Fix incorrect key handling in extended policy filtering

Authored by epriestley <git@epriestley.com> on Jan 11 2016, 13:32.

Description

Fix incorrect key handling in extended policy filtering

Summary:
Via HackerOne. The use of $key here should be $extended_key.

Exploiting this requires a very unusual group of objects to be subjected to extended policy checks. I believe there is no way to actually get anything bad through the policy filter today, but this could have been an issue in the future.

Test Plan:

  • Added a unit test which snuck something through the policy filter.
  • Fixed use of $extended_key.
  • Test now passes.

Reviewers: chad

Reviewed By: chad

Differential Revision: https://secure.phabricator.com/D14993

Details

Committed
epriestley <git@epriestley.com> on Jan 11 2016, 16:04
Pushed
aubort on Jan 31 2017, 17:16
Parents
rPH0b3d10c3da91: Enforce sensible, unique clone/checkout names for repositories
Branches
Unknown
Tags
Unknown

Event Timeline

epriestley <git@epriestley.com> committed rPHf59ebf4c0959: Fix incorrect key handling in extended policy filtering (authored by epriestley <git@epriestley.com>). Jan 11 2016, 16:04