Page MenuHomePhabricator
Create Task
Maniphest T242821

Separate access to tools and test features from ability to view private filters
Open, LowestPublicSecurity
Actions

Description

As a user who does not have access to view private filters on some wikis,
It should be possible for users who cannot view private filters to be able to use the /test and /tools abuse filter features

Currently, AbuseFilter::canViewPrivate is used to restrict access to the tools and test utilities.
As noted in {T230320}, "private" is the highest (and only) possible restriction on viewing abuse filters.
In a vein similar to T230103: Systematize wgRestrictionLevels, the ability to use /test and /tools should not be restricted based on other rights.

Proposal: Create a new right (or two?) abusefilter-test, to be able to use the /test and /tools utilities.
Just as abusefilter-modify implies abusefilter-view-private, both should imply abusefilter-test for backwards compatibility (at least for now)

Filed as a security task in case there are security issues pertinent to expanding access, given that the views are restricted in the first place

Details

Author Affiliation
Wikimedia Communities
SubjectRepoBranchLines +/-
Create a new method for authorizing access to test toolsmediawiki/extensions/AbuseFiltermaster+34 -9
Customize query in gerrit

Related Objects

Event Timeline

DannyS712 created this task.Jan 15 2020, 3:25 AM
Restricted Application added a project: User-DannyS712. · View Herald TranscriptJan 15 2020, 3:25 AM
Restricted Application added a subscriber: Aklapper. · View Herald Transcript
DannyS712 moved this task from Unsorted to Abuse Filter on the User-DannyS712 board.Jan 15 2020, 3:26 AM
DannyS712 added projects: AbuseFilter, MediaWiki-User-management.
DannyS712 changed Author Affiliation from N/A to Wikimedia Communities.
DannyS712 added subscribers: Daimona, Huji, Urbanecm.
Urbanecm added a comment.Jan 15 2020, 9:37 AM

Why is this security?

DannyS712 added a comment.Jan 15 2020, 10:04 AM
In T242821#5804476, @Urbanecm wrote:

Why is this security?

"Filed as a security task in case there are security issues pertinent to expanding access, given that the views are restricted in the first place" - I don't have access to security tasks, so I don't know the full history / can't tell if there is some other issue that may be relevant. Filed as security to err on the side of caution.

Urbanecm added a subscriber: sbassett.Jan 15 2020, 11:23 AM

Thanks, missed that. @Daimona and @sbassett , what do you think?

Daimona added a comment.Jan 15 2020, 11:42 AM

I think it's good to have this task protected as sectask as a precaution. However, I don't really think it should stay protected. I believe there's nothing exploitable in the various test features, as they don't give any access to private filters, in any way. Either way, it'd be good to have Scott or someone else on the Sec Team speak their mind.

As for the subject of the task, I'm fine with that, we can introduce a new right (as long as the change is back-compat for WMF wikis).

Dsharpe moved this task from Incoming to Watching on the Security-Team board.Jan 22 2020, 5:22 PM
chasemp added a project: Security.Feb 10 2020, 10:50 PM
chasemp removed a project: acl*security.Feb 20 2020, 8:05 PM
Daimona added a project: User-Daimona.Aug 30 2020, 5:25 PM
Daimona moved this task from Backlog to Ideas for overhaul on the User-Daimona board.
Daimona added a subscriber: matej_suchanek.Sep 16 2020, 1:27 PM
Daimona triaged this task as Lowest priority.Sep 16 2020, 1:32 PM
Daimona edited projects, added AbuseFilter (Overhaul-2020); removed User-Daimona, AbuseFilter.
Daimona moved this task from Backlog to Discussion on the AbuseFilter (Overhaul-2020) board.
DannyS712 added subscribers: GeneralNotability, suffusion_of_yellow.Dec 30 2020, 6:00 AM

Just want to note that the restrictions on access to /test separate from the ability to view private filters came up in a discussion at https://en.wikipedia.org/w/index.php?title=Wikipedia_talk:Edit_filter_helper#Nomination_requirement? - allowing a separate right would make it easier to expand access to the testing interface without the potential consequences of expanding access to viewing private filters.

In T242821#5804775, @Daimona wrote:

I think it's good to have this task protected as sectask as a precaution. However, I don't really think it should stay protected. I believe there's nothing exploitable in the various test features, as they don't give any access to private filters, in any way. Either way, it'd be good to have Scott or someone else on the Sec Team speak their mind.

{{ping}} any objections to making this public @sbassett?

sbassett added a comment.Jan 5 2021, 8:07 PM
In T242821#6714343, @DannyS712 wrote:

{{ping}} any objections to making this public @sbassett?

None from me. I agree with @Daimona that the task and the proposed solution do not expose anything particularly security-sensitive and/or not already-known by interested parties. I'll make this task public now.

sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".Jan 5 2021, 8:07 PM
RhinosF1 subscribed.Jan 5 2021, 8:34 PM
Perryprog subscribed.Jan 6 2021, 3:04 AM
taavi subscribed.Jan 6 2021, 7:00 AM
Crow subscribed.Jan 6 2021, 11:01 PM

The only concern that came up on the enwp discussion was to ensure that someone could not overload the tool with either rate or size of test cases, with a corresponding effect on the wiki itself since the tool does run the regex against the live database. So some sort of rate limit or query condition limit may be desirable.

JJMC89 moved this task from Backlog to User rights on the MediaWiki-User-management board.Jan 7 2021, 8:39 PM
JJMC89 subscribed.

Please reset the edit policy.

JJMC89 unsubscribed.Jan 7 2021, 8:40 PM
Legoktm changed the edit policy from "Custom Policy" to "All Users".Jan 8 2021, 1:14 AM
suffusion_of_yellow added a comment.Jan 11 2021, 1:57 AM

Instead of a rate limit, what if unprivileged uses of /test were limited to at most N cores and M bytes of memory? Then the only "service" anyone could "deny" is /test itself, which doesn't seem like a worthwhile target. Something similar is done with regex and Special:Search, if I recall.

Daimona moved this task from Discussion to In progress on the AbuseFilter (Overhaul-2020) board.Feb 5 2021, 3:20 PM
gerritbot added a comment.Feb 19 2021, 6:36 PM

Change 665374 had a related patch set uploaded (by Matěj Suchánek; owner: Matěj Suchánek):
[mediawiki/extensions/AbuseFilter@master] Use a new method for using

https://gerrit.wikimedia.org/r/665374

gerritbot added a project: Patch-For-Review.Feb 19 2021, 6:36 PM
suffusion_of_yellow added a comment.Feb 19 2021, 6:48 PM

As a reminder, Special:AbuseFilter/test still allows you to view private filters with a URL like https://en.wikipedia.org/wiki/Special:AbuseFilter/test/2.

sbassett added a comment.Feb 19 2021, 7:18 PM
In T242821#6844239, @suffusion_of_yellow wrote:

As a reminder, Special:AbuseFilter/test still allows you to view private filters with a URL like https://en.wikipedia.org/wiki/Special:AbuseFilter/test/2.

But only if you have abusefilter-modify or abusefilter-view-private.

suffusion_of_yellow added a comment.EditedFeb 19 2021, 7:23 PM

@sbassett: I thought the idea was to have canTestTools(), in the future, also allow users some new right (abusefilter-test, etc.). If that's done, then users with that new right will also be able to view private filters, with an URL like the one above.

Not saying anything is broken now, or even with this patch.

sbassett added a comment.Feb 19 2021, 7:28 PM
In T242821#6844336, @suffusion_of_yellow wrote:

Not saying anything is broken now, or even with this patch.

Right, I just wanted to avoid any confusion if someone thought /test wasn't currently locked down via af user rights.

gerritbot added a comment.Feb 22 2021, 6:00 PM

Change 665374 merged by jenkins-bot:
[mediawiki/extensions/AbuseFilter@master] Create a new method for authorizing access to test tools

https://gerrit.wikimedia.org/r/665374

ReleaseTaggerBot added a project: MW-1.36-notes (1.36.0-wmf.32; 2021-02-23).Feb 22 2021, 6:00 PM
Maintenance_bot removed a project: Patch-For-Review.Feb 22 2021, 6:10 PM
Dsharpe edited projects, added SecTeam-Processed; removed Security-Team.Aug 4 2021, 7:23 PM
Dsharpe subscribed.

Untagged team task in cleanup meeting in https://office.wikimedia.org/wiki/Wikimedia_Security_Team/Phabricator_Workboard_Maintenance

Zabe subscribed.Oct 6 2021, 10:49 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL