

Fix incorrect key handling in extended policy filtering

Summary:
Via HackerOne. The use of `$key` here should be `$extended_key`.

Exploiting this requires a very unusual group of objects to be subjected to extended policy checks. I believe there is no way to actually get anything bad through the policy filter today, but this could have been an issue in the future.

Test Plan:
- Added a unit test which snuck something through the policy filter.
- Fixed use of `$extended_key`.
- Test now passes.

Reviewers: chad

Reviewed By: chad

Differential Revision: https://secure.phabricator.com/D14993

+75 -3
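--- a/src/applications/policy/__tests__/PhabricatorPolicyTestCase.php
+++ b/src/applications/policy/__tests__/PhabricatorPolicyTestCase.php
@@ -285,6 +285,76 @@
 pht('Extended Policy with Cycle'));
 }
 
+
+/**
+* Test bulk checks of extended policies.
+*
+* This is testing an issue with extended policy filtering which allowed
+* unusual inputs to slip objects through the filter. See D14993.
+*/
+public function testBulkExtendedPolicies() {
+$object1 = $this->buildObject(PhabricatorPolicies::POLICY_USER)
+->setPHID('PHID-TEST-1');
+$object2 = $this->buildObject(PhabricatorPolicies::POLICY_USER)
+->setPHID('PHID-TEST-2');
+$object3 = $this->buildObject(PhabricatorPolicies::POLICY_USER)
+->setPHID('PHID-TEST-3');
+
+$extended = $this->buildObject(PhabricatorPolicies::POLICY_ADMIN)
+->setPHID('PHID-TEST-999');
+
+$object1->setExtendedPolicies(
+array(
+PhabricatorPolicyCapability::CAN_VIEW => array(
+array(
+$extended,
+array(
+PhabricatorPolicyCapability::CAN_VIEW,
+PhabricatorPolicyCapability::CAN_EDIT,
+),
+),
+),
+));
+
+$object2->setExtendedPolicies(
+array(
+PhabricatorPolicyCapability::CAN_VIEW => array(
+array($extended, PhabricatorPolicyCapability::CAN_VIEW),
+),
+));
+
+$object3->setExtendedPolicies(
+array(
+PhabricatorPolicyCapability::CAN_VIEW => array(
+array(
+$extended,
+array(
+PhabricatorPolicyCapability::CAN_VIEW,
+PhabricatorPolicyCapability::CAN_EDIT,
+),
+),
+),
+));
+
+$user = $this->buildUser('user');
+
+$visible = id(new PhabricatorPolicyFilter())
+->setViewer($user)
+->requireCapabilities(
+array(
+PhabricatorPolicyCapability::CAN_VIEW,
+))
+->apply(
+array(
+$object1,
+$object2,
+$object3,
+));
+
+$this->assertEqual(array(), $visible);
+}
+
+
 /**
 * An omnipotent user should be able to see even objects with invalid
 * policies.
@@ -430,10 +500,12 @@
 $object->setCapabilities(
 array(
 PhabricatorPolicyCapability::CAN_VIEW,
+PhabricatorPolicyCapability::CAN_EDIT,
 ));
 $object->setPolicies(
 array(
 PhabricatorPolicyCapability::CAN_VIEW => $policy,
+PhabricatorPolicyCapability::CAN_EDIT => $policy,
 ));
 
 return $object;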
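Review bot: testBulkExtendedPolicies only pins the reject path — `$this->assertEqual(array(), $visible);` shows that a plain user sees none of the three objects, but nothing shows the corrected key lookup still admits objects that should pass, so an over-rejecting regression in the bulk pass would go unnoticed. A second run of the same filter with a viewer that satisfies the POLICY_ADMIN extended object (presumably something like `$this->buildUser('admin')`, if the harness supports it) asserting that all three objects survive would cover the accept path as well. The mixed shapes on lines 311 and 322 (capability list versus single capability) are what exercise the bug, so a one-line comment above `$object2->setExtendedPolicies(` such as `// Single-capability form; mixed with the list form above to exercise bulk keying.` would tell the next reader why the inputs deliberately differ.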
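--- a/src/applications/policy/filter/PhabricatorPolicyFilter.php
+++ b/src/applications/policy/filter/PhabricatorPolicyFilter.php
@@ -321,7 +321,7 @@
 $objects_in = array();
 foreach ($structs as $struct) {
 $extended_key = $struct['key'];
-if (empty($extended_objects[$key])) {
+if (empty($extended_objects[$extended_key])) {
 // If this object has already been rejected by an earlier filtering
 // pass, we don't need to do any tests on it.
 continue;
@@ -335,8 +335,8 @@
 // We weren't able to load the corresponding object, so just
 // reject this result outright.
 
-$reject = $extended_objects[$key];
-unset($extended_objects[$key]);
+$reject = $extended_objects[$extended_key];
+unset($extended_objects[$extended_key]);
 
 // TODO: This could be friendlier.
 $this->rejectObject($reject, false, '<bad-ref>');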
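Review bot: The corrected lookups on lines 324, 338 and 339 now agree with `$extended_key = $struct['key'];`, but nothing in the hunk records why the previous `$key` went unnoticed — presumably it was a live variable from an enclosing scope, so the lookup silently resolved to a different entry and the filter failed open rather than erroring. A comment at line 323 such as `// Index $extended_objects by this struct's own key only; a stale variable here fails open (see D14993).` would guard the invariant for the next edit. Note that `empty($extended_objects[$extended_key])` treats a missing entry and a rejected-then-unset entry the same, which is what the comment on lines 325-326 relies on; if a falsy placeholder were ever stored there, `!isset(...)` would express the intent more precisely. The enclosing method starts and ends outside this hunk.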