Page MenuHomePhabricator
Create Task
Maniphest T133109

Add basic abuse prevention to UrlShortener
Closed, ResolvedPublic
Actions

Description

If I read the spec correctly, UrlShortener will not produce deterministic short urls. As such, they should be lazy created as needed afaik.

Overhead should be minimal, but one possible way (depending on the implementation) may be to add a basic ping limiter so that a single user cannot submit 100s of urls at the same time. Attackers may do that in attempt to poison the database and take all smaller keys, or in an effort to arrive at a specific short id (if it's based on auto-increment internally, to try and spell some word).

Details

SubjectRepoBranchLines +/-
Add the 'urlshortener-manage-url' right and enable it for stewardsoperations/mediawiki-configmaster+2 -0
Add SpecialManageShortUrlsmediawiki/extensions/UrlShortenermaster+259 -4
Prevent blocked users from making short URLsmediawiki/extensions/UrlShortenermaster+28 -0
Support hiding short URLsmediawiki/extensions/UrlShortenermaster+106 -33
Set default rate limitsmediawiki/extensions/UrlShortenermaster+7 -0
Customize query in gerrit

Related Objects
Search...

Event Timeline

Krinkle created this task.Apr 19 2016, 9:19 PM
Restricted Application added subscribers: TerraCodes, Aklapper. · View Herald TranscriptApr 19 2016, 9:19 PM
Legoktm subscribed.Apr 19 2016, 9:57 PM

The extension already has a ping limiter set up?

Legoktm added a comment.Jul 1 2016, 6:48 AM

@Krinkle ?

Legoktm added a comment.Jul 6 2016, 8:56 PM

We currently have ping limiter functionality implemented, but no rate limits set. What would you suggest we make the default be?

As for trying to spell words, I think it would be more likely that an attacker just waits for other people to fill up the database until it gets near their word, and then create their url. Of course, since we only hand out new short codes for unique URLs, they'd have to submit unique things each time, giving them only once chance (or they include a dummy query string or anchor that is unique). All that said, I'm not sure it's an attack we should necessarily be worried about since many external URL shorteners (e.g. tinyurl, bit.ly) allow you to pick your own word when shortening.

Krinkle added a comment.EditedJul 6 2016, 9:04 PM
In T133109#2434858, @Legoktm wrote:

We currently have ping limiter functionality implemented, but no rate limits set. What would you suggest we make the default be?

I suggest no more than 10 per 2 minutes by default anon and newbie. - applying to the API POST module and/or dedicated special page.

There'd be no rate limit for native requests that shorten canonical page view urls, which would presumably happen automatically whenever a new page is first viewed, rendered and/or requested through the Query GET API.

MZMcBride subscribed.Jul 31 2016, 4:29 AM
Jalexander subscribed.Dec 14 2016, 4:21 AM

yeah, I think a rate limit could prevent the biggest amount of this. That makes it a lot harder to try and force a problematic, specific, url to use. 10 per 2 is probably ok for anon/newbie (building it in allows us to adjust if we see people trying to abuse anyway). Honestly for users without rate limit exemption (or higher limits in general) I would think it doesn't need to be set crazy high either (50-100?) but could certainly be higher then 10.

Jalexander added a comment.Dec 14 2016, 4:24 AM

Also: How hard is it to deactivate a url if worst comes to worst? Is it just a db row being dropped (or changed) or is it something more massively pita?

Legoktm added a comment.Dec 14 2016, 6:17 AM
In T133109#2871635, @Jalexander wrote:

Also: How hard is it to deactivate a url if worst comes to worst? Is it just a db row being dropped (or changed) or is it something more massively pita?

Technically: Dropping a database row and having someone in ops purge the URL from varnish.

However, one of the problems with URL shorteners that we're trying to fix is that they are a reliability concern, so I would like to set the expectation that once created, w.wiki URLs will never break. Given that we have a whitelist of domains, what scenarios are you thinking of that would require breaking short links?

Legoktm added a parent task: T108557: Review and deploy UrlShortener extension to Wikimedia wikis.Dec 16 2016, 8:24 AM
gerritbot subscribed.Dec 16 2016, 8:34 AM

Change 327707 had a related patch set uploaded (by Legoktm):
Set default rate limits

https://gerrit.wikimedia.org/r/327707

gerritbot added a project: Patch-For-Review.Dec 16 2016, 8:34 AM
MarcoAurelio subscribed.Dec 20 2016, 11:28 AM
Multichill subscribed.Dec 21 2016, 3:03 PM
In T133109#2871738, @Legoktm wrote:
In T133109#2871635, @Jalexander wrote:

Also: How hard is it to deactivate a url if worst comes to worst? Is it just a db row being dropped (or changed) or is it something more massively pita?

Technically: Dropping a database row and having someone in ops purge the URL from varnish.

However, one of the problems with URL shorteners that we're trying to fix is that they are a reliability concern, so I would like to set the expectation that once created, w.wiki URLs will never break. Given that we have a whitelist of domains, what scenarios are you thinking of that would require breaking short links?

If people can abuse it, they will. People will create urls like en.wikipedia.org/wiki/The_real_name_of_Legoktm_is_Santa_Claus that could give privacy concerns. I would counter abuse with the existing tools we have: Make it possible to use abusefilter rules (so you don't have to mess in software) and make it possible for meta admins to delete an entry. Delete should of course not deleting the actual row, but just set a field like rev_deleted in the revision table (see https://www.mediawiki.org/wiki/Manual:Revision_table#rev_deleted ).

Does the extension keep track of who created an url? If true, where?

gerritbot added a comment.Jan 31 2017, 11:21 PM

Change 327707 merged by jenkins-bot:
Set default rate limits

https://gerrit.wikimedia.org/r/327707

ReleaseTaggerBot added a project: MW-1.29-release (WMF-deploy-2017-02-07_(1.29.0-wmf.11)).Feb 1 2017, 12:01 AM
MZMcBride mentioned this in T108557: Review and deploy UrlShortener extension to Wikimedia wikis.Feb 23 2017, 7:06 AM
Ladsgroup subscribed.Feb 27 2017, 7:59 PM
In T133109#2893515, @Multichill wrote:
In T133109#2871738, @Legoktm wrote:
In T133109#2871635, @Jalexander wrote:

Also: How hard is it to deactivate a url if worst comes to worst? Is it just a db row being dropped (or changed) or is it something more massively pita?

Technically: Dropping a database row and having someone in ops purge the URL from varnish.

However, one of the problems with URL shorteners that we're trying to fix is that they are a reliability concern, so I would like to set the expectation that once created, w.wiki URLs will never break. Given that we have a whitelist of domains, what scenarios are you thinking of that would require breaking short links?

If people can abuse it, they will. People will create urls like en.wikipedia.org/wiki/The_real_name_of_Legoktm_is_Santa_Claus that could give privacy concerns. I would counter abuse with the existing tools we have: Make it possible to use abusefilter rules (so you don't have to mess in software) and make it possible for meta admins to delete an entry. Delete should of course not deleting the actual row, but just set a field like rev_deleted in the revision table (see https://www.mediawiki.org/wiki/Manual:Revision_table#rev_deleted ).

Does the extension keep track of who created an url? If true, where?

I have a rather wild idea how to do this, I don't know how hard it would be to implement my idea but it seems to me that: 1- Implementing an admin system is too much work 2- currently you can scan through short urls (by incrementing the id). So Instead of adding the admin system, let's make it hard to scan through short urls. For example I can make a short url in bitly for https://en.wikipedia.org/wiki/The_real_name_of_Legoktm_is_Santa_Claus but it will be useless because it makes a random (?) id for that url. So the url shortner will make something like https://w.wiki/rYEDA3JcQqw instead of a number.

Krinkle removed projects: MW-1.29-release (WMF-deploy-2017-02-07_(1.29.0-wmf.11)), Patch-For-Review.May 25 2017, 2:05 PM
Lucas_Werkmeister_WMDE subscribed.Nov 13 2017, 1:26 PM
Lydia_Pintscher subscribed.Feb 7 2018, 11:20 AM
Lea_Lacroix_WMDE subscribed.Feb 7 2018, 11:21 AM
Legoktm claimed this task.Feb 21 2018, 8:59 PM

I looked into what other URL shorteners do for abuse prevention...and it doesn't look like much. So to resolve this (as the last blocker before deployment), I will create a Special:ManageShortUrls page, which allows privileged users (meta sysops?) to disable a short url by setting urlshortcodes.usc_deleted = 1. If that field is set, then the URL will no longer redirect, and will be redacted from future dumps.

Lea_Lacroix_WMDE added a comment.Feb 22 2018, 8:58 AM

Thanks @Legoktm for helping moving this forward :)

gerritbot added a comment.Mar 26 2018, 9:55 PM

Change 422070 had a related patch set uploaded (by Legoktm; owner: Legoktm):
[mediawiki/extensions/UrlShortener@master] [WIP] Support hiding short URLs

https://gerrit.wikimedia.org/r/422070

gerritbot added a project: Patch-For-Review.Mar 26 2018, 9:55 PM
Krinkle unsubscribed.Mar 28 2018, 11:01 PM
Legoktm mentioned this in T191592: Design review for UrlShortener.Apr 6 2018, 4:22 AM
Smalyshev subscribed.Aug 21 2018, 9:29 PM
gerritbot added a comment.Mar 15 2019, 12:08 PM

Change 422070 merged by jenkins-bot:
[mediawiki/extensions/UrlShortener@master] Support hiding short URLs

https://gerrit.wikimedia.org/r/422070

gerritbot added a comment.Mar 15 2019, 3:31 PM

Change 496805 had a related patch set uploaded (by Ladsgroup; owner: Ladsgroup):
[mediawiki/extensions/UrlShortener@master] Add SpecialManageShortUrls

https://gerrit.wikimedia.org/r/496805

gerritbot added a comment.Mar 15 2019, 3:42 PM

Change 496808 had a related patch set uploaded (by Ladsgroup; owner: Ladsgroup):
[mediawiki/extensions/UrlShortener@master] Prevent blocked users from making short URLs

https://gerrit.wikimedia.org/r/496808

Lydia_Pintscher mentioned this in T112715: Enable different URL shorteners for WDQS.Mar 16 2019, 12:33 PM
ReleaseTaggerBot added a project: MW-1.33-notes (1.33.0-wmf.22; 2019-03-19).Mar 17 2019, 4:02 AM
Smalyshev awarded a token.Mar 17 2019, 7:02 PM
Marostegui closed subtask T218397: Add usc_deleted to urlshortcodes as Resolved.Mar 18 2019, 6:10 AM
gerritbot added a comment.Mar 21 2019, 11:14 PM

Change 496805 had a related patch set uploaded (by Ladsgroup; owner: Ladsgroup):
[mediawiki/extensions/UrlShortener@master] Add SpecialManageShortUrls

https://gerrit.wikimedia.org/r/496805

Smalyshev triaged this task as Medium priority.Mar 25 2019, 10:31 PM
gerritbot added a comment.Mar 26 2019, 11:29 AM

Change 496808 merged by jenkins-bot:
[mediawiki/extensions/UrlShortener@master] Prevent blocked users from making short URLs

https://gerrit.wikimedia.org/r/496808

ReleaseTaggerBot edited projects, added MW-1.33-notes (1.33.0-wmf.23; 2019-03-26); removed MW-1.33-notes (1.33.0-wmf.22; 2019-03-19).Mar 26 2019, 12:01 PM
Ladsgroup claimed this task.Mar 28 2019, 10:57 AM
Restricted Application added a project: User-Ladsgroup. · View Herald TranscriptMar 28 2019, 10:57 AM
gerritbot added a comment.Mar 28 2019, 1:31 PM

Change 496805 merged by jenkins-bot:
[mediawiki/extensions/UrlShortener@master] Add SpecialManageShortUrls

https://gerrit.wikimedia.org/r/496805

ReleaseTaggerBot edited projects, added MW-1.33-notes (1.33.0-wmf.24; 2019-04-02); removed MW-1.33-notes (1.33.0-wmf.23; 2019-03-26).Mar 28 2019, 2:01 PM
gerritbot added a comment.Mar 28 2019, 2:20 PM

Change 499777 had a related patch set uploaded (by Ladsgroup; owner: Ladsgroup):
[operations/mediawiki-config@master] Add the 'urlshortener-manage-url' right and enable it for stewards

https://gerrit.wikimedia.org/r/499777

Quiddity subscribed.Mar 29 2019, 6:01 PM
gerritbot added a comment.Apr 2 2019, 11:08 AM

Change 499777 merged by jenkins-bot:
[operations/mediawiki-config@master] Add the 'urlshortener-manage-url' right and enable it for stewards

https://gerrit.wikimedia.org/r/499777

Stashbot added a comment.Apr 2 2019, 11:21 AM

Mentioned in SAL (#wikimedia-operations) [2019-04-02T11:21:02Z] <ladsgroup@deploy1001> Synchronized wmf-config/CommonSettings.php: SWAT: [[gerrit:499777|Add the urlshortener-manage-url right and enable it for stewards (T133109)]], Part I (duration: 00m 53s)

Stashbot added a comment.Apr 2 2019, 11:22 AM

Mentioned in SAL (#wikimedia-operations) [2019-04-02T11:22:26Z] <ladsgroup@deploy1001> Synchronized wmf-config/InitialiseSettings.php: SWAT: [[gerrit:499777|Add the urlshortener-manage-url right and enable it for stewards (T133109)]], Part I (duration: 00m 51s)

Ladsgroup closed this task as Resolved.Apr 2 2019, 11:24 AM
Quiddity added a comment.Apr 2 2019, 7:30 PM

@Ladsgroup Is there documentation about this new user-right and specialpage? I see the basics are covered in https://gerrit.wikimedia.org/r/c/mediawiki/extensions/UrlShortener/+/496805/10/i18n/en.json
But I'm not sure if there's more details that show up for the stewards themselves in https://en.wikipedia.beta.wmflabs.org/wiki/Special:ManageShortUrls (which we obviously cannot see), or if it's mentioned anywhere onwiki yet. Thanks!

Ladsgroup added a comment.Apr 3 2019, 10:05 AM
In T133109#5079141, @Quiddity wrote:

@Ladsgroup Is there documentation about this new user-right and specialpage? I see the basics are covered in https://gerrit.wikimedia.org/r/c/mediawiki/extensions/UrlShortener/+/496805/10/i18n/en.json
But I'm not sure if there's more details that show up for the stewards themselves in https://en.wikipedia.beta.wmflabs.org/wiki/Special:ManageShortUrls (which we obviously cannot see), or if it's mentioned anywhere onwiki yet. Thanks!

We just put up https://meta.wikimedia.org/wiki/Wikimedia_URL_Shortener#Delete_a_link, I will improve it later.

Ladsgroup removed a subtask: Restricted Task.Aug 8 2019, 8:15 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL