Page MenuHomePhabricator
Create Task
Maniphest T344486

Restrict interface parameter of wikimediaeventsblockededit API query module
Closed, ResolvedPublic
Actions

Description

There have been close to 1000 validation errors for events submitted to the mediawiki.editattempt_block stream in the last week (see https://logstash.wikimedia.org/goto/c6e05b596528d6b14ba0863ca423a187). All of the errors are related to spurious values in the interface property of the event, some of which are attempts at injections, e.g.

  • visualeditor'||DBMS_PIPE.RECEIVE_MESSAGE(CHR(98)||CHR(98)||CHR(98),15)||'
  • yi4AyyfN')) OR 756=(SELECT 756 FROM PG_SLEEP(15))--

The wikimediaeventsblockededit Action API query module defines an interface parameter. During execution, the query module fetches the value of the parameter and passes it to BlockUtils::logBlockedEditAttempt( $user, $title, $interface, $platform ). BlockUtils::logBlockedEditAttempt() submits an event with the interface property set to $interface.

The solution would be to either use the parameter validation baked into the Action API or to update BlockUtils::logBlockedEditAttempt() to validate both the $interface and $platform parameters before submitting an event. Either way, the allowed values for interface parameter are limited (see https://gerrit.wikimedia.org/g/schemas/event/secondary/+/192e1a497d16b3da22817177e7676e342a4494a7/jsonschema/analytics/mediawiki/editattemptsblocked/current.yaml#44).

Details

Related Changes in Gerrit:
SubjectRepoBranchLines +/-
wikimediablockededit: Restrict values for interface parametermediawiki/extensions/WikimediaEventsmaster+9 -0
Customize query in gerrit

Related Objects
Search...

Event Timeline

phuedx created this task.Aug 18 2023, 7:46 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptAug 18 2023, 7:46 AM
phuedx mentioned this in T344448: Restrict interface parameter of wikimediaeventsblockededit API query module.Aug 18 2023, 7:48 AM
gerritbot added a comment.Aug 18 2023, 7:50 AM

Change 950134 had a related patch set uploaded (by Phuedx; author: Phuedx):

[mediawiki/extensions/WikimediaEvents@master] wikimediablockededit: Restrict values for interface parameter

https://gerrit.wikimedia.org/r/950134

gerritbot added a project: Patch-For-Review.Aug 18 2023, 7:50 AM
gerritbot added a comment.Aug 18 2023, 2:56 PM

Change 950134 merged by jenkins-bot:

[mediawiki/extensions/WikimediaEvents@master] wikimediablockededit: Restrict values for interface parameter

https://gerrit.wikimedia.org/r/950134

phuedx closed this task as Resolved.Aug 18 2023, 3:02 PM
phuedx claimed this task.
phuedx added a parent task: T310390: Instrument blocked edit attempts.

Being bold.

Maintenance_bot removed a project: Patch-For-Review.Aug 18 2023, 3:10 PM
sbassett merged a task: T344448: Restrict interface parameter of wikimediaeventsblockededit API query module.Aug 21 2023, 5:09 PM
sbassett subscribed.
ReleaseTaggerBot added a project: MW-1.41-notes (1.41.0-wmf.25; 2023-09-05).Aug 29 2023, 8:02 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits