github/hedgedoc
1
0
Fork 0
mirror of https://github.com/hedgedoc/hedgedoc.git synced 2025-02-27 04:31:22 +00:00
Code Issues Projects Releases Packages Wiki Activity

Fix arbitary file upload for uploadimage API endpoint

Browse source 
This patch fixes a security issue with all existing CodiMD and HedgeDoc
installation which allows arbitary file uploads to instances that expose
the `/uploadimage` API endpoint. With the patch it implies the same
restrictions on the MIME-types as the frontend does. Means only images
are allowed unless configured differently.

This issue was reported by Thomas Lambertz.

To verify if you are vulnerable or not, create two files `test.html` and
`test.png` and try to upload them to your hedgedoc installation.

```
curl -X POST -F "image=@$(pwd)/test.html" http://localhost:3000/uploadimage
curl -X POST -F "image=@$(pwd)/test.png" http://localhost:3000/uploadimage
```

Note: Not all backends are affected. Imgur and lutim should prevent this
by their own upload API. But S3, minio, filesystem and azure, will be at
risk.

Addition Note: When using filesystem instead of an external uploads
providers, there is a higher risk of code injections as the default CSP
do not block JS from the main domain.

References:
https://github.com/hedgedoc/hedgedoc/security/advisories/GHSA-wcr3-xhv7-8gxc

Signed-off-by: Christoph Kern <sheogorath@shivering-isles.com>
This commit is contained in:
Sheogorath 2020-11-23 12:42:19 +01:00 committed by David Mehren
parent 58276ebbf4
commit dc29a286e6
No known key found for this signature in database
GPG key ID: 185982BA4C42B7C3
1 changed files with 8 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

10
lib/web/imageRouter/index.js
View file

@ -20,9 +20,15 @@ imageRouter.post('/uploadimage', function (req, res) {
}
form.parse(req, function (err, fields, files) {
if (err || !files.image || !files.image.path) {
if (err) {
logger.error(`formidable error: ${err}`)
errors.errorForbidden(res)
return errors.errorForbidden(res)
} else if (!files.image || !files.image.path) {
logger.error(`formidable error: Upload didn't contain file)`)
return errors.errorBadRequest(res)
} else if (!config.allowedUploadMimeTypes.includes(files.image.type)) {
logger.error(`formidable error: MIME-type "${files.image.type}" of uploaded file not allowed, only "${config.allowedUploadMimeTypes.join(', ')}" are allowed)`)
return errors.errorBadRequest(res)
} else {
logger.debug(`SERVER received uploadimage: ${JSON.stringify(files.image)}`)