Page MenuHomePhabricator
Create Task
Maniphest T385734

Account auto-creations caused by import of page caused actor table rows and CheckUser result rows but no associated user table row
Closed, ResolvedPublicSecurity
Actions

Description

Summary

There are several actor table rows on testwiki with a defined user ID that does not exist in the user table. These entries appear to have been created due to an import of a page to testwiki. This action additionally caused two cu_private_event rows to exist for the auto-creation of the accounts, with duplicated details.

Background

  • At 21:39 there were about 1000 warnings created regarding users having no central ID as shown in this logstash query
    • Selecting a random selection of the users mentioned in these log entries shows that they appear to have no account on testwiki
  • Running the query select * from actor where actor_user not in (select user_id from user); on testwiki shows about 400 actor table rows where the actor_ids are pretty much completely sequential, the actor_user column has a value which does not correspond to an ID in the user table, and the actor_name values appear to match the usernames in the logstash query
  • Running the query select * from cu_private_event where cupe_actor = X; (where X is an actor ID from the above query) showed two cu_private_event rows where both indicated an auto-creation of an account had occurred
  • The logstash query for other queries around the warning for no central ID finds that this appears to be related to the importing of a page to testwiki

Acceptance criteria

  • Ensure that orphaned actor and cu_private_event table rows are not created if the attempts to create the user rows fail

Details

Risk Rating
Low
Author Affiliation
WMF Technology
Related Changes in Gerrit:
SubjectRepoBranchLines +/-
phpunit: Test CheckUser behavior on transaction rollbackmediawiki/extensions/CheckUsermaster+87 -4
Avoid writing to CU tables if the main transaction round failedmediawiki/extensions/CheckUsermaster+63 -53
Customize query in gerrit

Related Objects
Search...

Event Timeline

Dreamy_Jazz created this task.Feb 5 2025, 6:04 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptFeb 5 2025, 6:04 PM
Dreamy_Jazz added projects: SUL3, MediaWiki-extensions-CentralAuth.EditedFeb 5 2025, 6:09 PM
Dreamy_Jazz added a subscriber: Tgr.

@Tgr, do you know if this could have anything to do with SUL3? The path that this took doesn't seem very clear based on looking at logstash, but it seems that this probably has something to do with MediaWiki-extensions-CentralAuth given that it's auto-creations on a call to api.php with the referrer being a different wiki.

Restricted Application added a project: MediaWiki-Platform-Team. · View Herald TranscriptFeb 5 2025, 6:09 PM
Dreamy_Jazz renamed this task from 400 accounts already existing accounts auto-created on test.wikipedia.org using the same non-WMF IP address within the span of a minute to 400 already existing accounts auto-created on test.wikipedia.org using the same non-WMF IP address within the span of a minute.Feb 5 2025, 6:10 PM
Dreamy_Jazz updated the task description. (Show Details)
Dreamy_Jazz updated the task description. (Show Details)
Dreamy_Jazz renamed this task from 400 already existing accounts auto-created on test.wikipedia.org using the same non-WMF IP address within the span of a minute to 400 auto-creations on test.wikipedia.org using the same non-WMF IP address within the span of a minute which caused actor table rows but no user table rows.Feb 5 2025, 6:14 PM
Dreamy_Jazz updated the task description. (Show Details)
Dreamy_Jazz renamed this task from 400 auto-creations on test.wikipedia.org using the same non-WMF IP address within the span of a minute which caused actor table rows but no user table rows to 400 auto-creations on testwiki using the same non-WMF IP address within the span of a minute which caused actor table rows pointing to missing user table rows.Feb 5 2025, 6:22 PM
Dreamy_Jazz renamed this task from 400 auto-creations on testwiki using the same non-WMF IP address within the span of a minute which caused actor table rows pointing to missing user table rows to 400 auto-creations on testwiki using the same non-WMF IP address within the span of a minute causing actor table rows pointing to missing user table rows.
Dreamy_Jazz updated the task description. (Show Details)Feb 5 2025, 6:26 PM
Dreamy_Jazz added a project: DBA.

Adding DBA as these rows will probably need to be fixed at some point.

Dreamy_Jazz added subscribers: mszabo, Tchanders, hector.arroyo and 2 others.Feb 5 2025, 6:33 PM
Tgr added a subscriber: ArielGlenn.Feb 5 2025, 6:46 PM

Possibly caused by T378401: Start running backfillLocalAccounts.php? (cc @ArielGlenn)

mszabo added a comment.Feb 5 2025, 6:48 PM

Logs from one of the requests with repeating stuff filtered: https://logstash.wikimedia.org/app/discover#/?_g=(filters:!(),refreshInterval:(pause:!t,value:[…]val:auto,query:(language:lucene,query:''),sort:!())

Note the reference to "Trondheim" being slow to parse. I think this is Jon Harald Soby importing articles from nowiki. The timing seems to match with https://test.wikipedia.org/wiki/Special:Log/import (although this import appears to have unsurprisingly failed).

Tgr added a comment.Feb 5 2025, 6:53 PM

That script uses AuthManager::autoCreateUser() so if it results in incomplete autocreations, there is something broken at a deeper point (T380500: CentralAuthUser returning outdated data after user creation, maybe?), but it would explain the burst of auto-creations, and the lack of client hint data (that's T381128: backfillLocalAccounts.php should fill Client Hints, on the back burner right now). All accounts having the same IP address / browser UA is probably a separate bug (no idea how it could happen though; that part of the code looks straightforward).

Dreamy_Jazz removed projects: MediaWiki-Platform-Team, SUL3.Feb 5 2025, 6:53 PM

Thanks @mszabo for finding that. Then this isn't related to SUL3, so untagging that.

Tgr added a comment.Feb 5 2025, 6:54 PM
In T385734#10526741, @Tgr wrote:

Possibly caused by T378401: Start running backfillLocalAccounts.php? (cc @ArielGlenn)

On second thought that doesn't make sense, that script is only running on meta & loginwiki.

Tgr added a comment.Feb 5 2025, 6:56 PM
In T385734#10526749, @mszabo wrote:

I think this is Jon Harald Soby importing articles from nowiki.

Secondary errors caused by T383962: Special:Import revision duplication and unprefixed usernames then?

Dreamy_Jazz added a comment.EditedFeb 5 2025, 6:58 PM
In T385734#10526798, @Tgr wrote:
In T385734#10526749, @mszabo wrote:

I think this is Jon Harald Soby importing articles from nowiki.

Secondary errors caused by T383962: Special:Import revision duplication and unprefixed usernames then?

Yeah, that seems to make sense.

Given that, I think this task can be unprotected when the security team has a chance to do that. I had protected this initially as I couldn't see why one IP address was causing all of these auto-creations in such a short space of time (and was concerned that maybe someone found out how to auto-create accounts on behalf of other users en-masse using a method not specifically intended).

Dreamy_Jazz updated the task description. (Show Details)Feb 5 2025, 7:00 PM
Dreamy_Jazz edited projects, added CheckUser, MediaWiki-Core-Snapshots; removed MediaWiki-extensions-CentralAuth.Feb 5 2025, 7:06 PM
Restricted Application added a project: Trust and Safety Product Team. · View Herald TranscriptFeb 5 2025, 7:06 PM
Dreamy_Jazz added a parent task: T374994: CheckUser is attempting to write to cuci_user for users which have no central account.Feb 5 2025, 7:06 PM
Dreamy_Jazz renamed this task from 400 auto-creations on testwiki using the same non-WMF IP address within the span of a minute causing actor table rows pointing to missing user table rows to Account auto-creations caused by import of page caused actor table rows with no associated user table row.Feb 5 2025, 7:09 PM
Dreamy_Jazz renamed this task from Account auto-creations caused by import of page caused actor table rows with no associated user table row to Account auto-creations caused by import of page caused actor table rows and CheckUser result rows but no associated user table row.
Dreamy_Jazz updated the task description. (Show Details)Feb 5 2025, 7:13 PM
Dreamy_Jazz added a project: Patch-For-Review.Feb 5 2025, 7:41 PM
Dreamy_Jazz added a subscriber: gerritbot.
gerritbot added a comment.Feb 5 2025, 7:58 PM

Change #1117605 merged by jenkins-bot:

[mediawiki/extensions/CheckUser@master] Avoid writing to CU tables if the main transaction round failed

https://gerrit.wikimedia.org/r/1117605

sbassett changed the task status from Open to In Progress.Feb 5 2025, 8:03 PM
sbassett edited projects, added SecTeam-Processed; removed Security, Security-Team.
sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".
sbassett changed the edit policy from "Custom Policy" to "All Users".
sbassett changed Risk Rating from N/A to Low.
Pppery subscribed.Feb 5 2025, 9:30 PM

This is another manifestation of T385646

Jdforrester-WMF added a project: MW-1.44-notes (1.44.0-wmf.16; 2025-02-11).Feb 5 2025, 10:06 PM
Ladsgroup subscribed.Feb 6 2025, 3:14 PM
In T385734#10526659, @Dreamy_Jazz wrote:

Adding DBA as these rows will probably need to be fixed at some point.

if this task is about CU tables, they would be automatically purged after 90 days, right? Am I missing something super obvious? (apologies if I do)

Dreamy_Jazz added a comment.EditedFeb 6 2025, 3:22 PM
In T385734#10529015, @Ladsgroup wrote:
In T385734#10526659, @Dreamy_Jazz wrote:

Adding DBA as these rows will probably need to be fixed at some point.

if this task is about CU tables, they would be automatically purged after 90 days, right? Am I missing something super obvious? (apologies if I do)

The rows needing fixed are the associated actor table rows where the actor_user column is set to a user_id that does not exist in the user table. Maybe this would be automatically fixed if the user visits test.wikipedia.org to be auto-created, but I'm not sure if this would be the case.

The CheckUser tables will fix themselves after 90 days.

Tgr added a comment.Feb 6 2025, 4:21 PM
In T385734#10529059, @Dreamy_Jazz wrote:

The rows needing fixed are the associated actor table rows where the actor_user column is set to a user_id that does not exist in the user table. Maybe this would be automatically fixed if the user visits test.wikipedia.org to be auto-created, but I'm not sure if this would be the case.

That's more related to T383962: Special:Import revision duplication and unprefixed usernames than this task. I don't think it will work - the actor table entry will block the creation of another actor record with the same username, but the existing record is linked to a user ID that will never be used (new users just get the next autoincrement value). ActorStore::acquireActorId() doesn't even have reasonable error handling for the case when there is an actor for the given username, but with an ID mismatch.
And if we are extra unlucky, whetever prevented the creation of the user record did not autoincrement so the ID just gets assigned to the next user who signs up.

gerritbot added a comment.Feb 7 2025, 1:58 PM

Change #1118117 had a related patch set uploaded (by Máté Szabó; author: Máté Szabó):

[mediawiki/extensions/CheckUser@master] phpunit: Test CheckUser behavior on transaction rollback

https://gerrit.wikimedia.org/r/1118117

gerritbot added a comment.Feb 7 2025, 3:28 PM

Change #1118117 merged by jenkins-bot:

[mediawiki/extensions/CheckUser@master] phpunit: Test CheckUser behavior on transaction rollback

https://gerrit.wikimedia.org/r/1118117

RhinosF1 subscribed.Feb 9 2025, 12:46 PM
A_smart_kitten moved this task from Backlog to Snapshot import on the MediaWiki-Core-Snapshots board.Feb 10 2025, 10:48 AM
Dreamy_Jazz mentioned this in T374994: CheckUser is attempting to write to cuci_user for users which have no central account.Feb 11 2025, 10:58 AM
Ladsgroup added a comment.Mar 19 2025, 6:55 PM

@Dreamy_Jazz Do you want me to delete those rows in production? It's testwiki, anything goes.

Dreamy_Jazz added a comment.Mar 20 2025, 4:58 PM
In T385734#10654014, @Ladsgroup wrote:

@Dreamy_Jazz Do you want me to delete those rows in production? It's testwiki, anything goes.

Might be worth doing that. AFAICS it would cause issues if any of these users open testwiki?

Ladsgroup added a comment.Mar 25 2025, 6:42 PM
In T385734#10657965, @Dreamy_Jazz wrote:
In T385734#10654014, @Ladsgroup wrote:

@Dreamy_Jazz Do you want me to delete those rows in production? It's testwiki, anything goes.

Might be worth doing that. AFAICS it would cause issues if any of these users open testwiki?

if the users exist globally, we can also force create them locally via createLocalAccount.php in CentralAuth? I don't know if it would work.

Dreamy_Jazz added a comment.Mar 25 2025, 6:44 PM
In T385734#10675680, @Ladsgroup wrote:
In T385734#10657965, @Dreamy_Jazz wrote:
In T385734#10654014, @Ladsgroup wrote:

@Dreamy_Jazz Do you want me to delete those rows in production? It's testwiki, anything goes.

Might be worth doing that. AFAICS it would cause issues if any of these users open testwiki?

if the users exist globally, we can also force create them locally via createLocalAccount.php in CentralAuth? I don't know if it would work.

It should be fine to delete the actor rows, I think the issues would only occur if we left the rows in testwiki.

Ladsgroup moved this task from Triage to In progress on the DBA board.Apr 1 2025, 6:37 PM

I wrote this horrible thing to get rid of the rows:

for i in $(seq 1 410);
do
   id=$(db-mysql db1223 testwiki -ss -e "select actor_id from actor where actor_user not in (select user_id from user) limit 1;")
   if [ "${id:0:1}" == "1" ]; then
       db-mysql db1223 testwiki -ss -e "delete from actor where actor_id = $id limit 1;"
       echo $id
   fi
   sleep 1
done

It's empty now:

cumin2024@db1223.eqiad.wmnet[testwiki]> select * from actor where actor_user not in (select user_id from user);
Empty set (0.144 sec)

Anything else needed from your friendly neighborhood DBAs?

Dreamy_Jazz added a comment.Apr 1 2025, 6:38 PM
In T385734#10700705, @Ladsgroup wrote:

I wrote this horrible thing to get rid of the rows:

for i in $(seq 1 410);
do
   id=$(db-mysql db1223 testwiki -ss -e "select actor_id from actor where actor_user not in (select user_id from user) limit 1;")
   if [ "${id:0:1}" == "1" ]; then
       db-mysql db1223 testwiki -ss -e "delete from actor where actor_id = $id limit 1;"
       echo $id
   fi
   sleep 1
done

It's empty now:

cumin2024@db1223.eqiad.wmnet[testwiki]> select * from actor where actor_user not in (select user_id from user);
Empty set (0.144 sec)

Anything else needed from your friendly neighborhood DBAs?

I don't think so. Thanks for that!

Dreamy_Jazz closed this task as Resolved.Apr 1 2025, 6:42 PM

Given that, I think we can resolve this task as:

  1. The code causing these extra actor rows has been fixed in e209ae5a07cade91fb7a1d5320e9e6c6a8168bc9
  2. No more of these rows appear to exist elsewhere
Maintenance_bot moved this task from In progress to Done on the DBA board.Apr 1 2025, 7:29 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits