Per the parent task, we'll need to allow extensions to add to the array in AbuseFilterProtectedVariables. This could be done via operations/mediawiki-config, or via a hook in AbuseFilter that allows other extensions to provide a list of additional variables. The latter probably makes sense, in that there is some amount of registration code already necessary in an extension defining a variable for use in AbuseFilter.
Description
Description
Details
Details
Related Changes in Gerrit:
| Status | Subtype | Assigned | Task | ||
|---|---|---|---|---|---|
| Restricted Task | |||||
| Resolved | kostajh | T294511 2021 Security Team wikireplicas audit | |||
| Declined | None | T284948 Raw IPs of logged-out users disclosed in wiki-replicas | |||
| Resolved | Niharika | T324492 Temporary accounts - MVP | |||
| Open | kostajh | T357776 [Epic] Mitigate abilities to abuse temporary accounts | |||
| Stalled | Feature | None | T380917 Ability to configure a wiki to auto block open proxies | ||
| Stalled | None | T166817 Globally block identifiable open proxies | |||
| Resolved | • Dreamy_Jazz | T354599 [EPIC] WE4.2.14b Provide IP reputation variables in AbuseFilter | |||
| Duplicate | • Dreamy_Jazz | T380454 Provide ip_reputation_tunnel_operators AbuseFilter | |||
| Duplicate | • Dreamy_Jazz | T380710 Provide ip_reputation_risk_types variable in AbuseFilter | |||
| Open | None | T380711 Provide ip_reputation_tunnel_type AbuseFilter variable | |||
| Resolved | • Dreamy_Jazz | T380918 Provide capability to define new protected variables from other extensions | |||
| Resolved | STran | T385687 Investigate: How should the AbuseFilter variable `user_unnamed_ip` be restricted |
Event Timeline
Comment Actions
This could be done via operations/mediawiki-config, or via a hook in AbuseFilter that allows other extensions to provide a list of additional variables
Given that the config $wgAbuseFilterProtectedVariables already exists, I think it makes sense to use that instead of adding a new hook that only has the purpose of extending an array held as a config variable.
I propose that we do either of the following:
Hook into onRegistration and add the variables to the $wgAbuseFilterProtectedVariables config there, so that the variables by default are protected.We can't reliably use this as the config from AbuseFilter may not have loaded- Define $wgAbuseFilterProtectedVariables to include the variables in operations/mediawiki-config to just hide them for WMF wikis
If we use a hook, it makes it pretty impractical for a wiki to decide that these variables should not be protected. Adding it to the config for just WMF wikis means that third-party wikis need to be aware and add the variable to the config if they want to prevent it's use in public filters.
Comment Actions
I would lean towards a simpler implementation and not make it possible to allow these variables to exist in public filters, ever--so, require them to be protected variables. If a third party wiki has a use case for using these variables in public filters, we could revisit, but I would worry that we'd be spending time and adding code to implement functionality that is unlikely to be used.
Comment Actions
Sure. I'll go with the approach of creating a hook to define these.
The one issue that I thought up of now is that a wiki could have IPReputation uninstalled. However, if this does occur I think that someone would see this and update the AbuseFilter config to include these variables.
Comment Actions
Change #1100552 had a related patch set uploaded (by Dreamy Jazz; author: Dreamy Jazz):
[mediawiki/extensions/AbuseFilter@master] Add AbuseFilterCustomProtectedVariables hook
Comment Actions
If we're doing this, should we remove the config $wgAbuseFilterProtectedVariables, and make user_unnamed_ip always be protected?
Comment Actions
Blocked on conversations with Legal to figure out whether IPReputation variables should have a different privacy level.
Comment Actions
No longer blocked, as we've concluded discussions with Legal and documented our approach here https://www.mediawiki.org/wiki/Trust_and_Safety_Product/Decision_records/2025-02-04-IPReputation_AbuseFilter_variables_for_registered_users
Comment Actions
Depends on T385687: Investigate: How should the AbuseFilter variable `user_unnamed_ip` be restricted to decide the approach to take, as the hook may need to be able to define additional requirements (such as additional rights etc.)
Comment Actions
Moving this back to "In Progress". In T385687#10562909 we decided to use this hook to define the list of protected variables from other extensions, including additional restrictions (such as user rights and preferences that need to be enabled). The exact method of additional restrictions definitions is not yet decided, but I think we should be able to use some kind of callback mechanism for the time being. If that is disagreed with, we can revisit the idea of using an array structure to define requirements which are then parsed by AbuseFilter.
Comment Actions
Change #1122136 had a related patch set uploaded (by Dreamy Jazz; author: Dreamy Jazz):
[mediawiki/extensions/AbuseFilter@master] Get list of protected variables from a service
Comment Actions
Change #1122136 merged by jenkins-bot:
[mediawiki/extensions/AbuseFilter@master] Get list of protected variables from a service
Comment Actions
Change #1100552 merged by jenkins-bot:
[mediawiki/extensions/AbuseFilter@master] Add AbuseFilterCustomProtectedVariables hook
Comment Actions
For this ticket, I would suggest a regression test that verifies that the user_unnamed_ip variable is still only usable in protected abuse filters. Testing the hook will be done when we add MediaWiki-extensions-IPReputation protected AbuseFilter variables in other tickets.
Comment Actions
QA regression testing is completed, the protected filter of user_unnamed_ip is still only usable in protected abuse filters.