[ES][SW] Special:NewEntitySchema doesn’t catch AbuseFilter errors
Open, Needs TriagePublicPRODUCTION ERROR
Actions

Assigned To

None

Authored By

	Lucas_Werkmeister_WMDE
	Tue, May 21, 9:55 AM

Description

As mentioned in this security change and T339016#8984703, Special:NewEntitySchema currently produces an uncaught internal error if the EntitySchema creation is blocked by an AbuseFilter:

According to the commit message, other edit scenarios also don’t show any details about the failed AbuseFilter, though at least they don’t crash completely. It would be nice to fix that too, though that might not be part of this task.

Error

mwversion: 1.43.0-wmf.6
reqId: 51fd6757-25d4-4afb-ae2c-5b887f7ec062
Find reqId in Logstash

normalized_message

[{reqId}] {exception_url}   RuntimeException: This action has been automatically identified as harmful, and therefore disallowed.
If you believe your action was constructive, please inform an administrator of what you were trying to do.
A brief descriptio

exception.trace

from /srv/mediawiki/php-1.43.0-wmf.6/extensions/EntitySchema/src/DataAccess/MediaWikiRevisionEntitySchemaInserter.php(124)
#0 /srv/mediawiki/php-1.43.0-wmf.6/extensions/EntitySchema/src/DataAccess/MediaWikiRevisionEntitySchemaInserter.php(100): EntitySchema\DataAccess\MediaWikiRevisionEntitySchemaInserter->saveRevision(MediaWiki\Storage\PageUpdater, EntitySchema\MediaWiki\Content\EntitySchemaContent, MediaWiki\CommentStore\CommentStoreComment)
#1 /srv/mediawiki/php-1.43.0-wmf.6/extensions/EntitySchema/src/MediaWiki/Specials/NewEntitySchema.php(119): EntitySchema\DataAccess\MediaWikiRevisionEntitySchemaInserter->insertSchema(string, string, string, array, string)
#2 [internal function]: EntitySchema\MediaWiki\Specials\NewEntitySchema->submitCallback(array, MediaWiki\HTMLForm\OOUIHTMLForm)
#3 /srv/mediawiki/php-1.43.0-wmf.6/includes/htmlform/HTMLForm.php(792): call_user_func(array, array, MediaWiki\HTMLForm\OOUIHTMLForm)
#4 /srv/mediawiki/php-1.43.0-wmf.6/includes/htmlform/HTMLForm.php(673): MediaWiki\HTMLForm\HTMLForm->trySubmit()
#5 /srv/mediawiki/php-1.43.0-wmf.6/extensions/EntitySchema/src/MediaWiki/Specials/NewEntitySchema.php(84): MediaWiki\HTMLForm\HTMLForm->tryAuthorizedSubmit()
#6 /srv/mediawiki/php-1.43.0-wmf.6/includes/specialpage/SpecialPage.php(719): EntitySchema\MediaWiki\Specials\NewEntitySchema->execute(NULL)
#7 /srv/mediawiki/php-1.43.0-wmf.6/includes/specialpage/SpecialPageFactory.php(1680): MediaWiki\SpecialPage\SpecialPage->run(NULL)
#8 /srv/mediawiki/php-1.43.0-wmf.6/includes/actions/ActionEntryPoint.php(502): MediaWiki\SpecialPage\SpecialPageFactory->executePath(string, MediaWiki\Context\RequestContext)
#9 /srv/mediawiki/php-1.43.0-wmf.6/includes/actions/ActionEntryPoint.php(145): MediaWiki\Actions\ActionEntryPoint->performRequest()
#10 /srv/mediawiki/php-1.43.0-wmf.6/includes/MediaWikiEntryPoint.php(200): MediaWiki\Actions\ActionEntryPoint->execute()
#11 /srv/mediawiki/php-1.43.0-wmf.6/index.php(58): MediaWiki\MediaWikiEntryPoint->run()
#12 /srv/mediawiki/w/index.php(3): require(string)
#13 {main}

Impact

While the edit is correctly blocked, users don’t see any useful information with the error. (Also, if the AbuseFilter is set to “warn”, that probably doesn’t work properly, since the user doesn’t get a chance to retry their edit.) Also, minor logspam (volume depends on how often users try to do the blocked activity).

Notes

Details

Request URL: https://test.wikidata.org/wiki/Special:NewEntitySchema

Related Objects

Mentioned Here: T339016: CVE-2023-45368: EntitySchema edits don't run through AbuseFilter

Event Timeline

Lucas_Werkmeister_WMDE created this task.Tue, May 21, 9:55 AM

Restricted Application added a project: wmde-wikidata-tech. · View Herald TranscriptTue, May 21, 9:55 AM

Restricted Application added a subscriber: Aklapper. · View Herald Transcript

Note: the abuse filter blocking Entityschema creation is currently enabled on Wikidata but disabled on Test Wikidata, so if you want to reproduce the issue on Test Wikidata, enable that AbuseFilter first.

Lucas_Werkmeister_WMDE renamed this task from Special:NewEntitySchema doesn’t catch AbuseFilter errors to [ES][SW] Special:NewEntitySchema doesn’t catch AbuseFilter errors.Thu, May 23, 12:17 PM

Lucas_Werkmeister_WMDE moved this task from Incoming to [DOT] By Project on the wmde-wikidata-tech board.

Lucas_Werkmeister_WMDE added a project: Wikidata Dev Team.

Prio Notes:

Impact Area	Affected
production / end users	yes
monitoring	no
development efforts	no
onboarding efforts	no
additional stakeholders	yes (Wikidata admins who manage the AbuseFilters and/or users who get blocked by the filters)

Lucas_Werkmeister_WMDE moved this task from [DOT] By Project to [DOT] Prioritized on the wmde-wikidata-tech board.Thu, May 23, 12:27 PM

Lucas_Werkmeister_WMDE moved this task from Incoming to [DOT] Tech Backlog on the Wikidata Dev Team board.

brennen moved this task from Untriaged to May 2024 on the Wikimedia-production-error board.Thu, May 23, 3:23 PM

[ES][SW] Special:NewEntitySchema doesn’t catch AbuseFilter errorsOpen, Needs TriagePublicPRODUCTION ERRORActions