Page MenuHomePhabricator
Create Task
Maniphest T340185

The MW Rest API does not normalize its string request parameters
Closed, ResolvedPublic
Actions

Description

When using the rest.php endpoint it appears that string parameters are not normalized the same way than the action API.

  • no NFC normalization
  • no � replacement on control chars such as the NUL character

Basically everything that \UtfNormal\Validator::cleanUp would usually do is not done when going through rest.php.

I believe that most of the internal MW apis do expect parameters to be normalized the same way as the action API.

Concretely the Search rest endpoint allows the NUL char to be passed through the internal SearchEngine class and then fails when hitting the search backend.

Details

Related Changes in Gerrit:
SubjectRepoBranchLines +/-
Normalise string params in MW Rest APImediawiki/coremaster+132 -7
Customize query in gerrit

Related Objects

Event Timeline

dcausse created this task.Jun 23 2023, 9:50 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJun 23 2023, 9:50 AM
dcausse mentioned this in P48637 cirrus error handling opensearch dashboard filtering query.Jun 23 2023, 9:52 AM
dcausse updated the task description. (Show Details)
dcausse added a comment.Jun 23 2023, 10:18 AM

Pinging Wikibase REST API (WPP) as it might possibly introduce discrepancies between edits made via action=wb* APIs and the new REST api.

dcausse added a project: Wikibase REST API (archieved).Jun 23 2023, 10:19 AM
WMDE-leszek subscribed.Jun 23 2023, 12:27 PM
Tgr subscribed.Jun 23 2023, 4:41 PM
WMDE-leszek updated the task description. (Show Details)Jun 26 2023, 3:04 PM
dcausse mentioned this in T339293: Wikimedia\Assert\PostconditionException: Postcondition failed: Regex failed: 4.Jun 26 2023, 3:56 PM
dcausse updated the task description. (Show Details)Jun 27 2023, 10:27 AM
BPirkle added subscribers: codebug, FGoodwin, Atieno and 2 others.Aug 1 2023, 10:36 PM

API Platform dug into this issue in Code Mob today, using the specific error from T339293: Wikimedia\Assert\PostconditionException: Postcondition failed: Regex failed: 4 as a concrete example of this issue. tl;dr: @dcausse is correct.

The call chain that Action API uses to validate this parameter is:

api.php =>
ApiMain::execute =>
ApiMain::executeActionWithErrorHandling =>
ApiMain::executeAction =>
ApiOpenSearch::execute =>
ApiBase::ExtractRequestParams =>
ApiBase::getParameterFromSettings =>
ApiParamValidator::getValue =>
ParamValidator::getValue =>
TypeDef::getValue =>
ApiParamValidatorCallback::getValue =>
WebRequest::normalizeUnicode =>
Language::normalize =>
UtfNormal\Validator::cleanUp

The warning David mentioned in T339293 triggers in ApiParamValidatorCallback::getValue, if it detects that the raw and normalized strings differ.

I'm no Action API expert, but from what I can tell, the "search" parameter by which the unhappy value is passed to the endpoint is registered in SearchApi::BuildCommonApiParams, with the "sr" prefix being added in ApiQuerSearch.php. The notable thing here is this block in SearchApi.php:

			'search' => [
				ParamValidator::PARAM_TYPE => 'string',
				ParamValidator::PARAM_REQUIRED => true,
			],

There's nothing in the special about this parameter being associated with searches. It is just defined as a string. In other words, this is the same validation that is being done by the Action API on every string parameter, not just search strings. This is confirmed by hitting a completely unrelated Action API endpoint, while passing the same problematic value as a string parameter there:

https://www.mediawiki.org/w/api.php?action=searchtranslations&language=fr&query=%88

You'll see the same warning, indicating that the same validation is being done. This means that for rest.php, we could have run into similar errors with any of the endpoints that accept a string. This is just the one we happened to notice it on first.

This all confirms that the fix (per the task description written by @dcausse, thank you) is to add similar validation to the rest.php parameter validation system.

Tgr added a comment.Aug 1 2023, 11:01 PM

FWIW the REST API uses MediaWiki\Rest\Validator\ParamValidatorCallbacks so the question is how similar should that be to MediaWiki\Api\Validator\ApiParamValidatorCallbacks (especially in how it implements getValue() and recordCondition())?

The REST API also has a different mechanism for validating data passed in the POST body, see MediaWiki\Rest\Validator\BodyValidator and MediaWiki\Rest\Validator\JsonBodyValidator. Probably that should have similar behavior.

dcausse added a comment.Aug 2 2023, 8:45 AM

@BPirkle thanks for the investigations! Your conclusions do seem correct to me, I'm not being very knowledgeable in the MW API subsystems but I'm with you and Gergo here and I believe that since the REST api is "relatively new" it might be safer to apply the same normalization steps for all string params that the action API does. In fact in this case I believe that we somehow got "lucky" that CirrusSearch was very picky (not very robust to be more correct :) by failing on such utf8 sequences but I imagine that in other scenarios/endpoint the internal MW API could simply silently accept such strings and possibly update the database with them and pollute our datastores with these "bad" utf chars and sequences.

Ifrahkhanyaree_WMDE edited projects, added Wikibase REST API (WPP); removed Wikibase REST API (archieved).Aug 2 2023, 2:43 PM
BPirkle added a comment.Aug 2 2023, 10:56 PM
In T340185#9061276, @Tgr wrote:

FWIW the REST API uses MediaWiki\Rest\Validator\ParamValidatorCallbacks

Yeah, in fact there's this fun little comment in ParamValidatorCallbacks.php, in the getValue function:

		// @todo Should normalization to NFC UTF-8 be done here (much like in the
		// action API and the rest of MW), or should it be left to handlers to
		// do whatever normalization they need?
Ifrahkhanyaree_WMDE removed a project: Wikibase REST API (WPP).Aug 3 2023, 9:51 AM
Ifrahkhanyaree_WMDE subscribed.
Lydia_Pintscher subscribed.Aug 3 2023, 11:58 AM
WMDE-leszek mentioned this in T343420: Ensure WB REST API does UTF character normalization as expected.Mar 7 2024, 11:42 AM
dancy subscribed.Apr 16 2024, 3:54 PM

Just a little ping to note that I'm on train duty this week and the Postcondition failed: Regex failed: 4 error is showing up as the first or second most common error in logspam-watch at the moment.

BPirkle edited projects, added MW-Interfaces-Team; removed Platform Engineering.Apr 17 2024, 3:20 PM
daniel subscribed.Apr 17 2024, 4:23 PM
In T340185#9064841, @BPirkle wrote:
In T340185#9061276, @Tgr wrote:

FWIW the REST API uses MediaWiki\Rest\Validator\ParamValidatorCallbacks

Yeah, in fact there's this fun little comment in ParamValidatorCallbacks.php, in the getValue function:

		// @todo Should normalization to NFC UTF-8 be done here (much like in the
		// action API and the rest of MW), or should it be left to handlers to
		// do whatever normalization they need?

Sounds like we are getting to the point where we should just go ahead and do that.

daniel triaged this task as High priority.Apr 17 2024, 4:23 PM
daniel moved this task from Incoming (Needs Triage) to Backlog (Triaged and Ready) on the MW-Interfaces-Team board.
FJoseph-WMF changed the task status from Open to In Progress.Apr 25 2024, 3:32 PM
FJoseph-WMF moved this task from Backlog (Triaged and Ready) to In Progress on the MW-Interfaces-Team board.
daniel added a subtask: T358560: Rest: Deprecate BodyValidator .Apr 25 2024, 4:49 PM
FJoseph-WMF assigned this task to daniel.May 23 2024, 3:25 PM
daniel added a parent task: T366833: REST: Request Body Validation (tracking).Jun 6 2024, 7:02 PM
daniel removed daniel as the assignee of this task.Jun 20 2024, 3:17 PM
daniel lowered the priority of this task from High to Medium.
daniel removed a parent task: T366833: REST: Request Body Validation (tracking).
daniel moved this task from In Progress to Backlog (Triaged and Ready) on the MW-Interfaces-Team board.
dancy unsubscribed.Jun 20 2024, 3:50 PM
codebug claimed this task.Jun 25 2024, 8:30 AM
daniel added a comment.Jun 25 2024, 9:50 AM
In T340185#9061236, @BPirkle wrote:

The call chain that Action API uses to validate this parameter is:
[...]
ApiParamValidator::getValue =>
ParamValidator::getValue =>
TypeDef::getValue =>
ApiParamValidatorCallback::getValue =>
WebRequest::normalizeUnicode =>
Language::normalize =>
UtfNormal\Validator::cleanUp

This is 9only the handling for the if ( substr( $rawValue, 0, 1 ) === "\x1f" ) special case. The "normal" validation is hidden in the call to $value = $this->apiMain->getVal( $name, $default ); at the top of ApiParamValidatorCallback::getValue:

  • ApiParamValidatorCallback::getValue ->
  • ApiMain::getVal ->
  • WebRequest::getVal ->
  • WebRequest::getGPCVal ->
  • WebRequest::normalizeUnicode ->
  • Language::normalize ->
  • UtfNormal\Validator::cleanUp

In MediaWiki\Rest\Validator\ParamValidatorCallbacks::getValue we can probably just call UtfNormal\Validator::cleanUp for now. But:

  • we should have a TODO there for applying language specific cleanup based on the content language
  • We should have a TODO saying that we should somehow warn if normalization was applied (do we want to introduce warning headers?)
  • Like ApiParamValidatorCallback::getValue, we need to skip cleanup if $options['raw'] is set
  • We should skip this step if $options['source'] is 'body', and implement normalization for the request body in Handler::parseBodyData instead.

For Handler::parseBodyData, there is two cases:

  • reyling on $request->getPostParams(). In that case, we should process each field in the same way we do in MediaWiki\Rest\Validator\ParamValidatorCallbacks::getValue
  • using json_decode - in that case, we should apply unicode normalization before decoding.
  • again, we need a TODO about warning when nromalization weas applied
daniel removed a subtask: T358560: Rest: Deprecate BodyValidator .Jun 26 2024, 6:22 PM
codebug moved this task from Backlog (Triaged and Ready) to In Progress on the MW-Interfaces-Team board.Jun 30 2024, 6:31 PM
gerritbot added a comment.Jul 2 2024, 10:24 AM

Change #1051158 had a related patch set uploaded (by WQuarshie; author: WQuarshie):

[mediawiki/core@master] Normalise string params in MW Rest API

https://gerrit.wikimedia.org/r/1051158

gerritbot added a project: Patch-For-Review.Jul 2 2024, 10:24 AM
gerritbot added a comment.Jul 8 2024, 5:20 PM

Change #1051158 had a related patch set uploaded (by Daniel Kinzler; author: WQuarshie):

[mediawiki/core@master] Normalise string params in MW Rest API

https://gerrit.wikimedia.org/r/1051158

gerritbot added a comment.Jul 8 2024, 5:45 PM

Change #1051158 merged by jenkins-bot:

[mediawiki/core@master] Normalise string params in MW Rest API

https://gerrit.wikimedia.org/r/1051158

ReleaseTaggerBot added a project: MW-1.43-notes (1.43.0-wmf.13; 2024-07-09).Jul 8 2024, 6:00 PM
FJoseph-WMF closed this task as Resolved.Jul 11 2024, 2:39 PM
FJoseph-WMF moved this task from In Progress to Done on the MW-Interfaces-Team board.
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits