Page MenuHomePhorge
Create Task
Maniphest T15106

"Upload file" in remarkup text fields should attach by default
Open, HighPublic
Actions

Description

Our local Phabricator install was recently impacted by the upstream 2022 Week 21 (Late May) update, which mitigated a permission escalation issue with file references.

The security guidance task mentions some limitations in passing:

Some reasonable cases where Phabricator should be able to determine that an attachment is safe (e.g., using the "Upload File" dialog, and some unmodernized interfaces in various applicatinos) are not yet automatically identified as safe and must be manually attached. See T13682 for some discussion of future work.

It appears that some workflows do indeed work as they did before, i.e. they both upload the file and attach it to the parent object, granting implicit visibility of the file to anyone that can see the parent object. From experiments on our local install, I've assembled the following truth table:

WhereUpload to files application and reference {Fxxxx}"Upload File" in text boxPaste into text boxDrag & drop into text box
Task descriptionYesNoYesYes
Task commentYesNoYesYes
Revision summary from arcYesN/AN/AN/A
Revision test plan from arcYesN/AN/AN/A
Revision summary from webYesNoYesYes
Revision test plan from webYesNoYesYes
Revision commentYesNoYesYes
NOTE: The Upload to files application and reference {Fxxxx} used the defaults at https://phabricator.internal.encircleapp.com/file/upload/ where Visible To was set to All Users.

In particular, the "Upload File" in text box workflow seems to be glaringly broken. I have no idea if upstream plans to fix this as a charity or whether this'll have to be fixed through the community (and maybe contributed back upstream if epriestley accepts).

Similar discussions downstream:

Revisions and Commits

rP Phorge
Concern RaisedD25052rP90f9da643d16 Add and use new RemarkupMetadata class

Related Objects
Search...

Event Timeline

rraval created this task.Aug 17 2022, 14:56
Herald added subscribers: Matthew, chris, speck, tobiaswiese. · View Herald TranscriptAug 17 2022, 14:56
Dylsss subscribed.Aug 18 2022, 15:32

https://phabricator.wikimedia.org/D1203 is my fix for this issue at Wikimedia's install.

avivey mentioned this in 2022-08-23.Aug 27 2022, 14:36
Cigaryno subscribed.Sep 10 2022, 11:15
kwisatz added a subscriber: avivey.Sep 18 2022, 16:29
kwisatz subscribed.

@avivey what would be required to merge @Dylsss 's patch into phorge stable?
(This thing has been annoying our team for the past few weeks)

Dylsss added a revision: D25052: Add and use new RemarkupMetadata class.Sep 18 2022, 17:06
Dylsss added a comment.Sep 19 2022, 19:16

Auto file attachments are also not working when editing a comment.

pasik subscribed.Sep 20 2022, 19:53
avivey added a comment.Sep 23 2022, 07:12

@kwisatz I'll try to review the diff this week, and that will probably get to master/stable soon...

Ekubischta mentioned this in Q20: After uploading an image to a task, rights are not inherited. Image in status Restricted (Answer 15).Oct 26 2022, 21:35
avivey added a comment.Oct 29 2022, 07:07

For completeness: The security breaches mentioned in the security guidance task are all about exposing an existing file that the attacker has new view access to; This flow is only relevant to explicitly uploading a new file, so it doesn't have the same security implications.

Cigaryno added a project: Remarkup.Oct 29 2022, 11:08
mainframe98 subscribed.Nov 20 2022, 10:29
valerio.bozzolan subscribed.Mar 8 2023, 14:44
valerio.bozzolan mentioned this in Q39: New behaviour when we add picture in Phriction page (Answer 43).Mar 16 2023, 15:57
Cigaryno added a project: Files (archived).Mar 27 2023, 08:38
valerio.bozzolan edited projects, added Files; removed Files (archived).Apr 6 2023, 11:59
valerio.bozzolan mentioned this in Q49: File uploads - default permissions (Answer 60).Apr 20 2023, 13:42
valerio.bozzolan triaged this task as Normal priority.EditedApr 20 2023, 13:55

I start triaging this to Normal priority since this problem creates situations that don't happen with many proprietary weird alternatives like Trello, Asana etc., where their Drag & Drop "just works" since their file are always visible to all members and so it's considered as "working" for their end-users (well, thanks to the fact that Trello etc. have a terrible permission management system, thousand years back from Phorge, and they really have no concept of "single file permission", and so they win easy in these confrontations where the user expects something basic and it doesn't happen as default by some of our "attach to something" corner cases).

Restricted Repository Identity added a commit: rP90f9da643d16: Add and use new RemarkupMetadata class.Apr 24 2023, 01:53
valerio.bozzolan mentioned this in Next Up (since Week 18).Apr 25 2023, 13:46
Ekubischta mentioned this in T15273: Cannot Attach Restricted files to Phame Posts.Apr 25 2023, 20:29
valerio.bozzolan closed subtask T15272: RemarkupMetadata.js - Error: Empty ID passed to JX.$()! as Resolved.Apr 26 2023, 07:51
valerio.bozzolan updated the task description. (Show Details)May 4 2023, 15:18
nicodoggie subscribed.May 5 2023, 08:10
valerio.bozzolan added a comment.May 29 2023, 10:11

Another use case: Drag & Drop on a new Object description, even if the Object is not already created, should attach by default to it.

avivey mentioned this in 2023 Week 23.Jun 10 2023, 07:44
avivey mentioned this in Q73: File Visibility (Answer 99).Aug 31 2023, 07:07
valerio.bozzolan mentioned this in T15163: The Task Cover Image is visible only to the uploader (invisible to Task participants).Oct 25 2023, 19:33
speck added a comment.Oct 25 2023, 21:33

I had communicated these upstream (almost exactly a year ago~) and some helpful information was provided

@speck wrote:

Ref: https://secure.phabricator.com/T13683

Per that description filing these notices here.

A user ran into a case where pasting an image from system clipboard into a text field (specifically an inline comment) would not attach the file to the object as expected. I have not yet tested this (did not realize images in clipboard could be pasted into fields).

Additionally the phorge project has had a few related issues reported

  1. Deleting files leaves leftover "unknown object" references (on diff revisions)
  2. Deleting a file object via ./bin/remove destroy results in an exception due to a missing edge

If you prefer I can post this on https://secure.phabricator.com/T13682 instead

epriestley wrote:

Thanks -- I think these are known elsewhere (the inline comment thing is just "inline comment text never attaches files", and probably not specific to pasting images), I just haven't had a chance to collect them in https://secure.phabricator.com/T13683 and fix them yet since the amount of software development I'm doing these days rounds down to zero. My plan is:

  1. Deleting a file should delete all corresponding PhabricatorFileAttachment objects.
  2. When an object is destroyed, attached edges should be destroyed even if their edge type is unknown, perhaps with a console warning.
  3. Inline comments should attach files.

...but no clue when I'll get there.

(1) is probably simple and straightforward -- a patch using PhabricatorFileAttachmentQuery, following the PhabricatorQueryIterator pattern in DifferentialRevision->destroyObjectPermanently(), seems likely reasonable to me.

(2) may be tricky since I think the code raising the error is far-removed from the knowledge that a deletion is occurring. Alternate but less-pure remedies are "restore stub edge type definitions for the removed edges" or "migrate to destroy all those edges", but I think those are a fairly big step down from "don't fail when destroying unknown edge types".

(3) is probably moderately complicated, I think the patch has several pieces and probably doesn't closely resemble other file attachment patches.

epriestley wrote:

...perhaps with a console warning.

While reviewing this, one note mostly for my own sake: although the current console behavior says "exception", it does continue and actually destroy the object (but not the outdated edge).

I noted the rest of this in T13682.

kornrunner subscribed.Jan 2 2024, 20:02
valerio.bozzolan added a comment.Feb 28 2024, 15:02

This feature is not complete also for Conpherence AFAIK

valerio.bozzolan closed subtask T15293: Try to avoid message: Transaction (of type "core:file") has no effect as Resolved.Feb 29 2024, 08:17
avivey raised the priority of this task from Normal to High.Thu, Apr 11, 10:41
Content licensed under Creative Commons Attribution-ShareAlike 4.0 (CC-BY-SA) unless otherwise noted; code licensed under Apache 2.0 or other open source licenses. · CC BY-SA 4.0 · Apache 2.0