
Return different data from IPInfo api based on context [M]
Closed, Resolved (Public)

Description

We need to log access at the PHP level but can't currently distinguish levels of access at the API level atm. If we only logged at an access level (e.g. via JS on the front-end), then someone could bypass our logging by navigating directly to the API URL. Since the API returns all information a user has access to for a given IP, regardless of whether or not the front-end intends to show it, and because we intend to log when people access a limited amount of information vs. when they access the full set, we should 1. enforce the limitations and 2. track it at the API level.

AC:

  • API returns a different set of data depending on whether or not the popup or the widget calls it. This should be done via a parameter (probably failing when no value or an unrecognized value is passed along).

Event Timeline

ARamirez_WMF renamed this task from Return different data from IPInfo api based on context to Return different data from IPInfo api based on context [M]. Jan 11 2022, 4:50 PM
STran updated the task description.

Change 753708 had a related patch set uploaded (by STran; author: STran):

[mediawiki/extensions/IPInfo@master] Add dataContext parameter to filter returned data

https://gerrit.wikimedia.org/r/753708

Change 753708 merged by jenkins-bot:

[mediawiki/extensions/IPInfo@master] Add dataContext parameter to filter returned data

https://gerrit.wikimedia.org/r/753708

dom_walden added a subscriber: dom_walden.

What you can now see at each permission level and context:

ipinfo-view-full

popup:

  • organisation/ASO
  • country
  • location (city, region, etc.)
  • number of active blocks
  • number of edits (all time and last 24 hours)

infobox:

  • organisation/ASO
  • country
  • location (city, region, etc.)
  • ISP
  • Connection Type (Connection Method)
  • User Type (Connection Owner)
  • Proxy Type
  • number of active blocks
  • number of edits (all time and last 24 hours)

ipinfo-view-basic

popup:

  • country
  • number of active blocks
  • number of edits (all time and last 24 hours)

infobox:

  • country
  • Connection Type (Connection Method)
  • User Type (Connection Owner)
  • Proxy Type
  • number of active blocks
  • number of edits (all time and last 24 hours)

I believe the above is consistent with T292626, but it would be good if someone double checked.

If you pass an invalid value for dataContext, it returns only the IP, with no other information.

If you do not pass the dataContext parameter to the API, it returns 400 with the message The \"dataContext\" parameter must be set.

I briefly attempted to fuzz the dataContext parameter (using ZAP). I didn't find anything interesting, but I don't think the list of naughty strings I used was designed specifically for PHP vulnerabilities.

We seem to use a standard way to get the dataContext parameter (getValidatedParams()) which is used in lots of other places, so I don't think this is a security risk.

Test Environment: local docker IP Info 0.0.0 (b2f2568) 08:17, 20 January 2022.
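
The behaviour reported in the comment above (a field list per right and context, 400 when dataContext is missing, only the IP for an unrecognized value, logging done server-side) as an added PHP example; it is not the IPInfo extension's code. The field keys, the "message" key, the context strings "popup" and "infobox", and the function names are assumptions.

```php
<?php
// Added illustration, not IPInfo's code. Field keys and function names are hypothetical.
// Allowlist per permission level and context, transcribed from the lists in the comment.
const VIEWABLE = [
    'ipinfo-view-full' => [
        'popup'   => ['organisation', 'country', 'location', 'activeBlocks', 'edits'],
        'infobox' => ['organisation', 'country', 'location', 'isp', 'connectionType',
                      'userType', 'proxyType', 'activeBlocks', 'edits'],
    ],
    'ipinfo-view-basic' => [
        'popup'   => ['country', 'activeBlocks', 'edits'],
        'infobox' => ['country', 'connectionType', 'userType', 'proxyType',
                      'activeBlocks', 'edits'],
    ],
];

/** Returns [HTTP status, response body] for one lookup. */
function handleRequest(string $right, array $params, array $record, callable $log): array {
    if (!isset($params['dataContext'])) {
        return [400, ['message' => 'The "dataContext" parameter must be set.']];
    }
    $context = is_string($params['dataContext']) ? $params['dataContext'] : '';
    // Unknown right or context: empty allowlist, so only the IP is returned.
    $allowed = VIEWABLE[$right][$context] ?? [];
    $body = ['ip' => $record['ip']]
        + array_intersect_key($record, array_flip($allowed));
    // Log here, after filtering, so a direct call to the API URL is recorded too.
    $log($record['ip'], $right, $context, array_keys($body));
    return [200, $body];
}

// Constructed sample record (documentation-range IP, made-up values).
$record = [
    'ip' => '192.0.2.10', 'organisation' => 'Example Org', 'country' => 'NL',
    'location' => 'Amsterdam', 'isp' => 'Example ISP', 'connectionType' => 'wired',
    'userType' => 'business', 'proxyType' => 'none', 'activeBlocks' => 0, 'edits' => 12,
];
$log = function (string $ip, string $right, string $ctx, array $fields): void {
    fwrite(STDERR, "ipinfo access ip=$ip right=$right context=$ctx fields="
        . implode(',', $fields) . "\n");
};

foreach ([['ipinfo-view-basic', ['dataContext' => 'popup']],
          ['ipinfo-view-basic', ['dataContext' => 'bogus']],
          ['ipinfo-view-full', []]] as [$right, $params]) {
    [$status, $body] = handleRequest($right, $params, $record, $log);
    echo $status, ' ', json_encode($body), "\n";
}
```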

> I believe the above is consistent with T292626, but it would be good if someone double checked.

Done. I think it matches up fine.