d401036bd8
Summary: Via HackerOne. There are two attacks here: - Configuring mirroring to a `file://` URI to place files on disk or overwrite another repository. This is not particularly severe. - Configuring cloning from a `file://` URI to read repositories you should not have access to. This is more severe. Historically, repository creation and editing explicitly supported `file://` URIs to deal with use cases where you had something else managing repositories on the same machine. Since there were no permissions, repository management was admin-only, and you couldn't mirror, this was fine. As we've evolved, this use case is a tiny minority use case and the security implications of `file://` URIs overwhelm the utility it provides. Prevent the use of `file://` URIs. Existing configured repositories won't stop working, you just can't add any new ones. Also prevent `localPath` from being set via Conduit (see T4039). Test Plan: - Tried to create a `file://` repository. - Tried to create a `file://` mirror. - Tried to create a `file://` repository via Conduit. - Created a non-`file://` repository. - Created a non-`file://` mirror. - Created a non-`file://` repository via Conduit. Reviewers: btrahan, chad Reviewed By: chad Subscribers: epriestley Differential Revision: https://secure.phabricator.com/D9513
Phabricator is an open source collection of web applications which help software companies build better software. Phabricator includes applications for: - reviewing and auditing source code; - hosting and browsing repositories; - assembling a party to venture forth; - tracking bugs; - hiding stuff from coworkers; and - also some other things. You can learn more about the project (and find links to documentation and resources) here: http://phabricator.org/ Phabricator is developed and maintained by Phacility. The first version of Phabricator was originally built at Facebook. LICENSE Phabricator is released under the Apache 2.0 license except as otherwise noted.