Page MenuHomePhabricator
Create Task
Maniphest T352914

Investigate: Which extensions save IP addresses
Closed, ResolvedPublic
Actions

Description

See also T356430: Investigate: Where does MW core save IP addresses.

This is spun out from T336187: [S] Investigate: Creating temp user on non-EditPage actions, as explained in T336187#9341749:

To guard against accidentally creating an IP actor (because IP actors will now pass permissions checks), do the following:

  • [...]
  • Look for workflows that save the IP address other than through the actor table (e.g. like Flow: T345578#9290889)
Background

If temporary accounts are enabled, the ActorStore throws an error on attempting to create an actor with an IP address. This means that a revision authored by an IP actor won't be able to be saved, and more generally any action that creates an IP actor should not be possible.

We found an exception to this in the Flow extension. Flow saves the comment, along with the IP address (as the author) in a local Flow table. It then attempts to create the IP actor in core but fails - but the damage is already done. The IP address saved in the Flow table will appear in the UI. (More details in T345578#9290889.)

In this task we want to look for other examples of extensions that save IP addresses.

What to investigate
  • Which extensions save IP addresses?
  • Do these cases need fixing, and if so how (or who can tell us how)?

Related Objects
Search...

Event Timeline

Tchanders created this task.Dec 6 2023, 8:51 PM
Tchanders added a comment.Dec 6 2023, 9:07 PM

I performed a search from the string 'ip' in any (WMF deployed) file containing the string 'tables'.

Search: https://codesearch.wmcloud.org/deployed/?q=ip&files=.*tables.*&excludeFiles=

I then read through the results looking for table columns containing 'ip' (ignoring core) and found possible hits in:

  • CheckUser
  • AbuseFilter
  • Echo
  • Flow
  • SecurePoll

...which we should look into.

Tchanders mentioned this in T336187: [S] Investigate: Creating temp user on non-EditPage actions.Dec 6 2023, 9:08 PM
Tchanders removed Tchanders as the assignee of this task.Dec 8 2023, 12:15 PM
Tchanders edited projects, added Trust and Safety Product Sprint; removed Trust and Safety Product Sprint (Sprint Shamisen (20th Nov - 1st Dec. 2023)).
Tchanders mentioned this in T356430: Investigate: Where does MW core save IP addresses.Feb 1 2024, 6:53 PM
Tchanders updated the task description. (Show Details)Feb 1 2024, 8:23 PM
Tchanders updated the task description. (Show Details)
Tchanders added a comment.Feb 1 2024, 8:36 PM
ExtensionDoes it save IP addresses? What for?What should we do?
CheckUserYes. This is the one place where we'll be storing IP addresses, so this is fine.No action needed.
AbuseFilterThis stores IP addresses in abuse_filter_log.afl_ip if $wgAbuseFilterLogIP is true. This happens in WMF production: we currently store IP addresses in the AbuseFilter tables.Needs investigation.
FlowCommenting as a logged out user does not create a temporary account. Instead it saves the IP address in flow_revision.rev_user_ip and displays it in the UI. Does this even if IP actor creation in core errors out. More details: T345578#9290889.Flow needs to be disabled or updated. Growth-Team is working on this in T346108.

To do next

  • Echo
  • SecurePoll
Tchanders mentioned this in T331653: Investigate: Update AbuseFilter for IP Masking.Feb 1 2024, 8:40 PM
Izno subscribed.Feb 1 2024, 11:31 PM
Tchanders added a comment.Jul 15 2024, 4:08 PM
In T352914#9507676, @Tchanders wrote:
ExtensionDoes it save IP addresses? What for?What should we do?
CheckUserYes. This is the one place where we'll be storing IP addresses, so this is fine.No action needed.
AbuseFilterThis stores IP addresses in abuse_filter_log.afl_ip if $wgAbuseFilterLogIP is true. This happens in WMF production: we currently store IP addresses in the AbuseFilter tables.Needs investigation.

AbuseFilter purges IP addresses from logs, similarly to CheckUser. Frequency is controlled by the config AbuseFilterLogIPMaxAge, which is set to 3 months by default (and on production).

This does mean that AbuseFilter is an additional place where we store IPs, but it treats them the same as CheckUser, which is fine.

Tchanders added a comment.Jul 15 2024, 4:16 PM
In T352914#9507676, @Tchanders wrote:

To do next

  • Echo

The column event_agent_ip holds the IP address of an anon user, obtained from their name. It won't be written too once temp accounts are deployed, since isRegistered will return false.

  • SecurePoll

SecurePoll is similar to CheckUser and AbuseFilter: it records IP addresses then purges them after 90 days. Configured here.

kostajh closed this task as Resolved.Sep 8 2024, 8:42 PM
kostajh claimed this task.

Based on @Tchanders' notes here, I am resolving this task.

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits