 29 2019, 7:15 AM
Husky mentioned this in T222089: Allow URL shortening for wikimediafoundation.org domain.Aug 29 2019, 7:16 AM
Husky updated the task description. (Show Details)
Bugreporter subscribed.Aug 29 2019, 9:32 AM

I oppose using w.wiki domain for shortening labs URLs. Labs does not follow WMF term of use and privacy policy, in particular you can load arbitrary 3rd party script (though this is being phased out) and redirect labs URL to arbitrary external URL.

Since there's some use case for shortening labs URLs, let's make a new domain (probably cs.w.wiki or labs.wiki) which points to an independant labs-hosted service.

Jdforrester-WMF added projects: Security-Team, Wikimedia-Site-requests.Aug 29 2019, 4:35 PM
Krenair subscribed.Aug 29 2019, 11:58 PM
Vojtech.dostal subscribed.Sep 6 2019, 3:59 PM

I would love if we could use a URL shortener for Wmflabs

Legoktm closed this task as Declined.Sep 7 2019, 12:43 AM
Legoktm subscribed.

It's all but impossible to verify *.wmflabs.org has no open redirects or security issues. Adding it to the whitelist would get rid of the privacy/security promise of w.wiki, in that the destination is trusted. We don't trust *.wmflabs.org in the same way.

Bugreporter mentioned this in T232240: New service to shorten wmflabs URLs.Sep 7 2019, 5:38 AM
sbassett subscribed.Sep 9 2019, 1:56 PM
In T231518#5471564, @Vojtech.dostal wrote:

I would love if we could use a URL shortener for Wmflabs

Looks like someone once attempted to provide a url shortening service at wmflabs.org: https://tools.wmflabs.org/durl-shortener/. Assuming that wasn't shut down for ToU or security issues, I'd think it'd be fairly trivial to set up such a service under wmflabs.org which only allowed redirects to other wmflabs.org urls. tools.wmflabs.org/tool/shortid isn't quite as nice w.wiki/shortid, but certainly better than the url mentioned within the task description.

Urbanecm subscribed.Sep 9 2019, 2:35 PM

What about https://wikitech.wikimedia.org/wiki/Nova_Resource:Redirects, @sbassett?

sbassett added a comment.Sep 9 2019, 2:40 PM

@Urbanecm That'd be functionally equivalent in some ways, though seems to have originally been for a different purpose. Also, editing Hiera configs and using the Horizon tool isn't quite as user-friendly as the UI for w.wiki (and most other url shorteners) IMO.

Urbanecm added a comment.Sep 9 2019, 2:42 PM

Yeah, but can serve as a start.

sbassett moved this task from Incoming to Our Part Is Done on the Security-Team board.Sep 10 2019, 4:58 PM
Ammarpad mentioned this in T240102: Allow URL shortener to work on tool server URLs.Dec 8 2019, 1:22 PM
Aklapper merged a task: T240102: Allow URL shortener to work on tool server URLs.Dec 8 2019, 1:44 PM
Aklapper added subscribers: Pigsonthewing, Ammarpad.
Pigsonthewing added a comment.Dec 8 2019, 3:03 PM

As I said in the recently-merged ticket:

"If the whole tools subdomain cannot be whitelisted, there should be a whitelist on a tool-by-tool basis"

Pigsonthewing reopened this task as Open.Dec 8 2019, 3:07 PM

Reopening, as this ticket did not address the whitelist I suggest in my merged ticket.

MarcoAurelio awarded a token.Dec 8 2019, 3:12 PM
Krenair added a comment.Dec 8 2019, 3:13 PM

What sort of criteria and restrictions would we have to impose on such a
whitelisted tool?

Bawolff subscribed.Dec 8 2019, 3:33 PM

Also what happens if a tool gets whitelisted and then fails to keep up high standards? Do we break all the links?

Pigsonthewing added a comment.Dec 8 2019, 3:36 PM
In T231518#5721207, @Krenair wrote:

What sort of criteria and restrictions would we have to impose on such a
whitelisted tool?

The objection, above, was "Labs does not follow WMF term of use and privacy policy"

So, presumably, the criteria would be to follow WMF term of use and privacy policy.

Krenair added a comment.Dec 8 2019, 10:33 PM

Well yes. The question is then what actual requirements and restrictions
does that create? For example, do we have to conceal UAs from the tool? Do
we need to restrict who can be a maintainer of the tool to people with NDAs?

Bugreporter added a comment.Dec 9 2019, 7:45 AM

Strong oppose for reason stated in T142068: Possible to circumvent shortening URL list by Special:Search (someone please make this task public); In particular development of Labs tools are not subject to security review of any kind.
I suggest T232240: New service to shorten wmflabs URLs instead.

Bawolff added a comment.Dec 9 2019, 7:57 AM

I guess the biggest risk here is phising potential, whether directly or via an open redirect?

I generally agree with the whole, we should just use another domain for labs shorterner argument, to be safe

Husky added a comment.Dec 9 2019, 10:18 AM

Another domain is fine for me. About the privacy/security implications: now people are using alternatives like bit.ly and tinyurl.com over which we have zero control in terms of privacy implications. So i guess anything we can create/control ourselves would be better.

Ladsgroup subscribed.Dec 9 2019, 10:24 AM

I can create a project in cloud vps and install url shortener there. Is there anyone who wants to help maintaining it for the future?

Urbanecm added a comment.Dec 9 2019, 10:40 AM
In T231518#5722865, @Ladsgroup wrote:

I can create a project in cloud vps and install url shortener there. Is there anyone who wants to help maintaining it for the future?

Count me in.

Bugreporter added a comment.EditedDec 9 2019, 9:13 PM

Note we don't need MediaWiki backend in a new system.

Also a new service may be helpful for shortening longer query URL (T220703: Increase the max length of URL to be shortened) in production domain.

taavi subscribed.Dec 10 2019, 4:13 PM
In T231518#5722865, @Ladsgroup wrote:

I can create a project in cloud vps and install url shortener there. Is there anyone who wants to help maintaining it for the future?

Sure, I'll help too.

Legoktm closed this task as Declined.Dec 10 2019, 8:28 PM
In T231518#5721190, @Pigsonthewing wrote:

As I said in the recently-merged ticket:

"If the whole tools subdomain cannot be whitelisted, there should be a whitelist on a tool-by-tool basis"

All code on the currently whitelisted domains goes through some form of code review or security review whether by us or a trusted upstream like Debian (if you find a domain where that isn't the case, it should be removed from the whitelist). There is currently no mechanism available in Toolforge to facilitate that. I suggest the best way forward is for you to explain which tool has too long URLs, and work with the maintainer to figure out how to shorten them. Or alternatively, move it into MediaWiki in some way.

If someone wants to set up a separate URL shortener, see T232240. w.wiki won't be whitelisting those domains at this time.

Reedy mentioned this in T249416: Allow URL shortening for qrpedia.org domain.Apr 4 2020, 2:06 PM
MZMcBride subscribed.Jun 4 2020, 9:35 AM
EdErhart-WMF subscribed.Dec 9 2020, 4:53 PM
IN mentioned this in T276915: IABot allows random "returnto" parameter values.Mar 9 2021, 11:26 PM
Nirmos mentioned this in T258895: Wikimedia Commons Query Service should use Wikimedia url shortener instead of tinyurl.Mar 18 2021, 6:20 PM
Zblace subscribed.Jun 8 2021, 10:57 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL