Page MenuHomePhabricator
Create Task
Maniphest T348237

Combining throttling edit filters causes multiple false positives for single IP edits
Open, Needs TriagePublicSecurity
Actions

Description

(This is not a security issue, but it involves private filters. If there's a better way to report these than using the security issue form, please let me know.)

The following AbuseFilter log entry should never have been created: https://en.wikipedia.org/wiki/Special:AbuseLog/36059143

What happened? Let's have a look at the filter log of the IP address: https://en.wikipedia.org/w/index.php?title=Special:AbuseLog&wpSearchUser=88.230.103.208

There are 10 filter hits from only 2 filters for the 2023-10-05T09:53:29 contribution. It was submitted after 10 hours of no editing by the IP and on the page ( https://en.wikipedia.org/wiki/Special:Contributions/88.230.103.208?offset=20231005095330 , https://en.wikipedia.org/w/index.php?title=Foreign_relations_of_Hungary&action=history&offset=20231005095330 )

These are the two involved filters:

To my understanding, neither of them should have logged even a single hit.

Details

Risk Rating
Low
Author Affiliation
Wikimedia Communities

Related Objects

Event Timeline

ToBeFree created this task.Oct 5 2023, 11:55 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptOct 5 2023, 11:55 AM
ToBeFree added a subscriber: Zzuuzz.Oct 5 2023, 11:56 AM
ToBeFree updated the task description. (Show Details)Oct 5 2023, 12:00 PM
ToBeFree updated the task description. (Show Details)Oct 5 2023, 12:07 PM
ToBeFree added a comment.Oct 5 2023, 3:01 PM

https://en.wikipedia.org/w/index.php?title=Special:AbuseLog&wpSearchUser=88.230.103.208 keeps getting multiple entries per edit (2023-10-05T14:55:08), this time through https://en.wikipedia.org/wiki/Special:AbuseFilter/1199 alone.

sbassett added a project: AbuseFilter.Oct 5 2023, 5:38 PM
sbassett added a subscriber: Daimona.
ToBeFree added a subscriber: Samwalton9.Oct 6 2023, 12:44 AM
ToBeFree added a subscriber: suffusion_of_yellow.Oct 6 2023, 12:48 AM
suffusion_of_yellow added a comment.EditedOct 6 2023, 8:48 PM

I set up public filter https://en.wikipedia.org/wiki/Special:AbuseFilter/1269 to test this. It currently trips on any three edits, by the same user, to the same page, within one second. It already has almost 100 hits in less than a day. I have no idea what the other users are doing, but I was able to trip it by attempting repeated identical edits:

for(let i = 0; i < 5; i++) (new mw.Api()).postWithToken("csrf", {assert: "user", action : "edit", title: "User:Suffusion of Yellow/sandbox", text: "y"})

Note that there's only one actual edit being committed here; there others are all null edits which should not be tripping the filter.

Of course, this is a contrived example; the real cause may be unrelated.

suffusion_of_yellow added a comment.Oct 6 2023, 8:49 PM

It looks like almost nothing has been said about private filters so far, beyond a few throttle settings. I think this task can be made public.

sbassett edited projects, added SecTeam-Processed; removed Security-Team.Oct 6 2023, 9:22 PM
sbassett removed a project: Security.
sbassett changed Author Affiliation from N/A to Wikimedia Communities.
sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".
sbassett changed the edit policy from "Custom Policy" to "All Users".
sbassett changed Risk Rating from N/A to Low.
matej_suchanek subscribed.Oct 9 2023, 8:38 AM

others are all null edits which should not be tripping the filter.

This sounds a bit like T198651: Abuse filter log is showing wrong information. AbuseFilter does sometimes detect null edits when they reach its methods.

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL