recaptime.dev / phorge
@recaptime-dev's working patches + fork for Phorge, a community fork of Phabricator. (Upstream dev and stable branches are at upstream/main and upstream/stable respectively.) hq.recaptime.dev/wiki/Phorge
phorge phabricator
1
fork

Configure Feed

Select the types of activity you want to include in your feed.

When closing tasks with "Fixes xxx", try to act more authentically as the acting user

Summary:
Via HackerOne (<https://hackerone.com/reports/220909>). When we close commits in response to "Fixes Txxx", we currently act as the omnipotent user. This allows users to close tasks they can't see by pushing commits with "Fixes Txxx" in the message.

However, we can't actually tell who authored or committed a change: we're just using the "Author" and "Committer" values from Git in most cases, and anyone can forge those. So we can't really get this right, in a security sense.

(We can tell who //pushed// a change if we host it, but that's often not the right user. If GPG signing was more prevalent, we could use that. In the future, we could use side channels like having `arc land` tell Phabrcator who was pushing changes.)

Since I think the impact of this is fairly minor and this isn't //really// a security issue (more of a confusion/abuse/product issue) I think the behavior is okay more-or-less as-is, but we can do better when we do identify an author: drop permissions, and use their privileges to load the tasks which the commit "fixes".

This effectively implements this rule:

> If we identify the author of a commit as user X, that commit can only affect tasks which user X can see and edit.

Note that:

- Commits which we can't identify the author for can still affect any task.
- Any user can forge any other user's identity (or an invalid identity) and affect any task.

So this is just a guard rail to prevent mistakes by good-faith users who type the wrong task IDs, not a real security measure.

Also note that to perform this "attack" you must already have commit access to a repository (or permission to create a repository).

Test Plan:
- Used `bin/repository reparse --message <commit> --force-autoclose` to run the relevant code.
- Made the code `throw` before it actually applied the edit.
- Verified that the edit was rejected if the author was recognized and can not see or could not edit the task.
- Verified that the edit is accepted if the author can see+edit the task.
- Verified that the edit is accepted if we can't figure out who the author is.

Reviewers: chad

Reviewed By: chad

Differential Revision: https://secure.phabricator.com/D17688

epriestley 1e43d57c 69053a40

+48 -3
+48 -3
src/applications/repository/worker/commitmessageparser/PhabricatorRepositoryCommitMessageParserWorker.php
··· 163 163 $author_phid, 164 164 id(new PhabricatorDiffusionApplication())->getPHID()); 165 165 166 + $acting_user = $this->loadActingUser($actor, $acting_as_phid); 167 + 166 168 $conn_w = id(new DifferentialRevision())->establishConnection('w'); 167 169 168 170 // NOTE: The `differential_commit` table has a unique ID on `commitPHID`, ··· 263 265 $acting_as_phid, 264 266 $repository, 265 267 $commit, 266 - $message); 268 + $message, 269 + $acting_user); 267 270 } 268 271 269 272 $data->save(); ··· 287 290 $acting_as, 288 291 PhabricatorRepository $repository, 289 292 PhabricatorRepositoryCommit $commit, 290 - $message) { 293 + $message, 294 + PhabricatorUser $acting_user = null) { 295 + 296 + // If we we were able to identify an author for the commit, we try to act 297 + // as that user when loading tasks marked with "Fixes Txxx". This prevents 298 + // mistakes where a user accidentally writes the wrong task IDs and affects 299 + // tasks they can't see (and thus can't undo the status changes for). 300 + 301 + // This is just a guard rail, not a security measure. An attacker can still 302 + // forge another user's identity trivially by forging author or committer 303 + // emails. We also let commits with unrecognized authors act on any task to 304 + // make behavior less confusing for new installs. 305 + 306 + if (!$acting_user) { 307 + $acting_user = $actor; 308 + } 291 309 292 310 $maniphest = 'PhabricatorManiphestApplication'; 293 311 if (!PhabricatorApplication::isClassInstalled($maniphest)) { ··· 321 339 } 322 340 323 341 $tasks = id(new ManiphestTaskQuery()) 324 - ->setViewer($actor) 342 + ->setViewer($acting_user) 325 343 ->withIDs(array_keys($task_statuses)) 326 344 ->needProjectPHIDs(true) 345 + ->requireCapabilities( 346 + array( 347 + PhabricatorPolicyCapability::CAN_VIEW, 348 + PhabricatorPolicyCapability::CAN_EDIT, 349 + )) 327 350 ->execute(); 328 351 329 352 foreach ($tasks as $task_id => $task) { ··· 368 391 $editor->applyTransactions($task, $xactions); 369 392 } 370 393 } 394 + 395 + private function loadActingUser(PhabricatorUser $viewer, $user_phid) { 396 + if (!$user_phid) { 397 + return null; 398 + } 399 + 400 + $user_type = PhabricatorPeopleUserPHIDType::TYPECONST; 401 + if (phid_get_type($user_phid) != $user_type) { 402 + return null; 403 + } 404 + 405 + $user = id(new PhabricatorPeopleQuery()) 406 + ->setViewer($viewer) 407 + ->withPHIDs(array($user_phid)) 408 + ->executeOne(); 409 + if (!$user) { 410 + return null; 411 + } 412 + 413 + return $user; 414 + } 415 + 371 416 372 417 }