Move the time limit check before the permissions check
Closed, ResolvedPublicSecurity
Actions

Assigned To

Authored By

	dom_walden
	Aug 29 2023, 2:07 PM

Description

What is the problem?

As pointed out by @Dreamy_Jazz in T342790#9073530:

To combat the time that a user has to investigate whether a deleted revision was made by them, the check that ensures the API call was made within the last 30 minutes (T342134) could be placed before the check if the performer of the action is deleted.

Otherwise, if you didn't have permission to see the editor of a revision, you could infer whether or not it was created by you (or someone using the same IP as you) depending on what error you got back from the server. If the editor was not you (or your IP) you would fail the permission check and be told you were not the creator of the revision. If the editor was you, you would pass the permission check but fail the timeout check.

Steps to reproduce problem

Install CheckUser (client hints will be enabled by default)
In your LocalSettings.php, add $wgCheckUserClientHintsRestApiMaxTimeLag = 5;
Make two edits to a page with Firefox, one logged out and one logged in
Record the revision IDs of the two edits
Login as an admin, go to the history of the page you just edited
Check the checkboxes next to the two edits and click "Change visibility of selected revisions"
Next to "Editor's username/IP address" check the "Hidden" radio button and submit
Run these two commands, replacing <rev id logged out> and <rev id logged in> with the IDs you found in step 4

curl 'http://localhost:8080/w/rest.php/checkuser/v0/useragent-clienthints/revision/<rev id logged out>' -H 'Content-Type: application/json' --data-raw '{"architecture":"","bitness":"64","brands":[{"version":"24","brand":"Not)A;Brand"},{"brand":"Chromium","version":"116"}],"fullVersionList":[{"version":"24.0.0.0","brand":"Not)A;Brand"},{"brand":"Chromium","version":"116.0.5845.96"}],"mobile":false,"model":"","platform":"Linux","platformVersion":"5.10.0"}'

curl 'http://localhost:8080/w/rest.php/checkuser/v0/useragent-clienthints/revision/<rev id logged in>' -H 'Content-Type: application/json' --data-raw '{"architecture":"","bitness":"64","brands":[{"version":"24","brand":"Not)A;Brand"},{"brand":"Chromium","version":"116"}],"fullVersionList":[{"version":"24.0.0.0","brand":"Not)A;Brand"},{"brand":"Chromium","version":"116.0.5845.96"}],"mobile":false,"model":"","platform":"Linux","platformVersion":"5.10.0"}'

Expected behavior: Both should return The revision <rev id> is too old to allow recording client hints data
Observed behavior:

The <rev id logged out> command returns The revision <rev id> is too old to allow recording client hints data
The <rev id logged in> command returns User 0 is not the author of revision <rev id>

Environment

Wiki(s): CheckUser 2.5 (999417f) 13:47, 28 August 2023.

QA Results - Local

AC	Status	Details
1	✅	https://phabricator.wikimedia.org/T345165

Details

Risk Rating: Low
Author Affiliation: WMF Product

	Subject	Repo	Branch	Lines +/-
	clienthints: Perform timestamp check before user check in REST API	mediawiki/extensions/CheckUser	master	+124 -62

Customize query in gerrit

Related Objects

Mentioned In: T342790: Allow storage of client hints for deleted revisions and revisions with revision deleted performer
Mentioned Here: rECHU9c960544b0c2: Merge "clienthints: Perform timestamp check before user check in REST API"
rMW30b06ec9c86f: Merge "General whitespace clean-up of tabs followed by multiple spaces"
T342134: Limit the ability for other users after the fact storing client hints data using the REST API
T342790: Allow storage of client hints for deleted revisions and revisions with revision deleted performer
rECHU999417f94b81: Merge "Replace use of mw.config.get( 'wgVisualEditorConfig' ).fullRestbaseUrl"

Event Timeline

dom_walden created this task.Aug 29 2023, 2:07 PM

Restricted Application added a subscriber: Aklapper. · View Herald TranscriptAug 29 2023, 2:07 PM

dom_walden added projects: Anti-Harassment, CheckUser, http-client-hints, Vuln-Infoleak.Aug 29 2023, 2:10 PM

dom_walden updated the task description. (Show Details)

dom_walden added subscribers: GMikesell-WMF, Dreamy_Jazz, Tchanders and 5 others.

dom_walden mentioned this in T342790: Allow storage of client hints for deleted revisions and revisions with revision deleted performer.Aug 29 2023, 2:14 PM

@dom_walden can I confirm that the second bullet point was made while logged in? Just that the code should provide the ID of the user making the request, which for a logged in user should not be 0.

In T345165#9127170, @Dreamy_Jazz wrote:

@dom_walden can I confirm that the second bullet point was made while logged in? Just that the code should provide the ID of the user making the request, which for a logged in user should not be 0.

It would have been while logged out. I send the curl requests without any cookies so I guess it just uses the IP address to identify the user. I suppose my reproduction steps could make that more explicit. The edit in step 3 needs to be done from the same IP address that you are running curl from (which I assume will be for most people?)

In T345165#9127176, @dom_walden wrote:

In T345165#9127170, @Dreamy_Jazz wrote:

@dom_walden can I confirm that the second bullet point was made while logged in? Just that the code should provide the ID of the user making the request, which for a logged in user should not be 0.

It would have been while logged out. I send the curl requests without any cookies so I guess it just uses the IP address to identify the user. I suppose my reproduction steps could make that more explicit. The edit in step 3 needs to be done from the same IP address that you are running curl from (which I assume will be for most people?)

Thanks for the clarification. I think I just read the instructions and then assumed the information without thinking.

I don't think this needs a security deploy because this only leaks info if:

You are editing while logged out
You use exactly the same IP address as the editor that had the edit suppressed

This means (except from the user who made the edit seeing they made the edit) this is only really possible to occur when the IP being used is some kind of proxy. This means this won't be the users' actual IP.

Furthermore, this issue is already publicly stated and has been for a while.

This still probably needs to be fixed, but this can probably be done without the need for a security patch.

@sbassett What you think about making this task public and fixing the issue normally based on my comments in T345165#9127248?

In T345165#9130819, @Dreamy_Jazz wrote:

@sbassett What you think about making this task public and fixing the issue normally based on my comments in T345165#9127248?

Yes, I think this seems like a pretty minor Vuln-Infoleak IMO.

This means (except from the user who made the edit seeing they made the edit) this is only really possible to occur when the IP being used is some kind of proxy. This means this won't be the users' actual IP.

Or a shared device, in which case, I can't think of an example where a user wouldn't already confidently know or very strongly suspect who the other users were. And I don't really know what direct advantage could be gained from someone knowing that another person, somewhere in the world, using the same proxy service that they use, made an edit. Still, this would be a good thing to clean up at some point.

sbassett edited projects, added SecTeam-Processed; removed Security-Team.Aug 30 2023, 2:29 PM

sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".

sbassett changed the edit policy from "Custom Policy" to "All Users".

sbassett changed Risk Rating from N/A to Low.

Dreamy_Jazz edited projects, added Anti-Harassment (AHaT Sprint 32 - Baseball Cap); removed Anti-Harassment.Sep 5 2023, 11:04 AM

Dreamy_Jazz moved this task from Ready 🎬 (ONLY IF YOU HAVE NO MORE CODE TO REVIEW) to In Progress 💪 on the Anti-Harassment (AHaT Sprint 32 - Baseball Cap) board.

Change 954901 had a related patch set uploaded (by Dreamy Jazz; author: Dreamy Jazz):

[mediawiki/extensions/CheckUser@master] clienthints: Perform timestamp check before user check in REST API

https://gerrit.wikimedia.org/r/954901

gerritbot added a project: Patch-For-Review.Sep 5 2023, 11:34 AM

Dreamy_Jazz claimed this task.Sep 5 2023, 11:37 AM

Dreamy_Jazz moved this task from In Progress 💪 to Code Review 🔍 on the Anti-Harassment (AHaT Sprint 32 - Baseball Cap) board.

kostajh moved this task from Code Review 🔍 to QA/Testing 🐞 on the Anti-Harassment (AHaT Sprint 32 - Baseball Cap) board.Sep 6 2023, 10:06 AM

Change 954901 merged by jenkins-bot:

[mediawiki/extensions/CheckUser@master] clienthints: Perform timestamp check before user check in REST API

https://gerrit.wikimedia.org/r/954901

Maintenance_bot removed a project: Patch-For-Review.Sep 6 2023, 10:29 AM

ReleaseTaggerBot added a project: MW-1.41-notes (1.41.0-wmf.26; 2023-09-12).Sep 6 2023, 11:00 AM

@Dreamy_Jazz The revision <rev id> did come back as too old to allow recording client hints data when the time expired. We also talked about the statement within the time for the 2nd part as expected. I will move this to Done. Thanks for all your work!

Status: ✅ PASS
Environment: Local: 1.41.0-alpha (30b06ec)14:14, 6 September 2023. CheckUser: 2.5 (9c96054) 10:22, 6 September 2023
OS: macOS Ventura
Browser: Chrome 116
Device: MBP
Emulated Device:: N/A
Test Link
http://localhost:8080/w/index.php?title=Dog&action=history