Page MenuHomePhabricator
Create Task
Maniphest T366991

CVE-2024-47848: User can review/unreview articles while blocked
Closed, ResolvedPublicSecurity
Actions

Assigned To
Kgraessle
Authored By
Soda
Jun 8 2024, 3:48 PM
Tags
Referenced Files
F57631883: 0001-Prevent-blocked-users-from-being-able-to-review-unre.patch
Oct 21 2024, 11:50 PM
F55895742: 0001-Prevent-blocked-users-from-being-able-to-review-unre.patch
Jun 26 2024, 2:05 PM
F55272462: 0001-Prevent-blocked-users-from-being-able-to-review-unre.patch
Jun 12 2024, 10:58 PM
F55069337: 0001-Prevent-blocked-users-from-being-able-to-review-unre.patch
Jun 8 2024, 4:39 PM
Subscribers
Aklapper
gerritbot
jsn.sherman
Kgraessle
Mstyles
Novem_Linguae
sbassett
View All 9 Subscribers

Description

Steps to replicate the issue (include links if applicable):

  • Have PageTriage installed on a test wiki
  • Have two accounts, one with patroller permission and one with admin permission
  • Logout of both accounts and create a new page
  • Using the account with admin permissions block the one with patroller permission
  • Using the account with patroller permission, navigate to the newly created page and try to mark the page as reviewed

What happens?:

  • The page gets marked as reviewed

What should have happened instead?:

  • The page should not have been marked as reviewed

Notes:

Details

Author Affiliation
Wikimedia Communities
SubjectRepoBranchLines +/-
Prevent blocked users from being able to review/unreview articlesmediawiki/extensions/PageTriagewmf/1.43.0-wmf.28+95 -5
Prevent blocked users from being able to review/unreview articlesmediawiki/extensions/PageTriageREL1_42+96 -5
Prevent blocked users from being able to review/unreview articlesmediawiki/extensions/PageTriagemaster+95 -5
Customize query in gerrit

Related Objects

Event Timeline

Soda created this task.Jun 8 2024, 3:48 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJun 8 2024, 3:48 PM
Soda added a project: PageTriage.Jun 8 2024, 3:48 PM
Soda added a subscriber: Novem_Linguae.
Restricted Application added a project: Moderator-Tools-Team. · View Herald TranscriptJun 8 2024, 3:48 PM
Soda updated the task description. (Show Details)Jun 8 2024, 3:49 PM
Soda updated the task description. (Show Details)
Soda added a comment.Jun 8 2024, 4:39 PM

Potential fix:

0001-Prevent-blocked-users-from-being-able-to-review-unre.patch4 KBDownload

Soda added subscribers: jsn.sherman, Scardenasmolinar.Jun 8 2024, 4:57 PM

Adding @jsn.sherman, @Scardenasmolinar and @Novem_Linguae could you guys take a look and provide a review :)

jsn.sherman triaged this task as High priority.Jun 10 2024, 3:28 PM
jsn.sherman moved this task from Inbox to Code review requests on the Moderator-Tools-Team board.
sbassett moved this task from Incoming to In Progress on the Security-Team board.Jun 10 2024, 4:56 PM
sbassett added projects: SecTeam-Processed, Vuln-MissingAuthz.
jsn.sherman edited projects, added Moderator-Tools-Team (Kanban); removed Moderator-Tools-Team.Jun 12 2024, 12:32 PM
jsn.sherman moved this task from Ready to Eng review on the Moderator-Tools-Team (Kanban) board.
Scardenasmolinar added a subscriber: Kgraessle.Jun 12 2024, 6:01 PM
Kgraessle added a comment.EditedJun 12 2024, 6:19 PM

Hi @Soda
Thanks for your work!

I have one suggestion to move the blocked check before the role check so that it accounts for anyone who is blocked even if they are autoPatrolled or patroller. How it is coded It will never run the is blocked check for those users. Is there a specific reason for this? If that's the case then we should add a test case for people who are blocked even if they are autopatroller and patroller.

if (
        $patrolPermissionStatus->isBlocked() ||
       $autopatrolledPermissionStatus->isBlocked()
) {
       $this->dieBlocked( $patrolPermissionStatus->getBlock() );
        return false;
}

 if ( $isPatroller && $isAutopatrolled ) {
         return true;
 }
Novem_Linguae renamed this task from User can be review/unreview article while blocked to User can review/unreview articles while blocked.Jun 12 2024, 6:23 PM
Novem_Linguae added a comment.Jun 12 2024, 6:26 PM

nit: unnecessary extra space at the end of $pageId = $this->makeDraft( 'Test ' ); (after the word Test) in two places

Kgraessle moved this task from Eng review to Reviewed (waiting for changes) on the Moderator-Tools-Team (Kanban) board.Jun 12 2024, 9:34 PM
Soda added a comment.EditedJun 12 2024, 10:58 PM
In T366991#9886099, @Kgraessle wrote:

Hi @Soda
Thanks for your work!

I have one suggestion to move the blocked check before the role check so that it accounts for anyone who is blocked even if they are autoPatrolled or patroller. How it is coded It will never run the is blocked check for those users. Is there a specific reason for this? If that's the case then we should add a test case for people who are blocked even if they are autopatroller and patroller.

if (
        $patrolPermissionStatus->isBlocked() ||
       $autopatrolledPermissionStatus->isBlocked()
) {
       $this->dieBlocked( $patrolPermissionStatus->getBlock() );
        return false;
}

 if ( $isPatroller && $isAutopatrolled ) {
         return true;
 }

I think we should be fine since $this->getAuthority()->definitelyCan(...) also evaluates blocks and will never allow

if ( $isPatroller && $isAutopatrolled ) {
        return true;
}

to execute and return with true. The added integration test also tests for this case since it uses sysop which has both autopatrolled and patrolled rights on a default instance.

However, that being said, the code doesn't make sense from a semantic/readability POV and I've changed it.

In T366991#9886134, @Novem_Linguae wrote:

nit: unnecessary extra space at the end of $pageId = $this->makeDraft( 'Test ' ); (after the word Test) in two places

Fixed :)

0001-Prevent-blocked-users-from-being-able-to-review-unre.patch4 KBDownload

Kgraessle moved this task from Reviewed (waiting for changes) to Eng review on the Moderator-Tools-Team (Kanban) board.Jun 13 2024, 4:44 PM
Kgraessle added a comment.EditedJun 14 2024, 6:04 PM
In T366991#9886912, @Soda wrote:
In T366991#9886099, @Kgraessle wrote:

Hi @Soda
Thanks for your work!

I have one suggestion to move the blocked check before the role check so that it accounts for anyone who is blocked even if they are autoPatrolled or patroller. How it is coded It will never run the is blocked check for those users. Is there a specific reason for this? If that's the case then we should add a test case for people who are blocked even if they are autopatroller and patroller.

if (
        $patrolPermissionStatus->isBlocked() ||
       $autopatrolledPermissionStatus->isBlocked()
) {
       $this->dieBlocked( $patrolPermissionStatus->getBlock() );
        return false;
}

 if ( $isPatroller && $isAutopatrolled ) {
         return true;
 }

I think we should be fine since $this->getAuthority()->definitelyCan(...) also evaluates blocks and will never allow

if ( $isPatroller && $isAutopatrolled ) {
        return true;
}

to execute and return with true. The added integration test also tests for this case since it uses sysop which has both autopatrolled and patrolled rights on a default instance.

However, that being said, the code doesn't make sense from a semantic/readability POV and I've changed it.

In T366991#9886134, @Novem_Linguae wrote:

nit: unnecessary extra space at the end of $pageId = $this->makeDraft( 'Test ' ); (after the word Test) in two places

Fixed :)

0001-Prevent-blocked-users-from-being-able-to-review-unre.patch4 KBDownload

Hello Soda, thanks for your work, I took another look and it looks great!
I have one minor review comment:
The false is unreachable here after the dieBlocked function is called.

if ( $patrolPermissionStatus->isBlocked() ||$autopatrolledPermissionStatus->isBlocked() ) {
			$this->dieBlocked( $patrolPermissionStatus->getBlock() );
			return false;
}
Kgraessle moved this task from Eng review to Reviewed (waiting for changes) on the Moderator-Tools-Team (Kanban) board.Jun 14 2024, 6:05 PM
sbassett subscribed.Jun 18 2024, 4:45 PM

Happy to help get this deployed to Wikimedia production, if we can come to consensus on the return false; issue above and upload a new patch.

Soda moved this task from Backlog to Priority security on the PageTriage board.Jun 26 2024, 2:02 PM
Soda added a comment.Jun 26 2024, 2:05 PM
In T366991#9894076, @Kgraessle wrote:
In T366991#9886912, @Soda wrote:
In T366991#9886099, @Kgraessle wrote:

Hi @Soda
Thanks for your work!

I have one suggestion to move the blocked check before the role check so that it accounts for anyone who is blocked even if they are autoPatrolled or patroller. How it is coded It will never run the is blocked check for those users. Is there a specific reason for this? If that's the case then we should add a test case for people who are blocked even if they are autopatroller and patroller.

if (
        $patrolPermissionStatus->isBlocked() ||
       $autopatrolledPermissionStatus->isBlocked()
) {
       $this->dieBlocked( $patrolPermissionStatus->getBlock() );
        return false;
}

 if ( $isPatroller && $isAutopatrolled ) {
         return true;
 }

I think we should be fine since $this->getAuthority()->definitelyCan(...) also evaluates blocks and will never allow

if ( $isPatroller && $isAutopatrolled ) {
        return true;
}

to execute and return with true. The added integration test also tests for this case since it uses sysop which has both autopatrolled and patrolled rights on a default instance.

However, that being said, the code doesn't make sense from a semantic/readability POV and I've changed it.

In T366991#9886134, @Novem_Linguae wrote:

nit: unnecessary extra space at the end of $pageId = $this->makeDraft( 'Test ' ); (after the word Test) in two places

Fixed :)

0001-Prevent-blocked-users-from-being-able-to-review-unre.patch4 KBDownload

Hello Soda, thanks for your work, I took another look and it looks great!
I have one minor review comment:
The false is unreachable here after the dieBlocked function is called.

if ( $patrolPermissionStatus->isBlocked() ||$autopatrolledPermissionStatus->isBlocked() ) {
			$this->dieBlocked( $patrolPermissionStatus->getBlock() );
			return false;
}

Sorry for the delay, I got stuck on some other things IRL. I've fixed the return false issue in this latest patch.

0001-Prevent-blocked-users-from-being-able-to-review-unre.patch4 KBDownload

Scardenasmolinar moved this task from Reviewed (waiting for changes) to Eng review on the Moderator-Tools-Team (Kanban) board.Jun 26 2024, 7:04 PM
Kgraessle added a comment.Jun 27 2024, 8:11 PM

Hello Soda, thanks for your work, I tested this locally and it looks to be working great.
You have my +1. (and plus 2 if you need, but want to give others a chance to review as well).

Novem_Linguae added a comment.Jun 27 2024, 8:17 PM

Sounds like you tested it locally, so we can treat it as +2 to keep things moving :)

jsn.sherman moved this task from Eng review to Done on the Moderator-Tools-Team (Kanban) board.Jun 27 2024, 9:50 PM

This looks good to me, too. I also tested and verified that an alert explaining the block now pops up as expected; CR +2!
@sbassett this is good to go.

sbassett moved this task from In Progress to Security Patch To Deploy on the Security-Team board.Jun 27 2024, 10:30 PM
Mstyles subscribed.Jul 1 2024, 9:57 PM
In T366991#9926607, @Soda wrote:
In T366991#9894076, @Kgraessle wrote:
In T366991#9886912, @Soda wrote:
In T366991#9886099, @Kgraessle wrote:

Hi @Soda
Thanks for your work!

I have one suggestion to move the blocked check before the role check so that it accounts for anyone who is blocked even if they are autoPatrolled or patroller. How it is coded It will never run the is blocked check for those users. Is there a specific reason for this? If that's the case then we should add a test case for people who are blocked even if they are autopatroller and patroller.

if (
        $patrolPermissionStatus->isBlocked() ||
       $autopatrolledPermissionStatus->isBlocked()
) {
       $this->dieBlocked( $patrolPermissionStatus->getBlock() );
        return false;
}

 if ( $isPatroller && $isAutopatrolled ) {
         return true;
 }

I think we should be fine since $this->getAuthority()->definitelyCan(...) also evaluates blocks and will never allow

if ( $isPatroller && $isAutopatrolled ) {
        return true;
}

to execute and return with true. The added integration test also tests for this case since it uses sysop which has both autopatrolled and patrolled rights on a default instance.

However, that being said, the code doesn't make sense from a semantic/readability POV and I've changed it.

In T366991#9886134, @Novem_Linguae wrote:

nit: unnecessary extra space at the end of $pageId = $this->makeDraft( 'Test ' ); (after the word Test) in two places

Fixed :)

0001-Prevent-blocked-users-from-being-able-to-review-unre.patch4 KBDownload

Hello Soda, thanks for your work, I took another look and it looks great!
I have one minor review comment:
The false is unreachable here after the dieBlocked function is called.

if ( $patrolPermissionStatus->isBlocked() ||$autopatrolledPermissionStatus->isBlocked() ) {
			$this->dieBlocked( $patrolPermissionStatus->getBlock() );
			return false;
}

Sorry for the delay, I got stuck on some other things IRL. I've fixed the return false issue in this latest patch.

0001-Prevent-blocked-users-from-being-able-to-review-unre.patch4 KBDownload

deployed

Kgraessle closed this task as Resolved.Jul 8 2024, 3:19 PM
Kgraessle claimed this task.
sbassett moved this task from Security Patch To Deploy to Watching on the Security-Team board.Jul 8 2024, 9:04 PM
sbassett mentioned this in T368628: Write and send supplementary release announcement for extensions and skins with security patches (1.39.9/1.41.3/1.42.2).Jul 8 2024, 9:16 PM
Mstyles added a subscriber: gerritbot.Sep 30 2024, 9:06 PM
Mstyles added a comment.Sep 30 2024, 9:11 PM

I uploaded this patch to gerrit for the supplemental release announcement and it looks like there are some test failures. @Soda please take a look when you get a chance: https://gerrit.wikimedia.org/r/c/mediawiki/extensions/PageTriage/+/1076839.

sbassett added a comment.EditedOct 1 2024, 4:17 PM
In T366991#10189732, @Mstyles wrote:

I uploaded this patch to gerrit for the supplemental release announcement and it looks like there are some test failures. @Soda please take a look when you get a chance: https://gerrit.wikimedia.org/r/c/mediawiki/extensions/PageTriage/+/1076839.

Just FYI, I added a phan suppress comment in PS2 on that change set and it tests fine now. I don't really know what phan's problem is with this. The code tells me that getBlock returns a block and that dieBlocked takes one. I don't understand where phan is finding the type ?\MediaWiki\Block\Block|?\MediaWiki\DAO\WikiAwareEntity...

gerritbot added a comment.Oct 1 2024, 6:00 PM

Change #1077081 had a related patch set uploaded (by Mstyles; author: Sohom Datta):

[mediawiki/extensions/PageTriage@REL1_42] Prevent blocked users from being able to review/unreview articles

https://gerrit.wikimedia.org/r/1077081

gerritbot added a project: Patch-For-Review.Oct 1 2024, 6:01 PM
Mstyles added a comment.Oct 1 2024, 6:01 PM

@sbassett thank you!

Mstyles renamed this task from User can review/unreview articles while blocked to CVE-2024-47848: User can review/unreview articles while blocked.Oct 4 2024, 11:54 PM
Mstyles changed the visibility from "Custom Policy" to "Public (No Login Required)".
Mstyles changed the edit policy from "Custom Policy" to "All Users".
Mstyles moved this task from Watching to Our Part Is Done on the Security-Team board.
dduvall subscribed.Oct 21 2024, 10:27 PM

Hey folks. It appears this patch no longer applies cleanly due to a conflict with https://gerrit.wikimedia.org/r/c/mediawiki/extensions/PageTriage/+/1081612 which merged a few hours ago. We'll need an updated patch from you all.

dduvall added a comment.Oct 21 2024, 11:50 PM

I went ahead and resolved the conflicts so our presync job doesn't fail tonight.

Updated patch:

0001-Prevent-blocked-users-from-being-able-to-review-unre.patch4 KBDownload

sbassett added a comment.Oct 22 2024, 2:08 PM
In T366991#10248602, @dduvall wrote:

Hey folks. It appears this patch no longer applies cleanly due to a conflict with https://gerrit.wikimedia.org/r/c/mediawiki/extensions/PageTriage/+/1081612 which merged a few hours ago. We'll need an updated patch from you all.

Oh yikes, not sure what happened here. This should have been released with the most recent supplemental security release (T368628) but it looks like the backport to master was never merged? That's not good. We should get the new patch up to gerrit asap as this should no longer be an embargoed security patch.

In T366991#10248777, @dduvall wrote:

Updated patch:

0001-Prevent-blocked-users-from-being-able-to-review-unre.patch4 KBDownload

This doesn't seem to apply to current master for me in ext:PageTriage:

extensions/PageTriage [master] (⩾﹏⩽)> git apply --check ~/Downloads/01-T366991-rev2.patch 
error: patch failed: includes/Api/ApiPageTriageAction.php:14
error: includes/Api/ApiPageTriageAction.php: patch does not apply
error: patch failed: tests/phpunit/integration/ApiPageTriageActionTest.php:3
error: tests/phpunit/integration/ApiPageTriageActionTest.php: patch does not apply

Looks like there were a few use-related conflicts? I've fixed those and sent a new PS up to https://gerrit.wikimedia.org/r/1076839.

gerritbot added a comment.Oct 22 2024, 3:23 PM

Change #1076839 merged by jenkins-bot:

[mediawiki/extensions/PageTriage@master] Prevent blocked users from being able to review/unreview articles

https://gerrit.wikimedia.org/r/1076839

ReleaseTaggerBot added a project: MW-1.44-notes (1.44.0-wmf.1; 2024-10-29).Oct 22 2024, 4:00 PM
gerritbot added a comment.Oct 22 2024, 4:20 PM

Change #1082243 had a related patch set uploaded (by SBassett; author: Sohom Datta):

[mediawiki/extensions/PageTriage@wmf/1.43.0-wmf.28] Prevent blocked users from being able to review/unreview articles

https://gerrit.wikimedia.org/r/1082243

gerritbot added a comment.Oct 22 2024, 4:32 PM

Change #1077081 merged by jenkins-bot:

[mediawiki/extensions/PageTriage@REL1_42] Prevent blocked users from being able to review/unreview articles

https://gerrit.wikimedia.org/r/1077081

gerritbot added a comment.Oct 22 2024, 6:01 PM

Change #1082243 merged by jenkins-bot:

[mediawiki/extensions/PageTriage@wmf/1.43.0-wmf.28] Prevent blocked users from being able to review/unreview articles

https://gerrit.wikimedia.org/r/1082243

Stashbot added a comment.Oct 22 2024, 6:01 PM

Mentioned in SAL (#wikimedia-operations) [2024-10-22T18:01:32Z] <dancy@deploy2002> Started scap sync-world: Backport for [[gerrit:1082243|Prevent blocked users from being able to review/unreview articles (T366991)]]

Stashbot added a comment.Oct 22 2024, 6:04 PM

Mentioned in SAL (#wikimedia-operations) [2024-10-22T18:04:04Z] <dancy@deploy2002> dancy, sbassett: Backport for [[gerrit:1082243|Prevent blocked users from being able to review/unreview articles (T366991)]] synced to the testservers (https://wikitech.wikimedia.org/wiki/Mwdebug)

dduvall unsubscribed.Oct 22 2024, 6:04 PM
Stashbot added a comment.Oct 22 2024, 6:08 PM

Mentioned in SAL (#wikimedia-operations) [2024-10-22T18:08:59Z] <dancy@deploy2002> Finished scap sync-world: Backport for [[gerrit:1082243|Prevent blocked users from being able to review/unreview articles (T366991)]] (duration: 07m 26s)

ReleaseTaggerBot added a project: MW-1.43-notes (1.43.0-wmf.28; 2024-10-22).Oct 22 2024, 7:00 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits