Page MenuHomePhabricator
Create Task
Maniphest T297731

CVE-2022-28203: Requesting Special:NewFiles in commons with actor as a condition can bring the whole database down
Closed, ResolvedPublicSecurity
Actions

Description

I have been seeing a lot of slow queries like this:

wikiadmin@10.64.16.175(commonswiki)> explain SELECT  /*! STRAIGHT_JOIN */ img_name,img_timestamp,actor_user,actor_name  FROM `image` JOIN `actor` ON ((actor_id=img_actor)) LEFT JOIN `user_groups` ON (ug_group = 'bot' AND (ug_user = actor_user) AND (ug_expiry IS NULL OR ug_expiry >= '20211214173620'))   WHERE actor_name = 'Gov.mm' AND (ug_group IS NULL) AND (((img_timestamp<'20211214000000')))  ORDER BY img_timestamp DESC LIMIT 51  ;
+------+-------------+-------------+--------+-----------------------------------+---------------+---------+------------------------------------+----------+-------------------------+
| id   | select_type | table       | type   | possible_keys                     | key           | key_len | ref                                | rows     | Extra                   |
+------+-------------+-------------+--------+-----------------------------------+---------------+---------+------------------------------------+----------+-------------------------+
|    1 | SIMPLE      | image       | range  | img_timestamp,img_actor_timestamp | img_timestamp | 14      | NULL                               | 29263285 | Using where             |
|    1 | SIMPLE      | actor       | const  | PRIMARY,actor_name                | actor_name    | 257     | const                              | 1        | Using where             |
|    1 | SIMPLE      | user_groups | eq_ref | PRIMARY,ug_group,ug_expiry        | PRIMARY       | 261     | commonswiki.actor.actor_user,const | 1        | Using where; Not exists |
+------+-------------+-------------+--------+-----------------------------------+---------------+---------+------------------------------------+----------+-------------------------+
3 rows in set (0.004 sec)

The straight join is actually problematic, if you remove it, MySQL realizes the user doesn't exists and return with empty result right away:

wikiadmin@10.64.16.175(commonswiki)> explain SELECT  img_name,img_timestamp,actor_user,actor_name  FROM `image` JOIN `actor` ON ((actor_id=img_actor)) LEFT JOIN `user_groups` ON (ug_group = 'bot' AND (ug_user = actor_user) AND (ug_expiry IS NULL OR ug_expiry >= '20211214173620'))   WHERE actor_name = 'Gov.mm' AND (ug_group IS NULL) AND (((img_timestamp<'20211214000000')))  ORDER BY img_timestamp DESC LIMIT 51  ;
+------+-------------+-------+------+---------------+------+---------+------+------+-----------------------------------------------------+
| id   | select_type | table | type | possible_keys | key  | key_len | ref  | rows | Extra                                               |
+------+-------------+-------+------+---------------+------+---------+------+------+-----------------------------------------------------+
|    1 | SIMPLE      | NULL  | NULL | NULL          | NULL | NULL    | NULL | NULL | Impossible WHERE noticed after reading const tables |
+------+-------------+-------+------+---------------+------+---------+------+------+-----------------------------------------------------+
1 row in set (0.001 sec)

wikiadmin@10.64.16.175(commonswiki)> SELECT  img_name,img_timestamp,actor_user,actor_name  FROM `image` JOIN `actor` ON ((actor_id=img_actor)) LEFT JOIN `user_groups` ON (ug_group = 'bot' AND (ug_user = actor_user) AND (ug_expiry IS NULL OR ug_expiry >= '20211214173620'))   WHERE actor_name = 'Gov.mm' AND (ug_group IS NULL) AND (((img_timestamp<'20211214000000')))  ORDER BY img_timestamp DESC LIMIT 51  ;
Empty set (0.001 sec)

You can replace "Gov.mm" with any gibberish and it would still goes in direction of reading 29M rows. Suggestion: Just run a check if the actor exists before making the query.

Details

SubjectRepoBranchLines +/-
SECURITY: pagers: Don't make a straight join if the user is setmediawiki/coremaster+4 -1
SECURITY: pagers: Don't make a straight join if the user is setmediawiki/coreREL1_38+4 -1
SECURITY: pagers: Don't make a straight join if the user is setmediawiki/coreREL1_37+4 -1
SECURITY: pagers: Don't make a straight join if the user is setmediawiki/coreREL1_36+4 -1
SECURITY: pagers: Don't make a straight join if the user is setmediawiki/coreREL1_35+4 -1
Customize query in gerrit

Related Objects
Search...

Event Timeline

Ladsgroup created this task.Dec 14 2021, 5:57 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptDec 14 2021, 5:58 PM
Ladsgroup added a comment.Dec 14 2021, 6:01 PM

It is the same with existing actors too:

wikiadmin@10.64.16.175(commonswiki)> explain SELECT  /*! STRAIGHT_JOIN */ img_name,img_timestamp,actor_user,actor_name  FROM `image` JOIN `actor` ON ((actor_id=img_actor)) LEFT JOIN `user_groups` ON (ug_group = 'bot' AND (ug_user = actor_user) AND (ug_expiry IS NULL OR ug_expiry >= '20211214173620'))   WHERE actor_name = 'Ladsgroup' AND (ug_group IS NULL) AND (((img_timestamp<'20211214000000')))  ORDER BY img_timestamp DESC LIMIT 51  ;
+------+-------------+-------------+--------+-----------------------------------+---------------+---------+------------------------------------+----------+-------------------------+
| id   | select_type | table       | type   | possible_keys                     | key           | key_len | ref                                | rows     | Extra                   |
+------+-------------+-------------+--------+-----------------------------------+---------------+---------+------------------------------------+----------+-------------------------+
|    1 | SIMPLE      | image       | range  | img_timestamp,img_actor_timestamp | img_timestamp | 14      | NULL                               | 29263338 | Using where             |
|    1 | SIMPLE      | actor       | const  | PRIMARY,actor_name                | actor_name    | 257     | const                              | 1        | Using where             |
|    1 | SIMPLE      | user_groups | eq_ref | PRIMARY,ug_group,ug_expiry        | PRIMARY       | 261     | commonswiki.actor.actor_user,const | 1        | Using where; Not exists |
+------+-------------+-------------+--------+-----------------------------------+---------------+---------+------------------------------------+----------+-------------------------+
3 rows in set (0.001 sec)

While without STRAIGHT_JOIN it's much faster:

wikiadmin@10.64.16.175(commonswiki)> explain SELECT img_name,img_timestamp,actor_user,actor_name  FROM `image` JOIN `actor` ON ((actor_id=img_actor)) LEFT JOIN `user_groups` ON (ug_group = 'bot' AND (ug_user = actor_user) AND (ug_expiry IS NULL OR ug_expiry >= '20211214173620'))   WHERE actor_name = 'Ladsgroup' AND (ug_group IS NULL) AND (((img_timestamp<'20211214000000')))  ORDER BY img_timestamp DESC LIMIT 51  ;
+------+-------------+-------------+-------+-----------------------------------+---------------------+---------+-------------+------+--------------------------+
| id   | select_type | table       | type  | possible_keys                     | key                 | key_len | ref         | rows | Extra                    |
+------+-------------+-------------+-------+-----------------------------------+---------------------+---------+-------------+------+--------------------------+
|    1 | SIMPLE      | actor       | const | PRIMARY,actor_name                | actor_name          | 257     | const       | 1    |                          |
|    1 | SIMPLE      | user_groups | const | PRIMARY,ug_group,ug_expiry        | PRIMARY             | 261     | const,const | 0    | Unique row not found     |
|    1 | SIMPLE      | image       | range | img_timestamp,img_actor_timestamp | img_actor_timestamp | 22      | NULL        | 395  | Using where; Using index |
+------+-------------+-------------+-------+-----------------------------------+---------------------+---------+-------------+------+--------------------------+
3 rows in set (0.003 sec)
Ladsgroup claimed this task.Dec 14 2021, 6:02 PM
Ladsgroup triaged this task as High priority.
Ladsgroup added a project: DBA.
Restricted Application added a project: User-Ladsgroup. · View Herald TranscriptDec 14 2021, 6:02 PM
Ladsgroup moved this task from Triage to In progress on the DBA board.Dec 14 2021, 6:02 PM
Ladsgroup added a comment.Dec 14 2021, 6:04 PM

It needs a simple join decomposition. I will never understand the fascination of mediawiki with join. Each purge makes around 200 queries with warm cache and 1k with cold one and we are worried about one more really fast query, it's not making them across the Atlantic ocean, the network latency is small.

Ladsgroup added subscribers: tstarling, Krinkle, daniel, Pchelolo.Dec 14 2021, 6:22 PM

Here is the fix. I think we need to roll this out to all pagers that set the user and do straight join but that's for later. I appreciate code review on this.

T297731.patch1 KBDownload

Marostegui added a comment.Dec 14 2021, 6:30 PM

It would be nice to roll this out this week before the code freeze - great catch Amir!

Ladsgroup renamed this task from Requesting Special:NewFiles in commons with non-existentant actors can bring the whole database down to Requesting Special:NewFiles in commons with actor as a condition can bring the whole database down .Dec 14 2021, 6:49 PM
Jdforrester-WMF subscribed.EditedDec 14 2021, 6:50 PM
In T297731#7570609, @Ladsgroup wrote:

Here is the fix. I think we need to roll this out to all pagers that set the user and do straight join but that's for later. I appreciate code review on this.

T297731.patch1 KBDownload

That seems fine for now, yes. C+2.

Reedy added a project: Performance Issue.Dec 15 2021, 11:43 AM
Ladsgroup added a comment.Dec 15 2021, 4:41 PM

This is deployed now.

Ladsgroup added a comment.Dec 15 2021, 4:45 PM

We should monitor https://logstash.wikimedia.org/goto/7d3662149d8277dd9a9574c833b41163 to see if it's fully stopped.

sbassett subscribed.Dec 15 2021, 9:56 PM

Thanks for the deploy, @Ladsgroup. Now tracked at T276237 and will eventually be part of the next security release, due out around the end of March 2022.

Ladsgroup moved this task from In progress to Done on the DBA board.Dec 16 2021, 11:11 AM
In T297731#7572893, @Ladsgroup wrote:

We should monitor https://logstash.wikimedia.org/goto/7d3662149d8277dd9a9574c833b41163 to see if it's fully stopped.

Log is clean. I move this to done but won't close it so it gets properly processed by security team.

sbassett moved this task from Incoming to Watching on the Security-Team board.Dec 20 2021, 4:34 PM
sbassett added a project: SecTeam-Processed.
Ladsgroup closed this task as Resolved.Dec 21 2021, 9:16 AM

Log is fully cleaned up. This is done.

sbassett added a parent task: T297830: Tracking bug for MediaWiki 1.35.6/1.36.4/1.37.2.Dec 21 2021, 3:37 PM
Reedy mentioned this in T297830: Tracking bug for MediaWiki 1.35.6/1.36.4/1.37.2.Mar 20 2022, 12:46 PM
Reedy added a subscriber: gerritbot.Mar 28 2022, 1:32 PM
Reedy renamed this task from Requesting Special:NewFiles in commons with actor as a condition can bring the whole database down to CVE-2022-: Requesting Special:NewFiles in commons with actor as a condition can bring the whole database down .Mar 28 2022, 1:52 PM
Reedy mentioned this in T297831: Obtain CVEs for 1.35.6/1.36.4/1.37.2 security releases.
Reedy renamed this task from CVE-2022-: Requesting Special:NewFiles in commons with actor as a condition can bring the whole database down to CVE-2022-28203: Requesting Special:NewFiles in commons with actor as a condition can bring the whole database down .Mar 30 2022, 6:03 PM
gerritbot added a comment.Mar 31 2022, 9:43 PM

Change 775972 had a related patch set uploaded (by Reedy; author: Amir Sarabadani):

[mediawiki/core@REL1_35] SECURITY: pagers: Don't make a straight join if the user is set

https://gerrit.wikimedia.org/r/775972

gerritbot added a project: Patch-For-Review.Mar 31 2022, 9:43 PM
gerritbot added a comment.Mar 31 2022, 9:53 PM

Change 775972 merged by jenkins-bot:

[mediawiki/core@REL1_35] SECURITY: pagers: Don't make a straight join if the user is set

https://gerrit.wikimedia.org/r/775972

gerritbot added a comment.Mar 31 2022, 9:56 PM

Change 775977 had a related patch set uploaded (by Reedy; author: Amir Sarabadani):

[mediawiki/core@REL1_36] SECURITY: pagers: Don't make a straight join if the user is set

https://gerrit.wikimedia.org/r/775977

gerritbot added a comment.Mar 31 2022, 10:07 PM

Change 775983 had a related patch set uploaded (by Reedy; author: Amir Sarabadani):

[mediawiki/core@REL1_37] SECURITY: pagers: Don't make a straight join if the user is set

https://gerrit.wikimedia.org/r/775983

gerritbot added a comment.Mar 31 2022, 10:08 PM

Change 775977 merged by jenkins-bot:

[mediawiki/core@REL1_36] SECURITY: pagers: Don't make a straight join if the user is set

https://gerrit.wikimedia.org/r/775977

gerritbot added a comment.Mar 31 2022, 10:19 PM

Change 775983 merged by jenkins-bot:

[mediawiki/core@REL1_37] SECURITY: pagers: Don't make a straight join if the user is set

https://gerrit.wikimedia.org/r/775983

gerritbot added a comment.Mar 31 2022, 10:19 PM

Change 775991 had a related patch set uploaded (by Reedy; author: Amir Sarabadani):

[mediawiki/core@master] SECURITY: pagers: Don't make a straight join if the user is set

https://gerrit.wikimedia.org/r/775991

gerritbot added a comment.Mar 31 2022, 10:21 PM

Change 775994 had a related patch set uploaded (by Reedy; author: Amir Sarabadani):

[mediawiki/core@REL1_38] SECURITY: pagers: Don't make a straight join if the user is set

https://gerrit.wikimedia.org/r/775994

gerritbot added a comment.Mar 31 2022, 10:34 PM

Change 775994 merged by jenkins-bot:

[mediawiki/core@REL1_38] SECURITY: pagers: Don't make a straight join if the user is set

https://gerrit.wikimedia.org/r/775994

gerritbot added a comment.Mar 31 2022, 10:39 PM

Change 775991 merged by jenkins-bot:

[mediawiki/core@master] SECURITY: pagers: Don't make a straight join if the user is set

https://gerrit.wikimedia.org/r/775991

Reedy changed the visibility from "Custom Policy" to "Public (No Login Required)".Mar 31 2022, 11:05 PM
Reedy changed the edit policy from "Custom Policy" to "All Users".
Maintenance_bot removed a project: Patch-For-Review.Mar 31 2022, 11:10 PM
Zabe subscribed.Mar 31 2022, 11:12 PM
Maintenance_bot moved this task from Incoming to Done on the User-Ladsgroup board.Mar 31 2022, 11:15 PM
matej_suchanek mentioned this in T124214: Allow filtering based on tag on Special:NewFiles.Feb 17 2023, 11:49 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL