
Store integrity hashes for file blobs in Files
Closed, Resolved · Public

Description

Currently, we don't integrity-check stored data in Files. We can reasonably do this, and doing so can make some error handling and diagnostics easier (see also T9828, perhaps) and allow us to detect corruption (though we have no evidence that installs currently experience it).

The lack of an integrity check also potentially allows an attacker who has access to the underlying datastore -- but not to any application servers -- to tamper with file data by replacing blobs on the storage service.

A recent HackerOne report (which I'll link here for discussion once it discloses) suggests that this might be possible even for encrypted data. Although I currently believe that this attack is unrealistically difficult, it isn't entirely impossible, and adding an integrity check would defuse it.

Event Timeline

The security part of this is fixed by D17625, but I'm planning to write a support script like bin/files integrity or similar to do things like "compute hashes for existing files" and "check that a file or set of files match their integrity hashes".

The HackerOne issue for this is here:

https://hackerone.com/reports/216746

The researcher hasn't confirmed disclosure at time of writing, but the link will probably start working in the next couple of days.
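The following is an added illustration of the scheme the description and the first comment sketch; it is not Phabricator's code and does not reflect how D17625 implements the check. It assumes two tiers with different trust: a metadata database reachable only through application servers, and a blob storage engine the attacker in the threat model can write to. The hash is a keyed HMAC-SHA256 under a key that exists only on application servers (the key name, the in-memory `MetadataDB`/`BlobStorage` stand-ins, and the sample file contents are constructed for this example). It also shows the two maintenance operations the comment proposes for a `bin/files integrity`-style script: backfilling hashes for files stored before the column existed, and checking a file or set of files against their recorded hashes.

```python
import hashlib
import hmac
import secrets


class IntegrityError(Exception):
    """Raised when a blob no longer matches the hash recorded for it."""


class MetadataDB:
    """Stand-in for the application database (file rows), constructed for
    this example. In the threat model this tier is only reachable through
    the application servers."""

    def __init__(self):
        # file_id -> {"handle": storage handle, "integrity_hash": hex or None}
        self.rows = {}


class BlobStorage:
    """Stand-in for the storage engine (disk, S3, a MySQL blob table). This
    is the tier the threat model lets the attacker replace blobs in."""

    def __init__(self):
        self.blobs = {}  # storage handle -> bytes


def integrity_hash(key: bytes, data: bytes) -> str:
    # Keyed rather than a plain digest: if metadata and blobs happen to live
    # in the same datastore, an attacker could rewrite a plain hash column to
    # match a swapped blob. Without the key (held only on app servers) they
    # cannot produce a matching HMAC.
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def store_file(db, storage, key, file_id, data):
    """Write path: hash is computed on the app server before the blob is
    handed to storage, and recorded in the metadata row."""
    handle = f"blob:{file_id}"
    storage.blobs[handle] = data
    db.rows[file_id] = {"handle": handle, "integrity_hash": integrity_hash(key, data)}


def import_legacy_file(db, storage, file_id, data):
    """A file stored before integrity hashes existed: no hash recorded."""
    handle = f"blob:{file_id}"
    storage.blobs[handle] = data
    db.rows[file_id] = {"handle": handle, "integrity_hash": None}


def load_file(db, storage, key, file_id):
    """Read path: verify the blob against the recorded hash before serving it.
    Files that predate the column (hash is None) are served unchecked until
    they are backfilled; a stricter deployment could refuse them instead."""
    row = db.rows[file_id]
    data = storage.blobs[row["handle"]]
    if row["integrity_hash"] is not None:
        actual = integrity_hash(key, data)
        # constant-time comparison so the check itself leaks nothing
        if not hmac.compare_digest(row["integrity_hash"], actual):
            raise IntegrityError(f"{file_id}: blob does not match its integrity hash")
    return data


def backfill_hashes(db, storage, key):
    """'Compute hashes for existing files': fill in rows that have no hash.
    Returns the number of rows updated. This trusts the current blob, so it
    should run before an attacker could have touched storage."""
    updated = 0
    for row in db.rows.values():
        if row["integrity_hash"] is None:
            row["integrity_hash"] = integrity_hash(key, storage.blobs[row["handle"]])
            updated += 1
    return updated


def check_files(db, storage, key, file_ids=None):
    """'Check that a file or set of files match their integrity hashes'.
    Returns {file_id: "ok" | "corrupt" | "unhashed" | "missing"}."""
    if file_ids is None:
        file_ids = list(db.rows)
    results = {}
    for file_id in file_ids:
        row = db.rows[file_id]
        data = storage.blobs.get(row["handle"])
        if data is None:
            results[file_id] = "missing"
        elif row["integrity_hash"] is None:
            results[file_id] = "unhashed"
        elif hmac.compare_digest(row["integrity_hash"], integrity_hash(key, data)):
            results[file_id] = "ok"
        else:
            results[file_id] = "corrupt"
    return results


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # would be generated once and kept in app config
    db, storage = MetadataDB(), BlobStorage()
    store_file(db, storage, key, "F1", b"report.pdf contents")
    import_legacy_file(db, storage, "F2", b"old upload")
    print(check_files(db, storage, key))          # F1 ok, F2 unhashed
    print(backfill_hashes(db, storage, key))      # 1
    storage.blobs["blob:F1"] = b"tampered contents"  # attacker swaps the blob
    print(check_files(db, storage, key, ["F1"]))  # F1 corrupt
```

The backfill step is the one to think about operationally: it can only assert "this blob matched what was in storage when the script ran", so it is worth running immediately after deploying the column, and the check output for `unhashed` rows tells you what has not yet been covered.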