From dfc818e8bcafd827f408966a4f0707ab288f907b Mon Sep 17 00:00:00 2001
From: Daimona Eaytoy
Date: Sat, 16 Nov 2019 14:22:46 +0100
Subject: [PATCH] SECURITY: Require view-private or modify for the evalexpression API

This is consistent with the "anti-DoS" measures on other API modules. Although this may not be a serious DoS vector, it makes sense to restrict this module. Moreover, it's also consistent with Special:AbuseFilter/tools (which is the corresponding web interface), which requires the same user rights.

Bug: T238451
Change-Id: Id09fd57195d71884674ac0470f137ca30c56e13c
---
 i18n/api/en.json | 1 +
 i18n/api/qqq.json | 1 +
 includes/api/ApiAbuseFilterEvalExpression.php | 5 +++++
 3 files changed, 7 insertions(+)

diff --git a/i18n/api/en.json b/i18n/api/en.json
index 15c90fcd..609facb3 100644
--- a/i18n/api/en.json
+++ b/i18n/api/en.json
@@ -57,6 +57,7 @@
 "apihelp-abuselogprivatedetails-example-1": "Get private details for the AbuseLog entry with ID 1, using the reason \"example\".",
 "apierror-abusefilter-canttest": "You don't have permission to test abuse filters.",
 "apierror-abusefilter-cantcheck": "You don't have permission to check syntax of abuse filters.",
+ "apierror-abusefilter-canteval": "You don't have permission to evaluate AbuseFilter expressions.",
 "apierror-abusefilter-nosuchlogid": "There is no abuselog entry with the id $1.",
 "apierror-abusefilter-badsyntax": "The filter has invalid syntax."
 }
diff --git a/i18n/api/qqq.json b/i18n/api/qqq.json
index 9655af67..c8cefc26 100644
--- a/i18n/api/qqq.json
+++ b/i18n/api/qqq.json
@@ -89,6 +89,7 @@
 "apihelp-abuselogprivatedetails-example-1": "{{doc-apihelp-example|abuselogprivatedetails}}",
 "apierror-abusefilter-canttest": "{{doc-apierror}}",
 "apierror-abusefilter-cantcheck": "{{doc-apierror}}",
+ "apierror-abusefilter-canteval": "{{doc-apierror}}",
 "apierror-abusefilter-nosuchlogid": "{{doc-apierror}}\n\nParameters:\n* $1 - AbuseFilter log ID number.",
 "apierror-abusefilter-badsyntax": "{{doc-apierror}}"
 }
diff --git a/includes/api/ApiAbuseFilterEvalExpression.php b/includes/api/ApiAbuseFilterEvalExpression.php
index 18701670..c8c4534a 100644
--- a/includes/api/ApiAbuseFilterEvalExpression.php
+++ b/includes/api/ApiAbuseFilterEvalExpression.php
@@ -5,6 +5,11 @@ class ApiAbuseFilterEvalExpression extends ApiBase {
 * @see ApiBase::execute()
 */
 public function execute() {
+ // "Anti-DoS"
+ if ( !AbuseFilter::canViewPrivate( $this->getUser() ) ) {
+ $this->dieWithError( 'apierror-abusefilter-canteval', 'permissiondenied' );
+ }
+
 $params = $this->extractRequestParams();
 $result = AbuseFilter::evaluateExpression( $params['expression'] );