hedgedoc/lib/web/imageRouter/index.js

118 lines
3.5 KiB
JavaScript
Raw Normal View History

'use strict'
const Router = require('express').Router
const formidable = require('formidable')
const path = require('path')
const fs = require('fs')
const { v4: uuidv4 } = require('uuid')
const os = require('os')
const rimraf = require('rimraf')
const isSvg = require('is-svg')
const config = require('../../config')
const logger = require('../../logger')
const errors = require('../../errors')
const imageRouter = (module.exports = Router())
async function checkUploadType (filePath) {
const extension = path.extname(filePath).toLowerCase()
const FileType = await import('file-type')
let typeFromMagic = await FileType.fileTypeFromFile(filePath)
if (extension === '.svg' && (typeFromMagic === undefined || typeFromMagic.mime === 'application/xml')) {
const fileContent = fs.readFileSync(filePath)
if (isSvg(fileContent)) {
typeFromMagic = {
ext: 'svg',
mime: 'image/svg+xml'
}
}
}
if (typeFromMagic === undefined) {
logger.error('Image upload error: Could not determine MIME-type')
return false
}
// .jpeg, .jfif, .jpe files are identified by FileType to have the extension jpg
if (['.jpeg', '.jfif', '.jpe'].includes(extension) && typeFromMagic.ext === 'jpg') {
typeFromMagic.ext = extension.substr(1)
}
if (extension !== '.' + typeFromMagic.ext) {
logger.error(
'Image upload error: Provided file extension does not match MIME-type'
)
return false
}
if (!config.allowedUploadMimeTypes.includes(typeFromMagic.mime)) {
logger.error(
`Image upload error: MIME-type "${
typeFromMagic.mime
}" of uploaded file not allowed, only "${config.allowedUploadMimeTypes.join(
', '
)}" are allowed`
)
return false
}
return true
}
// upload image
imageRouter.post('/uploadimage', function (req, res) {
if (
!req.isAuthenticated() &&
!config.allowAnonymous &&
!config.allowAnonymousEdits
) {
logger.error(
'Image upload error: Anonymous edits and therefore uploads are not allowed'
)
return errors.errorForbidden(res)
}
const tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), 'hedgedoc-'))
const form = formidable({
keepExtensions: true,
fix(imageRouter): Fix enumerable image upload issue This patch adds an own filename function for `formidable`, which will make sure to generate a random file name, using UUIDv4. This should resolve GHSA-q6vv-2q26-j7rx. This change is required due to a change in behaviour from version 1 to version 2 of formidable. Formidable version 2 will generate predictable filenames by default, which results in potential access to images, that were uploaded while formidable v2 was used in Hedgedoc. This affects the versions `1.9.1` and `1.9.2`. Files generated previous to this commit will look like this: ``` <random string generated on app start><counter>.<file-extension> 38e56506ec2dcab52e9282c00.jpg 38e56506ec2dcab52e9282c01.jpg 38e56506ec2dcab52e9282c02.jpg ``` After this patch it'll look like this: ``` <uuid v4>.<file-extension> a67f36b8-9afb-43c2-9ef2-a567a77d8628.jpg 56b3d5d0-c586-4679-9ae6-d2044843c2cd.jpg 2af727ac-a2d4-4aad-acb5-73596c2a7eb6.jpg ``` This patch was implemented using `uuid` since we already utilise this package elsewhere in the project as well as using a secure function to generate random strings. UUIDv4 is ideal for that. In order to be consumable by formidable, it was wrapped in a function that makes sure to keep the file extension. This vulnerability was reported by Matias from [NCSC-FI](https://www.kyberturvallisuuskeskus.fi/). References: https://github.com/node-formidable/formidable/blob/v2-latest/src/Formidable.js#L574 https://github.com/node-formidable/formidable/issues/808#issuecomment-1007090762 https://www.npmjs.com/package/uuid
2022-04-08 20:36:30 -04:00
uploadDir: tmpDir,
filename: function (filename, ext) {
if (typeof ext !== 'string') {
ext = '.invalid'
}
return uuidv4() + ext
fix(imageRouter): Fix enumerable image upload issue This patch adds an own filename function for `formidable`, which will make sure to generate a random file name, using UUIDv4. This should resolve GHSA-q6vv-2q26-j7rx. This change is required due to a change in behaviour from version 1 to version 2 of formidable. Formidable version 2 will generate predictable filenames by default, which results in potential access to images, that were uploaded while formidable v2 was used in Hedgedoc. This affects the versions `1.9.1` and `1.9.2`. Files generated previous to this commit will look like this: ``` <random string generated on app start><counter>.<file-extension> 38e56506ec2dcab52e9282c00.jpg 38e56506ec2dcab52e9282c01.jpg 38e56506ec2dcab52e9282c02.jpg ``` After this patch it'll look like this: ``` <uuid v4>.<file-extension> a67f36b8-9afb-43c2-9ef2-a567a77d8628.jpg 56b3d5d0-c586-4679-9ae6-d2044843c2cd.jpg 2af727ac-a2d4-4aad-acb5-73596c2a7eb6.jpg ``` This patch was implemented using `uuid` since we already utilise this package elsewhere in the project as well as using a secure function to generate random strings. UUIDv4 is ideal for that. In order to be consumable by formidable, it was wrapped in a function that makes sure to keep the file extension. This vulnerability was reported by Matias from [NCSC-FI](https://www.kyberturvallisuuskeskus.fi/). References: https://github.com/node-formidable/formidable/blob/v2-latest/src/Formidable.js#L574 https://github.com/node-formidable/formidable/issues/808#issuecomment-1007090762 https://www.npmjs.com/package/uuid
2022-04-08 20:36:30 -04:00
}
})
form.parse(req, async function (err, fields, files) {
if (err) {
logger.error(`Image upload error: formidable error: ${err}`)
rimraf.sync(tmpDir)
return errors.errorForbidden(res)
} else if (!files.image || !files.image.filepath) {
logger.error('Image upload error: Upload didn\'t contain file)')
rimraf.sync(tmpDir)
return errors.errorBadRequest(res)
} else if (!(await checkUploadType(files.image.filepath))) {
rimraf.sync(tmpDir)
return errors.errorBadRequest(res)
} else {
logger.debug(
`SERVER received uploadimage: ${JSON.stringify(files.image)}`
)
const uploadProvider = require('./' + config.imageUploadType)
logger.debug(
`imageRouter: Uploading ${files.image.filepath} using ${config.imageUploadType}`
)
uploadProvider.uploadImage(files.image.filepath, function (err, url) {
rimraf.sync(tmpDir)
if (err !== null) {
logger.error(err)
return res.status(500).end('upload image error')
}
logger.debug(`SERVER sending ${url} to client`)
res.send({
link: url
})
})
}
})
})