You are browsing a read-only backup copy of Wikitech. The live site can be found at

Incidents/2022-06-16 MariaDB password leak

From Wikitech-static
< Incidents
Revision as of 14:33, 27 June 2022 by imported>Marostegui (Scorecard)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search

document status: draft


Incident metadata (see Incident Scorecard)
Incident ID 2022-06-16 MariaDB password leak Start 13:00
Task End 15:00
People paged 0 Responder count 8
Coordinators moritz Affected metrics/SLOs
Impact No user-facing impact. This incident broke a very important security boundary but other boundaries (specifically, prod host access) prevented actual data compromise.

While troubleshooting database issue on labtestwikitech, I (Andrew) dumped some internal data structures to stdout using debug print() lines. These data structures contained database credentials. It took a bit for me to remember that because of how PHP works, 'print' statements also display for all web clients.

As soon as Sam Reed noticed the leakage there was a quick response and the password was rotated. Due to incomplete automation, rotating the password took quite some time (maybe 60-90 minutes with several SREs participating).

Because of firewalls and host-selective database grants, the leaked passwords are only useful from production hosts (10.64.% and 10.192.%) so data integrity was not affected.


  • document the repool script for dbctl in wikitech
  • reconsider labtestwikitech. Decommission, or standardize to some degree so it isn't managed as an afterthought
  • Improve automation:
    • upgrade & document password-rotation script
    • productionize repool script
  • Consider improved pw redaction:
    • The data shown by var_dump(), print_r() etc. has theoretically been configurable via the __debugInfo() magic method since PHP 5.4 (RFC). T277618 proposed using this mechanism (originally to reduce the size of the output, rather than to redact sensitive information), but found PHP bug 80894, which is only fixed in PHP 7.4 or later. Once WMF is on PHP 7.4 (T271736), we should consider using __debugInfo() to remove the password from the debug output of database objects. (And $wgDBpassword from globals / config?)
    • In PHP 8.2, the \SensitiveParameter attribute can be used to redact function parameters from stack traces (RFC), though that’s less relevant for us since (I think?) we never show stack traces with values anyways (only value types).


Incident Engagement™ ScoreCard
Question Answer


People Were the people responding to this incident sufficiently different than the previous five incidents? No
Were the people who responded prepared enough to respond effectively Yes
Were fewer than five people paged? No pages were sent
Were pages routed to the correct sub-team(s)? No pages were sent
Were pages routed to online (business hours) engineers? Answer “no” if engineers were paged after business hours. No pages were sent
Process Was the incident status section actively updated during the incident? No need
Was the public status page updated? No need
Is there a phabricator task for the incident? Yes
Are the documented action items assigned? No
Is this incident sufficiently different from earlier incidents so as not to be a repeat occurrence? Yes
Tooling To the best of your knowledge was the open task queue free of any tasks that would have prevented this incident? Answer “no” if there are

open tasks that would prevent this incident or make mitigation easier if implemented.

Were the people responding able to communicate effectively during the incident with the existing tooling? Yes
Did existing monitoring notify the initial responders? No We have no monitoring for this sort of issue
Were the engineering tools that were to be used during the incident, available and in service? Yes
Were the steps taken to mitigate guided by an existing runbook? No
Total score (count of all “yes” answers above)