CVE-2023-45371: Merging items is not rate limited and only partially protected by AbuseFilter
Closed, ResolvedPublic5 Estimated Story PointsSecurity
Actions

Assigned To

Authored By

	Lucas_Werkmeister_WMDE
	Aug 28 2023, 9:55 AM

Description

As a Wikidata administrator or site operator, I want merging items to be subject to the same rate limits as other edits, and to be checked against AbuseFilter like other edits, so that the amount of damage that vandals can do is limited.

Problem:
ItemMergeInteractor bypasses MediaWikiEditEntity and directly uses the underlying WikiPageEntityStore, probably because it has to edit two entities at once. This means that ItemMergeInteractor is responsible for repeating all the checks done in MediaWikiEntity; it does permission checks, but doesn’t ping the rate limiter nor run the EditFilterMergedContent hook.

Rate limits are, as a result, not checked at all as far as I can tell. (I tested Special:MergeItems, but I assume the wbmergeitems API is equally affected.)

AbuseFilter is still checked at some point, but too late: when testing with a simple AbuseFilter that just blocks all edits unconditionally, there is an error message “EditFilterHook stopped redirect creation” on Special:MergeItems (which apparently comes from the EntityRedirectCreationInteractor) and the last edit (“redirected to target”) doesn’t take place, but the first two edits (“merged item into target”, which clears source the item without redirecting it, and “merged item from source”, which updates the target item with the data from the source item) still happen and aren’t blocked.

To test this, it can be useful to configure a very low rate limit:

LocalSettings.php

$wgRateLimits['edit']['anon'] = [ 1, 60 ]; // 1 per minute

Acceptance criteria:

Special:MergeItems and wbmergeitems don’t make any edits when the user has hit their rate limit
Special:MergeItems and wbmergeitems don’t make any edits when there is an AbuseFilter that blocks all edits

Details

Risk Rating: Medium
Author Affiliation: Wikimedia Deutschland

Subject	Repo	Branch	Lines +/-
SECURITY: Add rate limits and edit filters to item merging	mediawiki/extensions/Wikibase	REL1_39	+100 -20
SECURITY: Add rate limits and edit filters to item merging	mediawiki/extensions/Wikibase	REL1_40	+99 -19
SECURITY: Add rate limits and edit filters to item merging	mediawiki/extensions/Wikibase	master	+100 -19

Customize query in gerrit

Related Objects

Mentioned In: T356764: Merging lexemes is only partially rate limited and protected by AbuseFilter
T356149: Adjust Item and Property Special Pages to not leak IPs when editing and IP masking is enabled
T340874: Write and send supplementary release announcement for extensions and skins with security patches (1.35.12/1.39.5/1.40.1)

Event Timeline

Lucas_Werkmeister_WMDE created this task.Aug 28 2023, 9:55 AM

Restricted Application added a subscriber: Aklapper. · View Herald TranscriptAug 28 2023, 9:55 AM

Lucas_Werkmeister_WMDE added projects: Wikidata, MediaWiki-extensions-WikibaseRepository.Aug 28 2023, 9:55 AM

(The only other place I can see that bypasses MediaWikiEditEntity is PropertyDataTypeChanger – that one doesn’t even check any permissions, but that’s fine because it’s only accessible via a maintenance script. So I think ItemMergeInteractor is the only one we need to worry about.)

Lucas_Werkmeister_WMDE updated the task description. (Show Details)Aug 28 2023, 10:05 AM

Lucas_Werkmeister_WMDE updated the task description. (Show Details)Aug 28 2023, 10:20 AM

I think EntityRedirectCreationInteractor also doesn’t check rate limits, and it probably should – it’s accessible separately from ItemMergeInteractor, after all (via the wbcreateredirect API or Special:RedirectEntity).

Pulling into the sprint, estimated at 5 for now. (I’ll pick it up soon if nobody beats me to it.)

Alright, here’s a patch:

0001-SECURITY-Add-rate-limits-and-edit-filters-to-item-me.patch15 KBDownload

(Guessing at the Vuln- tag, please change if I guessed wrong.)

Michael subscribed.Aug 31 2023, 9:15 AM

It looks good to me (still have to have a closer look at the tests), but I'm confused that these files do the saving by themselves. Don't we have the MediaWikiEditEntity class for exactly that? Its class phpdoc even says:

Handler for editing activity, providing a unified interface for saving modified entities while performing permission checks and handling edit conflicts.

That being said, the current patch is probably the right way to go for a security change.

The changed tests look good to me as well, and they do pass locally on my system.

=> Gives the change their +1

In T345064#9133402, @Michael wrote:

It looks good to me (still have to have a closer look at the tests), but I'm confused that these files do the saving by themselves. Don't we have the MediaWikiEditEntity class for exactly that? Its class phpdoc even says:

Handler for editing activity, providing a unified interface for saving modified entities while performing permission checks and handling edit conflicts.

MediaWikiEditEntity can only save an EntityDocument (currently), not an EntityRedirect, so at least EntityRedirectCreationInteractor can’t use it. I’m not sure if there’s really a reason why ItemMergeInteractor can’t use it to create the two non-redirect revisions; sure, it has to make two edits, but it’s not clear to me that you couldn’t just call MediaWikiEditEntity twice? (Or perhaps you’d have to get two separate instances from the MediaWikiEditEntityFactory, not sure.) But we can look into that after the security change, IMHO.

Lydia_Pintscher subscribed.Aug 31 2023, 12:36 PM

In T345064#9130237, @Lucas_Werkmeister_WMDE wrote:

Alright, here’s a patch:

0001-SECURITY-Add-rate-limits-and-edit-filters-to-item-me.patch15 KBDownload

Deployed.

(I doubt there’s a non-disruptive way to check this in production; I would just rely on the local testing here.)

In T345064#9133866, @Lucas_Werkmeister_WMDE wrote:

(I doubt there’s a non-disruptive way to check this in production; I would just rely on the local testing here.)

At least for the abuse filter part, don't we have any test-focused rules on testwikidata in place?
Though I guess, if 1) someone is scrutinizing your edits closely, and 2) it actually fails to block the edit and it does get saved, then they might be able to work out what we're trying to fix.

True, I was only thinking about the rate limit. AbuseFilter should be testable.

Seems to be working – I changed filter #5 to block edits by myself, then tried to merge Q151357 into Q132000, and got this:

Lucas_Werkmeister_WMDE moved this task from Peer Review to Our work done on the Wikidata Dev Team (Sprint-∞) board.Aug 31 2023, 2:36 PM

In T345064#9134294, @Lucas_Werkmeister_WMDE wrote:

Seems to be working – I changed filter #5 to block edits by myself, then tried to merge Q151357 into Q132000, and got this:

Though this is just identical to the status quo, in that the edit filter only seems to have blocked the redirect creation. But my contributions don’t show any earlier edits either… I think this is just because there was nothing to edit on the source or target item (the source item was already empty, so there was nothing to clear nor anything to add to the target item). Let me try again with a non-blank source item.

Okay, that’s better:

This is an error message that you wouldn’t have gotten before. (And still no edits in my contributions, yay.)

WMDE-leszek added a subscriber: Ifrahkhanyaree_WMDE.Sep 1 2023, 8:29 AM

WMDE-leszek subscribed.

sbassett awarded a token.Sep 1 2023, 9:18 PM

sbassett mentioned this in T340874: Write and send supplementary release announcement for extensions and skins with security patches (1.35.12/1.39.5/1.40.1).

sbassett triaged this task as Medium priority.Sep 5 2023, 4:45 PM

sbassett moved this task from Incoming to Watching on the Security-Team board.

sbassett added a project: SecTeam-Processed.

sbassett changed Risk Rating from N/A to Medium.

Mstyles added a subscriber: gerritbot.Sep 27 2023, 1:04 AM

Change 961264 had a related patch set uploaded (by Mstyles; author: Lucas Werkmeister (WMDE)):

[mediawiki/extensions/Wikibase@master] SECURITY: Add rate limits and edit filters to item merging

https://gerrit.wikimedia.org/r/961264

gerritbot added a project: Patch-For-Review.Sep 27 2023, 1:05 AM

Change 961264 merged by jenkins-bot:

[mediawiki/extensions/Wikibase@master] SECURITY: Add rate limits and edit filters to item merging

https://gerrit.wikimedia.org/r/961264

roti_WMDE subscribed.Sep 28 2023, 6:09 AM

Mstyles renamed this task from Merging items is not rate limited and only partially protected by AbuseFilter to CVE-2023-45371: Merging items is not rate limited and only partially protected by AbuseFilter.Oct 10 2023, 4:01 PM

Mstyles closed this task as Resolved.

Mstyles changed the visibility from "Custom Policy" to "Public (No Login Required)".Oct 10 2023, 5:07 PM

Mstyles changed the edit policy from "Custom Policy" to "All Users".

Maintenance_bot removed a project: Patch-For-Review.Oct 10 2023, 5:11 PM

Lucas_Werkmeister_WMDE mentioned this in T356149: Adjust Item and Property Special Pages to not leak IPs when editing and IP masking is enabled.Jan 31 2024, 3:06 PM

Lucas_Werkmeister_WMDE mentioned this in T356764: Merging lexemes is only partially rate limited and protected by AbuseFilter.Feb 6 2024, 12:19 PM

Change 1002965 had a related patch set uploaded (by Lucas Werkmeister (WMDE); author: Lucas Werkmeister (WMDE)):

[mediawiki/extensions/Wikibase@REL1_40] SECURITY: Add rate limits and edit filters to item merging

https://gerrit.wikimedia.org/r/1002965

gerritbot added a project: Patch-For-Review.Feb 14 2024, 4:07 PM

Change 1003466 had a related patch set uploaded (by Lucas Werkmeister (WMDE); author: Lucas Werkmeister (WMDE)):

[mediawiki/extensions/Wikibase@REL1_39] SECURITY: Add rate limits and edit filters to item merging

https://gerrit.wikimedia.org/r/1003466

Change 1002965 merged by Lucas Werkmeister (WMDE):