Page MenuHomePhabricator
Create Task
Maniphest T298955

Return different data from IPInfo api based on context [M]
Closed, ResolvedPublic
Actions

Description

We need to log access at the PHP level but can't currently distinguish levels of access at the api level atm. If we only logged at an access level (eg. via JS on the front-end) then someone could bypass our logging by navigating directly to the API url. Since the API returns all information a user has access to for a given IP regardless of whether or not the front-end intends to show it and because we intend to log when people access a limited amount of information vs when they access the full set we should 1. enforce the limitations and 2. track it at the API level.

AC:

  • API returns a different set of data depending on whether or not the popup or the widget calls it. This should be done via a parameter (probably failing when no value or an unrecognized value is passed along).

Details

Related Changes in Gerrit:
SubjectRepoBranchLines +/-
Add dataContext parameter to filter returned datamediawiki/extensions/IPInfomaster+99 -2
Customize query in gerrit

Related Objects
Search...

Event Timeline

STran created this task.Jan 11 2022, 11:30 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJan 11 2022, 11:30 AM
STran added a subtask: T294658: Create a log entry when the RevisionHandler is called.Jan 11 2022, 11:31 AM
STran added a subtask: T294657: Create a log entry when the LogHandler is called.
STran moved this task from Untriaged to Triage/To be Estimated on the Anti-Harassment-Team board.
ARamirez_WMF renamed this task from Return different data from IPInfo api based on context to Return different data from IPInfo api based on context [M].Jan 11 2022, 4:50 PM
ARamirez_WMF moved this task from Triage/To be Estimated to Cards ready for development on the Anti-Harassment-Team board.
STran updated the task description. (Show Details)Jan 11 2022, 4:51 PM
STran updated the task description. (Show Details)
STran claimed this task.Jan 11 2022, 7:41 PM
STran moved this task from Cards ready for development to The Letter Song on the Anti-Harassment-Team board.
STran edited projects, added Anti-Harassment-Team (The Letter Song); removed Anti-Harassment-Team.
STran moved this task from Ready 🎬 (ONLY IF YOU HAVE NO MORE CODE TO REVIEW) to In Progress 💪 on the Anti-Harassment-Team (The Letter Song) board.
gerritbot added a comment.Jan 13 2022, 11:37 AM

Change 753708 had a related patch set uploaded (by STran; author: STran):

[mediawiki/extensions/IPInfo@master] Add dataContext parameter to filter returned data

https://gerrit.wikimedia.org/r/753708

gerritbot added a project: Patch-For-Review.Jan 13 2022, 11:37 AM
STran moved this task from In Progress 💪 to Code Review 🔍 on the Anti-Harassment-Team (The Letter Song) board.Jan 13 2022, 12:30 PM
gerritbot added a comment.Jan 14 2022, 4:28 PM

Change 753708 merged by jenkins-bot:

[mediawiki/extensions/IPInfo@master] Add dataContext parameter to filter returned data

https://gerrit.wikimedia.org/r/753708

ReleaseTaggerBot added a project: MW-1.38-notes (1.38.0-wmf.18; 2022-01-17).Jan 14 2022, 5:00 PM
Maintenance_bot removed a project: Patch-For-Review.Jan 14 2022, 5:10 PM
Tchanders moved this task from Code Review 🔍 to QA/Testing 🐞 on the Anti-Harassment-Team (The Letter Song) board.Jan 18 2022, 4:16 AM
dom_walden moved this task from QA/Testing 🐞 to Done: Q2 2021-22 on the Anti-Harassment-Team (The Letter Song) board.Jan 20 2022, 11:14 AM
dom_walden subscribed.

What you can now see at each permission level and context:

ipinfo-view-full

popup:

  • organisation/ASO
  • country
  • location (city, region, etc.)
  • number of active blocks
  • number of edits (all time and last 24 hours)

infobox:

  • organisation/ASO
  • country
  • location (city, region, etc.)
  • ISP
  • Connection Type (Connection Method)
  • User Type (Connection Owner)
  • Proxy Type
  • number of active blocks
  • number of edits (all time and last 24 hours)
ipinfo-view-basic

popup:

  • country
  • number of active blocks
  • number of edits (all time and last 24 hours)

infobox:

  • country
  • Connection Type (Connection Method)
  • User Type (Connection Owner)
  • Proxy Type
  • number of active blocks
  • number of edits (all time and last 24 hours)

I believe the above is consistent with T292626, but it would be good if someone double checked.

If you pass an invalid value for dataContext, it returns only the IP, with no other information.

If you do not pass the dataContext parameter to the API, it returns 400 with the message The \"dataContext\" parameter must be set.

I briefly attempted to fuzz the dataContext parameter (using ZAP). I didn't find anything interesting, but I don't think the list of naughty strings I used was designed specifically for PHP vulnerabilities.

We seem to use a standard way to get the dataContext parameter (getValidatedParams()) which is used in lots of other places, so I don't think this is a security risk.

Test Environment: local docker IP Info 0.0.0 (b2f2568) 08:17, 20 January 2022.

Niharika subscribed.Feb 17 2022, 1:40 AM

I believe the above is consistent with T292626, but it would be good if someone double checked.

Done. I think it matches up fine.

Niharika closed this task as Resolved.Feb 17 2022, 1:40 AM
Niharika closed subtask T294658: Create a log entry when the RevisionHandler is called as Resolved.Feb 18 2022, 8:11 PM
Niharika closed subtask T294657: Create a log entry when the LogHandler is called as Resolved.Mar 1 2022, 7:20 AM
Niharika moved this task from Backlog to Closed on the IP Info board.Aug 8 2022, 7:58 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits