Page MenuHomePhabricator
Create Task
Maniphest T390873

AbuseFilter protected variables: Make it possible for protected variable values expire when the IP address expires
Closed, ResolvedPublic
Actions

Description

Summary

We should expire MediaWiki-extensions-IPReputation AbuseFilter variable data when the IP address expires. To do this we need to add support for protected variable values to be purged when the IP address is purged.

Background

  • It is not a WMF Legal requirement to purge MediaWiki-extensions-IPReputation variable data, but it was considered that there is a risk in keeping this data when the IP address has purged.
    • This is especially the case when the action is an account creation, as it would tie data about an IP address to a registered user forever if an AbuseFilter matched on their account creation
    • This also could be an issue for temporary accounts, where their IP address expires after 90 days
  • We need to consider when the MediaWiki-extensions-IPReputation protected variables need to be expired, and whether we should expire in all cases for consistency
  • To do this we need a mechanism to store some protected variable values in the database
    • This mechanism should ideally not be too specific to MediaWiki-extensions-IPReputation AbuseFilter variables, to avoid the need to undo existing work if other variables are added
    • However, we need to consider that we would likely need to expire the data at the same time as the IP address so may still need to bound this expiration to a standard retention period
  • This solution may also be useful to consider for the existing user_unnamed_ip variable, as we could then remove some of it's specific handling code in favour of using this method

Technical notes

  • We will need a schema change to support this to the abuse_filter_log table
    • The schema change would likely involve adding a column that acts in a similar way to the log_params column (a serialised PHP array of parameters, in this case variable names to values)
    • When reading or writing the variable dump, the protected variables that need to have their values expire would be written to this new column instead of the blob used for all other variables
  • We can re-use the afl_var_dump column by making it a JSON array if the log contains variables that need purging
    • When the values are purged, the column could be reverted back to no longer use JSON as a space saving measure. Alternatively, we could make all afl_var_dump column values use a JSON array to be consistent.
  • We will need code to remove protected variables from afl_var_dump when they should be expired
    • To support this, we need a index which partially indexes afl_var_dump (just one character should be fine) and afl_timestamp. Then the query would look for the character { at the start of afl_var_dump. If it exists then the field should be in JSON and have protected variables to purge.
      • The other methods of doing this like adding a new tinyint column or making afl_ip nullable were less liked by DBAs.

Acceptance criteria

  • AbuseFilter supports protected variables being configured to have their associated values be purged when the IP address associated with the log is purged
  • MediaWiki-extensions-IPReputation variables are configured in this way to purge their values, which should at least be used when an account creation causes a log entry

Details

Related Changes in Gerrit:
SubjectRepoBranchLines +/-
Purge protected variables stored in the DBmediawiki/extensions/AbuseFiltermaster+262 -21
Rename PurgeOldLogIPData.php to PurgeOldLogData.phpmediawiki/extensions/AbuseFiltermaster+182 -87
Store protected variables in DB instead of BlobStoremediawiki/extensions/AbuseFiltermaster+126 -55
Add afl_var_dump_timestamp index to allow searching for JSON arraysmediawiki/extensions/AbuseFiltermaster+368 -0
Update PurgeOldLogIPData to set afl_ip to nullmediawiki/extensions/AbuseFiltermaster+15 -3
Drop the UpdateVarDumps.php maintenance scriptmediawiki/extensions/AbuseFiltermaster+0 -749
Customize query in gerrit

Related Objects
Search...

Event Timeline

Dreamy_Jazz created this task.Apr 2 2025, 2:16 PM
Restricted Application added a project: Data-Engineering. · View Herald TranscriptApr 2 2025, 2:16 PM
Restricted Application added a subscriber: Aklapper. · View Herald Transcript
Dreamy_Jazz mentioned this in T390874: IPReputation: Create the initial IPReputation AbuseFilter variables.Apr 2 2025, 2:17 PM
Marostegui edited projects, added Data-Persistence; removed DBA.Apr 2 2025, 2:31 PM
Bugreporter subscribed.Apr 2 2025, 4:00 PM

Alternatively we can introduce a new table like abuse_filter_protected_variable, since adding a new column to abuse_filter_log will take much more disk space.

Dreamy_Jazz added a comment.EditedApr 2 2025, 7:06 PM
In T390873#10704740, @Bugreporter wrote:

Alternatively we can introduce a new table like abuse_filter_protected_variable, since adding a new column to abuse_filter_log will take much more disk space.

DBA usually recommend against adding a new table unless necessary as each table causes more files to be opened. For example, T359309#9614963. However I can check with them what they prefer.

Johannnes89 subscribed.Apr 2 2025, 8:04 PM
Dreamy_Jazz moved this task from Inbox to Blocked/Stalled on the Trust and Safety Product Team board.Apr 3 2025, 11:18 AM
Dreamy_Jazz moved this task from Blocked/Stalled to Engineering on the Trust and Safety Product Team board.
Ladsgroup subscribed.Apr 3 2025, 6:11 PM

I'm reviewing the schema of abuse filter and I have several notes:

  • A lot of work in this regard is not done yet. I'm still seeing afl_user_text and afl_user, can we finish these migrations please?
  • Currently the tables are not that big (9.5G abuse_filter_log.ibd in enwiki. It is big but not end of the world big) but the fact that it keeps everything forever and is growing without bound is concerning. Do you think it'd make sense to remove old abuse filter logs where the action is warn or tag? what's the point of keeping them forever. Definitely keep any row that's disallowed or block
    • Do we really use afl_patrolled_by?
  • I don't know the code well enough but maybe we can store the parameter in afl_var_dump itself instead of introducing a new column?
  • can we use hard-coded smallint values for afl_action and afl_actions?
  • "a serialised PHP array of parameters" <- please don't store php serialization. We did this mistake twenty years ago and at that time json didn't exist. We are already migrating as much as possible to json instead.

This table needs a lot of love :(

Dreamy_Jazz added a subscriber: matej_suchanek.Apr 3 2025, 6:22 PM
In T390873#10709849, @Ladsgroup wrote:

I'm reviewing the schema of abuse filter and I have several notes:

  • A lot of work in this regard is not done yet. I'm still seeing afl_user_text and afl_user, can we finish these migrations please?

Hmm. I see that T188180 was recently resolved by @matej_suchanek. Any thoughts on this?

  • Currently the tables are not that big (9.5G abuse_filter_log.ibd in enwiki. It is big but not end of the world big) but the fact that it keeps everything forever and is growing without bound is concerning. Do you think it'd make sense to remove old abuse filter logs where the action is warn or tag? what's the point of keeping them forever. Definitely keep any row that's disallowed or block
  • Do we really use afl_patrolled_by?

Doesn't look like it to me. Probably could be removed.

  • I don't know the code well enough but maybe we can store the parameter in afl_var_dump itself instead of introducing a new column?

afl_var_dump is a blob store address. We could re-use this column and store the blob store address in a JSON array when protected variables are stored. Then when purging we would modify afl_var_dump instead of blanking it, such that the field is back to just being the blob store address.

  • can we use hard-coded smallint values for afl_action and afl_actions?

Not easily, because other extensions can define actions. We could convert that if wanted but there could be issues with collisions for the integers that are selected. Plus, uninstalling an extension which defines an action would break those logs.

  • "a serialised PHP array of parameters" <- please don't store php serialization. We did this mistake twenty years ago and at that time json didn't exist. We are already migrating as much as possible to json instead.

Sure. Perhaps a JSON array in afl_var_dump would work.

This table needs a lot of love :(

Yeah, unfortunately.

Dreamy_Jazz added a comment.EditedApr 3 2025, 6:26 PM

Given the idea of re-using afl_var_dump was suggested, I will run with that and come back to a new column if that doesn't work for any reason. I'll file a task about afl_patrolled_by.

The abuse_filter_log table is not public per T375751: Public wiki replicas contain abuse filter logs for filters that are private or protected, so we can re-use this column and someone will need to consider this if it's ever made public again. That would likely be through making all protected filter logs be hidden.

Dreamy_Jazz added a comment.Apr 3 2025, 6:33 PM
This comment was removed by Dreamy_Jazz.
matej_suchanek added a comment.Apr 3 2025, 6:35 PM
In T390873#10709896, @Dreamy_Jazz wrote:
In T390873#10709849, @Ladsgroup wrote:

I'm reviewing the schema of abuse filter and I have several notes:

  • A lot of work in this regard is not done yet. I'm still seeing afl_user_text and afl_user, can we finish these migrations please?

Hmm. I see that T188180 was recently resolved by @matej_suchanek. Any thoughts on this?

I didn't initiate that migration simply because it's more complicated. You need to deal with non-IP afl_user_text where afl_user = 0, and references from metawiki for global filter hits. I was hoping to collect all the ideas on this table in a new task to kick it off, but I never got to it and you guys were faster.

This table needs a lot of love :(

Yeah, unfortunately.

^

Dreamy_Jazz added a comment.Apr 3 2025, 6:42 PM

I've filed T391027 for the afl_patrolled_by column.

Dreamy_Jazz updated the task description. (Show Details)Apr 3 2025, 6:45 PM
Dreamy_Jazz removed a project: Schema-change.

Removing Schema-change from this ticket based on the updates.

Ladsgroup added a comment.Apr 3 2025, 7:06 PM

Something to note is that once you write to blob store, you can't change the content of it anymore. Our external storage databases are append-only and will become read only once they get filled. Think of it like blockchain but actually useful. We can store a new entry and set that though. Would that be good enoughTM?

Dreamy_Jazz added a comment.EditedApr 3 2025, 7:17 PM
In T390873#10710226, @Ladsgroup wrote:

Would that be good enoughTM?

Maybe, but I'm thinking not. We want to permanently purge the value of the variables after 90 days to be consistent with how afl_ip is purged. If we write the values to the append-only storage, then we can't properly purge the data. Just unlinking the entry won't be enough, as I presume you could search through the blob store entries and find the one that matches variables in the new blob store (i.e. match the value of the new_wikitext variable).

A scenario is a user creates their account using an VPN, where the specific VPN provider is noted in the variable value. That data would never be fully purged, which I think would be an issue for wikis where some users are being targeted and some kind of leak of the blob store occurs.

Purging isn't a strict requirement, so if it's not possible to do the JSON values in afl_var_dump then it could be re-considered.

Ladsgroup added a comment.Apr 3 2025, 7:24 PM
In T390873#10710253, @Dreamy_Jazz wrote:
In T390873#10710226, @Ladsgroup wrote:

Would that be good enoughTM?

Maybe, but I'm thinking not. We want to permanently purge the value of the variables after 90 days to be consistent with how afl_ip is purged. If we write the values to the append-only storage, then we can't properly purge the data. Just unlinking the entry won't be enough, as I presume you could search through the blob store entries and find the one that matches variables in the new blob store (i.e. match the value of the new_wikitext variable).

We have roughly 50-60TB of gzipped text in ES. Searching in it is not really feasible. Unless you have the key to the row.

A scenario is a user creates their account using an VPN, where the specific VPN provider is noted in the variable value. That data would never be fully purged, which I think would be an issue for wikis where some users are being targeted and some kind of leak of the blob store occurs.

Purging isn't a strict requirement, so if it's not possible to do the JSON values in afl_var_dump then it could be re-considered.

One thing that you can do is to put the ip in afl_var_dump too. so it'll be like {'var_name_ip': 127.0.0.1, 'purge_timestamp': 1234, 'the rest of values': 'tt:1234'} if afl_var_dump can take it, that should work?

Ladsgroup added a comment.Apr 3 2025, 7:25 PM

It's a blob:

`afl_var_dump` blob NOT NULL

Go crazy.

Dreamy_Jazz added a comment.Apr 3 2025, 7:26 PM

Thanks. In which case, we will store JSON in afl_var_dump when we need to expire the variable value. Given that, I'd say that DBA input is no longer needed given that we won't be making a Schema-change.

Dreamy_Jazz updated the task description. (Show Details)Apr 3 2025, 7:28 PM
Ladsgroup added a comment.Apr 3 2025, 7:34 PM

Awesome! I stay subscribed in case you need any help!

Bugreporter added a comment.Apr 4 2025, 1:52 AM

As I said above, we can alternatively introduce a new table for protected variable so this can be more easily purged (without enumbrating the abuse_filter_log table).

Ladsgroup added a comment.Apr 4 2025, 11:22 AM
In T390873#10711407, @Bugreporter wrote:

As I said above, we can alternatively introduce a new table for protected variable so this can be more easily purged (without enumbrating the abuse_filter_log table).

I saw and as Dreamy Jazz pointed out, it shouldn't be done.

Ahoelzl removed a project: Data-Engineering.Apr 8 2025, 5:52 PM
kostajh edited projects, added Trust and Safety Product Sprint (Sprint Cozonac (April 14 - May 2)); removed Trust and Safety Product Sprint (Sprint Chocolate Cake (March 24 - April 11)).Apr 14 2025, 2:54 PM
Dreamy_Jazz added a comment.Apr 28 2025, 10:58 PM

Having looked at this task further the requirement to purge these variables is not mandated by WMF Legal. Given that we still want to purge the data we can use the easiest solution where the data isn't technically fully purged from blob store but is no longer associated with the AbuseFilter log entry:

  1. Saving all variables to the blob store and then placing that address in afl_var_dump
  2. When afl_ip is purged then create a new blob store address that no longer has the IPReputation variables

This will be the easiest technically to achieve, given that using a JSON string would require modifying the UpdateVarDumps.php maintenance scripts to support this JSON format. Plus it adds more tech debt.

Dreamy_Jazz claimed this task.Apr 28 2025, 10:58 PM
Dreamy_Jazz moved this task from Priority Backlog to In Progress on the Trust and Safety Product Sprint (Sprint Cozonac (April 14 - May 2)) board.
Ladsgroup added a comment.Apr 29 2025, 11:09 AM

If you're sure that it only gets done on logged-out edits/edit attempts. Then it's fine but if it accidentally starts creating two ES blobs for every afl entry, then I'd really prefer having the json blobs in afl_var_dump. ES is horizontally scalable but it's not that cheap.

Dreamy_Jazz added a comment.EditedApr 29 2025, 1:11 PM
In T390873#10775983, @Ladsgroup wrote:

If you're sure that it only gets done on logged-out edits/edit attempts. Then it's fine but if it accidentally starts creating two ES blobs for every afl entry, then I'd really prefer having the json blobs in afl_var_dump. ES is horizontally scalable but it's not that cheap.

We intend to at the moment only set it for logged-out editors and for account creations. However, we have a long-term plan to support these variables for registered users if T234155: Create CheckUser-level abuse filters is implemented.

Given that I'll proceed with the JSON approach to avoid having to undo work in the future.

gerritbot added a comment.Apr 30 2025, 2:40 PM

Change #1140198 had a related patch set uploaded (by Dreamy Jazz; author: Dreamy Jazz):

[mediawiki/extensions/AbuseFilter@master] [Very WIP] Store protected variable values in DB

https://gerrit.wikimedia.org/r/1140198

gerritbot added a project: Patch-For-Review.Apr 30 2025, 2:40 PM
kostajh edited projects, added Trust and Safety Product Sprint (Sprint Key Lime Pie (May 5 - May 23)); removed Trust and Safety Product Sprint (Sprint Cozonac (April 14 - May 2)).May 5 2025, 6:50 AM
kostajh moved this task from Priority Backlog to In Progress on the Trust and Safety Product Sprint (Sprint Key Lime Pie (May 5 - May 23)) board.
Titore subscribed.May 7 2025, 9:34 PM
gerritbot added a comment.May 20 2025, 6:11 PM

Change #1148412 had a related patch set uploaded (by Dreamy Jazz; author: Dreamy Jazz):

[mediawiki/extensions/AbuseFilter@master] Drop the UpdateVarDumps.php maintenance script

https://gerrit.wikimedia.org/r/1148412

kostajh moved this task from Backlog to 2024-2025 Q4 on the WE4.2 Anti-abuse board.May 20 2025, 6:29 PM
gerritbot added a comment.May 21 2025, 9:58 AM

Change #1148412 merged by jenkins-bot:

[mediawiki/extensions/AbuseFilter@master] Drop the UpdateVarDumps.php maintenance script

https://gerrit.wikimedia.org/r/1148412

ReleaseTaggerBot added a project: MW-1.45-notes (1.45.0-wmf.3; 2025-05-27).May 21 2025, 11:00 AM
kostajh edited projects, added Trust and Safety Product Sprint (Sprint Carrot Cake (May 26 - June 13)); removed Trust and Safety Product Sprint (Sprint Key Lime Pie (May 5 - May 23)).May 25 2025, 6:59 PM
kostajh moved this task from Priority Backlog to In Progress on the Trust and Safety Product Sprint (Sprint Carrot Cake (May 26 - June 13)) board.
gerritbot added a comment.May 29 2025, 9:18 PM

Change #1152154 had a related patch set uploaded (by Dreamy Jazz; author: Dreamy Jazz):

[mediawiki/extensions/AbuseFilter@master] Make afl_ip in abuse_filter_log nullable

https://gerrit.wikimedia.org/r/1152154

Dreamy_Jazz added projects: DBA, Schema-change.May 29 2025, 9:33 PM
Dreamy_Jazz moved this task from Unsorted to Change on the Schema-change board.
Dreamy_Jazz updated the task description. (Show Details)
gerritbot added a comment.May 29 2025, 10:11 PM

Change #1152162 had a related patch set uploaded (by Dreamy Jazz; author: Dreamy Jazz):

[mediawiki/extensions/AbuseFilter@master] [WIP] Store protected variables in DB instead of BlobStore

https://gerrit.wikimedia.org/r/1152162

gerritbot added a comment.May 29 2025, 10:33 PM

Change #1152164 had a related patch set uploaded (by Dreamy Jazz; author: Dreamy Jazz):

[mediawiki/extensions/AbuseFilter@master] Update PurgeOldLogIPData to set afl_ip to null

https://gerrit.wikimedia.org/r/1152164

Dreamy_Jazz removed a project: DBA.May 30 2025, 11:04 AM
gerritbot added a comment.May 30 2025, 3:14 PM

Change #1152164 abandoned by Dreamy Jazz:

[mediawiki/extensions/AbuseFilter@master] Update PurgeOldLogIPData to set afl_ip to null

https://gerrit.wikimedia.org/r/1152164

Dreamy_Jazz updated the task description. (Show Details)May 30 2025, 10:27 PM
gerritbot added a comment.Jun 3 2025, 8:33 PM

Change #1152154 merged by jenkins-bot:

[mediawiki/extensions/AbuseFilter@master] Add afl_var_dump_timestamp index to allow searching for JSON arrays

https://gerrit.wikimedia.org/r/1152154

ReleaseTaggerBot edited projects, added MW-1.45-notes (1.45.0-wmf.5; 2025-06-10); removed MW-1.45-notes (1.45.0-wmf.3; 2025-05-27).Jun 3 2025, 9:00 PM
gerritbot added a comment.Jun 4 2025, 11:43 AM

Change #1152162 merged by jenkins-bot:

[mediawiki/extensions/AbuseFilter@master] Store protected variables in DB instead of BlobStore

https://gerrit.wikimedia.org/r/1152162

Dreamy_Jazz mentioned this in T396079: Support generation of IPReputation AbuseFilter variables for temporary accounts and account creation.Jun 4 2025, 9:44 PM
Dreamy_Jazz mentioned this in T396130: Add afl_ip_hex column and afl_var_dump_timestamp index to abuse_filter_log.Jun 5 2025, 3:07 PM
Dreamy_Jazz mentioned this in rEIPR5ab7fa0a5552: Expand IPReputation data to temp accounts and account creation.Jun 8 2025, 6:37 PM
kostajh edited projects, added Trust and Safety Product Sprint (Sprint Baklava (June 16 - July 4)); removed Trust and Safety Product Sprint (Sprint Carrot Cake (May 26 - June 13)).Jun 16 2025, 6:13 AM
kostajh moved this task from Priority Backlog to In Progress on the Trust and Safety Product Sprint (Sprint Baklava (June 16 - July 4)) board.
gerritbot added a comment.Jun 20 2025, 2:21 PM

Change #1161978 had a related patch set uploaded (by Dreamy Jazz; author: Dreamy Jazz):

[mediawiki/extensions/AbuseFilter@master] [WIP] Rename PurgeOldLogIPData.php to PurgeOldLogData.php

https://gerrit.wikimedia.org/r/1161978

Dreamy_Jazz moved this task from In Progress to Needs Review on the Trust and Safety Product Sprint (Sprint Baklava (June 16 - July 4)) board.Jun 20 2025, 4:09 PM
gerritbot added a comment.Jun 23 2025, 8:19 PM

Change #1161978 merged by jenkins-bot:

[mediawiki/extensions/AbuseFilter@master] Rename PurgeOldLogIPData.php to PurgeOldLogData.php

https://gerrit.wikimedia.org/r/1161978

ReleaseTaggerBot edited projects, added MW-1.45-notes (1.45.0-wmf.8; 2025-07-01); removed MW-1.45-notes (1.45.0-wmf.5; 2025-06-10).Jun 24 2025, 4:01 PM
gerritbot added a comment.Jun 25 2025, 1:01 PM

Change #1140198 merged by jenkins-bot:

[mediawiki/extensions/AbuseFilter@master] Purge protected variables stored in the DB

https://gerrit.wikimedia.org/r/1140198

Dreamy_Jazz moved this task from Needs Review to Needs QA on the Trust and Safety Product Sprint (Sprint Baklava (June 16 - July 4)) board.Jun 25 2025, 1:06 PM
Maintenance_bot removed a project: Patch-For-Review.Jun 25 2025, 1:31 PM
dom_walden moved this task from Needs QA to Done on the Trust and Safety Product Sprint (Sprint Baklava (June 16 - July 4)) board.Jul 4 2025, 7:30 AM
dom_walden subscribed.

I ran the maintenance script with $wgAbuseFilterLogProtectedVariablesMaxAge = 1 to remove all the IP Reputation variables on my local wiki. I then checked that:

  • rows in abuse_filter_log with IP Reputation variables have their afl_var_dump column changed to just show the ID of the associated row in the text table
  • the associated row in the text table is unchanged
  • only users with the appropriate rights can access these abuse logs, and when they do it is logged

When you now look at a purged abuse log (e.g. in Special:AbuseLog/<log id>) all the IP Reputation variables show as true regardless of their value before purging.

Test environment: local docker Abuse Filter – (101543f) 07:51, 3 July 2025. IPReputation – (c04418c) 02:27, 21 June 2025.

kostajh closed this task as Resolved.Jul 7 2025, 9:34 AM
OKryva-WMF added a project: OKR-Work.Oct 3 2025, 4:07 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits