
Build a Phacility cluster service tier to sandbox Graphviz and Cowsay
Closed, Wontfix (Public)

Description

Phabricator Graphviz support is really great, but if you try using it on Phacility then

Unable to locate the dot binary. Install Graphviz.

If it's reasonable to do this and safe then it'd be really nice to bring it to Phacility.

Event Timeline

tel raised the priority of this task from to Needs Triage.
tel updated the task description.
tel added a project: Phacility Support.
tel added a subscriber: tel.

I'm vaguely concerned about installing dot (and cowsay) because it's possible that they include features which can execute arbitrary commands and compromise the security of a host. Mercurial had such a vulnerability recently, see D12112 for some discussion. It is unlikely that dot or cowsay have such issues, but I suspect neither program (particularly cowsay) was developed with malicious input at the forefront of design considerations, and the more binaries we execute directly, the greater our exposure.

I'd like to sandbox these commands by exposing them as a service which runs on a tier without any access to the VPC or instance data. This is straightforward technically (both commands accept well-defined inputs and emit a single well-defined output), which is part of why I want to sandbox them (we reasonably can, and doing so strictly improves security). However, a lot of pieces are missing: we don't currently run other services outside of the VPC, the authentication and API primitives Phabricator exposes aren't perfect fits, and we don't have much of the glue we'd need written yet.

These challenges are surmountable and we can cheat pretty aggressively on some of them (worst case is that dot doesn't work until I can go kick the service, which isn't a big deal), but definitely more work than apt-get install dot.
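An added illustration of the process-level half of the sandboxing described above (not code from this task, from Phabricator, or from Phacility): a small Python wrapper that only runs renderers from a fixed allowlist, feeds the user's document on stdin, caps input and output size, and applies a wall-clock timeout plus CPU and memory rlimits in the child. The allowlist entries, size limits and the minimal environment are assumptions chosen for the example; the tier isolation (a host with no VPC or instance-data access) is infrastructure and is not shown here.

```python
import resource
import subprocess

# Constructed allowlist: tool name -> argv that reads stdin and writes stdout.
# The flags are assumptions for the example; nothing else is ever executed.
RENDERERS = {
    "dot": ["dot", "-Tsvg"],
    "cowsay": ["cowsay", "-n"],
    "figlet": ["figlet"],
}
MAX_INPUT = 64 * 1024          # bytes of user document accepted
MAX_OUTPUT = 1024 * 1024       # bytes of rendered output returned
TIMEOUT_SECONDS = 5            # wall-clock limit per render
MEMORY_LIMIT = 512 * 1024 * 1024


def _cap(limit, value):
    """Lower an rlimit to `value`, never above the existing hard limit."""
    _soft, hard = resource.getrlimit(limit)
    if hard != resource.RLIM_INFINITY:
        value = min(value, hard)
    resource.setrlimit(limit, (value, value))


def _limit_resources():
    """Runs in the child before exec: cap CPU seconds and address space."""
    _cap(resource.RLIMIT_CPU, TIMEOUT_SECONDS)
    _cap(resource.RLIMIT_AS, MEMORY_LIMIT)


def run_renderer(argv, payload, timeout=TIMEOUT_SECONDS):
    """Run one allowlisted renderer on `payload`; return a result dict, never raise."""
    if len(payload) > MAX_INPUT:
        return {"ok": False, "error": "input too large"}
    try:
        proc = subprocess.run(
            argv,
            input=payload,
            capture_output=True,
            timeout=timeout,                # kills the child on expiry
            env={"PATH": "/usr/bin:/bin", "LANG": "C"},  # minimal, fixed environment
            cwd="/",                        # nothing interesting to read or write here
            preexec_fn=_limit_resources,
        )
    except FileNotFoundError:
        # Same failure the task reports, but as a result rather than a crash.
        return {"ok": False, "error": "renderer not installed"}
    except subprocess.TimeoutExpired:
        return {"ok": False, "error": "timeout"}
    if proc.returncode != 0:
        return {"ok": False, "error": f"exit status {proc.returncode}"}
    if len(proc.stdout) > MAX_OUTPUT:
        return {"ok": False, "error": "output too large"}
    return {"ok": True, "output": proc.stdout}


def render(tool, payload):
    """Service entry point: the tool name is looked up, never interpolated into a command."""
    argv = RENDERERS.get(tool)
    if argv is None:
        return {"ok": False, "error": "unknown tool"}
    return run_renderer(argv, payload)
```

The service boundary is deliberately narrow: a tool name and a byte string go in, a byte string or an error comes out, so a hostile document can at worst burn its own CPU budget before being killed, and a compromised renderer still lands on a host that holds nothing of value.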

epriestley renamed this task from Install Graphviz to Build a Phacility cluster service tier to sandbox Graphviz and Cowsay. (Apr 8 2015, 6:24 PM)
epriestley triaged this task as Normal priority.
epriestley added a project: Phacility.

I appreciate your concern for safety!

I don't think the need for dot is strong enough to risk opening a hole. But cowsay... ;)

Yeah, this is definitely motivated mostly by cowsay, we'd just get dot for free.

epriestley claimed this task.

See T9408. A security researcher found a low-severity but practical attack against our implementation of dot.

cowsay and figlet are simple (a few hundred lines) and now have native implementations, and will be available in the cluster once they promote to stable (next weekend). There is no reasonable-effort approach available on dot (it is enormous and not practical to reimplement). We could do this API + sandboxing stuff in the cluster, conceivably, but we can't put the rule in the upstream in any reasonable way.

I imagine we'll find some other similar tool (with a PHP or JS implementation) in the future and provide that instead, but don't have any immediate plans to pursue this.
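An added example of the "native implementation" approach the comment above describes, written in Python rather than PHP and not taken from Phabricator's own cowsay code: the whole tool becomes a pure function from a string to a string. The balloon layout and the cow art follow the familiar default cowsay output; the width and message caps are assumptions for the example.

```python
import textwrap

BALLOON_WIDTH = 40        # column width before wrapping, as in cowsay's default
MAX_MESSAGE = 4096        # constructed cap so output size is bounded by input size

# The default cow, kept as data; the input never reaches a shell or a file.
COW = [
    r"        \   ^__^",
    r"         \  (oo)\_______",
    r"            (__)\       )\/\ ",
    r"                ||----w |",
    r"                ||     ||",
]


def balloon(message, width=BALLOON_WIDTH):
    """Return the speech-balloon lines for `message`, wrapped to `width`."""
    lines = textwrap.wrap(message[:MAX_MESSAGE], width) or [""]
    inner = max(len(line) for line in lines)
    out = [" " + "_" * (inner + 2)]
    if len(lines) == 1:
        out.append("< " + lines[0].ljust(inner) + " >")
    else:
        last = len(lines) - 1
        for i, line in enumerate(lines):
            if i == 0:
                left, right = "/", "\\"
            elif i == last:
                left, right = "\\", "/"
            else:
                left, right = "|", "|"
            out.append(f"{left} {line.ljust(inner)} {right}")
    out.append(" " + "-" * (inner + 2))
    return out


def cowsay(message):
    """Render `message` as the cow would say it; treats the input purely as text."""
    return "\n".join(balloon(message) + COW) + "\n"


if __name__ == "__main__":
    print(cowsay("Moo."))
```

Because the function never executes anything, the only properties a reviewer has to check are the ones visible in the code: input is length-capped, so output is bounded, and every byte of the message ends up inside the balloon as data.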