@recaptime-dev's working patches + fork for Phorge, a community fork of Phabricator. (Upstream dev and stable branches are at upstream/main and upstream/stable respectively.) hq.recaptime.dev/wiki/Phorge

Hide "notification.servers" configuration and don't follow redirects from Aphlict

Summary:
See <https://hackerone.com/reports/850114>.

An attacker with administrator privileges can configure "notification.servers" to connect to internal services, either directly or with chosen parameters by selecting an attacker-controlled service and having it issue a "Location" redirect.

Generally, we allow this attack to occur. The same administrator can use an authentication provider or a VCS repository to perform the same attack, and we can't reasonably harden these workflows without breaking things that users expect to be able to do.

There's no reason this particular variation of the attack needs to be allowable, though, and the current behavior isn't consistent with how other similar things work.

- Hide the "notification.servers" configuration, which also locks it. This is similar to other modern service/server configuration.
- Don't follow redirects on these requests. Aphlict should never issue a "Location" header, so if we encounter one something is misconfigured. Declining to follow this header likely makes the issue easier to debug.

Test Plan:
- Viewed configuration in web UI.
- Configured a server that "Location: ..." redirects, got a followed redirect before and a failure afterward.

{F7365973}

Differential Revision: https://secure.phabricator.com/D21123
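The two mitigations described above (a short timeout and refusing to follow a `Location` redirect from the notification server), applied to a plain PHP cURL client as an added example. This is not Phabricator or Phorge code and does not use `HTTPSFuture`; the class name `AphlictStatusProbe`, the method `fetchStatus()` and the sample base URI are assumptions, while the `/status/` path and the 2-second timeout are the values the patch uses.

```php
<?php
// Added example, not project code. Probes an Aphlict notification server the
// way the hardened patch does: 2s timeout, redirects never followed, and any
// 3xx treated as a misconfiguration to surface rather than silently follow.

final class AphlictStatusProbe {
  private $baseUri;
  private $timeoutSeconds;

  public function __construct($baseUri, $timeoutSeconds = 2) {
    $this->baseUri = rtrim($baseUri, '/');
    $this->timeoutSeconds = $timeoutSeconds;
  }

  /**
   * Fetch "/status/" from the notification server and return the decoded
   * JSON. Throws on transport failure or timeout, on any 3xx (a redirect the
   * server should never send), and on any other non-2xx response.
   */
  public function fetchStatus() {
    $ch = curl_init($this->baseUri.'/status/');
    curl_setopt_array($ch, array(
      CURLOPT_RETURNTRANSFER => true,
      // Keep response headers so an unexpected "Location:" can be reported.
      CURLOPT_HEADER => true,
      // Equivalent of HTTPSFuture::setFollowLocation(false) in the patch.
      CURLOPT_FOLLOWLOCATION => false,
      CURLOPT_CONNECTTIMEOUT => $this->timeoutSeconds,
      CURLOPT_TIMEOUT => $this->timeoutSeconds,
    ));

    $raw = curl_exec($ch);
    if ($raw === false) {
      $error = curl_error($ch);
      curl_close($ch);
      throw new RuntimeException("Aphlict status request failed: {$error}");
    }

    $status = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    $header_size = curl_getinfo($ch, CURLINFO_HEADER_SIZE);
    curl_close($ch);

    $headers = substr($raw, 0, $header_size);
    $body = substr($raw, $header_size);

    if ($status >= 300 && $status < 400) {
      // Only extracted for the error message, so an administrator can see
      // where a misconfigured (or hostile) server tried to send the request.
      $location = '(none)';
      if (preg_match('/^Location:\s*(.+)$/mi', $headers, $matches)) {
        $location = trim($matches[1]);
      }
      throw new RuntimeException(
        "Aphlict returned an unexpected redirect (HTTP {$status}) to ".
        "{$location}; notification servers must never redirect. ".
        "Check the notification.servers configuration.");
    }

    if ($status < 200 || $status > 299) {
      throw new RuntimeException(
        "Aphlict status request returned HTTP {$status}.");
    }

    $decoded = json_decode($body, true);
    if (!is_array($decoded)) {
      throw new RuntimeException(
        'Aphlict status response was not a JSON object.');
    }
    return $decoded;
  }
}

// Usage; the base URI is a placeholder for a local Aphlict admin endpoint.
// $probe = new AphlictStatusProbe('http://127.0.0.1:22281');
// print_r($probe->fetchStatus());
```

Because `CURLOPT_FOLLOWLOCATION` is off, a `Location` header never causes a second request; the probe instead fails loudly with the status code and target, which is the debugging benefit the commit message is after. Reading `CURLINFO_RESPONSE_CODE` before checking the body means a 3xx is reported as a redirect rather than as a JSON decode error.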

+34 -5
+1
src/applications/config/option/PhabricatorNotificationConfigOptions.php
··· 52 52 53 53 return array( 54 54 $this->newOption('notification.servers', $servers_type, array()) 55 + ->setHidden(true) 55 56 ->setSummary(pht('Configure real-time notifications.')) 56 57 ->setDescription($servers_help) 57 58 ->addExample(
+25 -4
src/applications/notification/client/PhabricatorNotificationServerRef.php
··· 209 209 210 210 $server_uri = $this->getURI('/status/'); 211 211 212 - list($body) = id(new HTTPSFuture($server_uri)) 213 - ->setTimeout(2) 212 + list($body) = $this->newFuture($server_uri) 214 213 ->resolvex(); 215 214 216 215 return phutil_json_decode($body); ··· 225 224 $server_uri = $this->getURI('/'); 226 225 $payload = phutil_json_encode($data); 227 226 228 - id(new HTTPSFuture($server_uri, $payload)) 227 + $this->newFuture($server_uri, $payload) 229 228 ->setMethod('POST') 230 - ->setTimeout(2) 231 229 ->resolvex(); 230 + } 231 + 232 + private function newFuture($uri, $data = null) { 233 + if ($data === null) { 234 + $future = new HTTPSFuture($uri); 235 + } else { 236 + $future = new HTTPSFuture($uri, $data); 237 + } 238 + 239 + $future->setTimeout(2); 240 + 241 + // At one point, a HackerOne researcher reported a "Location:" redirect 242 + // attack here (if the attacker can gain control of the notification 243 + // server or the configuration). 244 + 245 + // Although this attack is not particularly concerning, we don't expect 246 + // Aphlict to ever issue a "Location:" header, so receiving one indicates 247 + // something is wrong and declining to follow the header may make debugging 248 + // easier. 249 + 250 + $future->setFollowLocation(false); 251 + 252 + return $future; 232 253 } 233 254 234 255 }
+6
src/docs/user/configuration/configuration_locked.diviner
··· 147 147 file. Usually, you'll do this by first copying the value from the database: 148 148 149 149 ``` 150 + phabricator/ $ ./bin/config get <key> 151 + ``` 152 + 153 + ...into local configuration: 154 + 155 + ``` 150 156 phabricator/ $ ./bin/config set <key> <value> 151 157 ``` 152 158
+2 -1
src/docs/user/configuration/notifications.diviner
··· 156 156 ======================= 157 157 158 158 After configuring `notification.servers`, navigate to 159 - {nav Config > Notification Servers} to verify that things are operational. 159 + {nav Config > Services > Notification Servers} to verify that things are 160 + operational. 160 161 161 162 162 163 Troubleshooting
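Review bot: in the `PhabricatorNotificationConfigOptions.php` hunk, `->setHidden(true)` locks `notification.servers` out of the web UI, but the option's own `->setSummary(pht('Configure real-time notifications.'))` and `->setDescription($servers_help)` are left as they were. Since this is the first text an administrator sees when the option no longer appears in Config, consider having `$servers_help` say that the value must now be set from the CLI (`./bin/config set notification.servers <value>`), rather than relying only on the generic `configuration_locked.diviner` change in this same revision.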
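Review bot: in the `newFuture()` hunk of `PhabricatorNotificationServerRef.php`, the code comment promises that declining to follow `Location:` "may make debugging easier", but the hunk does not say what a caller observes when a redirect does arrive, and the test plan only reports "a failure afterward". Consider extending the comment (or a short note in `getStatus`) to state which exception `->resolvex()` raises on the 3xx so that the failure is recognizable in logs. Separately, the `if ($data === null) { new HTTPSFuture($uri) } else { new HTTPSFuture($uri, $data) }` split is presumably there because passing `null` as the second constructor argument is not the same as omitting it; a one-line comment saying so would stop a future cleanup from collapsing the branches. The two comment paragraphs ("At one point, a HackerOne researcher reported..." and "Although this attack is not particularly concerning...") could also be merged into one, matching the single-paragraph comment style elsewhere in this file.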
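Review bot: in the `configuration_locked.diviner` hunk, the added `phabricator/ $ ./bin/config get <key>` step followed by "...into local configuration:" and `./bin/config set <key> <value>` reads well, but for a list-valued option such as `notification.servers` (whose default in this revision is `array()`) the `<value>` passed to `set` has to be the full JSON list, and `get` prints more than the bare value. Since this doc is now the only path for configuring that option, a sentence noting the JSON requirement for non-string options would save administrators a round trip.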