Page MenuHomePhabricator
Create Task
Maniphest T6960

Support %P in qsprintf()
Closed, ResolvedPublic
Actions

Description

  • In the Phacility deployment workflow, we have a couple of cases where we GRANT with a password. It would be cleaner to use %P to keep this out of --trace, but qsprintf() does not currently support %P.
  • Supporting %P requires returning an object from qsprintf().
    • In both the qsprintf() and csprintf() cases, we could implement more phutil_tag()-like semantics and make these objects respond to conversion with %s correctly (without escaping). This would let us dramatically reduce the amount of %Q and %C we use, which is highly desirable.
    • However, we do a lot of manual string mangling with qsprintf() in Query classes right now, e.g. implode(') OR (', $clauses). This won't work if we make the semantics safer.
    • Fix is probably something similar to phutil_implode_html(), maybe qsprintf_join($conn_r, $pattern, $query_parts, $between) or something:
qsprintf_join($conn_r, '(%s)', $clauses, ') OR (');

Maybe cleaner as:

qsprintf_join(conn, clauses, before, between, after);
qsprintf_join($conn_r, $clauses, '(', ') OR (', ')');

Or maybe that's overthinking it, this seems OK:

$clauses = qsprintf_implode($conn_r, $clauses, ') OR (');
$clauses = qsprintf($conn_r, '(%s)', $clauses);

In 95% of cases, we should be able to bury that in a buildJoinClause() or buildWhereClause() call anyway, so the simpler method is probably cleaner.

So overall approach is probably:

  • Implement qsprintf_implode() with current semantics.
  • Go through Phabricator and convert all manual mangling of queries to use qsprintf() or qsprintf_implode(). Most of this can be accomplished by lifting clauses construction into the base query class, probably.
  • Change qsprintf() semantics so it returns an object.
  • Allow %s (or maybe a new conversion, since %s has some level of existing semantics -- but the important part is that this would be a safe conversion, not %Q) to convert this object without double-escaping.
  • Convert as many %Q to %s (or the new conversion) as possible.
  • Implement %P for queries.

Beyond giving us %P, this would significantly improve our resistance to SQL injection (by reducing manual query manipulation to near-zero and making it very difficult to get wrong).

Revisions and Commits

Restricted Differential RevisionRestricted Diffusion Commit
rPHU libphutil
D19811rPHU35d0ec2dfa59 Keep the new "%P" query conversion out of the service call profiler by…
D19783rPHUbe5a87463ac5 Support %LA (AND), %LO (OR) and %LQ (comma) conversions for qsprintf() to…
D19782rPHUf842247de41a Support %P (Password or Secret) in qsprintf()
rP Phabricator
D19812rP49483bdb4823 Use "%P" to protect session key hashes in SessionEngine queries from DarkConsole

Related Objects

Event Timeline

epriestley created this task.Jan 13 2015, 3:28 PM
epriestley raised the priority of this task from to Low.
epriestley updated the task description. (Show Details)
epriestley added projects: Infrastructure, Phacility, Security.
epriestley added a subscriber: epriestley.
epriestley moved this task from Backlog to Do After Launch on the Phacility board.Jan 13 2015, 3:31 PM
epriestley moved this task from Do After Launch to Do Eventually on the Phacility board.Jan 20 2015, 10:03 PM
asherkin added a subscriber: asherkin.Jun 21 2016, 3:37 PM
Herald added subscribers: cburroughs, andypuettmann, eadler, revi. · View Herald TranscriptJun 21 2016, 3:37 PM
Krinkle added a subscriber: Krinkle.Mar 30 2017, 2:52 AM
epriestley mentioned this in T12678: Bring sanity to the world of all MySQL data being string-typed.May 5 2017, 4:11 PM
epriestley removed a project: Phacility.Feb 14 2018, 1:09 PM
20after4 added a subscriber: 20after4.Mar 17 2018, 12:30 AM
epriestley mentioned this in T13210: Plans: 2018 Week 41-44 Bonus Content.Oct 25 2018, 8:22 PM
epriestley mentioned this in T13217: Upgrading: Hardening of qsprintf().Nov 7 2018, 12:19 AM
epriestley added a revision: D19782: Support %P (Password or Secret) in qsprintf().Nov 7 2018, 12:34 AM
epriestley added a revision: D19783: Support %LA (AND), %LO (OR) and %LQ (comma) conversions for qsprintf() to improve safety.Nov 7 2018, 12:45 AM
epriestley closed this task as Resolved by committing rPHUf842247de41a: Support %P (Password or Secret) in qsprintf().Nov 13 2018, 4:48 PM
epriestley added a commit: rPHUf842247de41a: Support %P (Password or Secret) in qsprintf().
epriestley added a commit: rPHUbe5a87463ac5: Support %LA (AND), %LO (OR) and %LQ (comma) conversions for qsprintf() to….
epriestley added a revision: D19811: Keep the new "%P" query conversion out of the service call profiler by unmasking later.Nov 15 2018, 1:28 PM
epriestley added a revision: D19812: Use "%P" to protect session key hashes in SessionEngine queries from DarkConsole.Nov 15 2018, 1:31 PM
epriestley added a commit: rP49483bdb4823: Use "%P" to protect session key hashes in SessionEngine queries from DarkConsole.Nov 16 2018, 8:36 PM
epriestley added a revision: Restricted Differential Revision.Nov 17 2018, 1:21 AM
epriestley added a commit: Restricted Diffusion Commit.Nov 19 2018, 3:39 PM
epriestley added a commit: rPHU35d0ec2dfa59: Keep the new "%P" query conversion out of the service call profiler by….Nov 21 2018, 3:55 PM
Phabricator · Built by Phacility