
Hide "notification.servers" configuration and don't follow redirects from Aphlict
ClosedPublic

Authored by epriestley on Apr 15 2020, 1:50 PM.
Tags
None
Subscribers
None

Details

Summary

See https://hackerone.com/reports/850114.

An attacker with administrator privileges can configure "notification.servers" to connect to internal services, either directly or with chosen parameters by selecting an attacker-controlled service and having it issue a "Location" redirect.

Generally, we allow this attack to occur. The same administrator can use an authentication provider or a VCS repository to perform the same attack, and we can't reasonably harden these workflows without breaking things that users expect to be able to do.

There's no reason this particular variation of the attack needs to be allowable, though, and the current behavior isn't consistent with how other similar things work.

  • Hide the "notification.servers" configuration, which also locks it. This is similar to other modern service/server configuration.
  • Don't follow redirects on these requests. Aphlict should never issue a "Location" header, so if we encounter one something is misconfigured. Declining to follow this header likely makes the issue easier to debug.

Test Plan
  • Viewed configuration in web UI.
  • Configured a server that "Location: ..." redirects, got a followed redirect before and a failure afterward.

Screen Shot 2020-04-15 at 6.46.58 AM.png (277×922 px, 32 KB)
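The second change above, refusing to follow a "Location" header when talking to the notification server, is illustrated by the following added example. It is not Phabricator's or Aphlict's code: it is a small Python probe that fetches a `/status` endpoint from a configured notification server, returns the 3xx to the caller as a misconfiguration instead of issuing a second request, and is exercised against a constructed loopback server that plays both a well-behaved Aphlict and a misbehaving one. The `/status` path, the JSON body and the redirect target are all assumptions made for the demo.

```python
"""Added example (not Phabricator code): an Aphlict status probe that refuses
to follow HTTP redirects, so a 'Location' header is surfaced as a
misconfiguration instead of being followed to wherever it points."""
import http.server
import json
import threading
import urllib.error
import urllib.request


class NoRedirectHandler(urllib.request.HTTPRedirectHandler):
    """Returning None from redirect_request makes urllib stop and raise the
    3xx as an HTTPError rather than issuing a second request."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def probe_notification_server(base_url, timeout=5):
    """Fetch <base_url>/status (assumed endpoint) without following redirects.

    Returns a dict describing the outcome; never performs more than the one
    request the operator actually configured."""
    opener = urllib.request.build_opener(NoRedirectHandler)
    try:
        with opener.open(base_url.rstrip("/") + "/status", timeout=timeout) as resp:
            return {"ok": True, "status": resp.status,
                    "body": json.loads(resp.read().decode("utf-8"))}
    except urllib.error.HTTPError as err:
        location = err.headers.get("Location")
        if 300 <= err.code < 400 and location:
            # Aphlict never redirects: report it, do not chase it.
            return {"ok": False, "status": err.code,
                    "error": "notification server issued a redirect to %r; "
                             "Aphlict never redirects, so this server is "
                             "misconfigured or not an Aphlict instance" % location}
        return {"ok": False, "status": err.code, "error": "HTTP %d" % err.code}
    except OSError as err:  # URLError (DNS/connect failures) is an OSError
        return {"ok": False, "status": None, "error": str(err)}


class _FakeServer(http.server.BaseHTTPRequestHandler):
    """Constructed stand-in for two servers: a well-behaved Aphlict answering
    /status, and a misbehaving one (any other path) that redirects."""

    def do_GET(self):
        if self.path == "/status":
            body = json.dumps({"instance": "example", "uptime": 123}).encode()
            self.send_response(200)
            self.send_header("Content-Type", "application/json")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)
        else:
            # Constructed placeholder target; the probe must never request it.
            self.send_response(302)
            self.send_header("Location", "http://127.0.0.1:9/internal-admin")
            self.send_header("Content-Length", "0")
            self.end_headers()

    def log_message(self, *args):
        pass  # keep the demo quiet


def start_fake_server():
    """Bind a throwaway loopback port and serve in a daemon thread."""
    server = http.server.HTTPServer(("127.0.0.1", 0), _FakeServer)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, "http://127.0.0.1:%d" % server.server_address[1]


def demo():
    """Probe the good server and the redirecting one; return both results."""
    server, base = start_fake_server()
    try:
        return (probe_notification_server(base),
                probe_notification_server(base + "/redirect"))
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    good, bad = demo()
    print(good)
    print(bad)
```

The design point is that the redirect handler returns `None`, so urllib hands the original 3xx back as an `HTTPError` with its headers intact; the probe can then name the offending `Location` value in its error message, which is what makes a misconfigured server easy to spot in a log, while the request that would have reached the redirect target is simply never made.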

Diff Detail

Repository
rP Phabricator
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

This revision was not accepted when it landed; it landed in state Needs Review. Apr 15 2020, 2:00 PM
This revision was automatically updated to reflect the committed changes.