Log when AbuseFilter user sees IP address associated with temp account via user_unnamed_ip variable trigger
Closed, ResolvedPublic2 Estimated Story Points
Actions

Description

Context

See the parent task for context about the user_unnamed_ip variable and the need to restrict access to it: T363906.

Scope

This does not concern logging access to the IPs visible to users via the abusefilter-privatedetails right (which already exists and is independent to the new work we are doing on temporary accounts).

This concerns access to IP addresses by users with the abusefilter-access-protected-vars. This right will be given to a subset of users who are able to reveal IP addresses, in accordance with the IP address access policy, introduced for temporary accounts.

The log

What do we need to log?

As described in more detail in T364902: How should access to IPs of temporary accounts be logged?, we are supposed to log whenever a user with the right to reveal IP addresses for temporary accounts actually chooses to reveal one.

The ability to reveal an IP is already implemented via the CheckUser extension. Here's a screenshot of what is logged:

The log is debounced by 24 hours.

We need something similar in AbuseFilter, whenever a user sees the precise IP address for a temporary user who triggered a filter.

How should we log?

The screenshot above shows an on-wiki log, which is the current implementation in CheckUser (at the time of writing). We hope to log via the event platform instead.

This conversation with Legal is ongoing, and tracked via T364902. That task is a dependency of this one.

When should we log?

We would need to do something like one of the following:

Log whenever a user with the right to see an IP address loads a page that contains that IP address
- Special:AbuseFilter/examine/log/
- Are there any other pages?
Don't show the IP address by default on these pages; instead show a "reveal IP" button, and make the log when the user clicks on it

Details

Related Changes in Gerrit:

	Subject	Repo	Branch	Lines +/-
	Log specific views of protected variables	mediawiki/extensions/AbuseFilter	master	+442 -59

Customize query in gerrit

Related Objects
Search...

Status	Assigned	Task
		Restricted Task
Resolved	kostajh	T294511 2021 Security Team wikireplicas audit
Declined	None	T284948 Raw IPs of logged-out users disclosed in wiki-replicas
Resolved	Niharika	T324492 Temporary accounts - MVP
Open	None	T326816 [Epic] Update features for temporary accounts
Resolved	Tchanders	T326869 Update TSP-owned products that may be affected by IP Masking
Resolved	• lbowmaker	T262321 IP Masking
Resolved	tstarling	T300263 [IP Masking] Create temporary account on first edit
Open	None	T307060 [Epic] Temporary account AbuseFilter support
Resolved	STran	T357772 Investigate: How will `ip_in_range` and `ip_in_ranges` function when temporary accounts are enabled
Resolved	STran	T363906 [Epic] Ensure filters that use PII-sensitive variables are protected
Resolved	STran	T365743 Log when AbuseFilter user sees IP address associated with temp account via user_unnamed_ip variable trigger
Resolved	Tchanders	T364902 How should access to IPs of temporary accounts be logged?

Event Timeline

Tchanders created this task.May 23 2024, 5:23 PM

Restricted Application removed a project: Patch-For-Review. · View Herald TranscriptMay 23 2024, 5:23 PM

Tchanders added a subtask: T364902: How should access to IPs of temporary accounts be logged?.May 23 2024, 5:23 PM

kostajh moved this task from Sprint Shekere (13th May - 24th May) to Sprint Melodica (Jun 3 - Jun 14) on the Trust and Safety Product Sprint board.Jun 3 2024, 10:13 AM

kostajh edited projects, added Trust and Safety Product Sprint (Sprint Melodica (Jun 3 - Jun 14)); removed Trust and Safety Product Sprint (Sprint Shekere (13th May - 24th May)).

kostajh renamed this task from Ensure that access to an IP address via the user_unnamed_ip variable is logged to Log when AbuseFilter user sees IP address associated with temp account via user_unnamed_ip variable trigger.Jun 11 2024, 11:11 AM

kostajh updated the task description. (Show Details)

kostajh mentioned this in T365049: Investigate what to do about the AbuseFilter log revealing someone's IP address via historical logs.Jun 11 2024, 11:48 AM

kostajh moved this task from Sprint Melodica (Jun 3 - Jun 14) to Sprint Koto (July 15 - July 26) on the Trust and Safety Product Sprint board.Jun 25 2024, 10:53 AM

kostajh edited projects, added Trust and Safety Product Sprint (Sprint Koto (July 15 - July 26)); removed Trust and Safety Product Sprint (Sprint Melodica (Jun 3 - Jun 14)).

Dreamy_Jazz attached a referenced file: F42399181: image.png. (Show Details)Jun 25 2024, 1:39 PM

Tchanders closed subtask T364902: How should access to IPs of temporary accounts be logged? as Resolved.Jul 3 2024, 5:16 PM

Tchanders mentioned this in T364902: How should access to IPs of temporary accounts be logged?.

Tchanders added a project: Temporary accounts (Blockers to testwiki deployment).

Tchanders edited projects, added Temporary accounts (Blockers to minor pilot wiki deployment); removed Temporary accounts (Blockers to testwiki deployment).Jul 9 2024, 10:24 AM

Stalled on legal conversations. FAO @Madalina

We need something similar in AbuseFilter, whenever a user sees the precise IP address for a temporary user who triggered a filter.

I think this is the question for legal-- do we actually need something similar to temp account IP reveal logging in AbuseFilter, or is it OK to not log anything in this scenario?

STran claimed this task.Jul 22 2024, 10:40 AM

Tchanders changed the task status from Stalled to Open.Aug 5 2024, 10:23 AM

Tchanders edited projects, added Trust and Safety Product Sprint (Sprint Erhu (August 5th - August 16th)); removed Trust and Safety Product Sprint (Sprint Koto (July 15 - July 26)).

Tchanders moved this task from Priority Backlog to Ready on the Trust and Safety Product Sprint (Sprint Erhu (August 5th - August 16th)) board.

STran mentioned this in T371798: Add preference to enable viewing `user_unnamed_ip` IPs.Aug 5 2024, 11:46 AM

STran moved this task from Ready to In Progress on the Trust and Safety Product Sprint (Sprint Erhu (August 5th - August 16th)) board.Aug 6 2024, 9:45 AM

kostajh edited projects, added Trust and Safety Product Sprint (Sprint Theremin (Aug 26 - Sept. 6)); removed Trust and Safety Product Sprint (Sprint Erhu (August 5th - August 16th)).Aug 26 2024, 9:18 AM

• JayCano set the point value for this task to 2.Aug 26 2024, 10:21 AM

STran mentioned this in T373524: Support temporary account-related logs from other extensions in CheckUser.Aug 28 2024, 1:55 PM

STran mentioned this in T373525: Write temporary account logs from AbuseFilter to CheckUser when CheckUser is enabled.

STran moved this task from Priority Backlog to Needs review on the Trust and Safety Product Sprint (Sprint Theremin (Aug 26 - Sept. 6)) board.Aug 29 2024, 1:58 PM

kostajh moved this task from Backlog to In progress on the Temporary accounts (Blockers to minor pilot wiki deployment) board.Sep 16 2024, 8:42 AM

STran moved this task from Needs review to In Progress on the Trust and Safety Product Sprint (Sprint Theremin (Aug 26 - Sept. 6)) board.Sep 16 2024, 9:59 AM

kostajh edited projects, added Trust and Safety Product Sprint (Sprint Beatboxing (Sept 16-27)); removed Trust and Safety Product Sprint (Sprint Theremin (Aug 26 - Sept. 6)).Sep 16 2024, 10:15 AM

STran moved this task from Priority Backlog to In Progress on the Trust and Safety Product Sprint (Sprint Beatboxing (Sept 16-27)) board.Sep 16 2024, 10:16 AM

STran moved this task from In Progress to Needs review on the Trust and Safety Product Sprint (Sprint Beatboxing (Sept 16-27)) board.Sep 23 2024, 9:04 AM

Change #1074725 had a related patch set uploaded (by Dreamy Jazz; author: STran):

[mediawiki/extensions/CheckUser@master] Add support for AbuseFilter's protected var view log

https://gerrit.wikimedia.org/r/1074725

gerritbot added a project: Patch-For-Review.Sep 23 2024, 11:20 AM

Change #1072555 had a related patch set uploaded (by STran; author: STran):

[mediawiki/extensions/AbuseFilter@master] Log specific views of protected variables

https://gerrit.wikimedia.org/r/1072555

Change #1072555 merged by jenkins-bot:

[mediawiki/extensions/AbuseFilter@master] Log specific views of protected variables

https://gerrit.wikimedia.org/r/1072555

ReleaseTaggerBot added a project: MW-1.43-notes (1.43.0-wmf.26; 2024-10-08).Oct 3 2024, 3:00 PM

kostajh moved this task from Needs review to Needs QA on the Trust and Safety Product Sprint (Sprint Beatboxing (Sept 16-27)) board.Oct 4 2024, 8:05 AM

Dreamy_Jazz moved this task from Sprint Beatboxing (Sept 16-27) to Sprint Cello (Oct 7 - 18) on the Trust and Safety Product Sprint board.Oct 8 2024, 10:14 AM

Dreamy_Jazz edited projects, added Trust and Safety Product Sprint (Sprint Cello (Oct 7 - 18)); removed Trust and Safety Product Sprint (Sprint Beatboxing (Sept 16-27)).

Dreamy_Jazz moved this task from Priority Backlog to Needs QA on the Trust and Safety Product Sprint (Sprint Cello (Oct 7 - 18)) board.

Dreamy_Jazz removed a project: Patch-For-Review.

Titore subscribed.Oct 9 2024, 12:03 AM

Querying the API[1] can trigger a lot of logs being inserted. I did this and checked that every temporary user whose AbuseFilter log was included in the API response also had a log generated in the logging table.

While testing T371798#10228836, when I was using PHPUnit to simulate accessing various combinations of filter and logs via Special:AbuseLog/<log id> I also checked that a row was inserted into the logging table each access.

I notice that a new INSERT is created for each temp user returned by the API. I wonder if they could be batched together in some way. I also get the constraint violation each time, but I think we already know about that:

[rdbms] Expectation (writes <= 0) by MediaWiki\Actions\ActionEntryPoint::execute not met (actual: 1) in trx #a24b0ad46e:
INSERT INTO `logging` (log_type,log_action,log_timestamp,log_actor,log_namespace,log_title,log_page,log_params,log_comment_id) VALUES '?'
...

We might need to do more testing after this has been fixed.

I briefly tested a wiki without temporary accounts, accessing AbuseFilter logs for IP actions (including Special:AbuseFilter/examine/log/).

If protected variables are included in the log of a filter which is not protected, viewing them is also logged.

Notes:

api.php?action=query&format=json&list=abuselog&formatversion=2&aflprop=ids|user|title|action|result|timestamp|hidden|revid|filter|details&wrappedhtml=1&afllimit=5000

kostajh closed this task as Resolved.Oct 28 2024, 11:15 AM

Log when AbuseFilter user sees IP address associated with temp account via user_unnamed_ip variable triggerClosed, ResolvedPublic2 Estimated Story PointsActions