1
0
Fork 0
mirror of https://we.phorge.it/source/phorge.git synced 2024-12-19 03:50:54 +01:00
No description
Find a file
epriestley d401036bd8 Prevent the use of file:// URIs in Diffusion
Summary:
Via HackerOne. There are two attacks here:

  - Configuring mirroring to a `file://` URI to place files on disk or overwrite another repository. This is not particularly severe.
  - Configuring cloning from a `file://` URI to read repositories you should not have access to. This is more severe.

Historically, repository creation and editing explicitly supported `file://` URIs to deal with use cases where you had something else managing repositories on the same machine. Since there were no permissions, repository management was admin-only, and you couldn't mirror, this was fine.

As we've evolved, this use case is a tiny minority use case and the security implications of `file://` URIs overwhelm the utility it provides. Prevent the use of `file://` URIs. Existing configured repositories won't stop working, you just can't add any new ones.

Also prevent `localPath` from being set via Conduit (see T4039).

Test Plan:
  - Tried to create a `file://` repository.
  - Tried to create a `file://` mirror.
  - Tried to create a `file://` repository via Conduit.
  - Created a non-`file://` repository.
  - Created a non-`file://` mirror.
  - Created a non-`file://` repository via Conduit.

Reviewers: btrahan, chad

Reviewed By: chad

Subscribers: epriestley

Differential Revision: https://secure.phabricator.com/D9513
2014-06-13 07:07:00 -07:00
bin Add a bin/hunks script to manage migrations of hunk data 2014-06-03 18:01:23 -07:00
conf Expose "Abandon Revision" to non-authors with a config flag. 2014-06-02 16:58:48 -07:00
externals Update JsShrink external library. 2014-06-07 11:26:20 -07:00
resources Allow entire dashboards to be copied 2014-06-12 21:49:19 -07:00
scripts Applied various linter fixes. 2014-06-09 16:04:12 -07:00
src Prevent the use of file:// URIs in Diffusion 2014-06-13 07:07:00 -07:00
support Implement unsubscription in the Aphlict client. 2014-06-11 20:02:01 -07:00
webroot Add a way to get to the home dashboard on mobile 2014-06-12 19:16:53 -07:00
.arcconfig Update .arclint in Phabricator for phutil-library lint 2014-05-12 06:01:30 -07:00
.arclint Restore test-sensitive whitespace to some test cases 2014-06-10 16:39:16 -07:00
.editorconfig Specify config for text editors 2012-11-03 22:34:44 -07:00
.gitignore Rate limit requests by IP 2014-04-08 18:36:21 -07:00
LICENSE Delete license headers from files 2012-11-05 11:16:51 -08:00
NOTICE Increment year. 2013-01-03 05:45:08 -08:00
README Modernize README 2014-01-24 12:28:54 -08:00

Phabricator is an open source collection of web applications which help
software companies build better software.

Phabricator includes applications for:

  - reviewing and auditing source code;
  - hosting and browsing repositories;
  - assembling a party to venture forth;
  - tracking bugs;
  - hiding stuff from coworkers; and
  - also some other things.

You can learn more about the project (and find links to documentation and
resources) here:

  http://phabricator.org/

Phabricator is developed and maintained by Phacility. The first version of
Phabricator was originally built at Facebook.

LICENSE

Phabricator is released under the Apache 2.0 license except as otherwise noted.