1
0
Fork 0
mirror of https://we.phorge.it/source/phorge.git synced 2024-11-13 10:22:42 +01:00
phorge-phorge/src/applications
epriestley ae7324fd5b Fix an anchor redirect issue with OAuth server, plus modernize the application a bit
Summary:
Ref T4593. Via HackerOne. An attacker can use the anchor reattachment, combined with the Facebook token workflow, combined with redirection on OAuth errors to capture access tokens. The attack works roughly like this:

  - Create an OAuth application on Phabricator.
  - Set the domain to `evil.com`.
  - Grab the OAuth URI for it (something like `https://phabricator.com/oauthserver/auth/?redirect_uri=http://evil.com&...`).
  - Add an invalid `scope` parameter (`scope=xyz`).
  - Use //that// URI to build a Facebook OAuth URI (something like `https://facebook.com/oauth/?redirect_uri=http://phabricator.com/...&response_type=token`).
  - After the user authorizes the application on Facebook (or instantly if they've already authorized it), they're redirected to the OAuth server, which processes the request. Since this is the 'token' workflow, it has auth information in the URL anchor/fragment.
  - The OAuth server notices the `scope` error and 302's to the attacker's domain, preserving the anchor in most browsers through anchor reattachment.
  - The attacker reads the anchor in JS and can do client workflow stuff.

To fix this, I've made several general changes/modernizations:

  - Add a new application and make it beta. This is mostly cleanup, but also turns the server off for typical installs (it's not generally useful quite yet).
  - Add a "Console" page to make it easier to navigate.
  - Modernize some of the UI, since I was touching most of it anyways.

Then I've made specific security-focused changes:

  - In the web-based OAuth workflow, send back a human-readable page when errors occur. I //think// this is universally correct. Previously, humans would get a blob of JSON if they entered an invalid URI, etc. This type of response is correct for the companion endpoint ("ServerTokenController") since it's called by programs, but I believe not correct for this endpoint ("AuthController") since it's used by humans. Most of this is general cleanup (give humans human-readable errors instead of JSON blobs).
  - Never 302 off this endpoint automatically. Previously, a small set of errors (notably, bad `scope`) would cause a 302 with 'error'. This exposes us to anchor reattachment, and isn't generally helpful to anyone, since the requesting application did something wrong and even if it's prepared to handle the error, it can't really do anything better than we can.
  - The only time we'll 'error' back now from this workflow is if a user explicitly cancels the workflow. This isn't a 302, but a normal link (the cancel button), so the anchor is lost.
  - Even if the application is already approved, don't blindly 302. Instead, show the user a confirmation dialog with a 'continue' link. This is perhaps slightly less user-friendly than the straight redirect, but I think it's pretty reasonable in general, and it gives us a lot of protection against these classes of attack. This redirect is then through a link, not a 302, so the anchor is again detached.
  -

Test Plan: I attempted to hit everything I touched. See screenshots.

Reviewers: btrahan

Reviewed By: btrahan

Subscribers: aran, epriestley

Maniphest Tasks: T4593

Differential Revision: https://secure.phabricator.com/D8517
2014-03-13 12:59:10 -07:00
..
arcanist/conduit Move Conduit methods inside applications 2012-12-21 12:21:59 -08:00
audit Adding author information to AuditListView 2014-03-07 08:40:35 -08:00
auth Use "\z" instead of "$" to anchor validating regular expressions 2014-03-13 12:42:41 -07:00
base Whitelist controllers which can receive a 'code' parameter 2014-03-12 11:30:04 -07:00
cache Minor, mark SERIALIZATION_PHP fields as BINARY in Lisk 2014-02-23 16:35:51 -08:00
calendar Make "My Events" default on Calendar 2014-03-05 08:24:45 -08:00
chatlog Various linter fixes. 2014-02-26 12:44:58 -08:00
conduit Added some additional assertion methods. 2014-03-08 19:16:21 -08:00
config Remove DifferentialFieldSelector 2014-03-11 13:02:13 -07:00
conpherence Fix three minor edge case behaviors in Conpherence 2014-03-10 16:21:28 -07:00
countdown [Countdown] fix undefined variable errors 2014-02-05 05:33:31 -08:00
daemon Do not perform write in PhabricatorDaemonLogQuery by default 2014-01-21 14:04:12 -08:00
dashboard Add edit/view plumbing for dashboards and panels 2014-02-03 10:52:15 -08:00
differential Fix parsing of "Reviewed By" field 2014-03-12 18:11:09 -07:00
diffusion Use "\z" instead of "$" to anchor validating regular expressions 2014-03-13 12:42:41 -07:00
diviner Use "\z" instead of "$" to anchor validating regular expressions 2014-03-13 12:42:41 -07:00
doorkeeper Move PhabricatorTagView to PHUITagView 2014-01-14 14:09:52 -08:00
draft/storage Differential - add DifferentialDraft to track whether revisions have draft feedback or not 2014-02-18 16:25:16 -08:00
drydock Various linter fixes. 2014-02-26 12:44:58 -08:00
fact Extend all "ManagementWorkflow" classes from a base class 2013-12-27 13:15:40 -08:00
feed Fail feed story renders individually, instead of in aggregate 2014-03-10 18:22:24 -07:00
files Use "\z" instead of "$" to anchor validating regular expressions 2014-03-13 12:42:41 -07:00
flag Various linter fixes. 2014-02-26 12:44:58 -08:00
harbormaster Truncate logSource in Harbormaster to the database column limit 2014-03-07 17:43:46 -08:00
help/controller Make Differential views capability-sensitive 2013-09-26 18:45:04 -07:00
herald Fix a small typo when creating a Herald rule 2014-03-12 16:12:43 -07:00
home Remove field selector on Diff view and Revision List View 2014-03-11 13:02:10 -07:00
legalpad Maniphest Tasks + Project Boards - some polish 2014-03-04 17:01:33 -08:00
lipsum Use DifferentialRevisionEditor in lipsum 2014-03-11 13:02:00 -07:00
macro Use "\z" instead of "$" to anchor validating regular expressions 2014-03-13 12:42:41 -07:00
mailinglists Extract textual object list parsing from Differential 2014-03-07 17:44:44 -08:00
maniphest Workboards - add task create + improve task placement wrt priority edits 2014-03-05 18:40:28 -08:00
meta Various linter fixes. 2014-02-26 12:44:58 -08:00
metamta Port Differential mail features forward to transactions 2014-03-11 13:02:06 -07:00
notification Add a "Send Test Notification" button to make testing the server easier 2014-02-17 16:00:33 -08:00
nuance Various linter fixes. 2014-02-26 12:44:58 -08:00
oauthserver Fix an anchor redirect issue with OAuth server, plus modernize the application a bit 2014-03-13 12:59:10 -07:00
owners Various linter fixes. 2014-02-26 12:44:58 -08:00
passphrase Fix some collateral damage from SSH Keypair generation 2014-03-13 07:31:45 -07:00
paste Maniphest Tasks + Project Boards - some polish 2014-03-04 17:01:33 -08:00
people Use "\z" instead of "$" to anchor validating regular expressions 2014-03-13 12:42:41 -07:00
phame Reject Phame domains which include a port number 2014-03-11 15:53:15 -07:00
phid Added some additional assertion methods. 2014-03-08 19:16:21 -08:00
phlux Use "\z" instead of "$" to anchor validating regular expressions 2014-03-13 12:42:41 -07:00
pholio Let Herald activation depend on which transactions are being applied, and generate transactions 2014-03-05 12:06:59 -08:00
phortune Added some additional assertion methods. 2014-03-08 19:16:21 -08:00
phpast Remove phpast.* Conduit methods 2014-03-12 11:30:22 -07:00
phragment Various linter fixes. 2014-02-26 12:44:58 -08:00
phrequent Various linter fixes. 2014-02-26 12:44:58 -08:00
phriction Added some additional assertion methods. 2014-03-08 19:16:21 -08:00
policy Added some additional assertion methods. 2014-03-08 19:16:21 -08:00
ponder Maniphest Tasks + Project Boards - some polish 2014-03-04 17:01:33 -08:00
project Hovercard - add project images 2014-03-10 17:10:32 -07:00
releeph Clean up various pieces of dead/obsolete Differential code 2014-03-11 13:02:19 -07:00
remarkup/conduit Support processing Remarkup in bulk with remarkup.processbulk Conduit method 2013-11-02 16:30:11 -07:00
repository Use "\z" instead of "$" to anchor validating regular expressions 2014-03-13 12:42:41 -07:00
search Extract textual object list parsing from Differential 2014-03-07 17:44:44 -08:00
settings Add a "Generate Keypair" option on the SSH Keys panel 2014-03-12 18:17:11 -07:00
slowvote Various linter fixes. 2014-02-26 12:44:58 -08:00
subscriptions Various linter fixes. 2014-02-26 12:44:58 -08:00
system Replace some hsprintf() by phutil_tag() 2013-11-11 09:23:23 -08:00
tokens Wrap the feed text rendering stuff with htmlspecialchars_decode 2014-02-03 17:05:30 -08:00
transactions Port Differential mail features forward to transactions 2014-03-11 13:02:06 -07:00
typeahead Various linter fixes. 2014-02-26 12:44:58 -08:00
uiexample PHUITimelineView 2014-02-12 09:02:05 -08:00
xhprof Use JSON, not PHP serialization, for XHProf profiles. 2014-02-24 04:16:52 -08:00