**Summary**
The `dot`, `figlet` and `cowsay` remarkup rules are implemented in a way that creates a security risk, and a low-severity (but highly practical) attack has been developed against `dot`.
The `figlet` and `cowsay` rules have been reimplemented safely.
The `dot` rule cannot easily be reimplemented safely and has been removed.
Installs are encouraged to upgrade Phabricator or uninstall `dot` (Graphviz). Uninstalling `dot` will defuse the known attack. Upgrading Phabricator will defuse this class of attack.
Installs that rely on the `dot` rule may install it as an extension. **This does not mitigate or defuse the risks. If you do this, you are making your install vulnerable.**
Installs with custom Figlet fonts or cows may need to adjust how they are installed (see below).
**Details**
Phabricator currently ships with three "interpreter" rules in Remarkup: `dot` (Graphviz), `figlet`, and `cowsay`. These rules are invoked like this:
```
cowsay {{{
Moo!
}}}
```
These rules are implemented by executing arbitrary binaries on the system. This approach is inherently risky, because executing unsandboxed binaries exposes a huge amount of surface area to attackers. The rules are as safe as possible, given the approach: they are careful about argument handling, the binaries normally need to be explicitly installed by an administrator, and these binaries seemed unlikely to permit arbitrary code execution. But this approach still harbors substantial risk.
A security researcher recently found a practical attack against the `dot` interpreter which allows an attacker to disclose information about a system and potentially render images on the system into graphs. Although this attack is not especially severe, there is no way to prevent it or other similar attacks (which might be far more severe) under the "execute arbitrary unsandboxed binaries" approach these rules currently employ. You can read the details of the report here once it is disclosed:
https://hackerone.com/reports/88395
In response, we are removing all rules of this type from the upstream: empirically, the risks presented by this approach are too great. The `figlet` and `cowsay` rules are simple parsers and could be safely rewritten, but the `dot` rule is complex. We do not have a safe alternative to the `dot` rule at this time, and do not have immediate plans to provide one.
**Upgrading: Figlet**
The `figlet` rule has been rewritten to only execute trusted code. It is now available on all systems without requiring the `figlet` binary to be installed.
If you have custom `.flf` fonts, drop them into `phabricator/resources/figlet/custom/` to make them available.
**Upgrading: Cowsay**
The `cowsay` rule has been rewritten to only execute trusted code. It is now available on all systems without requiring the `cowsay` binary to be installed.
If you have custom `.cow` cows, drop them into `phabricator/resources/cows/custom/` to make them available.
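
Stock `.cow` files are Perl fragments that the `cowsay` script evaluates, so a safe rewrite has to treat the file as data rather than code. The sketch below is an added example, not Phabricator's implementation: it extracts only the `$the_cow` heredoc and substitutes three known variables, and `parse_cow`, `render_cow` and the sample file are constructed for illustration.

```python
import re

# Constructed sample in the stock cowsay layout (a Perl heredoc assigned to
# $the_cow). The trailing statement stands in for code a hostile file might carry.
SAMPLE_COW = r'''
$the_cow = <<"EOC";
        $thoughts   ^__^
         $thoughts  ($eyes)\\_______
            (__)\\       )\\/\\
             $tongue ||----w |
                ||     ||
EOC
system("id");
'''

HEREDOC = re.compile(
    r'\$the_cow\s*=\s*<<\s*"?(\w+)"?\s*;[^\n]*\n(.*?)\n\1[ \t]*(?:\n|$)', re.S)
# One token is either a backslash escape or a $name / ${name} reference.
TOKEN = re.compile(r'\\(.)|\$\{?(\w+)\}?', re.S)

def parse_cow(source):
    """Return the heredoc body only; nothing in the file is evaluated."""
    match = HEREDOC.search(source)
    if match is None:
        raise ValueError("no $the_cow heredoc found")
    return match.group(2)

def render_cow(template, eyes="oo", tongue="  ", thoughts="\\"):
    """Fill the template in one pass, so inserted values are never rescanned."""
    values = {"eyes": eyes, "tongue": tongue, "thoughts": thoughts}

    def replace(match):
        if match.group(1) is not None:      # "\\" -> "\", "\@" -> "@"
            return match.group(1)
        name = match.group(2)
        if name not in values:              # refuse anything but the known three
            raise ValueError("unsupported variable: $" + name)
        return values[name]

    return TOKEN.sub(replace, template)

if __name__ == "__main__":
    print(render_cow(parse_cow(SAMPLE_COW)))
```

Statements outside the heredoc are dropped and unknown variables are rejected, so a custom cow can change the drawing but cannot run anything on the host.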
**Upgrading: dot/Graphviz**
This rule has been removed, because we cannot easily rewrite it to execute only trusted code or otherwise make it safe.
If you rely on this rule, you may install it as an extension by dropping this file into `phabricator/src/extensions/`: P1853
**This does not defuse or mitigate the vulnerability this rule creates. Running this extension makes your install vulnerable to attack.** Installs are strongly discouraged from running this code.