Separate access to tools and test features from ability to view private filters
Open, LowestPublicSecurity
Actions

Description

As a user who does not have access to view private filters on some wikis,
It should be possible for users who cannot view private filters to be able to use the /test and /tools abuse filter features

Currently, AbuseFilter::canViewPrivate is used to restrict access to the tools and test utilities.
As noted in {T230320}, "private" is the highest (and only) possible restriction on viewing abuse filters.
In a vein similar to T230103: Systematize wgRestrictionLevels, the ability to use /test and /tools should not be restricted based on other rights.

Proposal: Create a new right (or two?) abusefilter-test, to be able to use the /test and /tools utilities.
Just as abusefilter-modify implies abusefilter-view-private, both should imply abusefilter-test for backwards compatibility (at least for now)

Filed as a security task in case there are security issues pertinent to expanding access, given that the views are restricted in the first place

Details

Author Affiliation: Wikimedia Communities

	Subject	Repo	Branch	Lines +/-
	Create a new method for authorizing access to test tools	mediawiki/extensions/AbuseFilter	master	+34 -9

Customize query in gerrit

Related Objects

Mentioned Here: T230103: Systematize wgRestrictionLevels

Event Timeline

DannyS712 created this task.Jan 15 2020, 3:25 AM

Restricted Application added a project: User-DannyS712. · View Herald TranscriptJan 15 2020, 3:25 AM

Restricted Application added a subscriber: Aklapper. · View Herald Transcript

DannyS712 moved this task from Unsorted to Abuse Filter on the User-DannyS712 board.Jan 15 2020, 3:26 AM

DannyS712 added projects: AbuseFilter, MediaWiki-User-management.

DannyS712 changed Author Affiliation from N/A to Wikimedia Communities.

DannyS712 added subscribers: Daimona, Huji, Urbanecm.

Why is this security?

In T242821#5804476, @Urbanecm wrote:

Why is this security?

"Filed as a security task in case there are security issues pertinent to expanding access, given that the views are restricted in the first place" - I don't have access to security tasks, so I don't know the full history / can't tell if there is some other issue that may be relevant. Filed as security to err on the side of caution.

Thanks, missed that. @Daimona and @sbassett , what do you think?

I think it's good to have this task protected as sectask as a precaution. However, I don't really think it should stay protected. I believe there's nothing exploitable in the various test features, as they don't give any access to private filters, in any way. Either way, it'd be good to have Scott or someone else on the Sec Team speak their mind.

As for the subject of the task, I'm fine with that, we can introduce a new right (as long as the change is back-compat for WMF wikis).

• Dsharpe moved this task from Incoming to Watching on the Security-Team board.Jan 22 2020, 5:22 PM

• chasemp added a project: Security.Feb 10 2020, 10:50 PM

• chasemp removed a project: acl*security.Feb 20 2020, 8:05 PM

Daimona added a project: User-Daimona.Aug 30 2020, 5:25 PM

Daimona moved this task from Backlog to Ideas for overhaul on the User-Daimona board.

Daimona added a subscriber: matej_suchanek.Sep 16 2020, 1:27 PM

Daimona triaged this task as Lowest priority.Sep 16 2020, 1:32 PM

Daimona edited projects, added AbuseFilter (Overhaul-2020); removed User-Daimona, AbuseFilter.

Daimona moved this task from Backlog to Discussion on the AbuseFilter (Overhaul-2020) board.

Just want to note that the restrictions on access to /test separate from the ability to view private filters came up in a discussion at https://en.wikipedia.org/w/index.php?title=Wikipedia_talk:Edit_filter_helper#Nomination_requirement? - allowing a separate right would make it easier to expand access to the testing interface without the potential consequences of expanding access to viewing private filters.

In T242821#5804775, @Daimona wrote:

I think it's good to have this task protected as sectask as a precaution. However, I don't really think it should stay protected. I believe there's nothing exploitable in the various test features, as they don't give any access to private filters, in any way. Either way, it'd be good to have Scott or someone else on the Sec Team speak their mind.

{{ping}} any objections to making this public @sbassett?

In T242821#6714343, @DannyS712 wrote:

{{ping}} any objections to making this public @sbassett?

None from me. I agree with @Daimona that the task and the proposed solution do not expose anything particularly security-sensitive and/or not already-known by interested parties. I'll make this task public now.

sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".Jan 5 2021, 8:07 PM

RhinosF1 subscribed.Jan 5 2021, 8:34 PM

Perryprog subscribed.Jan 6 2021, 3:04 AM

taavi subscribed.Jan 6 2021, 7:00 AM

The only concern that came up on the enwp discussion was to ensure that someone could not overload the tool with either rate or size of test cases, with a corresponding effect on the wiki itself since the tool does run the regex against the live database. So some sort of rate limit or query condition limit may be desirable.

Please reset the edit policy.

JJMC89 unsubscribed.Jan 7 2021, 8:40 PM

Legoktm changed the edit policy from "Custom Policy" to "All Users".Jan 8 2021, 1:14 AM

Instead of a rate limit, what if unprivileged uses of /test were limited to at most N cores and M bytes of memory? Then the only "service" anyone could "deny" is /test itself, which doesn't seem like a worthwhile target. Something similar is done with regex and Special:Search, if I recall.

Daimona moved this task from Discussion to In progress on the AbuseFilter (Overhaul-2020) board.Feb 5 2021, 3:20 PM

Change 665374 had a related patch set uploaded (by Matěj Suchánek; owner: Matěj Suchánek):
[mediawiki/extensions/AbuseFilter@master] Use a new method for using

https://gerrit.wikimedia.org/r/665374

gerritbot added a project: Patch-For-Review.Feb 19 2021, 6:36 PM

As a reminder, Special:AbuseFilter/test still allows you to view private filters with a URL like https://en.wikipedia.org/wiki/Special:AbuseFilter/test/2.

In T242821#6844239, @suffusion_of_yellow wrote:

As a reminder, Special:AbuseFilter/test still allows you to view private filters with a URL like https://en.wikipedia.org/wiki/Special:AbuseFilter/test/2.

But only if you have abusefilter-modify or abusefilter-view-private.

@sbassett: I thought the idea was to have canTestTools(), in the future, also allow users some new right (abusefilter-test, etc.). If that's done, then users with that new right will also be able to view private filters, with an URL like the one above.

Not saying anything is broken now, or even with this patch.

In T242821#6844336, @suffusion_of_yellow wrote:

Not saying anything is broken now, or even with this patch.

Right, I just wanted to avoid any confusion if someone thought /test wasn't currently locked down via af user rights.

Change 665374 merged by jenkins-bot:
[mediawiki/extensions/AbuseFilter@master] Create a new method for authorizing access to test tools

https://gerrit.wikimedia.org/r/665374

ReleaseTaggerBot added a project: MW-1.36-notes (1.36.0-wmf.32; 2021-02-23).Feb 22 2021, 6:00 PM

Maintenance_bot removed a project: Patch-For-Review.Feb 22 2021, 6:10 PM

Untagged team task in cleanup meeting in https://office.wikimedia.org/wiki/Wikimedia_Security_Team/Phabricator_Workboard_Maintenance

Zabe subscribed.Oct 6 2021, 10:49 AM

Separate access to tools and test features from ability to view private filtersOpen, LowestPublicSecurityActions

Description

Details

Related Objects

Event Timeline

Separate access to tools and test features from ability to view private filters
Open, LowestPublicSecurity
Actions