Differential "Show Raw File" feature exposes generated files to unauthorised users
Severity: Medium
Program: Phabricator
Reported by: calvium
Summary:
In certain circumstances, a user or mongoose can see a file from a diff they should not be able to see due to a policy.
Preface:
We are an app agency using a private Phabricator instance to manage projects. This issue prevents us from allowing clients to access our instance as they would have the ability to see some confidential content for other clients. Spaces and policies seem to work fine other than this issue.
Video:
Attached is a video (under 8 minutes) in which I show the issue on a fresh Phabricator installation. The first 6 minutes are preparation; the issue is visible in the last 30 seconds.
You will see I look up the ID of the generated file in the database to speed up the demonstration. We could scan through pages automatically with a script to make this bug more viable.
Reproduction steps:
- Open two different browsers (to simulate two different users)
- BROWSER A: Log in as a user
- BROWSER B: Log in as another user
- BROWSER A: Go to Differential and create a new diff. Make it visible to just yourself
- BROWSER A: Update the diff a few times (I've found the bug to be more reproducible when the diff is long and the update weaves in changes throughout the file, though this may not actually be a factor)
- BROWSER B: Visit the diff page and confirm it is restricted: you cannot see it.
- BROWSER A: On the diff page, click "View Options" > "Show Raw File (Right)". This generates a File.
- BROWSER B: Start requesting file pages by guessing file IDs (this could be done automatically).
- BROWSER B: Eventually you will hit the ID of the new file and can see the private diff from BROWSER A.
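The last two steps describe a sequential walk over file IDs from a single account, which leaves a distinctive trace in the web server's access log: a run of near-consecutive file URLs, mostly denied, with the occasional success. The following is an added example, not part of the report and not Phabricator code, of detection logic a defender could run over such a log. The log format (user, method, path, status) and the sample lines are constructed for the example; the `/F<id>` path shape is an assumption about how file pages are addressed.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (not from the report).
# Format assumed for the example: "<user> <method> <path> <status>".
SAMPLE_LOG = """\
alice GET /F1201 200
bob GET /F1202 403
bob GET /F1203 403
bob GET /F1204 403
bob GET /F1205 403
bob GET /F1206 200
bob GET /F1207 403
carol GET /D42 200
bob GET /D42 403
"""

LINE_RE = re.compile(r"^(?P<user>\S+) (?P<method>\S+) (?P<path>\S+) (?P<status>\d{3})$")
FILE_RE = re.compile(r"^/F(?P<id>\d+)$")   # assumed file-page URL shape


def parse_log(text):
    """Parse log lines into (user, path, status) tuples, skipping malformed lines."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        events.append((m["user"], m["path"], int(m["status"])))
    return events


def find_enumerators(events, min_requests=5, min_denied_ratio=0.5):
    """Return {user: summary} for accounts whose file requests look like ID guessing:
    at least min_requests file fetches, mostly denied, and with IDs clustered in a
    span no wider than twice the request count (i.e. near-consecutive)."""
    per_user = defaultdict(list)
    for user, path, status in events:
        m = FILE_RE.match(path)
        if m:
            per_user[user].append((int(m["id"]), status))

    findings = {}
    for user, hits in per_user.items():
        if len(hits) < min_requests:
            continue
        ids = sorted(i for i, _ in hits)
        denied = sum(1 for _, s in hits if s == 403)
        served = sorted(i for i, s in hits if s == 200)
        span = ids[-1] - ids[0] + 1
        sequential = span <= len(ids) * 2
        if sequential and denied / len(hits) >= min_denied_ratio:
            # served_ids are the files actually disclosed; they are what to triage first
            findings[user] = {"requests": len(hits), "denied": denied, "served_ids": served}
    return findings


if __name__ == "__main__":
    for user, summary in find_enumerators(parse_log(SAMPLE_LOG)).items():
        print(f"{user}: {summary}")
```

The thresholds are deliberately loose; on a real instance they should be tuned against the normal ratio of 403s, and the `served_ids` list is the important output, since each entry is a file that was reachable despite the caller being denied its neighbours.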
Expected result:
- The file generated by Phabricator while comparing diffs should not be accessible. It is not inheriting any policy.
Actual result:
- BROWSER B can download the content of the file, seeing a private diff.
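The expected result above names the root cause: the File that "Show Raw File" generates carries a default view policy instead of inheriting the policy of the revision it was produced from. The following is an added example, not part of the report and not Phabricator's own (PHP) code: a small Python model of that policy check with the faulty lookup beside the corrected one. The policy strings, the `Revision`/`GeneratedFile` classes and the "all users" default are assumptions made for the illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Assumed policy vocabulary for the model (not Phabricator's real policy constants).
PUBLIC = "public"      # anyone, including logged-out viewers
USERS = "users"        # any logged-in account
ANONYMOUS = "<anon>"   # marker for a logged-out viewer


@dataclass
class Revision:
    phid: str
    author: str
    view_policy: str   # PUBLIC, USERS, or "user:<name>" for author-only


@dataclass
class GeneratedFile:
    phid: str
    author: str
    view_policy: str = USERS            # the default a freshly created file gets
    attached_to: Optional[Revision] = None   # the object the file was generated from


def policy_allows(policy: str, viewer: str) -> bool:
    """Evaluate one policy string against a viewer name."""
    if policy == PUBLIC:
        return True
    if policy == USERS:
        return viewer != ANONYMOUS
    if policy.startswith("user:"):
        return policy == f"user:{viewer}"
    return False


def can_view_file_vulnerable(file: GeneratedFile, viewer: str) -> bool:
    # Bug being modelled: only the file's own default policy is consulted, so
    # any logged-in user can read a raw file generated from a private revision.
    return policy_allows(file.view_policy, viewer)


def can_view_file_fixed(file: GeneratedFile, viewer: str) -> bool:
    # Corrected check: the creator always sees their own file; otherwise a file
    # generated from an object is only as visible as that object, and a generated
    # file with no owning object is private to its creator.
    if viewer == file.author:
        return True
    if file.attached_to is None:
        return False
    return policy_allows(file.attached_to.view_policy, viewer)


def demo():
    """Reproduce the report's scenario: a private revision, a raw file from it,
    and a second logged-in user who guessed the file ID."""
    private_rev = Revision("PHID-DREV-example", "alice", "user:alice")
    raw = GeneratedFile("PHID-FILE-example", "alice", attached_to=private_rev)
    public_rev = Revision("PHID-DREV-public", "alice", PUBLIC)
    raw_public = GeneratedFile("PHID-FILE-public", "alice", attached_to=public_rev)
    return {
        "bob_sees_private_raw_vulnerable": can_view_file_vulnerable(raw, "bob"),
        "bob_sees_private_raw_fixed": can_view_file_fixed(raw, "bob"),
        "alice_sees_private_raw_fixed": can_view_file_fixed(raw, "alice"),
        "bob_sees_public_raw_fixed": can_view_file_fixed(raw_public, "bob"),
        "anon_sees_public_raw_fixed": can_view_file_fixed(raw_public, ANONYMOUS),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point of the model is the shape of the fix, not the exact API: an artifact derived from a policy-controlled object should be attached to that object and answer visibility questions through it, rather than through whatever default it was created with.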
Conclusion:
We have over 80,000 files in our Phabricator instance from tens of projects for various clients. If we share our instance with a client that is either malicious or naive in keeping their credentials secure, we would expose some of our other clients' code as a consequence of using the "Show Raw File" feature.
Thanks
Matt Votsikas
Calvium Ltd
State: Closed (Resolved)
Weakness: Information Disclosure