
Allow tools to use phabricator webhooks
Open, Medium, Public

Description

Phabricator has a feature for webhooks:

If you'd like to react to events in Phabricator or publish them into external systems, you can configure webhooks.

We currently don't have any tools using those webhooks, because we seem to block all outbound traffic from the phabricator application https://gerrit.wikimedia.org/r/plugins/gitiles/operations/puppet/+/refs/heads/production/modules/phabricator/data/fixed_settings.yaml#229, and seemingly also from the server that phabricator is hosted on (@thcipriani notes that netcat times out when pinging e.g. google.com from the phabricator server).

It seems that at least a few tools would benefit from being able to use webhooks: https://phabricator.wikimedia.org/search/query/rpmZZiCdW1KO/#R

I think there are a few things we would need to do:

  1. Loosen the rules for the server that Phabricator is hosted on to allow some specific domains to be reached (maybe toolforge.org for now?). Already possible.
  2. Loosen the rules for Phabricator application to allow external requests to the domain(s) defined above
  3. Define a process for requesting a webhook, because currently only admins can do so

Event Timeline

@thcipriani maybe this is not worth it, from a security perspective? What do you think?

Tools that want a stream of events could implement some crude polling of the recent activity from phabricator, as an alternative.

Just coming across this. I'm noting that we allow webhook traffic from GitLab to toolforge at present. I can't really think why this would be a different case, and it would probably facilitate some useful integrations.

@Dzahn curious if you have any thoughts here...

Hello, so what I can say for now is that, in general, to access the web from production servers you have to go via proxy servers; those can be configured by setting the HTTP_PROXY/HTTPS_PROXY environment variables. But that's just a technical comment; all the other questions still need to be talked about.

Aklapper triaged this task as Medium priority. Jul 13 2023, 5:33 PM
Aklapper moved this task from To Triage to Infrastructure on the Phabricator board.

I can talk to en.wikipedia from the phabricator prod machine (without setting a proxy):

[phab1004:~] $ curl -s https://en.wikipedia.org/wiki/Main_Page | tail -c 128

7\/Stamp_of_India_-_1978_-_Colnect_326687_-_Amrita_Sher_Girl.jpeg","headline":"Wikimedia project page"}</script>
</body>

I can also talk to a random external wiki (with setting the proxy):

[phab1004:~] $ HTTPS_PROXY="http://url-downloader.eqiad.wikimedia.org:8080" curl -s https://spongebob.fandom.com/wiki/Encyclopedia_SpongeBobia | grep title | head -c 32

<title>Encyclopedia SpongeBobia

Hmm. At the time that I filed this, netcat to google.com from a phabricator server didn't work. Not sure what changed since then.

It's because netcat isn't really a specialized HTTP client and won't look at the HTTP_PROXY env variable. While it does have a -x option to use a proxy, I can't get it to work like that either: it expects a SOCKS or HTTPS proxy with the -x argument, specified by -X:

    -X proxy_protocol
            Requests that nc should use the specified protocol when talking
            to the proxy server.  Supported protocols are "4" (SOCKS v.4),
            "5" (SOCKS v.5) and "connect" (HTTPS proxy).  If the protocol is
            not specified, SOCKS version 5 is used.

[phab1004:~] $ netcat -x url-downloader.eqiad.wikimedia.org:8080 -X connect www.google.com 80
netcat: Proxy error: "HTTP/1.1 403 Forbidden"
[phab1004:~] $ netcat -x url-downloader.eqiad.wikimedia.org:8080 -Xconnect www.google.com 443
GET index.html
...

BUT, what you can do is talk to the proxy and tell it to fetch google.com for you. This works:

[phab1004:~] $ netcat url-downloader.eqiad.wikimedia.org 8080
GET http://google.com HTTP/1.0

HTTP/1.1 301 Moved Permanently
Location: http://www.google.com/

Ah. I see, thanks for clarifying.

One potential security issue is that if someone uses a webhook to subscribe to events as they occur on phab, and a task is retroactively made a security issue, that application would have access to the private task contents. That can be somewhat mitigated by auditing who is allowed to subscribe to task events and seeing how that data is stored.
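As an added example (not code from this task, from Toolforge or from Phabricator), a receiver for a Phabricator webhook that stores only object references, so a task later restricted as a security issue is re-read under current policy rather than served from a stored copy. The X-Phabricator-Webhook-Signature header and its HMAC-SHA256 scheme follow Phabricator's webhook documentation; the key, the PHIDs and the payload shape are constructed for the example.

```python
import hashlib
import hmac
import json
from typing import Optional

# Constructed example key: the HMAC key shown on the webhook's page in Phabricator.
WEBHOOK_HMAC_KEY = b"example-hmac-key-not-a-real-secret"


def verify_signature(body: bytes, signature_header: str, key: bytes) -> bool:
    """Check the X-Phabricator-Webhook-Signature header.

    Phabricator signs the raw request body with HMAC-SHA256 using the hook's
    key and sends the hex digest in this header. A constant-time comparison
    keeps the receiver from accepting forged or replayed-with-edits bodies.
    """
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, signature_header)


def extract_references(body: bytes) -> dict:
    """Keep PHIDs and the event time, never task title or description.

    The record holds only references; a tool fetches the task through Conduit
    when it needs content, so a task made private after the event is checked
    against the policy in force at read time, not at delivery time.
    """
    event = json.loads(body)
    return {
        "object_phid": event["object"]["phid"],
        "object_type": event["object"]["type"],
        "transaction_phids": [t["phid"] for t in event.get("transactions", [])],
        "epoch": event["action"]["epoch"],
    }


def handle_delivery(body: bytes, signature_header: str) -> Optional[dict]:
    """Receiver entry point: reject unsigned or tampered bodies, store references only."""
    if not verify_signature(body, signature_header, WEBHOOK_HMAC_KEY):
        return None
    return extract_references(body)


# Constructed sample delivery, shaped like a Phabricator webhook payload.
SAMPLE_BODY = json.dumps({
    "object": {"type": "TASK", "phid": "PHID-TASK-examplexxxxxxxxxxxxx"},
    "action": {"test": False, "silent": False, "epoch": 1689269580},
    "transactions": [{"phid": "PHID-XACT-TASK-examplexxxxxxxxxx"}],
}).encode()
SAMPLE_SIGNATURE = hmac.new(WEBHOOK_HMAC_KEY, SAMPLE_BODY, hashlib.sha256).hexdigest()
```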