Page MenuHomePhabricator
Create Task
Maniphest T326093

Confirm Wikibase REST API are considered by the AbuseFilter
Closed, ResolvedPublic
Actions

Description

Likely similar to investigation done for rate limiting: T322746

Time box: 24 hrs

Related Objects
Search...

Event Timeline

WMDE-leszek created this task.Jan 2 2023, 10:01 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJan 2 2023, 10:01 PM
WMDE-leszek updated the task description. (Show Details)Jan 3 2023, 11:36 AM
WMDE-leszek moved this task from Backlog to Sprint 20 on the Wikibase Product Platform (v1) board.
WMDE-leszek edited projects, added Wikibase Product Platform (v1) (Sprint 20); removed Wikibase Product Platform (v1).
Ollie.Shotton_WMDE claimed this task.Jan 11 2023, 10:03 AM
Ollie.Shotton_WMDE moved this task from To Do to Doing on the Wikibase Product Platform (v1) (Sprint 20) board.
Ollie.Shotton_WMDE added a parent task: T316354: Ensure rate limiting and potentially other harm preventions are in place for the Wikibase REST API.Jan 13 2023, 1:29 PM
Ollie.Shotton_WMDE mentioned this in T316354: Ensure rate limiting and potentially other harm preventions are in place for the Wikibase REST API.
Ollie.Shotton_WMDE moved this task from Doing to Peer Review on the Wikibase Product Platform (v1) (Sprint 20) board.Jan 16 2023, 5:09 PM

The Wikibase REST API is covered by the AbuseFilter extension by using the same MediawikiEditEntity::attemptSave() low-level service. This service calls the EditFilterMergedContent hook which is registered by the extension (see extension.json). The error response returned by the Wikibase REST API is a generic 500 unexpected-error.

How I verified this:

  • Created a "Block all" filter where Conditions: was true in order to match on everything and:
    • selected the Prevent the user from performing the action in question checkbox
    • set the System message to use for disallowing: and Page name of other message: to abusefilter-disallowed
  • Tried to add a new Statement via the /entities/items/{item_id}/statements endpoint and noticed it returned a generic 500 unexpected-error response.
  • Added a breakpoint in HookContainer::run() and in the catch block of UnexpectedErrorHandlerMiddleware::run()
  • Made a request with all edit endpoints and verified that the failed hook was EditFilterMergedContent and the unexpected error was due to the "Block all" filter:
    • POST /entities/items/{item_id}/statements
    • PUT /entities/items/{item_id}/statements/{statement_id}
    • PATCH /entities/items/{item_id}/statements/{statement_id}
    • DELETE /entities/items/{item_id}/statements/{statement_id}
    • PUT /entities/items/{item_id}/statements/{statement_id}
    • PATCH /statements/{statement_id}
    • DELETE /statements/{statement_id}
WMDE-leszek moved this task from Sprint 20 to Sprint 21 on the Wikibase Product Platform (v1) board.Jan 17 2023, 12:20 PM
WMDE-leszek edited projects, added Wikibase Product Platform (v1) (Sprint 21); removed Wikibase Product Platform (v1) (Sprint 20).
WMDE-leszek moved this task from To Do to Peer Review on the Wikibase Product Platform (v1) (Sprint 21) board.
Jakob_WMDE moved this task from Peer Review to Done on the Wikibase Product Platform (v1) (Sprint 21) board.Jan 18 2023, 10:52 AM
Jakob_WMDE added a subscriber: Jakob_WMDE.

I was able to verify this following the same steps you described, @Ollie.Shotton_WMDE. Nice work, thanks!

WMDE-leszek closed this task as Resolved.Feb 7 2023, 9:42 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL