[Epic] Temporary account AbuseFilter support
Open, Needs TriagePublic
Actions

Assigned To

None

Authored By

	tstarling
	Apr 28 2022, 1:44 AM

Description

AbuseFilter should work when IP masking is enabled ($wgAutoCreateTempUser['enabled'] = true).

AbuseFilter handles the EditFilterMergedContent hook. When a user is anonymous with IP masking enabled, the user passed to EditFilterMergedContent is an unsaved account (user ID = 0) with an automatically generated prospective name. I'm concerned about loading various kinds of user data using this unusual kind of User object. For example the variables user-editcount, user-emailconfirm, user-groups, user-rights, user-block and user-age. We need to confirm that these variables return something reasonable. Ideally they shouldn't do DB queries looking for rows with user_id=0.

The "block" action in this scenario is probably broken -- it will try to block a non-existent user by name. Maybe the autoblock flag could be used to block the IP address while preserving privacy. If that doesn't work, it's better to fail than to leak the IP address.

The "rangeblock" action uses WebRequest::getIP() and so apparently has the potential to leak IP addresses. If so, it's an issue not specific to temporary accounts.

There has been some talk of adding an IP address variable for temporary users while somehow maintaining privacy. I think that's out of scope for now. The first thing is to make sure AbuseFilter doesn't throw exceptions or do anything stupid.

Adding a boolean variable that reflects User::isTemp() (or its UserIdentity equivalent) could be done at this stage and would be nice to have.

Related Objects
Search...

Status	Subtype	Assigned	Task
			Restricted Task
Resolved		kostajh	T294511 2021 Security Team wikireplicas audit
Declined		None	T284948 Raw IPs of logged-out users disclosed in wiki-replicas
In Progress		Niharika	T324492 Temporary accounts - MVP
Open		None	T326816 [Epic] Update features for temporary accounts
Open		Tchanders	T326869 Update TSP-owned products that may be affected by IP Masking
Resolved		• lbowmaker	T262321 IP Masking
Resolved		tstarling	T300263 [IP Masking] Create temporary account on first edit
Open		None	T307060 [Epic] Temporary account AbuseFilter support
Resolved		STran	T331653 Investigate: Update AbuseFilter for IP Masking
Resolved		Umherirrender	T328311 Special:AbuseLog is missing the `mw-tempuserlink` class from temporary account user links
Resolved		• AGueyte	T335062 Update AbuseFilter with the right user verification
Duplicate		• AGueyte	T335064 Investigate AbuseFilter Hook with CheckUser
Resolved		STran	T334623 How do we log unsuccessful first edits for temporary users?
Resolved		Dreamy_Jazz	T357615 Create filters to distinguish anonymous/temporary/registered users
Resolved		STran	T357772 Investigate: How will `ip_in_range` and `ip_in_ranges` function when temporary accounts are enabled
Resolved		STran	T364833 Add `user_unnamed_ip` variable
Resolved		STran	T363906 [Epic] Ensure filters that use PII-sensitive variables are protected
Resolved		STran	T364465 Display changes to protected status and flags on AbuseFilter history and diff pages
Resolved		STran	T364485 Alert a filter editor that a filter must be protected if it is saved with a protected variable
Resolved		kostajh	T365049 Investigate what to do about the AbuseFilter log revealing someone's IP address via historical logs
Resolved		STran	T365743 Log when AbuseFilter user sees IP address associated with temp account via user_unnamed_ip variable trigger
Resolved		Tchanders	T364902 How should access to IPs of temporary accounts be logged?
Resolved		STran	T367390 Add granular query restrictions for AbuseFilter filter search
Resolved		STran	T364834 Ensure testing tools that use `user_unnamed_ip` don't reveal it to users without the view right
Open		STran	T369610 Give the `abusefilter-access-protected-vars` right to global maintainers
Open		sgrabarczuk	T369611 Coordinate the updates of IP-using AbuseFilter filters to use `user_unnamed_ip`
Resolved		STran	T357774 Investigate: What to do with existing filters that temporary accounts will break
Resolved	BUG REPORT	Dreamy_Jazz	T358632 CannotCreateActorException when creating a temporary account on an edit which causes an abuse filter log
Open		STran	T365740 Document the changes introduced for temporary accounts

Event Timeline

tstarling created this task.Apr 28 2022, 1:44 AM

For your convenience, variables related to users are set in VariableGenerator::generateUserVars and computed in LazyVariableComputer.

The "rangeblock" action uses WebRequest::getIP() and so apparently has the potential to leak IP addresses. If so, it's an issue not specific to temporary accounts.

Indeed, but this feature should be disabled on Wikimedia wikis.

In T307060#7886798, @matej_suchanek wrote:

The "rangeblock" action uses WebRequest::getIP() and so apparently has the potential to leak IP addresses. If so, it's an issue not specific to temporary accounts.

Indeed, but this feature should be disabled on Wikimedia wikis.

It's enabled on fawiki and fawikiquote.

You are right, I must have once convinced myself about that.

Related: T280413, T152394. I'm not sure what the best way of fixing those could be. But perhaps, the time has come to find one.

Tchanders moved this task from Inbox to Needs Product/Legal/Design/MoveComms on the Temporary accounts board.Dec 6 2022, 4:27 PM

Tchanders added a parent task: T326869: Update TSP-owned products that may be affected by IP Masking.Jan 30 2023, 2:39 PM

Niharika mentioned this in T331653: Investigate: Update AbuseFilter for IP Masking.Mar 10 2023, 10:37 PM

The "block" action in this scenario is probably broken -- it will try to block a non-existent user by name. Maybe the autoblock flag could be used to block the IP address while preserving privacy. If that doesn't work, it's better to fail than to leak the IP address.

Testing on dewiki beta trying to edit as an anonymous user:

if the AbuseFilter blocks the autocreateaccount action the IP is blocked but the temporary user is recorded in the AbuseFilter log (although the temp user is not actually created).
if the edit action is blocked the IP is blocked and is recorded in the AB log (T328403)

Jules78120 subscribed.May 16 2023, 6:20 PM

Jules78120 unsubscribed.May 16 2023, 6:31 PM

Tchanders merged a task: T335062: Update AbuseFilter with the right user verification.May 25 2023, 5:54 PM

Tchanders mentioned this in T335062: Update AbuseFilter with the right user verification.

Tchanders added subscribers: • AGueyte, ARamirez_WMF.

Tchanders merged a task: T335064: Investigate AbuseFilter Hook with CheckUser.May 25 2023, 6:04 PM

Tchanders mentioned this in T335064: Investigate AbuseFilter Hook with CheckUser.

Jules78120 subscribed.Sep 3 2023, 11:13 PM

Titore subscribed.Sep 16 2023, 2:05 AM

Tchanders added a subtask: T331653: Investigate: Update AbuseFilter for IP Masking.Feb 7 2024, 10:23 AM

matej_suchanek added a subtask: T334623: How do we log unsuccessful first edits for temporary users?.Feb 7 2024, 10:58 AM

STran added a subtask: T357615: Create filters to distinguish anonymous/temporary/registered users.Feb 16 2024, 2:09 PM

STran added a subtask: T234155: Create CheckUser-level abuse filters.

STran added a subtask: T357772: Investigate: How will `ip_in_range` and `ip_in_ranges` function when temporary accounts are enabled.

STran added a subtask: T357774: Investigate: What to do with existing filters that temporary accounts will break.Feb 16 2024, 2:11 PM

STran closed subtask T331653: Investigate: Update AbuseFilter for IP Masking as Resolved.Feb 16 2024, 2:18 PM

Johannnes89 subscribed.Feb 16 2024, 2:38 PM

Dreamy_Jazz added a subtask: T358632: CannotCreateActorException when creating a temporary account on an edit which causes an abuse filter log.Feb 28 2024, 12:11 AM

Dreamy_Jazz closed subtask T358632: CannotCreateActorException when creating a temporary account on an edit which causes an abuse filter log as Resolved.Feb 29 2024, 9:19 PM

Tchanders renamed this task from [IP Masking] Temporary account AbuseFilter support to [Epic] Temporary account AbuseFilter support.Mar 1 2024, 10:51 AM

kostajh added a parent task: T359043: Enable temp account creation in CI and local development environments via DevelopmentSettings.php.Mar 4 2024, 1:36 PM

kostajh removed a parent task: T359043: Enable temp account creation in CI and local development environments via DevelopmentSettings.php.

kostajh mentioned this in T359405: Create temporary account early in edit cycle for all edit attempts.Mar 6 2024, 3:03 PM

Dreamy_Jazz closed subtask T357615: Create filters to distinguish anonymous/temporary/registered users as Resolved.Mar 14 2024, 1:40 PM

Daimona mentioned this in T359933: Audit attemptSave, onEditFilter and onEditFilterMergedContent implementations to see which ones check for IP user specifically.Mar 18 2024, 3:31 PM

kostajh closed subtask T334623: How do we log unsuccessful first edits for temporary users? as Resolved.May 22 2024, 1:51 PM

STran removed a subtask: T234155: Create CheckUser-level abuse filters.Jun 11 2024, 10:23 AM

STran closed subtask T357774: Investigate: What to do with existing filters that temporary accounts will break as Resolved.Jun 11 2024, 10:27 AM

Tchanders removed a subtask: T357682: Investigate: Is AbuseFilter in accordance with the IP address reveal policy.Jun 12 2024, 8:57 AM

Tchanders edited projects, added Temporary accounts (Blockers to minor pilot wiki deployment); removed Temporary accounts.Jul 3 2024, 5:02 PM

Tchanders closed subtask T357772: Investigate: How will `ip_in_range` and `ip_in_ranges` function when temporary accounts are enabled as Resolved.Jul 9 2024, 10:20 AM

kostajh moved this task from Backlog to Epics in progress on the Temporary accounts (Blockers to minor pilot wiki deployment) board.Sep 15 2024, 4:59 PM