@recaptime-dev's working patches + fork for Phorge, a community fork of Phabricator. (Upstream dev and stable branches are at upstream/main and upstream/stable respectively.) hq.recaptime.dev/wiki/Phorge

Forbid disabled devices from authenticating via SSH or HTTP

Summary:
Ref T13641. Phabricator sometimes makes intracluster requests that authenticate as a device.

Forbid these requests from authenticating as a disabled device.

Test Plan:
- Ran `bin/ssh-exec --phabricator-ssh-device ...` as an enabled/disabled device (worked; sensible error).
- Made Conduit calls as an enabled/disabled device (worked; sensible error).

Maniphest Tasks: T13641

Differential Revision: https://secure.phabricator.com/D21635

scripts/ssh/ssh-exec.php (+8)
··· 146 146 $device_name)); 147 147 } 148 148 149 + if ($device->isDisabled()) { 150 + throw new Exception( 151 + pht( 152 + 'This request has authenticated as a device ("%s"), but this '. 153 + 'device is disabled.', 154 + $device->getName())); 155 + } 156 + 149 157 // We're authenticated as a device, but we're going to read the user out of 150 158 // the command below. 151 159 $is_cluster_request = true;
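Review bot: the new block throws a bare `Exception`, so a rejected disabled device is indistinguishable in ssh-exec's error output and logs from an unexpected crash; if the script has a dedicated authentication-failure path, route this rejection through it so operators can tell "disabled device attempted a cluster request" apart from a genuine fault. Placement is correct: the throw precedes `$is_cluster_request = true`, so no cluster privileges are granted before the device's disabled state is checked, and echoing `$device->getName()` only repeats a name the caller already supplied.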
src/applications/conduit/controller/PhabricatorConduitAPIController.php (+10)
··· 238 238 if ($object instanceof PhabricatorUser) { 239 239 $user = $object; 240 240 } else { 241 + if ($object->isDisabled()) { 242 + return array( 243 + 'ERR-INVALID-AUTH', 244 + pht( 245 + 'The key which signed this request is associated with a '. 246 + 'disabled device ("%s").', 247 + $object->getName()), 248 + ); 249 + } 250 + 241 251 if (!$stored_key->getIsTrusted()) { 242 252 return array( 243 253 'ERR-INVALID-AUTH',
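Review bot: the else branch calls `$object->isDisabled()` with no type check on `$object`; the visible lines only establish that it is not a `PhabricatorUser`, so if a stored key can ever resolve to another object type this becomes a fatal method call instead of the intended `ERR-INVALID-AUTH` response. An explicit `instanceof` check against the expected device class before the new block would keep the failure mode an auth error. Placing the disabled check ahead of `$stored_key->getIsTrusted()` is right, since a disabled device should be rejected regardless of trust. The message wording also differs from the SSH path ("...this device is disabled." vs "...associated with a disabled device..."); aligning the two strings would make log searches for this condition simpler.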