
Update Security Team-owned products that may be affected by IP Masking
Closed, Resolved (Public)

Description

IP Masking will affect lots of our products, features, tools, gadgets, etc. This task is for tracking work to update those that are owned by Security-Team, ahead of IP Masking being enabled on WMF sites.

See T326816: Update features for IP Masking, particularly What will be affected.

A preliminary investigation (T326759) has found that the following may be affected:

  • StopForumSpam

Event Timeline

Hey @Tchanders - Thanks for the notification. ext:StopForumSpam, while enforcing on the beta cluster, is still only in "report-only mode" on a handful of wikis right now (https://gerrit.wikimedia.org/r/823789). It seems, according to T326759, that there might be two things needed here:

  1. Update this small block of code that tries to find the IP from an anon username. The code pulls the IP from the request context in all other cases.
  2. Wait for various functions from Wikimedia\IPUtils to be updated, if necessary? It looks like the functions used by ext:StopForumSpam might not even be problematic: IPUtils::isIPAddress, IPUtils::formatHex, IPUtils::toHex, IPUtils::sanitizeIP.
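As an added illustration of the change the first item describes (this is not StopForumSpam's own code), the pre-patch pattern that derived an anonymous user's IP from the username is shown beside the pattern the later change moves to, which takes the IP from the request context only. The FakeUser and FakeRequest classes, and the filter_var-based stand-in for IPUtils::isIPAddress, are assumptions so the snippet runs without MediaWiki.

```php
<?php
// Added example, not the extension's code. Minimal stand-ins replace
// MediaWiki's User and WebRequest classes so this runs on plain PHP 8.
declare(strict_types=1);

final class FakeUser {
    public function __construct(private string $name, private bool $registered) {}
    public function getName(): string { return $this->name; }
    public function isRegistered(): bool { return $this->registered; }
}

final class FakeRequest {
    public function __construct(private string $ip) {}
    public function getIP(): string { return $this->ip; }
}

// Stand-in for IPUtils::isIPAddress() (assumption: behaves the same for plain v4/v6).
function isIPAddress(string $s): bool {
    return filter_var($s, FILTER_VALIDATE_IP) !== false;
}

// Pre-patch pattern: for anonymous users, trust that the username *is* the IP.
// Once anonymous users no longer have IP-shaped names, this stand-in yields
// null, so a caller has no IP to run its checks against.
function ipBeforePatch(FakeUser $user, FakeRequest $request): ?string {
    if (!$user->isRegistered()) {
        $name = $user->getName();
        return isIPAddress($name) ? $name : null;
    }
    return $request->getIP();
}

// Post-patch pattern: the request context is the only source of the IP,
// whatever the user happens to be named.
function ipAfterPatch(FakeUser $user, FakeRequest $request): string {
    return $request->getIP();
}

// Constructed inputs (placeholder names, not any real username format).
$request    = new FakeRequest('192.0.2.10');
$legacyAnon = new FakeUser('192.0.2.10', false);       // old-style anon: name is the IP
$maskedAnon = new FakeUser('anonymous-user-1', false); // masked anon: name is not an IP

var_dump(ipBeforePatch($legacyAnon, $request)); // string(10) "192.0.2.10"
var_dump(ipBeforePatch($maskedAnon, $request)); // NULL
var_dump(ipAfterPatch($maskedAnon, $request));  // string(10) "192.0.2.10"
```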
sbassett moved this task from Watching to Waiting on the Security-Team board.
sbassett moved this task from Waiting to Watching on the Security-Team board.
sbassett moved this task from Backlog to Waiting on the user-sbassett board.

ext:StopForumSpam also echoes back a user's IP address via the following error message (if they're disallowed access by the extension): https://github.com/wikimedia/mediawiki-extensions-StopForumSpam/blob/master/i18n/en.json#L13. It is unclear to me if this sort of thing will be disallowed under the new IP Masking policies.

sbassett moved this task from Incoming to Watching on the Security-Team board.

A similar question was asked on T350116#9358739, and I suspect it's fine. (If not we'll have to audit where else we display a user their own IP address.)

@Niharika Could you confirm whether this is the case?

I can confirm that revealing a user's own IP address to themselves should be OK.

> I can confirm that revealing a user's own IP address to themselves should be OK.

Ok, so that just leaves the small code updates/questions from T326871#8521975 then, for ext:StopForumSpam.

Change 979952 had a related patch set uploaded (by SBassett; author: SBassett):

[mediawiki/extensions/StopForumSpam@master] Remove IP assignment via User::getName() for anonymous users

https://gerrit.wikimedia.org/r/979952

> 1. Wait for various functions from Wikimedia\IPUtils to be updated, if necessary? It looks like the functions used by ext:StopForumSpam might not even be problematic: IPUtils::isIPAddress, IPUtils::formatHex, IPUtils::toHex, IPUtils::sanitizeIP.

I agree this looks fine. We included those terms in the search to flag up affected extensions just as indicators that the extension did something with IP addresses. Once it's getting the IP from the context, that should be fine. Thanks!

Change 979952 merged by jenkins-bot:

[mediawiki/extensions/StopForumSpam@master] Remove IP assignment via User::getName() for anonymous users

https://gerrit.wikimedia.org/r/979952

sbassett claimed this task.
sbassett triaged this task as Medium priority.
sbassett moved this task from Watching to Our Part Is Done on the Security-Team board.

> I agree this looks fine. We included those terms in the search to flag up affected extensions just as indicators that the extension did something with IP addresses. Once it's getting the IP from the context, that should be fine. Thanks!

Ok, this change set was just merged. Tentatively resolving this task for now.