Page MenuHomePhabricator
Create Task
Maniphest T290313

Batch purge pages with a high limit like >= 11, can be slow and might timeout (The number of batch purge pages should be reduced to 10)
Closed, DeclinedPublicSecurity
Actions

Description

List of steps to reproduce (step by step, including full links if applicable):
Sends a post request to the server:

https://en.wikibooks[.]org/w/api.php?action=purge&format=json&forcelinkupdate=1&forcerecursivelinkupdate=1&titles=History%20of%20wireless%20telegraphy%20and%20broadcasting%20in%20Australia%2FTopical%2FStations%2F2KY%20Sydney%2FNotes%7CMirad%20Grammar%2FEnglish-Mirad%20Dictionary%20A-M%7CMirad%20Grammar%2FMirad-English%20Dictionary%20N-Z%7CMirad-English%20Lexicon%20N-Z%7CMirad%20Grammar%2FMirad-English%20Dictionary%20A-M%7CDatabase%20Design%2FOrders%20and%20Data%7CEnglish-Mirad%20Lexicon%20N-Z%7CMirad%20Grammar%2FEnglish-Mirad%20Dictionary%20N-Z%7CChinese%20(Classical%20Mandarin)%2FGlossary%7CHistory%20of%20wireless%20telegraphy%20and%20broadcasting%20in%20Australia%2FTopical%2FBiographies%2FWilliam%20Tamillas%20Stephen%20Crawford%2FNotes%7CHistory%20of%20wireless%20telegraphy%20and%20broadcasting%20in%20Australia%2FTopical%2FBiographies%2FWilliam%20Philip%20Bechervaise%2FNotes%2F1880s%7CSalute%2C%20Jonathan!%2FSingle%20page

What happens?:

Error loading API response: time out

What should have happened instead?:

There are no error.

Software version (if not a Wikimedia wiki), browser information, screenshots, other information, etc:

Screenshot_2021-09-14-14-59-38-57.jpg (277×1 px, 62 KB)

Details

Risk Rating
Low
Author Affiliation
Wikimedia Communities

Event Timeline

IN created this task.Sep 3 2021, 10:18 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptSep 3 2021, 10:18 AM
IN renamed this task from Sending specific content in the API sandbox results is time out to Sending specific content in the API sandbox causes the API response to time out.Sep 3 2021, 10:19 AM
IN updated the task description. (Show Details)
IN moved this task from 尚未分类 Not yet classified to 漏洞 Glitch on the User-IN board.
IN added a project: API Platform.Sep 3 2021, 10:21 AM
Aklapper closed this task as Invalid.Sep 3 2021, 5:42 PM

If this is about https://en.wikipedia.org/wiki/Special:ApiSandbox (please always include URLs), then I cannot reproduce:

Screenshot from 2021-09-03 19-39-17.png (363×1 px, 38 KB)

Please read and follow https://www.mediawiki.org/wiki/How_to_report_a_bug strictly and always. Or ask in support forums first instead. Thanks.

Aklapper removed a project: API Platform.Sep 3 2021, 5:42 PM

(Unrelated to API Platform, see its project description.)

IN updated the task description. (Show Details)Sep 14 2021, 6:47 AM
IN reopened this task as Open.EditedSep 14 2021, 6:49 AM

@Aklapper I have provided the link (api.php and the previous content is fixed). It only needs to put the request in the English Wikipedia to execute, and this link will must be cause a timeout.

IN updated the task description. (Show Details)Sep 14 2021, 6:50 AM
IN updated the task description. (Show Details)Sep 14 2021, 6:57 AM
IN updated the task description. (Show Details)
IN updated the task description. (Show Details)
IN updated the task description. (Show Details)Sep 14 2021, 7:00 AM
Aklapper changed the task status from Open to Stalled.Sep 14 2021, 8:03 AM

Send API request in enwiki:

How exactly? Where exactly? What to do with that long string you posted and where?
Please do always read https://www.mediawiki.org/wiki/How_to_report_a_bug and leave no room for interpretation when creating tickets. Thanks.

IN updated the task description. (Show Details)Sep 17 2021, 4:28 AM
IN updated the task description. (Show Details)Sep 17 2021, 5:15 AM
IN changed the task status from Stalled to In Progress.Sep 17 2021, 5:34 AM
IN updated the task description. (Show Details)

Page to use for purge are some of the longest in Wikipedia, when the server processes such huge pages in batches, it timeout.

Aklapper added a comment.Sep 17 2021, 6:05 AM

@IN: Do you work on fixing this task? If not, then why did you set "In Progress" status?

IN changed the task status from In Progress to Open.Sep 17 2021, 6:08 AM
In T290313#7360952, @Aklapper wrote:

@IN: Do you work on fixing this task? If not, then why did you set "In Progress" status?

Well, since there's nothing else to ask, so let's keep this mission open.

IN added a project: MediaWiki-Action-API.Sep 17 2021, 6:09 AM
Aklapper changed the task status from Open to Stalled.Sep 17 2021, 3:09 PM
Aklapper triaged this task as Lowest priority.

Does the same problem happen with a way shorter list of pages (for example, 2 pages)?

Aklapper closed this task as Declined.Oct 10 2021, 9:01 PM

Unfortunately closing this Phabricator task as no further information has been provided. After you have provided the information asked for, please set the status of this task back to "Open" via the Add Action...Change Status dropdown. Thanks.

IN reopened this task as Open.Jan 20 2022, 11:49 AM
In T290313#7362184, @Aklapper wrote:

Does the same problem happen with a way shorter list of pages (for example, 2 pages)?

17 pages is the minimum number of pages that can guarantee this vulnerability, and fewer pages not cause this error. This seems to be because the total size of the page to be purged is so large that the server cannot safely dispose of it within the time allowed.

Aklapper renamed this task from Sending specific content in the API sandbox causes the API response to time out to API response times out when sending purge request to >16 pages in API sandbox.Jan 20 2022, 12:06 PM

I'm proposing to decline this ticket - software and performance have limits.

IN renamed this task from API response times out when sending purge request to >16 pages in API sandbox to API response times out when sending purge request to >11 pages in API sandbox.Jan 20 2022, 12:13 PM
IN updated the task description. (Show Details)

I just tried again and this time I only used 12 pages and timed out the server.

IN raised the priority of this task from Lowest to Needs Triage.May 29 2022, 7:29 AM
IN set Security to Software security bug.
IN added projects: Security, Security-Team.
IN changed the visibility from "Public (No Login Required)" to "Custom Policy".
IN changed the subtype of this task from "Bug Report" to "Security Issue".

I thought the vulnerability would be exploited and cause DoS to appear, so I upgraded it to a security issue.

IN renamed this task from API response times out when sending purge request to >11 pages in API sandbox to Batch purge pages with a high limit like >= 11, can be slow and might timeout.May 29 2022, 7:30 AM
IN added a project: Vuln-DoS.
Mstyles changed Risk Rating from N/A to Low.Jun 13 2022, 3:57 PM
Mstyles subscribed.Jun 13 2022, 3:59 PM

The security team has reviewed this and since the page returns an error but doesn't crash or stop working, we can consider this pretty low risk. If you have a patch or suggested workaround we can discuss further, but if not this ticket should be closed.

sbassett moved this task from Incoming to In Progress on the Security-Team board.Jun 13 2022, 4:19 PM
sbassett added a project: SecTeam-Processed.
IN added a comment.Jun 15 2022, 10:56 AM
In T290313#7999303, @Mstyles wrote:

If you have a patch or suggested workaround we can discuss further, but if not this ticket should be closed.

My solution is, the maximum number of batch purge pages should be set to 10 instead of the current default.

IN renamed this task from Batch purge pages with a high limit like >= 11, can be slow and might timeout to Batch purge pages with a high limit like >= 11, can be slow and might timeout (The number of batch purge pages should be reduced to 10).Jun 15 2022, 11:00 AM
Aklapper added a comment.Jun 15 2022, 11:50 AM

Proposing to decline this ticket.

sbassett closed this task as Declined.EditedJun 16 2022, 4:48 PM
sbassett triaged this task as Lowest priority.
sbassett moved this task from In Progress to Our Part Is Done on the Security-Team board.
sbassett subscribed.

Testing the link within the description (unauth'd) I'm not even able to generate a timeout error. I'm seeing some higher run times, in the 30 to 40 second range, but at worst, this seems like it may occasionally trigger some low-risk resource exhaustion. I concur that this should be declined for now, unless it can be demonstrated that the action api url in question consistently causes significant resource exhaustion to the point of being a much more viable DoS vector.

sbassett changed Author Affiliation from N/A to Wikimedia Communities.Jun 22 2022, 3:09 PM
sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL