Page MenuHomePhabricator

Build a Phacility cluster service tier to sandbox Graphviz and Cowsay
Closed, WontfixPublic


Phabricator Graphviz support is really great, but if you try using it on Phacility then

Unable to locate the dot binary. Install Graphviz.

If it's reasonable to do this and safe then it'd be really nice to bring it to Phacility.

Event Timeline

tel raised the priority of this task from to Needs Triage.
tel updated the task description. (Show Details)
tel added a project: Phacility Support.
tel added a subscriber: tel.

I'm vaguely concerned about installing dot (and cowsay) because it's possible that they include features which can execute arbitrary commands and compromise the security of a host. Mercurial had such a vulnerability recently, see D12112 for some discussion. It is is unlikely that dot or cowsay have such issues, but I suspect neither program (particularly cowsay) was developed with malicious input at the forefront of design considerations, and the more binaries we execute directly, the greater our exposure.

I'd like to sandbox these commands by exposing them as a service which runs on a tier without any access to the VPC or instance data. This is straightforward technically (both commands accept well-defined inputs and emit a single well-defined output), which is part of why I want to sandbox them (we reasonably can, and doing so strictly improves security). However, a lot of pieces are missing: we don't currently run other services outside of the VPC, the authentication and API primitives Phabricator exposes aren't perfect fits, and we don't have much of the glue we'd need written yet.

These challenges are surmountable and we can cheat pretty aggressively on some of them (worst case is that dot doesn't work until I can go kick the service, which isn't a big deal), but definitely more work than apt-get install dot.

epriestley renamed this task from Install Graphviz to Build a Phacility cluster service tier to sandbox Graphviz and Cowsay.Apr 8 2015, 6:24 PM
epriestley triaged this task as Normal priority.
epriestley added a project: Phacility.

I appreciate your concern for safety!

I don't think the need for dot is strong enough to risk opening a hole. But cowsay... ;)

Yeah, this is definitely motivated mostly by cowsay, we'd just get dot for free.

epriestley claimed this task.

See T9408. A security researcher found a low-severity but practical attack against our implementation of dot.

cowsay and figlet are simple (a few hundred lines) and now have native implementations, and will be available in the cluster once they promote to stable (next weekend). There is no reasonable-effort approach available on dot (it is enormous and not practical to reimplement). We could do this API + sandboxing stuff in the cluster, conceivably, but we can't put the rule in the upstream in any reasonable way.

I imagine we'll find some other similar tool (with a PHP or JS implementation) in the future and provide that instead, but don't have any immediate plans to pursue this.