Improve granluarity and defaults of `security.allow-outbound-http`


Improve granluarity and defaults of security.allow-outbound-http

Ref T6755. This is a partial fix, but:

  • Allow netblocks to be blacklisted instead of making the feature all-or-nothing.
  • Default to disallow requests to all reserved private/local/special IP blocks. This should generally be a "safe" setting.
  • Explain the risks better.
  • Improve the errors rasied by Macro when failing.
  • Removed security.allow-outbound-http, as it is superseded by this setting and is somewhat misleading.
    • We still make outbound HTTP requests to OAuth.
    • We still make outbound HTTP requests for repositories.

From a technical perspective:

  • Separate URIs that are safe to link to or redirect to (basically, not "javascript://") from URIs that are safe to fetch (nothing in a private block).
  • Add the default blacklist.
  • Be more careful with response data in Macro fetching, and don't let the user see it if it isn't ultimately valid.


  • I want to do this check before pulling repositories, but that's enough of a mess that it should go in a separate diff.
  • The future implementation of T4190 needs to perform the fetch check.

Test Plan:

  • Fetched a valid macro.
  • Fetched a non-image, verified it didn't result in a viewable file.
  • Fetched a private-ip-space image, got an error.
  • Fetched a 404, got a useful-enough error without additional revealing response content (which is usually HTML anyway and not useful).
  • Fetched a bad protocol, got an error.
  • Linked to a local resource, a phriction page, a valid remote site, all worked.
  • Linked to private IP space, which worked fine (we want to let you link and redierect to other private services, just not fetch them).
  • Added and executed unit tests.

Reviewers: btrahan

Reviewed By: btrahan

Subscribers: epriestley

Maniphest Tasks: T6755

Differential Revision: https://secure.phabricator.com/D12136