Page MenuHomePhabricator
Create Task
Maniphest T9408

Upgrading: `dot` (Graphviz) support removed, changes to `figlet` and `cowsay`
Closed, ResolvedPublic
Actions

Assigned To
epriestley
Authored By
epriestley
Sep 13 2015, 7:21 PM
Tags
Referenced Files
None
Subscribers
andypuettmann
cburroughs
chad
cspeckmim
eadler
epriestley
revi
tycho.tatitscheff
Tokens
"Heartbreak" token, awarded by mpadourek."Heartbreak" token, awarded by cspeckmim."Heartbreak" token, awarded by tycho.tatitscheff."Heartbreak" token, awarded by cburroughs.

Description

Summary

The dot, figlet and cowsay remarkup rules are implemented in a way that creates a security risk, and a low-severity (but highly practical) attack has been developed against dot.

The figlet and cowsay rules have been reimplemented safely.

The dot rule can not easily be reimplemented safely and has been removed.

Installs are encouraged to upgrade Phabricator or uninstall dot (Graphviz). Uninstalling dot will defuse the known attack. Upgrading Phabricator will defuse this class of attack.

Installs that rely on the dot rule may install it as an extension. This does not mitigate or defuse the risks. If you do this, you are making your install vulnerable.

Installs with custom Figlet fonts or cows may need to adjust how they are installed (see below).

Details

Phabricator currently ships with three "interpreter" rules in Remarkup: dot (Graphviz), figlet, and cowsay. These rules are invoked like this:

cowsay {{{
Moo!
}}}

These rules are implemented by executing arbitrary binaries on the system. This approach is inherently risky, because executing unsandboxed binaries exposes a huge amount of surface area to attackers. The rules are as safe as possible, given the approach: they are careful about argument handling, the binaries normally need to be explicitly installed by an administrator, and these binaries seemed unlikely to permit arbitrary code execution. But this approach still harbors substantial risk.

A security researcher recently found a practical attack against the dot interpreter which allows an attacker to disclose information about a system and potentially render images on the system into graphs. Although this attack is not especially severe, there is no way to prevent it or other similar attacks (which might be far more severe) under the "execute arbitrary unsandboxed binaries" approach these rules currently employ. You can read the details of the report here once it is disclosed:

https://hackerone.com/reports/88395

In response, we are removing all rules of this type from the upstream: empirically, the risks presented by this approach are too great. The figlet and cowsay rules are simple parsers and could be safely rewritten, but the dot rule is complex. We do not have a safe alternative to the dot rule at this time, and do not have immediate plans to provide one.

Upgrading: Figlet

The figlet rule has been rewritten to only execute trusted code. It is now available on all systems without requiring the figlet binary to be installed.

If you have custom .flf fonts, drop them into phabricator/resources/figlet/custom/ to make them available.

Upgrading: Cowsay

The cowsay rule has been rewritten to only execute trusted code. It is now available on all systems without requiring the cowsay binary to be installed.

If you have custom .cow cows, drop them into phabricator/resources/cows/custom/ to make them available.

Upgrading: dot/Graphviz

This rule has been removed, because we can not easily rewrite it to execute only trusted code or otherwise make it safe.

If you rely on this rule, you may install it as an extension by dropping this file into phabricator/src/extensions/: P1853

IMPORTANT: This extension does not defuse or mitigate the vulnerability this rule creates. Running this extension makes your install vulnerable to attack. Installs are strongly discouraged from running this code.

Revisions and Commits

rPHU libphutil
ClosedD14099 Implement Cowsay in PHP
rP Phabricator
ClosedD14100 Use PHP implementation of Cowsay for cowsay rule
ClosedD14101 Include "Figlet" and PEAR "Text_Figlet" in externals
ClosedD14102 Use PEAR Text_Figlet to render figlet fonts
D14248rP5a874ba0a840 Put cows and figlet bannners in <pre> in HTML mail bodies
D14103rPc02f750267f8 Remove dot/Graphviz Remarkup rule

Related Objects

Event Timeline

epriestley created this task.Sep 13 2015, 7:21 PM
epriestley raised the priority of this task from to Normal.
epriestley updated the task description. (Show Details)
epriestley added projects: Installing & Upgrading, Security, Remarkup.
epriestley added a subscriber: epriestley.
Herald added a subscriber: andypuettmann. · View Herald TranscriptSep 13 2015, 7:21 PM
epriestley added a revision: D14103: Remove dot/Graphviz Remarkup rule.Sep 13 2015, 7:22 PM
epriestley mentioned this in T7785: Build a Phacility cluster service tier to sandbox Graphviz and Cowsay.Sep 13 2015, 7:26 PM
epriestley added revisions: D14102: Use PEAR Text_Figlet to render figlet fonts, D14101: Include "Figlet" and PEAR "Text_Figlet" in externals, D14100: Use PHP implementation of Cowsay for cowsay rule, D14099: Implement Cowsay in PHP.
epriestley added a subscriber: chad.
epriestley mentioned this in rPHU880c0fb3448f: Implement Cowsay in PHP.Sep 13 2015, 7:27 PM
epriestley added a commit: rPc02f750267f8: Remove dot/Graphviz Remarkup rule.
epriestley mentioned this in rPc705c8011e96: Use PHP implementation of Cowsay for cowsay rule.
epriestley updated the task description. (Show Details)Sep 13 2015, 7:30 PM
epriestley mentioned this in rP935ced1eddbe: Include "Figlet" and PEAR "Text_Figlet" in externals.Sep 13 2015, 7:31 PM
epriestley mentioned this in rP6bd8ee861ca7: Use PEAR Text_Figlet to render figlet fonts.
cspeckmim added a subscriber: cspeckmim.Sep 14 2015, 1:47 AM
cburroughs awarded a token.Sep 14 2015, 12:03 PM
cburroughs added a subscriber: cburroughs.
tycho.tatitscheff awarded a token.Sep 14 2015, 12:24 PM
tycho.tatitscheff added a subscriber: tycho.tatitscheff.
cspeckmim awarded a token.Sep 15 2015, 6:19 AM
epriestley added a comment.Sep 19 2015, 12:08 PM
_________ < Moooooo > --------- \ ^__^ \ (oo)\_______ (__)\ )\/\ ||----w | || ||
epriestley mentioned this in 2015 Week 38 (Late September).Sep 19 2015, 12:20 PM
cspeckmim added a comment.Sep 19 2015, 5:35 PM

Does the new PHP cowsay implementation need to convert the escaped backslashes to single backslashes?

epriestley added a comment.Sep 19 2015, 6:08 PM

Ah, I think you're right. I thought that cow just had a nice thick neck (a sign of good breeding), but her tail is a little bristly.

cspeckmim mentioned this in T9471: New cowsay implementation renders .cow escape sequences.Sep 26 2015, 2:47 AM
epriestley mentioned this in T8720: files created from dot via remarkup in phriction should follow phriction view policy and not default view policy.Sep 27 2015, 12:04 PM
cspeckmim added a comment.Oct 9 2015, 2:25 AM

@epriestley - I'm not familiar with how email should work (or how it used to) but I think figlet text (and probably cowsays) are not html-ized for html emails -- they might look better in fixed-width fontstyle but it looks like regular-type. Adding figlet text for test:

____ ____________________________ ____ ________ __ ____ / __ \/ ____/ ____/ ____/ ___/ ___/ / __ )/ ____/ / / / / / / / /_/ / __/ / / / __/ \__ \\__ \ / __ / __/ / / / / / / / / _, _/ /___/ /___/ /___ ___/ /__/ / / /_/ / /___/ /___/ /___/_/_/ /_/ |_/_____/\____/_____//____/____/ /_____/_____/_____/_____(_)_)
Herald added a subscriber: revi. · View Herald TranscriptOct 9 2015, 2:25 AM
epriestley added a comment.Oct 9 2015, 2:56 AM

Yeah -- at least in HTML mail, the cows aren't getting properly linebreak'd either. I don't think that's new but it should be pretty easy to fix.

cspeckmim added a comment.Oct 9 2015, 3:00 AM

OK Thanks! Created T9538: HTML Emails which contain figlet and cowsay content should render respective code blocks in fixed-width font

epriestley added a revision: D14248: Put cows and figlet bannners in <pre> in HTML mail bodies.Oct 9 2015, 3:01 AM
epriestley added a commit: rP5a874ba0a840: Put cows and figlet bannners in <pre> in HTML mail bodies.Oct 9 2015, 3:03 AM
epriestley closed this task as Resolved.Oct 18 2015, 3:20 PM
epriestley claimed this task.

There are a couple of minor followups between this original announcement and HEAD which improve some behaviors, but this has been in stable for about a month now.

avivey mentioned this in T6609: Support math (LaTeX) equation in Remarkup.Nov 23 2015, 5:44 AM
epriestley mentioned this in T9900: Figlet does not properly render apostrophes with some characters.Aug 22 2016, 8:07 PM
avivey mentioned this in Z1336: General Chat.Jan 16 2017, 9:41 AM
avivey mentioned this in T12285: uml support.Feb 17 2017, 12:09 PM
mpadourek awarded a token.May 18 2017, 11:51 AM
Herald added a subscriber: eadler. · View Herald TranscriptMay 18 2017, 11:51 AM
epriestley added a comment.Aug 12 2017, 11:02 PM

In https://hackerone.com/reports/259246 (not currently disclosed) a researcher found an actual issue with figlet. Although it would probably be hard to develop into a practical attack, it does make me feel better about the decision to pull all this stuff into PHP (not just dot) when the dot issue was originally identified.

epriestley mentioned this in T13105: Plans: Rich presentation and diff rendering pipelines for various file types.Mar 14 2018, 6:43 AM
Phabricator · Built by Phacility