"Upload file" in remarkup text fields should attach by default
Open, NormalPublic
Actions

Assigned To

None

Authored By

	rraval
	Aug 17 2022, 14:56

Description

Our local Phabricator install was recently impacted by the upstream 2022 Week 21 (Late May) update, which mitigated a permission escalation issue with file references.

The security guidance task mentions some limitations in passing:

Some reasonable cases where Phabricator should be able to determine that an attachment is safe (e.g., using the "Upload File" dialog, and some unmodernized interfaces in various applicatinos) are not yet automatically identified as safe and must be manually attached. See T13682 for some discussion of future work.

It appears that some workflows do indeed work as they did before, i.e. they both upload the file and attach it to the parent object, granting implicit visibility of the file to anyone that can see the parent object. From experiments on our local install, I've assembled the following truth table:

Where Upload to files application and reference {Fxxxx} "Upload File" in text box Paste into text box Drag & drop into text box

Task description Yes No Yes Yes

Task comment Yes No Yes Yes

Revision summary from arc Yes N/A N/A N/A

Revision test plan from arc Yes N/A N/A N/A

Revision summary from web Yes No Yes Yes

Revision test plan from web Yes No Yes Yes

Revision comment Yes No Yes Yes

NOTE: The Upload to files application and reference {Fxxxx} used the defaults at https://phabricator.internal.encircleapp.com/file/upload/ where Visible To was set to All Users.

Where	Upload to files application and reference {Fxxxx}	"Upload File" in text box	Paste into text box	Drag & drop into text box
Task description	Yes	No	Yes	Yes
Task comment	Yes	No	Yes	Yes
Revision summary from arc	Yes	N/A	N/A	N/A
Revision test plan from arc	Yes	N/A	N/A	N/A
Revision summary from web	Yes	No	Yes	Yes
Revision test plan from web	Yes	No	Yes	Yes
Revision comment	Yes	No	Yes	Yes

In particular, the "Upload File" in text box workflow seems to be glaringly broken. I have no idea if upstream plans to fix this as a charity or whether this'll have to be fixed through the community (and maybe contributed back upstream if epriestley accepts).

Similar discussions downstream:

https://phabricator.wikimedia.org/T310833

Revisions and Commits

rP Phorge
	Concern Raised	D25052	rP90f9da643d16 Add and use new RemarkupMetadata class

Related Objects
Search...

Status	Assigned	Task
Open	None	T15106 "Upload file" in remarkup text fields should attach by default
Resolved	valerio.bozzolan	T15272 RemarkupMetadata.js - Error: Empty ID passed to JX.$()!
Open	None	T15293 Try to avoid message: Transaction (of type "core:file") has no effect

Event Timeline

rraval created this task.Aug 17 2022, 14:56

Herald added subscribers: Matthew, chris, speck, tobiaswiese. · View Herald TranscriptAug 17 2022, 14:56

https://phabricator.wikimedia.org/D1203 is my fix for this issue at Wikimedia's install.

avivey mentioned this in 2022-08-23.Aug 27 2022, 14:36

Cigaryno subscribed.Sep 10 2022, 11:15

@avivey what would be required to merge @Dylsss 's patch into phorge stable?
(This thing has been annoying our team for the past few weeks)

Dylsss added a revision: D25052: Add and use new RemarkupMetadata class.Sep 18 2022, 17:06

Auto file attachments are also not working when editing a comment.

pasik subscribed.Sep 20 2022, 19:53

@kwisatz I'll try to review the diff this week, and that will probably get to master/stable soon...

Ekubischta mentioned this in Q20: After uploading an image to a task, rights are not inherited. Image in status Restricted (Answer 15).Oct 26 2022, 21:35

For completeness: The security breaches mentioned in the security guidance task are all about exposing an existing file that the attacker has new view access to; This flow is only relevant to explicitly uploading a new file, so it doesn't have the same security implications.

Cigaryno added a project: Remarkup.Oct 29 2022, 11:08

mainframe98 subscribed.Nov 20 2022, 10:29

valerio.bozzolan subscribed.Mar 8 2023, 14:44

valerio.bozzolan mentioned this in Q39: New behaviour when we add picture in Phriction page (Answer 43).Mar 16 2023, 15:57

Cigaryno added a project: Files (archived).Mar 27 2023, 08:38

valerio.bozzolan edited projects, added Files; removed Files (archived).Apr 6 2023, 11:59

valerio.bozzolan mentioned this in Q49: File uploads - default permissions (Answer 60).Apr 20 2023, 13:42

I start triaging this to Normal priority since this problem creates situations that don't happen with many proprietary weird alternatives like Trello, Asana etc., where their Drag & Drop "just works" since their file are always visible to all members and so it's considered as "working" for their end-users (well, thanks to the fact that Trello etc. have a terrible permission management system, thousand years back from Phorge, and they really have no concept of "single file permission", and so they win easy in these confrontations where the user expects something basic and it doesn't happen as default by some of our "attach to something" corner cases).

Dylan F <git@dylanfarrar.com> added a commit: rP90f9da643d16: Add and use new RemarkupMetadata class.Apr 24 2023, 01:53

valerio.bozzolan mentioned this in Next Up (since Week 18).Apr 25 2023, 13:46

Ekubischta mentioned this in T15273: Cannot Attach Restricted files to Phame Posts.Apr 25 2023, 20:29

valerio.bozzolan closed subtask T15272: RemarkupMetadata.js - Error: Empty ID passed to JX.$()! as Resolved.Apr 26 2023, 07:51

valerio.bozzolan updated the task description. (Show Details)May 4 2023, 15:18

nicodoggie subscribed.May 5 2023, 08:10

Another use case: Drag & Drop on a new Object description, even if the Object is not already created, should attach by default to it.

avivey mentioned this in 2023 Week 23.Jun 10 2023, 07:44

avivey mentioned this in Q73: File Visibility (Answer 99).Thu, Aug 31, 07:07