search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Correct a parameter order swap in "diffusion.historyquery" for Mercurial
[phabricator.git] / src / applications / config / option / PhabricatorSecurityConfigOptions.php
blob3438d3bd6788be546aafbd35e8de82016a7377ec
1 <?php
2
3 final class PhabricatorSecurityConfigOptions
4 extends PhabricatorApplicationConfigOptions {
5
6 public function getName() {
7 return pht('Security');
8 }
9
10 public function getDescription() {
11 return pht('Security options.');
12 }
13
14 public function getIcon() {
15 return 'fa-lock';
16 }
17
18 public function getGroup() {
19 return 'core';
20 }
21
22 public function getOptions() {
23 $doc_href = PhabricatorEnv::getDoclink('Configuring a File Domain');
24 $doc_name = pht('Configuration Guide: Configuring a File Domain');
25
26 $default_address_blacklist = array(
27 // This is all of the IANA special/reserved blocks in IPv4 space.
28 '0.0.0.0/8',
29 '10.0.0.0/8',
30 '100.64.0.0/10',
31 '127.0.0.0/8',
32 '169.254.0.0/16',
33 '172.16.0.0/12',
34 '192.0.0.0/24',
35 '192.0.2.0/24',
36 '192.88.99.0/24',
37 '192.168.0.0/16',
38 '198.18.0.0/15',
39 '198.51.100.0/24',
40 '203.0.113.0/24',
41 '224.0.0.0/4',
42 '240.0.0.0/4',
43 '255.255.255.255/32',
44
45 // And these are the IANA special/reserved blocks in IPv6 space.
46 '::/128',
47 '::1/128',
48 '::ffff:0:0/96',
49 '100::/64',
50 '64:ff9b::/96',
51 '2001::/32',
52 '2001:10::/28',
53 '2001:20::/28',
54 '2001:db8::/32',
55 '2002::/16',
56 'fc00::/7',
57 'fe80::/10',
58 'ff00::/8',
59 );
60
61 $keyring_type = 'custom:PhabricatorKeyringConfigOptionType';
62 $keyring_description = $this->deformat(pht(<<<EOTEXT
63 The keyring stores master encryption keys. For help with configuring a keyring
64 and encryption, see **[[ %s | Configuring Encryption ]]**.
65 EOTEXT
66 ,
67 PhabricatorEnv::getDoclink('Configuring Encryption')));
68
69 $require_mfa_description = $this->deformat(pht(<<<EOTEXT
70 By default, Phabricator allows users to add multi-factor authentication to
71 their accounts, but does not require it. By enabling this option, you can
72 force all users to add at least one authentication factor before they can use
73 their accounts.
74
75 Administrators can query a list of users who do not have MFA configured in
76 {nav People}:
77
78 - **[[ %s | %s ]]**
79 EOTEXT
80 ,
81 '/people/?mfa=false',
82 pht('List of Users Without MFA')));
83
84 return array(
85 $this->newOption('security.alternate-file-domain', 'string', null)
86 ->setLocked(true)
87 ->setSummary(pht('Alternate domain to serve files from.'))
88 ->setDescription(
89 pht(
90 'By default, Phabricator serves files from the same domain '.
91 'the application is served from. This is convenient, but '.
92 'presents a security risk.'.
93 "\n\n".
94 'You should configure a CDN or alternate file domain to mitigate '.
95 'this risk. Configuring a CDN will also improve performance. See '.
96 '[[ %s | %s ]] for instructions.',
97 $doc_href,
98 $doc_name))
99 ->addExample('https://files.phabcdn.net/', pht('Valid Setting')),
100 $this->newOption(
101 'security.hmac-key',
102 'string',
103 '[D\t~Y7eNmnQGJ;rnH6aF;m2!vJ8@v8C=Cs:aQS\.Qw')
104 ->setHidden(true)
105 ->setSummary(
106 pht('Key for HMAC digests.'))
107 ->setDescription(
108 pht(
109 'Default key for HMAC digests where the key is not important '.
110 '(i.e., the hash itself is secret). You can change this if you '.
111 'want (to any other string), but doing so will break existing '.
112 'sessions and CSRF tokens. This option is deprecated. Newer '.
113 'code automatically manages HMAC keys.')),
114 $this->newOption('security.require-https', 'bool', false)
115 ->setLocked(true)
116 ->setSummary(
117 pht('Force users to connect via HTTPS instead of HTTP.'))
118 ->setDescription(
119 pht(
120 "If the web server responds to both HTTP and HTTPS requests but ".
121 "you want users to connect with only HTTPS, you can set this ".
122 "to `true` to make Phabricator redirect HTTP requests to HTTPS.".
123 "\n\n".
124 "Normally, you should just configure your server not to accept ".
125 "HTTP traffic, but this setting may be useful if you originally ".
126 "used HTTP and have now switched to HTTPS but don't want to ".
127 "break old links, or if your webserver sits behind a load ".
128 "balancer which terminates HTTPS connections and you can not ".
129 "reasonably configure more granular behavior there.".
130 "\n\n".
131 "IMPORTANT: Phabricator determines if a request is HTTPS or not ".
132 "by examining the PHP `%s` variable. If you run ".
133 "Apache/mod_php this will probably be set correctly for you ".
134 "automatically, but if you run Phabricator as CGI/FCGI (e.g., ".
135 "through nginx or lighttpd), you need to configure your web ".
136 "server so that it passes the value correctly based on the ".
137 "connection type.".
138 "\n\n".
139 "If you configure Phabricator in cluster mode, note that this ".
140 "setting is ignored by intracluster requests.",
141 "\$_SERVER['HTTPS']"))
142 ->setBoolOptions(
143 array(
144 pht('Force HTTPS'),
145 pht('Allow HTTP'),
146 )),
147 $this->newOption('security.require-multi-factor-auth', 'bool', false)
148 ->setLocked(true)
149 ->setSummary(
150 pht('Require all users to configure multi-factor authentication.'))
151 ->setDescription($require_mfa_description)
152 ->setBoolOptions(
153 array(
154 pht('Multi-Factor Required'),
155 pht('Multi-Factor Optional'),
156 )),
157 $this->newOption(
158 'uri.allowed-protocols',
159 'set',
160 array(
161 'http' => true,
162 'https' => true,
163 'mailto' => true,
164 ))
165 ->setSummary(
166 pht(
167 'Determines which URI protocols are valid for links and '.
168 'redirects.'))
169 ->setDescription(
170 pht(
171 'When users write comments which have URIs, they will be '.
172 'automatically turned into clickable links if the URI protocol '.
173 'appears in this set.'.
174 "\n\n".
175 'This set of allowed protocols is primarily intended to prevent '.
176 'security issues with "javascript:" and other potentially '.
177 'dangerous URI handlers.'.
178 "\n\n".
179 'This set is also used to enforce valid redirect URIs. '.
180 'Phabricator will refuse to issue a HTTP "Location" redirect to a '.
181 'URI with a protocol not on this set.'.
182 "\n\n".
183 'Usually, "http" and "https" should be present in this set. If '.
184 'you remove one or both protocols, some Phabricator features '.
185 'which rely on links or redirects may not work.'))
186 ->addExample("http\nhttps", pht('Valid Setting'))
187 ->setLocked(true),
188 $this->newOption(
189 'uri.allowed-editor-protocols',
190 'set',
191 array(
192 'http' => true,
193 'https' => true,
194
195 // This handler is installed by Textmate.
196 'txmt' => true,
197
198 // This handler is for MacVim.
199 'mvim' => true,
200
201 // Unofficial handler for Vim.
202 'vim' => true,
203
204 // Unofficial handler for Sublime.
205 'subl' => true,
206
207 // Unofficial handler for Emacs.
208 'emacs' => true,
209
210 // This isn't a standard handler installed by an application, but
211 // is a reasonable name for a user-installed handler.
212 'editor' => true,
213
214 // This handler is for Visual Studio Code.
215 'vscode' => true,
216
217 // This is for IntelliJ IDEA.
218 'idea' => true,
219 ))
220 ->setSummary(pht('Whitelists editor protocols for "Open in Editor".'))
221 ->setDescription(
222 pht(
223 'Users can configure a URI pattern to open files in a text '.
224 'editor. The URI must use a protocol on this whitelist.'))
225 ->setLocked(true),
226 $this->newOption('remarkup.enable-embedded-youtube', 'bool', false)
227 ->setBoolOptions(
228 array(
229 pht('Embed YouTube videos'),
230 pht("Don't embed YouTube videos"),
231 ))
232 ->setSummary(
233 pht('Determines whether or not YouTube videos get embedded.'))
234 ->setDescription(
235 pht(
236 "If you enable this, linked YouTube videos will be embedded ".
237 "inline. This has mild security implications (you'll leak ".
238 "referrers to YouTube) and is pretty silly (but sort of ".
239 "awesome).")),
240 $this->newOption(
241 'security.outbound-blacklist',
242 'list<string>',
243 $default_address_blacklist)
244 ->setLocked(true)
245 ->setSummary(
246 pht(
247 'Blacklist subnets to prevent user-initiated outbound '.
248 'requests.'))
249 ->setDescription(
250 pht(
251 'Phabricator users can make requests to other services from '.
252 'the Phabricator host in some circumstances (for example, by '.
253 'creating a repository with a remote URL or having Phabricator '.
254 'fetch an image from a remote server).'.
255 "\n\n".
256 'This may represent a security vulnerability if services on '.
257 'the same subnet will accept commands or reveal private '.
258 'information over unauthenticated HTTP GET, based on the source '.
259 'IP address. In particular, all hosts in EC2 have access to '.
260 'such a service.'.
261 "\n\n".
262 'This option defines a list of netblocks which Phabricator '.
263 'will decline to connect to. Generally, you should list all '.
264 'private IP space here.'))
265 ->addExample(array('0.0.0.0/0'), pht('No Outbound Requests')),
266 $this->newOption('security.strict-transport-security', 'bool', false)
267 ->setLocked(true)
268 ->setBoolOptions(
269 array(
270 pht('Use HSTS'),
271 pht('Do Not Use HSTS'),
272 ))
273 ->setSummary(pht('Enable HTTP Strict Transport Security (HSTS).'))
274 ->setDescription(
275 pht(
276 'HTTP Strict Transport Security (HSTS) sends a header which '.
277 'instructs browsers that the site should only be accessed '.
278 'over HTTPS, never HTTP. This defuses an attack where an '.
279 'adversary gains access to your network, then proxies requests '.
280 'through an unsecured link.'.
281 "\n\n".
282 'Do not enable this option if you serve (or plan to ever serve) '.
283 'unsecured content over plain HTTP. It is very difficult to '.
284 'undo this change once users\' browsers have accepted the '.
285 'setting.')),
286 $this->newOption('keyring', $keyring_type, array())
287 ->setHidden(true)
288 ->setSummary(pht('Configure master encryption keys.'))
289 ->setDescription($keyring_description),
290 );
291 }
292
293 protected function didValidateOption(
294 PhabricatorConfigOption $option,
295 $value) {
296
297 $key = $option->getKey();
298 if ($key == 'security.alternate-file-domain') {
299
300 $uri = new PhutilURI($value);
301 $protocol = $uri->getProtocol();
302 if ($protocol !== 'http' && $protocol !== 'https') {
303 throw new PhabricatorConfigValidationException(
304 pht(
305 "Config option '%s' is invalid. The URI must start with ".
306 "'%s' or '%s'.",
307 $key,
308 'http://',
309 'https://'));
310 }
311
312 $domain = $uri->getDomain();
313 if (strpos($domain, '.') === false) {
314 throw new PhabricatorConfigValidationException(
315 pht(
316 "Config option '%s' is invalid. The URI must contain a dot ('.'), ".
317 "like '%s', not just a bare name like '%s'. ".
318 "Some web browsers will not set cookies on domains with no TLD.",
319 $key,
320 'http://example.com/',
321 'http://example/'));
322 }
323
324 $path = $uri->getPath();
325 if ($path !== '' && $path !== '/') {
326 throw new PhabricatorConfigValidationException(
327 pht(
328 "Config option '%s' is invalid. The URI must NOT have a path, ".
329 "e.g. '%s' is OK, but '%s' is not. Phabricator must be installed ".
330 "on an entire domain; it can not be installed on a path.",
331 $key,
332 'http://phabricator.example.com/',
333 'http://example.com/phabricator/'));
334 }
335 }
336 }
337
338
339 }
Open software engineering platform