mirror of
https://we.phorge.it/source/phorge.git
synced 2024-11-10 00:42:41 +01:00
No description
1e43d57c81
Summary: Via HackerOne (<https://hackerone.com/reports/220909>). When we close commits in response to "Fixes Txxx", we currently act as the omnipotent user. This allows users to close tasks they can't see by pushing commits with "Fixes Txxx" in the message. However, we can't actually tell who authored or committed a change: we're just using the "Author" and "Committer" values from Git in most cases, and anyone can forge those. So we can't really get this right, in a security sense. (We can tell who //pushed// a change if we host it, but that's often not the right user. If GPG signing was more prevalent, we could use that. In the future, we could use side channels like having `arc land` tell Phabrcator who was pushing changes.) Since I think the impact of this is fairly minor and this isn't //really// a security issue (more of a confusion/abuse/product issue) I think the behavior is okay more-or-less as-is, but we can do better when we do identify an author: drop permissions, and use their privileges to load the tasks which the commit "fixes". This effectively implements this rule: > If we identify the author of a commit as user X, that commit can only affect tasks which user X can see and edit. Note that: - Commits which we can't identify the author for can still affect any task. - Any user can forge any other user's identity (or an invalid identity) and affect any task. So this is just a guard rail to prevent mistakes by good-faith users who type the wrong task IDs, not a real security measure. Also note that to perform this "attack" you must already have commit access to a repository (or permission to create a repository). Test Plan: - Used `bin/repository reparse --message <commit> --force-autoclose` to run the relevant code. - Made the code `throw` before it actually applied the edit. - Verified that the edit was rejected if the author was recognized and can not see or could not edit the task. - Verified that the edit is accepted if the author can see+edit the task. - Verified that the edit is accepted if we can't figure out who the author is. Reviewers: chad Reviewed By: chad Differential Revision: https://secure.phabricator.com/D17688 |
||
|---|---|---|
| bin | ||
| conf | ||
| externals | ||
| resources | ||
| scripts | ||
| src | ||
| support | ||
| webroot | ||
| .arcconfig | ||
| .arclint | ||
| .arcunit | ||
| .editorconfig | ||
| .gitignore | ||
| LICENSE | ||
| NOTICE | ||
| README.md | ||
Phabricator is a collection of web applications which help software companies build better software.
Phabricator includes applications for:
- reviewing and auditing source code;
- hosting and browsing repositories;
- tracking bugs;
- managing projects;
- conversing with team members;
- assembling a party to venture forth;
- writing stuff down and reading it later;
- hiding stuff from coworkers; and
- also some other things.
You can learn more about the project (and find links to documentation and resources) at Phabricator.org
Phabricator is developed and maintained by Phacility.
SUPPORT RESOURCES
For resources on filing bugs, requesting features, reporting security issues, and getting other kinds of support, see Support Resources.
NO PULL REQUESTS!
We do not accept pull requests through GitHub. If you would like to contribute code, please read our Contributor's Guide.
LICENSE
Phabricator is released under the Apache 2.0 license except as otherwise noted.