A change in the minio JS SDK resulted in uploads being stored
with a defect metadata object in minio, resulting in all
files served as application/octet-stream. This was caused as
the fifth argument to putObject is a metadata object and not
the content-type alone anymore.
Signed-off-by: Erik Michelson <github@erik.michelson.eu>
New configurations:
- s3folder: (string) folder to save the files inside bucket
- s3publicFiles: (boolean) indicate if should send ACL parameters
Signed-off-by: Lautaro Alvarez <lautarolalvarez@gmail.com>
This patch adds an own filename function for `formidable`, which will
make sure to generate a random file name, using UUIDv4. This should
resolve GHSA-q6vv-2q26-j7rx.
This change is required due to a change in behaviour from version 1 to
version 2 of formidable. Formidable version 2 will generate predictable
filenames by default, which results in potential access to images, that
were uploaded while formidable v2 was used in Hedgedoc. This affects the
versions `1.9.1` and `1.9.2`.
Files generated previous to this commit will look like this:
```
<random string generated on app start><counter>.<file-extension>
38e56506ec2dcab52e9282c00.jpg
38e56506ec2dcab52e9282c01.jpg
38e56506ec2dcab52e9282c02.jpg
```
After this patch it'll look like this:
```
<uuid v4>.<file-extension>
a67f36b8-9afb-43c2-9ef2-a567a77d8628.jpg
56b3d5d0-c586-4679-9ae6-d2044843c2cd.jpg
2af727ac-a2d4-4aad-acb5-73596c2a7eb6.jpg
```
This patch was implemented using `uuid` since we already utilise this
package elsewhere in the project as well as using a secure function to
generate random strings. UUIDv4 is ideal for that. In order to be
consumable by formidable, it was wrapped in a function that makes sure
to keep the file extension.
This vulnerability was reported by Matias from [NCSC-FI](https://www.kyberturvallisuuskeskus.fi/).
References:
https://github.com/node-formidable/formidable/blob/v2-latest/src/Formidable.js#L574https://github.com/node-formidable/formidable/issues/808#issuecomment-1007090762https://www.npmjs.com/package/uuid
This patch fixes the swollowing of the actual error message that appears
when a file fails to move, after being uploaded to Hedgedoc on an
instance that is using the upload-method `filesystem` active.
This became apparent when the error messages provided by some users,
where less than helpful.
As a solution the error message of the copy command was added to the
error that is output to the console.
https://community.hedgedoc.org/t/image-upload-fail-docker/439
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
According to the AWS documentation there is no situation that there is a dash in `s3-<region>.amazonaws.com`, the correct way is with a dot `s3.<region>.amazonaws.com`
Source: https://docs.aws.amazon.com/general/latest/gr/s3.html
Signed-off-by: Matej Cotman <matej.cotman@eficode.com>
This checks all files that claim to be an svg (by their extension) that they really are and defines the typeFromMagic accordingly
Files that got identified as jpg, but have the extension .jpeg get their extension fixed.
The files extensions will work in all cases now.
Signed-off-by: Philip Molares <philip.molares@udo.edu>
This makes sure no unintended files are permanently saved.
Co-authored-by: Yannick Bungers <git@innay.de>
Signed-off-by: David Mehren <git@herrmehren.de>
This commit adds a check if the MIME-type of the uploaded file (detected using the magic bytes) matches the file extension.
Signed-off-by: David Mehren <git@herrmehren.de>
This patch reworks the error messages for image uploads to make more
sense.
Instead of using the current `formidable error` for everything, all
custom error detection now provide the (hopefully) more useful `Image
Upload error` prefix for error messages.
Signed-off-by: Christoph Kern <sheogorath@shivering-isles.com>
This patch fixes the issue of unauthenticated users, being able to
upload files, even when anonymous edits are disabled.
It's implemented by blocking uploads when either `allowAnonymous` is set
to `false` for all unauthenticated users, unless `allowAnonymousEdits`
is set to true, to make sure anonymous editors still experience the full
feature set.
Signed-off-by: Christoph Kern <sheogorath@shivering-isles.com>
This patch fixes a security issue with all existing CodiMD and HedgeDoc
installation which allows arbitary file uploads to instances that expose
the `/uploadimage` API endpoint. With the patch it implies the same
restrictions on the MIME-types as the frontend does. Means only images
are allowed unless configured differently.
This issue was reported by Thomas Lambertz.
To verify if you are vulnerable or not, create two files `test.html` and
`test.png` and try to upload them to your hedgedoc installation.
```
curl -X POST -F "image=@$(pwd)/test.html" http://localhost:3000/uploadimage
curl -X POST -F "image=@$(pwd)/test.png" http://localhost:3000/uploadimage
```
Note: Not all backends are affected. Imgur and lutim should prevent this
by their own upload API. But S3, minio, filesystem and azure, will be at
risk.
Addition Note: When using filesystem instead of an external uploads
providers, there is a higher risk of code injections as the default CSP
do not block JS from the main domain.
References:
https://github.com/hedgedoc/hedgedoc/security/advisories/GHSA-wcr3-xhv7-8gxc
Signed-off-by: Christoph Kern <sheogorath@shivering-isles.com>
Because of circular import problems, this commit also moves the error messages from response.js to errors.js
Signed-off-by: David Mehren <dmehren1@gmail.com>
We have various places with overly simple if statements that could be
handled by our logging library. Also a lot of those logs are not marked
as debug logs but as info logs, which can cause confusion during
debugging.
This patch removed unneeded if clauses around debug logging statements,
reworks debug log messages towards ECMA templates and add some new
logging statements which might be helpful in order to debug things like
image uploads.
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
Since we are about to release it's time to finally fix our linting. This
patch basically runs eslint --fix and does some further manual fixes.
Also it sets up eslint to fail on every warning on order to make
warnings visable in the CI process.
There should no functional change be introduced.
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
most rules degraded to WARN, so we don't go insane. This will
change over time. The aim is to conform to a common style
Signed-off-by: Claudius Coenen <opensource@amenthes.de>
In https://github.com/hackmdio/hackmd/issues/834 is described how
starting HackMD crashes when using the wrong working dir.
This is caused by a relative path in our upload routine. This change
should fix it and prevent future crashes.
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
This refactors the configs a bit to now use camel case everywhere.
This change should help to clean up the config interface and make it
better understandable.
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
This should make the imageRouter more modular and easier to extent. Also
a lot of code duplication was removed which should simplify maintenance
in future.
In the new setup we only need to provide a new module file which exports
a function called `uploadImage` and takes a filePath and a callback as
argument. The callback itself takes an error and an url as parameter.
This eliminates the need of a try-catch-block around the statement and
re-enabled the optimization in NodeJS.
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
