Page MenuHomePhabricator
Create Task
Maniphest T318166

CVE-2022-39193: CheckUser API can expose the suppressed performer
Closed, ResolvedPublicSecurity
Actions

Description

Splitting from T311337. Special:CheckUser has been fixed, but the API has not been. The logic for the fix of the API should be similar.

Status:

  • Performer of edits shown in API respects RevisionDeletion status - Deployed
  • Performer of log events shown in API results respects RevisionDeletion status
    • Schema change to store the log ID - T324907

The fix for logged actions will require a Schema-change in T145265 / T253796. This task should remain private until the fix for logged actions is implemented.

Details

Risk Rating
Medium
Author Affiliation
Wikimedia Communities
SubjectRepoBranchLines +/-
SECURITY: Do not show suppressed usernames on edits in the APImediawiki/extensions/CheckUserREL1_35+7 -0
SECURITY: Do not show suppressed usernames on edits in the APImediawiki/extensions/CheckUserREL1_38+7 -0
SECURITY: Do not show suppressed usernames on edits in the APImediawiki/extensions/CheckUserREL1_39+7 -0
SECURITY: Do not show suppressed usernames on edits in the APImediawiki/extensions/CheckUsermaster+7 -0
Customize query in gerrit

Related Objects
Search...

View Standalone Graph
This task is connected to more than 200 other tasks. Only direct parents and subtasks are shown here. Use View Standalone Graph to show more of the graph.
StatusSubtypeAssignedTask
· · ·
ResolvedSecurityZabeT311337 CVE-2022-39193: Edits with the performer suppressed still show the performer in results from the CheckUser extension
ResolvedSecurityDreamy_JazzT318166 CVE-2022-39193: CheckUser API can expose the suppressed performer
ResolvedDreamy_JazzT253796 Make CheckUser record the log_id of logged actions
· · ·

Event Timeline

Dreamy_Jazz created this task.Sep 20 2022, 2:20 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptSep 20 2022, 2:20 PM
Dreamy_Jazz added a project: CheckUser.Sep 20 2022, 2:20 PM
Dreamy_Jazz updated the task description. (Show Details)Sep 20 2022, 2:26 PM
Dreamy_Jazz added a parent task: T311337: CVE-2022-39193: Edits with the performer suppressed still show the performer in results from the CheckUser extension.
Dreamy_Jazz added a subtask: T145265: Store check user data action text in structured format.
Dreamy_Jazz added a comment.EditedSep 20 2022, 3:00 PM

Patch for review:

T318166.patch1 KBDownload

Tested locally using the following steps running mariadb with replication:

  • Made a test edit
  • Gave myself suppressor rights
  • Suppressed the edit
  • Loaded Special:ApiSandbox
  • Used the following query:
{
	"action": "query",
	"format": "json",
	"list": "checkuser",
	"curequest": "edits",
	"cutarget": "Exampleuser-who-made-the-edit",
	"cutoken": "Exampletoken"
}
  • Verified that the "user" for the edit shows the username as I have rights to see it
  • Removed suppressor rights from myself
  • Ran the API query again
  • Verified that the "user" for the edit is shown as "(username removed)" as I do not have rights to see it
Dreamy_Jazz added a project: Patch-For-Review.Sep 20 2022, 3:00 PM
Dreamy_Jazz updated the task description. (Show Details)Sep 20 2022, 3:05 PM
Zabe subscribed.Sep 20 2022, 6:40 PM
In T318166#8248278, @Dreamy_Jazz wrote:

T318166.patch1 KBDownload

+2

Dreamy_Jazz moved this task from Incoming to Security Patch To Deploy on the Security-Team board.Sep 20 2022, 8:35 PM
sbassett added a project: SecTeam-Processed.Sep 20 2022, 9:29 PM
sbassett subscribed.

The patch looks good, though I didn't test locally. Thanks, @Dreamy_Jazz. We should be able to get this deployed during the next security window.

sbassett triaged this task as Medium priority.Sep 20 2022, 9:29 PM
sbassett changed Risk Rating from N/A to Medium.
Dreamy_Jazz moved this task from General / Unsorted to Patches for review on the CheckUser board.Sep 23 2022, 9:31 PM
Dreamy_Jazz moved this task from Patches for review to General / Unsorted on the CheckUser board.
Dreamy_Jazz removed a project: Patch-For-Review.
Dreamy_Jazz moved this task from General / Unsorted to API on the CheckUser board.Sep 23 2022, 10:01 PM
Dreamy_Jazz moved this task from API to General / Unsorted on the CheckUser board.
Dreamy_Jazz updated the task description. (Show Details)Sep 29 2022, 6:14 PM
sbassett mentioned this in T318974: Write and send supplementary release announcement for extensions and skins with security patches (1.35.9/1.38.4/1.39.1).Oct 5 2022, 4:21 PM
sbassett mentioned this in T311337: CVE-2022-39193: Edits with the performer suppressed still show the performer in results from the CheckUser extension.Oct 11 2022, 2:35 PM
Mstyles subscribed.Oct 17 2022, 9:46 PM

this is now deployed in production on php-1.40.0-wmf.5

Mstyles moved this task from Security Patch To Deploy to Watching on the Security-Team board.Oct 17 2022, 9:48 PM
sbassett updated the task description. (Show Details)Oct 17 2022, 10:13 PM
Dreamy_Jazz added a comment.EditedNov 11 2022, 10:51 AM

Tested on testwiki using wmf.8 following the steps:

  • Made a test edit
  • Got granted OS and CU by steward on testwiki
  • Suppressed the test edit
  • Opened Special:ApiSandbox
  • Ran a check on Dreamy Jazz (myself) using the get edits mode and pressing the auto-fill token button
  • Verified that I could see my username
  • Had OS removed from me on testwiki
  • Ran the same check
  • Verified that I could not see my username (instead showing username hidden)
  • Had OS granted again to remove the test suppression
  • Had CU and OS removed.

I can provide screenshots of the results (these results were designed to only include my edits) but will leave them not published here because this will go public eventually. The test was successful and so the patch worked.

Dreamy_Jazz updated the task description. (Show Details)Nov 15 2022, 9:20 PM

For items stored in the logging table https://gerrit.wikimedia.org/r/c/mediawiki/extensions/CheckUser/+/856930 is open to add a new column called cuc_log_id that would store the log ID for any associated entry. This would then be used to find the RevisionDeletion status on the entry in the logging table and would address this issue for logged items.

Dreamy_Jazz edited subtasks, added: T253796: Make CheckUser record the log_id of logged actions; removed: T145265: Store check user data action text in structured format.Nov 15 2022, 9:25 PM
Mstyles mentioned this in T325849: Write and send supplementary release announcement for extensions and skins with security patches (1.35.10/1.38.6/1.39.3).Jan 10 2023, 6:08 PM
Mstyles changed the visibility from "Custom Policy" to "Public (No Login Required)".Jan 12 2023, 2:37 AM
Mstyles changed the edit policy from "Custom Policy" to "All Users".
gerritbot added a comment.Jan 12 2023, 9:56 AM

Change 879073 merged by jenkins-bot:

[mediawiki/extensions/CheckUser@master] SECURITY: Do not show suppressed usernames on edits in the API

https://gerrit.wikimedia.org/r/879073

ReleaseTaggerBot added a project: MW-1.40-notes (1.40.0-wmf.19; 2023-01-16).Jan 12 2023, 10:01 AM
gerritbot added a comment.Jan 12 2023, 2:31 PM

Change 879541 had a related patch set uploaded (by Zabe; author: Dreamy Jazz):

[mediawiki/extensions/CheckUser@REL1_39] SECURITY: Do not show suppressed usernames on edits in the API

https://gerrit.wikimedia.org/r/879541

gerritbot added a project: Patch-For-Review.Jan 12 2023, 2:31 PM

Change 879543 had a related patch set uploaded (by Zabe; author: Dreamy Jazz):

[mediawiki/extensions/CheckUser@REL1_38] SECURITY: Do not show suppressed usernames on edits in the API

https://gerrit.wikimedia.org/r/879543

gerritbot added a comment.Jan 12 2023, 2:34 PM

Change 879541 merged by jenkins-bot:

[mediawiki/extensions/CheckUser@REL1_39] SECURITY: Do not show suppressed usernames on edits in the API

https://gerrit.wikimedia.org/r/879541

gerritbot added a comment.Jan 12 2023, 2:35 PM

Change 879543 merged by jenkins-bot:

[mediawiki/extensions/CheckUser@REL1_38] SECURITY: Do not show suppressed usernames on edits in the API

https://gerrit.wikimedia.org/r/879543

gerritbot added a comment.Jan 12 2023, 2:48 PM

Change 879569 had a related patch set uploaded (by Zabe; author: Dreamy Jazz):

[mediawiki/extensions/CheckUser@REL1_35] SECURITY: Do not show suppressed usernames on edits in the API

https://gerrit.wikimedia.org/r/879569

Dreamy_Jazz claimed this task.Jan 12 2023, 2:55 PM
gerritbot added a comment.Jan 12 2023, 3:33 PM

Change 879569 merged by jenkins-bot:

[mediawiki/extensions/CheckUser@REL1_35] SECURITY: Do not show suppressed usernames on edits in the API

https://gerrit.wikimedia.org/r/879569

Mstyles closed this task as Resolved.Jan 12 2023, 6:00 PM
Dreamy_Jazz reopened this task as Open.Jan 12 2023, 6:39 PM

This isn't resolved. Edits are fixed but not log actions.

Mstyles added a comment.Jan 12 2023, 6:59 PM

@Dreamy_Jazz is there a separate ticket for log actions? perhaps we should open one for that and then close these?

Mstyles added a comment.Jan 12 2023, 7:01 PM

and is the change here: https://gerrit.wikimedia.org/r/c/mediawiki/extensions/CheckUser/+/866684 not sufficient

Dreamy_Jazz added a comment.EditedJan 12 2023, 7:28 PM
In T318166#8520985, @Mstyles wrote:

@Dreamy_Jazz is there a separate ticket for log actions? perhaps we should open one for that and then close these?

There doesn't yet exist separate tickets for log events - I kept them together as the attack vector is very similar. I wouldn't oppose creating new tickets, but as these stand they have checkboxes for progress on fixing log actions in the task description. I guess as this task contains information about log actions not respecting revision deletion status, the new tasks won't need to be hidden from public view (as the cat is out of the bag).

In T318166#8521010, @Mstyles wrote:

and is the change here: https://gerrit.wikimedia.org/r/c/mediawiki/extensions/CheckUser/+/866684 not sufficient

No. This only added the tables that would allow storing the log ID to look up revision deletion status, but did not add any support for reading from them or writing to them nor fix the issue at hand here. There are https://gerrit.wikimedia.org/r/c/mediawiki/extensions/CheckUser/+/876360 and https://gerrit.wikimedia.org/r/c/mediawiki/extensions/CheckUser/+/877182 (which are yet to be reviewed) that only adds code to write to the new tables when the config is set. Reading from these tables and switching to writing/reading on WMF wikis would be needed before a fix would work. I'm not yet fully sure how to fix log actions as I'm not sure how the code will read from the tables.

Everything before "Move log entries in cu_changes to cu_private_event" in T324907 will need to be done before a fix would work for log entries.

Dreamy_Jazz added a comment.Jan 12 2023, 7:40 PM

One thing I would note is that there would be no foolproof method to match items in the cu_changes table to the logging table. My intention is to just move these to the table created for events that only CheckUser's can see. This means that even if this was kept private until the fix was in place, 3 months would have to pass before WMF production CheckUser had no leakage.

Dreamy_Jazz updated the task description. (Show Details)Jan 12 2023, 7:45 PM
sbassett added a comment.Jan 12 2023, 8:19 PM

@Mstyles @Dreamy_Jazz - I'd support the idea of creating a separate task or tasks to track the related log events issue. It makes things more granular, which is generally a good idea, and won't block us form resolving these tasks as disclosed security issues, as they just went out with the latest supplemental security release at T318974.

Dreamy_Jazz added a comment.Jan 12 2023, 8:34 PM

Okay. I'll look at creating separate tasks.

sbassett moved this task from Watching to Our Part Is Done on the Security-Team board.Jan 12 2023, 8:34 PM
sbassett removed a project: Patch-For-Review.
Dreamy_Jazz closed this task as Resolved.Jan 12 2023, 9:08 PM
Dreamy_Jazz mentioned this in T326867: CheckUser API can expose suppressed information for log events.

Re-closing as separate tickets filed.

sbassett added a comment.Jan 12 2023, 9:26 PM
In T318166#8521571, @Dreamy_Jazz wrote:

Re-closing as separate tickets filed.

Thanks!

sbassett mentioned this in T333626: Write and send supplementary release announcement for extensions and skins with security patches (1.35.11/1.38.7/1.39.4/1.40.0).Apr 4 2023, 7:48 PM
sbassett mentioned this in T340874: Write and send supplementary release announcement for extensions and skins with security patches (1.35.12/1.39.5/1.40.1).Jul 6 2023, 3:27 PM
sbassett mentioned this in T347659: Write and send supplementary release announcement for extensions and skins with security patches (1.35.14/1.39.6/1.40.2/1.41.0).Oct 2 2023, 10:31 PM
Dreamy_Jazz closed subtask T253796: Make CheckUser record the log_id of logged actions as Resolved.Wed, Apr 10, 1:41 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL