Commit graph

1881 commits

Author SHA1 Message Date
STran a5dbd74017 Allow all users to see protected filters on Special:AbuseFilter
Why:
T367390 hid protected filters from users who didn't have the right to see them
because users with access to private filters also had access to search against
filters and were inadvertantly allowed to search against protected filters regardless
of whether or not they had the right to see them.

Now, in order to be consistent with how AbuseFilter displays private filters, reveal
protected filters to all users but continue to restrict access to their details.

What:
- Only hide protected filters when a user runs a search and doesn't have permission
  to access them.

Bug: T381470
Change-Id: I2acb7e066885f6da18b29876c21c5d7d199b9886
2024-12-06 00:59:46 -08:00
jenkins-bot d81c3f4c3a Merge "Migrate 'ArticleDelete' hook to 'PageDelete' to fix error display" 2024-11-24 16:51:33 +00:00
Isabelle Hurbain-Palatin 3ad70ec182 Replace uses of deprecated ParserOutput::getText()
Bug: T293512
Change-Id: Idf94eb65e0cf915792442458abba618c5feef86b
2024-11-21 14:15:38 +01:00
jenkins-bot bf8d8243fd Merge "Improve workflow for protecting filters with protected variables" 2024-11-15 15:08:06 +00:00
jenkins-bot 7bfc37c300 Merge "AbuseFilterViewEdit: Expose status object to form builder" 2024-11-15 15:06:34 +00:00
Bartosz Dziewoński e5ec6ee907 Fix Phan error related to message parameters
Caused by type hints added in MediaWiki core in
I3e0df790ff9db2fa630f82408a7254a359fe61ca.

Change-Id: Ica40a9db2f9fde7c989fbdb1680b526c144dd73c
2024-11-15 00:24:45 +01:00
Thalia 8de5b4e1aa Improve workflow for protecting filters with protected variables
Why:

* Protected variables were introduced to support temporary accounts
  so that temporary users could be filtered based on their IP address.
* Filters that use protected variables are protected in order to
  preserve privacy. This can't be undone.
* The current workflow for protecting filters is to have a 'protect'
  checkbox that can be checked for any filter, even one without
  protected variables, to the discretion of the editor. This has
  led to mistakes (see T37765).

What:

* Do not show the 'protect' checkbox on the form by default. Instead,
  show it when saving a filter with protected variables, after form
  submission. The user must check it to save the filter.
* Still show the checkbox in a disabled state with a warning message
  if a filter is already protected, so that the editor can easily see
  it is protected.

Bug: T377765
Change-Id: Ie5c94ac1399860ccdca4482508dd37ff07309764
2024-11-14 18:24:27 +00:00
Thalia 6a14ea54fb AbuseFilterViewEdit: Expose status object to form builder
Why:

* For improvements to the protected filters workflow (T377765),
  a checkbox needs to be displayed conditionally on the status
  of a previously submitted form.

What:

* Pass a status object into ::buildFilterEditor, and build the
  HTML for any warnings or errors in that function, instead of
  first building the HTML and passing it.
* This also allows more than one error and/or warning to be
  shown if present, though this may not happen in practice yet.

Change-Id: I37da49711e7fc192856f013cd931c05379f8e8c6
2024-11-14 18:23:25 +00:00
Dreamy Jazz 774f4f02ef Create protected variable access logs POSTSEND
Why:
* The ProtectedVarsAccessLogger::logViewProtectedVariableValue
  method creates a debounced log entry for accessing protected
  variable values.
* This log can be created when a user calls the 'abuselog' query
  API. This API query is made using a GET request.
* Because the ProtectedVarsAccessLogger creates the log
  when it is called, the TransactionProfiler raises a warning
  about writing to the primary DB on a GET request.
* We should address this warning by creating the log entry on
  POSTSEND, in a similar way to how the CheckUser extension
  creates CheckUser log entries.

What:
* Wrap the call to ProtectedVarsAccessLogger::log in
  ::logViewProtectedVariableValue with a DeferredUpdate callback
  that is run POSTSEND.
** As part of this, the expectations that the code only uses the
   replica DBs are silenced inside the DeferredUpdate as the
   PostSend-GET expectations do not usually allow for writes.
   The only other method would to be create the log via a job,
   but we want the log creation to occur quickly and reliably.

Bug: T379083
Change-Id: If14e65b27b0bdd4fd0b99319024ffa281bf44656
2024-11-11 14:33:47 +00:00
Anne Haunime 2f4ca44adf Add code comments to help find dynamically-generated IDs in the codebase
Bug: T378319
Change-Id: Id5dd2dc1a979423f2ec4e0f091fb854b2ff185cb
2024-10-29 03:10:27 +00:00
jenkins-bot 5a930d59d3 Merge "Simplify code by replacing isset() with falsy check" 2024-10-28 17:02:32 +00:00
Umherirrender 6252afcac7 Simplify code by replacing isset() with falsy check
Conditional set of variable is not easy to read.
Instead set the variable to null before try/catch
Reported by a new phan plugin (2efea9f989)
This bypass a false positive from phan (T378271)

Change-Id: I037efe8465747b8c915405f38546fc1ea4405a03
2024-10-27 13:20:18 +01:00
Umherirrender a02fe0a2dd Use a local variable for hitcount in AbuseFilterViewEdit
Assist static code analyzer that null is not passed to
Message::numParams

Change-Id: Ic0369493b274de3379067745573e1f8baed56dcb
2024-10-26 21:41:16 +02:00
Andre Klapper 63de22357d Use explicit nullable type on parameter arguments (for PHP 8.4)
Implicitly marking parameter $... as nullable is deprecated in PHP
8.4. The explicit nullable type must be used instead.

Bug: T376276
Change-Id: I303342cf1a002d5f0afc77ce147ce9453ea5282e
2024-10-26 14:38:46 +02:00
Umherirrender 6757ee9d32 Use type-declaration on api module constructor
Parent class constructor gets type-declaration in 1145328459
Remove simple doc-blocks without further information

Change-Id: I5d2179af0c7b826ca48df239152412205702cd77
2024-10-25 19:02:04 +02:00
Bartosz Dziewoński 3b2b1c4fee AbuseLogPager: Fix passing false as message parameter
Bug: T377917
Change-Id: I1e4eee10d7ee0cac777f89dd85f2e8bd364b8475
2024-10-23 17:53:07 +02:00
jenkins-bot ad516227f4 Merge "Protected variable logs: fallback to accountname if user_name is not set" 2024-10-21 20:18:15 +00:00
Bartosz Dziewoński 6b0c6609d1 Migrate 'ArticleDelete' hook to 'PageDelete' to fix error display
Bug: T377384
Change-Id: Ia8df47ffc9a77dabd00c97731b2e335901897bf0
2024-10-21 21:35:27 +02:00
Kosta Harlan 05da3118aa
Protected variable logs: fallback to accountname if user_name is not set
Why:

- For account creations and account autocreations, the user_name
  property is deliberately unset, to avoid displaying the IP address of
  an unregistered user. Instead, `accountname` is set with the newly
  created account name
- For logging that someone has seen a protected variable value, we need
  to record the username that was seen

What:

- Use `accountname` as a fallback in case `user_name` is not set, when
  logging protected variable access
- Update tests to cover this case.

Bug: T376885
Change-Id: I688a3529fac0ad8455977a0cfdb950f0105f550d
2024-10-21 21:15:51 +02:00
Umherirrender 57ecef75c5 Use namespaced classes
Changes to the use statements done automatically via script
Addition of missing use statement done manually

Change-Id: If80031678a474157e4cc78a3d3621dab53aded67
2024-10-19 21:55:40 +02:00
Reedy a98249d8f7 Blocked Domains: Minor tweaks
Change-Id: I424726677910911094ec28b152be267a7f494469
2024-10-05 22:56:17 +01:00
jenkins-bot 743bb64924 Merge "Log specific views of protected variables" 2024-10-03 14:37:48 +00:00
STran b66daede0a Log specific views of protected variables
Like CheckUser, AbuseFilter should also log when specific protected
logs are viewed.

- Add support for debouncing logs to reduce log spam
- Log when AbuseFilterViewExamine with protected variables available
  is accessed
- Log when SpecialAbuseLog with protected variables available is
  accessed
- Log when QueryAbuseLog with protected variables available is accessed

Bug: T365743
Change-Id: If31a71ea5c7e2dd7c5d26ad37dc474787a7d5b1a
2024-10-02 00:53:34 -07:00
Dreamy Jazz 48b26792a9 SECURITY: abusefiltercheckmatch: Check if user can see log details
CVE-2024-PENDING

Why:
* The 'abusefiltercheckmatch' API allows callers to match
  arbitary filter conditions against existing AbuseFilter logs
* The API does not check if the performer has the ability to
  see the log details for the given filter, so can allow a user
  to bypass hidden and protected visibility settings.

What:
* Call AbuseFilterPermissionManager::canSeeLogDetailsForFilter
  before attempting to match a filter against a given AbuseFilter
  log.
* Add a test to verify that this security fix works.

Bug: T372998
Change-Id: I4a2467dc4e0d1f8401d5428a89c7f6d6ebcdfa70
2024-10-01 00:18:55 +01:00
Ed Sanders 48b5da806d Add missing typehints
Change-Id: I3003d40e641b1ebfff8fd986a58cbc2c4f8f18d6
2024-09-23 14:25:50 +01:00
STran 51381f0067 Bugfix: Fix minor issues with protected vars logging
- Fix an issue where if a user didn't have view permissions they could
  get the preference check error (a preference they wouldn't have) on
  SpecialAbuseLog
- Fix an issue where the `change-access` hadn't been updated to the used
  disabled/enabled log types
- Fix an issue where a ProtectedVarsAccessLoggerTest test wasn't
  correctly using the data provider data
- Improve naming since ProtectedVarsAccessLogger exists in its own test
  file instead of being a subset of tests on AbuseLoggerTest

Bug: T371798
Change-Id: I53f22855e63d9e1339361a5c9ee7886e0f74714a
2024-09-23 03:42:41 -07:00
STran 0b3d0b3b6d Write protected variables access logs to CheckUser if installed
Write logs related to temporary accounts to CheckUser if the extension
is available so that logs are topically centralized.

Bug: T373525
Depends-On: I35d50df7cd6754e29d964cc716fb3c42406272df
Change-Id: Ic95f211f4db7ce6dc2d769d2f3af206f4a3935e4
2024-09-18 07:59:05 -07:00
Matěj Suchánek 3ec6902f41 Make PreferencesHandler implement the hook interface
Follow-up to Ic7024d9c5f369eb33c4198a59638de9a1d58b04b.

Change-Id: I143dc53806eda8424440803833ef2a25b2893d1d
2024-09-13 18:45:30 +02:00
jenkins-bot 2ef2257922 Merge "Log changes to protected variables access" 2024-09-13 12:49:19 +00:00
jenkins-bot 4f272aeb02 Merge "Add preference for viewing protected variables in AbuseFilter" 2024-09-13 12:27:36 +00:00
STran cbfaaa591d Log changes to protected variables access
Similar to how CheckUser logs access to IP information about temporary
accounts, AbuseFilter needs to log whenever protected variables are
accessed.

- Implement ProtectedVarsAccessLogger which handles access logging
- Log whenever a user changes their ability to access protected
  variables via Special:Preferences

Bug: T371798
Change-Id: Ic7024d9c5f369eb33c4198a59638de9a1d58b04b
2024-09-13 01:39:09 -07:00
STran bd819b98a2 Add preference for viewing protected variables in AbuseFilter
Users need to enable a preference before gaining access to the IPs
from `user_unnamed_ip`, a protected variable.

- Add a preference that the user can check to toggle their access
- Check for the preference and the view right for logs that reveal
  protected variables on:
  + AbuseFilterViewExamine
  + SpecialAbuseLog
  + QueryAbuseLog

Bug: T371798
Change-Id: I5363380d999118982b216585ea73ee4274a6eac1
2024-09-12 07:59:24 -07:00
Anne Haunime 69ea21dc99 Support named capturing groups in get_matches()
AF rules don't support associative arrays, so the named capturing groups are provided in the array only by their numeric keys.

Bug: T374294
Change-Id: I53b39917e6677f3a5b8f68bcf0faebf48668ea27
2024-09-07 11:25:48 +00:00
Erik Bernhardson 65c10f5fa0 Skip auth checks when autocreate is allowed by provider
Session providers can provide a `canAlwaysAutocreate` flag which
indicates account creation is exempt from autocreate permission
checks. This is used, for example, for providers that provide
users for supporting applications in a wiki farm.

Check the flag and exempt the auto creation from abuse filter
checks as well.

Bug: T373778
Change-Id: Id89358930b92cb8dd05c2b031e764412ee641269
2024-09-05 11:17:16 -07:00
jenkins-bot db67b31db2 Merge "Log entry IDs should not have thousands separators" 2024-09-05 08:00:34 +00:00
Daimona Eaytoy dcc271b636 Api: Avoid type error in AbuseLogPrivateDetails
Make the `reason` parameter default to the empty string, so that we
don't end up passing null to ManualLogEntry::setComment.

Bug: T373010
Change-Id: Ifca828401628368bdddae14df2bbeb7391b2c02d
2024-08-21 14:31:46 +02:00
Bartosz Dziewoński 237d54d545 Replace gettype() with get_debug_type() in exception messages etc.
get_debug_type() does the same thing but better (spelling type names
in the same way as in type declarations, and including names of
object classes and resource types). It was added in PHP 8, but the
symfony/polyfill-php80 package provides it while we still support 7.4.

Also remove uses of get_class() where the new method already provides
the same information.

For reference:
https://www.php.net/manual/en/function.get-debug-type.php
https://www.php.net/manual/en/function.gettype.php

Change-Id: I5e65a0759df7fa0c10bfa26ebc3cda436630f456
2024-08-12 23:05:16 +02:00
jenkins-bot 963a1fc114 Merge "Use ConnectionProvider instead of LoadBalancerFactory" 2024-08-11 16:25:06 +00:00
thiemowmde 0afb81f8da Use ConnectionProvider instead of LoadBalancerFactory
This requires 1.42. That works as this codebase already requires
1.43 via extension.json.

Change-Id: If1f194a3cea3b8d45d98183e294d65fe8568f7ab
2024-08-11 17:27:28 +02:00
thiemowmde 861b1bf05b Fix broken PHPDoc comment
Also bring @var comments in a canonical form.

Change-Id: I9916bde1d3aa5fb44753109112bb898811cbf0ac
2024-08-11 17:23:37 +02:00
Anne Haunime 335dbff81e Log entry IDs should not have thousands separators
Per discussion, as a compromise (that I’m fine with), I’m leaving these IDs localized (i.e. the digits may be other than arabic), and I’m only removing the thousands separators.

Bug: T348717
Change-Id: I77b484fec2071267c53a139104c23755a13f0129
2024-08-09 05:58:23 +00:00
jenkins-bot de16ec7509 Merge "ConsequencesExecutor: Use Message objects in the Status" 2024-07-30 00:21:19 +00:00
jenkins-bot 0c51fbd3e6 Merge "Use namespaced MessageSpecifier" 2024-07-28 21:30:01 +00:00
Bartosz Dziewoński 80f56e599b ConsequencesExecutor: Use Message objects in the Status
In my recent change c458651370, which used Status::getMessages()
in FilteredActionsHandler, I overlooked the fact that it returns
MessageSpecifier objects instead of Message objects, and the return
value of MessageSpecifier::getParams() is not exactly specified
(the docs only promise that it's an array).

Now I'm working on a MediaWiki core change (I625a48a6ec) that
causes a different MessageSpecifier to be used, which stores
parameters in a different format, and would break that code.

To avoid problems, ConsequencesExecutor now stores Message objects
in the Status, which guarantees that FilteredActionsHandler will
get the same objects back.

Change-Id: I2c1bc8dde9a078d03badecf6d89443b65eeb92c5
2024-07-28 20:08:56 +00:00
Bartosz Dziewoński 517beb3c0d Use namespaced MessageSpecifier
Depends-On: I9ff4ff7beb098b60c92f564591937c7d789c6684
Change-Id: I7097b4d80df790ef14a5bc053306dc2f1fd195da
2024-07-28 21:59:35 +02:00
Umherirrender e88494212e Use expression builder to avoid IDatabase::makeList
Bug: T350968
Change-Id: Iacb407a9aef293f401e0dbf754bb1f51f6b390c5
2024-07-22 21:42:28 +00:00
Umherirrender 91b369b7af Use expression builder instead of raw sql
Bug: T350968
Change-Id: Ibad11ea11e7955172d35d4499372d0fcd726bf74
2024-07-21 22:07:58 +02:00
Bartosz Dziewoński 3df92fcbe4 Use stable andExpr() / orExpr() methods
Change-Id: I0010a7c9d273e63acbed78190f0c23283a192ef2
2024-07-11 18:36:04 +02:00
STran 30227231f6 Disallow protected variable access on AbuseFilterViewTestBatch
A filter using a protected variable can be loaded via filter id
using testing tools even though the user might not have the right
to view protected variables. This can potentially leak PII and as
such, testing tools should check for the right before allowing
protected filters to be seen.

- Unload a filter asap if it uses protected variables and the
  requestor doesn't have viewing rights. This:
    + disallows loading of existing protected filters on page load
    + disallows testing against rules that use protected variables
    + disallows subsequent requests for protected filters (via API)

There is a known bug (see T369620) where no user feedback is
provided if an API request for a filter returns no result (typically
when no filter matches the requested id). This commit adds another
pathway to that bug (the filter exists but is protected and not
returned by the API) but does not update this UI/UX.

Bug: T364834
Change-Id: I6a572790edd743596d70c9c4a2ee52b4561e25f3
2024-07-10 05:31:03 -07:00
jenkins-bot 218627233b Merge "Only return filters visible to user in search" 2024-07-09 09:45:55 +00:00