Page MenuHomePhabricator
Create Task
Maniphest T364834

Ensure testing tools that use `user_unnamed_ip` don't reveal it to users without the view right
Closed, ResolvedPublic
Actions

Description

The following AbuseFilter pages can be used to test out/examine filters against existing revisions. Ensure these pages don't accidentally reveal user_ip (eg. if /test uses user_ip in a filter, ensure it fails if the user shouldn't be able to use that variable.

  • /test
  • /tools
  • /examine

Details

Related Changes in Gerrit:
SubjectRepoBranchLines +/-
Disallow protected variable access on AbuseFilterViewTestBatchmediawiki/extensions/AbuseFiltermaster+86 -34
Customize query in gerrit

Related Objects
Search...

Event Timeline

STran created this task.May 14 2024, 10:17 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMay 14 2024, 10:17 AM
STran added a parent task: T357772: Investigate: How will `ip_in_range` and `ip_in_ranges` function when temporary accounts are enabled.May 14 2024, 10:17 AM
STran claimed this task.May 30 2024, 2:31 PM
Tchanders added a project: Trust and Safety Product Sprint (Sprint Melodica (Jun 3 - Jun 14)).Jun 5 2024, 1:03 PM
Tchanders moved this task from Priority Backlog to In Progress on the Trust and Safety Product Sprint (Sprint Melodica (Jun 3 - Jun 14)) board.
STran added a comment.Jun 5 2024, 1:34 PM

I ran the following tests using accounts with no permissions (logged out), view private only, and view private + protected:

on /test (no change needed):

  • the page is not available to anyone who doesn't have access to private filters
  • with access to private filters but not protected variables, the specific log is also not accessible if the filter is protected

on /examine (no change needed):

  • user_unnamed_ip isn't loaded when comparing against recent changes
  • tested this against an edit that was warned/blocked/logged only from a temporary account, examined the RC (had to use action = 'edit' to even see an RC) to confirm that even if the original RC had been triggered via IP match it didn't show up here

on /tools (no change needed):

  • this page seems to only check filter syntax, no comparisons to revisions are available

on filter pages (no change needed):

  • the page is gated behind the protected variable view right
  • the filter can be tested, which leads to the /test page, which as noted doesn't need changes

As part of due diligence, I also grepped for other pages in case they were also possible leaks. Most of these were covered by the patch that implemented the protected variable concept but I'll note them here just so it's somewhere:

$ find . | grep AbuseFilterView

./includes/View/AbuseFilterView.php // Base class
./includes/View/AbuseFilterViewTestBatch.php // /test page, see above
./includes/View/AbuseFilterViewList.php // Main page, shows protected filters, hides hits as expected
./includes/View/AbuseFilterViewHistory.php // List of filter changes, hides protected filters as expected
./includes/View/AbuseFilterViewTools.php // /tools, see above
./includes/View/AbuseFilterViewDiff.php // Diff in filter changes, hidden from unprivileged user
./includes/View/AbuseFilterViewExamine.php // /examine, see above
./includes/View/AbuseFilterViewEdit.php // Filter edit page, hidden as expected
./includes/View/AbuseFilterViewImport.php // Import filter page, no revisions
./includes/View/AbuseFilterViewRevert.php // Filter action revert, that the filter has been tripped can be seen (assuming you have revert rights) even if it uses protected vars but this matches the existing private/hidden behavior
STran moved this task from In Progress to Needs QA on the Trust and Safety Product Sprint (Sprint Melodica (Jun 3 - Jun 14)) board.Jun 5 2024, 1:34 PM
dom_walden subscribed.Jun 7 2024, 12:56 PM

@STran I find that if I go to Special:AbuseFilter/test/<id> I can see the rules for the filter even if I do not have permissions to see them going to Special:AbuseFilter/<id>.

STran moved this task from Needs QA to In Progress on the Trust and Safety Product Sprint (Sprint Melodica (Jun 3 - Jun 14)) board.Jun 11 2024, 10:17 AM
gerritbot added a comment.Jun 12 2024, 12:56 PM

Change #1042228 had a related patch set uploaded (by STran; author: STran):

[mediawiki/extensions/AbuseFilter@master] Add protected variable view permission rights

https://gerrit.wikimedia.org/r/1042228

gerritbot added a project: Patch-For-Review.Jun 12 2024, 12:56 PM
STran moved this task from In Progress to Needs Review on the Trust and Safety Product Sprint (Sprint Melodica (Jun 3 - Jun 14)) board.Jun 12 2024, 12:56 PM
STran moved this task from Needs Review to In Progress on the Trust and Safety Product Sprint (Sprint Melodica (Jun 3 - Jun 14)) board.Jun 13 2024, 9:39 AM
Tchanders renamed this task from Ensure testing tools that use `user_ip` don't reveal it to users without the view right to Ensure testing tools that use `user_unnamed_ip` don't reveal it to users without the view right.Jun 13 2024, 9:58 AM
Tchanders edited projects, added Trust and Safety Product Sprint (Sprint Cajon (Jun 24 - July 5)); removed Trust and Safety Product Sprint (Sprint Melodica (Jun 3 - Jun 14)).Jun 25 2024, 10:43 AM
Tchanders moved this task from Priority Backlog to In Progress on the Trust and Safety Product Sprint (Sprint Cajon (Jun 24 - July 5)) board.
Tchanders edited parent tasks, added: T363906: [Epic] Ensure filters that use PII-sensitive variables are protected; removed: T357772: Investigate: How will `ip_in_range` and `ip_in_ranges` function when temporary accounts are enabled.Jul 3 2024, 5:07 PM
Tchanders added a project: Temporary accounts (Blockers to testwiki deployment).
gerritbot added a comment.Jul 8 2024, 2:15 PM

Change #1052753 had a related patch set uploaded (by STran; author: STran):

[mediawiki/extensions/AbuseFilter@master] Disallow protected variable access on AbuseFilterViewTestBatch

https://gerrit.wikimedia.org/r/1052753

Tchanders edited projects, added Temporary accounts (Blockers to minor pilot wiki deployment); removed Temporary accounts (Blockers to testwiki deployment).Jul 9 2024, 10:26 AM
STran moved this task from In Progress to Needs Review on the Trust and Safety Product Sprint (Sprint Cajon (Jun 24 - July 5)) board.Jul 9 2024, 10:40 AM
gerritbot added a comment.Jul 10 2024, 6:48 PM

Change #1052753 merged by jenkins-bot:

[mediawiki/extensions/AbuseFilter@master] Disallow protected variable access on AbuseFilterViewTestBatch

https://gerrit.wikimedia.org/r/1052753

ReleaseTaggerBot added a project: MW-1.43-notes (1.43.0-wmf.14; 2024-07-16).Jul 10 2024, 7:00 PM
Tchanders moved this task from Needs Review to Needs QA on the Trust and Safety Product Sprint (Sprint Cajon (Jun 24 - July 5)) board.Jul 13 2024, 5:40 AM
Tchanders edited projects, added Trust and Safety Product Sprint (Sprint Koto (July 15 - July 26)); removed Trust and Safety Product Sprint (Sprint Cajon (Jun 24 - July 5)).Jul 14 2024, 2:07 PM
Tchanders moved this task from Priority Backlog to Needs QA on the Trust and Safety Product Sprint (Sprint Koto (July 15 - July 26)) board.
Tchanders edited projects, added Trust and Safety Product Sprint (Sprint Erhu (August 5th - August 16th)); removed Trust and Safety Product Sprint (Sprint Koto (July 15 - July 26)).Aug 5 2024, 9:36 AM
Tchanders moved this task from Priority Backlog to Needs QA on the Trust and Safety Product Sprint (Sprint Erhu (August 5th - August 16th)) board.
dom_walden moved this task from Needs QA to Done on the Trust and Safety Product Sprint (Sprint Erhu (August 5th - August 16th)) board.Aug 21 2024, 8:25 AM
In T364834#9870893, @dom_walden wrote:

@STran I find that if I go to Special:AbuseFilter/test/<id> I can see the rules for the filter even if I do not have permissions to see them going to Special:AbuseFilter/<id>.

I cannot reproduce this anymore.

kostajh closed this task as Resolved.Aug 21 2024, 8:28 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits