Write a unique `var_dump` to each filter hit when necessary
Closed, ResolvedPublic
Actions

Description

Summary

Background and Technical notes

When multiple filters trigger a hit, they all share the same var_dump. This is causing problems, as public filters can have var_dumps with protected variables and privileged information the user may not have access to. We've been solving this problem by filtering out variable values based on view rights but as we add more granular controls around what rights can view what types of information, it makes more sense to control it at the time of write instead of time of display.

For instance:

Given the following filters:
- Filter A is a public filter (action = 'edit')
- Filter B is a protected filter with no additional restrictions (as of writing, this is hypothetical and refers to IP Reputation variables)
- Filter C is a protected filter using user_unnamed_ip, which is additionally protected (user_unnamed_ip = '1.2.3.4')
A user edits from IP 1.2.3.4, hitting all 3 filters (ids 1, 2, 3, corresponding to A, B, C)
Filter C is updated to no longer use user_unnamed_ip (action = 'edit' - This is a duplicate of Filter A but as Filter C has been protected before, it remains protected now)
A user edits, also hitting all 3 filters (ids 4, 5, 6)

We expect:

Filter ID	Public View	Protected Var View	Protected Var + IP Access
1	✅	✅	✅
2	❌	✅	✅
3	❌	❌	✅
4	✅	✅	✅
5	❌	✅	✅
6	❌	✅	✅

Right now, there is no good way to gate access to 3 as expected/wanted, as filter logs are associated to a filter id, not a filter revision. Ensuring that access to log 3 remains restricted as expected can only be done by either:

Checking the blob store for the used variable and restricting view on a per-log basis
Associating a filter revision w/the log and checking against variables used in that revision

Given that either will solve it, unique blobs will solve the product problem faster.

Acceptance criteria

AbuseFilter logs use a var dump which contains only the protected variables used in the associated filter

Details

Related Changes in Gerrit:

	Subject	Repo	Branch	Lines +/-
	Exclude protected variables from var dumps unless used by filter	mediawiki/extensions/AbuseFilter	master	+210 -91

Customize query in gerrit

Related Objects

Mentioned In: T390224: AbuseFilter protected variables: Remove value redaction code only used for backwards compatibility once no longer needed
Mentioned Here: T234155: Create CheckUser-level abuse filters

Event Timeline

STran created this task.Mar 26 2025, 5:09 PM

Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMar 26 2025, 5:09 PM

Dreamy_Jazz moved this task from Priority Backlog to In Progress on the Trust and Safety Product Sprint (Sprint Chocolate Cake (March 24 - April 11)) board.Mar 26 2025, 5:12 PM

Change #1131341 had a related patch set uploaded (by Dreamy Jazz; author: Dreamy Jazz):

[mediawiki/extensions/AbuseFilter@master] [WIP] Exclude protected variables from var dumps unless used by filter

https://gerrit.wikimedia.org/r/1131341

gerritbot added a project: Patch-For-Review.Mar 26 2025, 5:12 PM

SpecialAbuseLog ideally does not have to filter out protected values anymore, as the blob should be accurate to the used variables; implementor to check if this needs to remain for historical reasons

Based on my investigation, we will need to keep this check because we cannot remove the user_unnamed_ip variable from the var dump for public logs. Therefore, we will need to keep this check for logs created before the patch in this task is merged and applied to WMF wikis.

We may be able to remove this check after 3 months of this patch being merged, because the value for user_unnamed_ip would no longer be stored.

While the check is extra code, I think it is still good to keep as a way to prevent issues if we have missed any edge cases with how var dumps are stored. As such, I'd suggest leaving this as it is but happy to create a follow-up ticket to remove if during review it is determined to be necessary.

Dreamy_Jazz updated the task description. (Show Details)Mar 26 2025, 6:24 PM

Dreamy_Jazz updated the task description. (Show Details)

Dreamy_Jazz updated the task description. (Show Details)Mar 26 2025, 6:28 PM

Dreamy_Jazz moved this task from In Progress to Needs Review on the Trust and Safety Product Sprint (Sprint Chocolate Cake (March 24 - April 11)) board.

Dreamy_Jazz mentioned this in T390224: AbuseFilter protected variables: Remove value redaction code only used for backwards compatibility once no longer needed.Mar 27 2025, 5:54 PM

Change #1131341 merged by jenkins-bot:

[mediawiki/extensions/AbuseFilter@master] Exclude protected variables from var dumps unless used by filter

https://gerrit.wikimedia.org/r/1131341

ReleaseTaggerBot added a project: MW-1.44-notes (1.44.0-wmf.23; 2025-04-01).Mar 28 2025, 3:00 PM

Maintenance_bot removed a project: Patch-For-Review.Mar 28 2025, 3:30 PM

Dreamy_Jazz moved this task from Needs Review to Needs QA on the Trust and Safety Product Sprint (Sprint Chocolate Cake (March 24 - April 11)) board.Mar 31 2025, 2:21 PM

For QA I would suggest the following steps:

Create the following testing filters
- Filter A is a public filter (action = 'edit')
- Filter B is a protected filter using user_unnamed_ip (user_unnamed_ip = '1.2.3.4')
Edit using a temporary account from the IP in Filter B
Log into an account with access to AbuseFilter logs and protected variables (an admin account is usually good enough for this)
Open Special:AbuseLog and verify that two AbuseFilter logs are present for the edit made in step 2, one for Filter A and the other for Filter B
Open the log for Filter B and assert that the user_unnamed_ip variable is present in the variable dump
Open the log for Filter A and assert that user_unnamed_ip is not present in the variable dump

Alternatively we can still reuse the same variable dump, but protected variable will be stored in another table like abuse_filter_protected_variable.

Note current variable dump is stored in external storage, which can not be purged or redacted.

In T390086#10704762, @Bugreporter wrote:

Alternatively we can still reuse the same variable dump, but protected variable will be stored in another table like abuse_filter_protected_variable.

I don't think we can do this. We want to expire the value but not remove that the variable was previously stored for the log entry. Having the variable name set with no value set allows this to be the view shown when expired. It also allows us to work out if we need to attempt to populate the value (because we would only read the data from the new table if we needed to populate the data).

Having the variable name set with no value set allows this to be the view shown when expired.

However, external storage is immutable, see T234155#9789762

In T390086#10706492, @Bugreporter wrote:

Having the variable name set with no value set allows this to be the view shown when expired.

However, external storage is immutable, see T234155#9789762

Yes. We won't need to modify the value in the var dump because it's set to nothing. This what is already done for the existing user_unnamed_ip variable.

Dreamy_Jazz moved this task from Inbox to Engineering on the Trust and Safety Product Team board.Apr 3 2025, 11:22 AM

QA is completed, I have verified the new code has been implemented and is functioning Per the Acceptance Criteria (The AbuseFilter logs use a var dump which contains only the protected variables used in the associated filter). Thank you for the QA Steps @Dreamy_Jazz.

kostajh closed this task as Resolved.Apr 14 2025, 8:06 AM

Write a unique `var_dump` to each filter hit when necessaryClosed, ResolvedPublicActions