Commit graph

602 commits

Author SHA1 Message Date
David Mehren
59f669e593
Merge pull request from GHSA-p528-555r-pf87
Fix Relative Path Traversal Attack on note creation
2021-04-25 21:28:18 +02:00
Sheogorath
44b7f607a5
Fix Relative Path Traversal Attack on note creation
Impact
---

An attacker can read arbitrary `.md` files from the server's filesystem due to an [improper input validation](https://cwe.mitre.org/data/definitions/20.html), which results in the ability to perform a [relative path traversal](https://cwe.mitre.org/data/definitions/23.html).

CVSSv3 string: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

PoC / Quicktest
---

To verify if you are affected, you can try to open the following URL: `http://localhost:3000/..%2F..%2FREADME#` (replace `http://localhost:3000` with your instance's base-URL e.g. `https://demo.hedgedoc.org/..%2F..%2FREADME#`).
- If you see a README page being rendered, you run an affected version.

Analysis
---

The attack works due the fact that [the internal router, passes the url-encoded alias](https://github.com/hedgedoc/hedgedoc/blob/master/lib/web/note/router.js#L26) to the `noteController.showNote`-function. This function passes the input directly to [`findNote()`](78a732abe6/lib/web/note/util.js (L10)) utility function, that will pass it on the the [`parseNoteId()`](78a732abe6/lib/models/note.js (L188-L258))-function, that tries to make sense out of the noteId/alias and check if a note already exists and if so, if a corresponding file on disk was updated.

If no note exists the [note creation-function is called](78a732abe6/lib/models/note.js (L240-L245)), which pass this unvalidated alias, with a `.md` appended, into a [`path.join()`-function](78a732abe6/lib/models/note.js (L99)) which is read from the filesystem in the follow up routine and provides the pre-filled content of the new note.

This allows an attacker to not only read arbitrary `.md` files from the filesystem, but also  observes changes to them.

The usefulness of this attack can be considered limited, since mainly markdown files are use the file-ending `.md` and all markdown files contained in the hedgedoc project, like the README, are public anyway. If other protections such as a chroot or container or proper file permissions are in place, this attack's usefulness is rather limited.

Workarounds
---
On a reverse-proxy level one can force a URL-decode, which will prevent this attack because the router will not accept such a path.

For more information
---

If you have any questions or comments about this advisory:
* Open an topic on [our community forum](https://community.hedgedoc.org)
* Join our [matrix room](https://chat.hedgedoc.org)

Advisory link
---

https://github.com/hedgedoc/hedgedoc/security/advisories/GHSA-p528-555r-pf87

Signed-off-by: Christoph (Sheogorath) Kern <sheogorath@shivering-isles.com>
2021-04-25 20:40:17 +02:00
David Mehren
5c70cc021f
Add custom prometheus metrics
This reuses the `realtime.getStatus` method to get the state of the
application state on every prometheus scrape cycle.

Signed-off-by: David Mehren <git@herrmehren.de>
2021-04-25 20:06:56 +02:00
Philip Molares
f34d927e8c ImageRouterImgur: Replace imgur library with note-fetch request
This kinda is a backport of https://github.com/hedgedoc/hedgedoc/pull/961

Signed-off-by: Philip Molares <philip.molares@udo.edu>
2021-04-22 21:23:27 +02:00
Erik Michelson
f948de1d48
Remove yahoo domain from default CSP rules
Signed-off-by: Erik Michelson <opensource@erik.michelson.eu>
2021-03-29 23:35:12 +02:00
Yannick Bungers
1534d7029b
Merge pull request #1079 from hedgedoc/fix/mimeTypes 2021-03-29 23:14:53 +02:00
Erik Michelson
dcea082286
Add better logging messages
Signed-off-by: Erik Michelson <opensource@erik.michelson.eu>
2021-03-29 23:07:11 +02:00
Erik Michelson
124b064252
Check for existing notes on POST and dont override them
Previously one could override notes in FreeURL-mode by sending multiple POST requests to the /new/<alias> endpoint. This commit adds a check for an already existing note with the requested alias and returns a HTTP 409 Conflict error in case that happens.

Signed-off-by: Erik Michelson <opensource@erik.michelson.eu>
2021-03-29 23:00:34 +02:00
Philip Molares
5dbe99b4c7 ImageUpload: Fix errors with .jpeg and .svg
This checks all files that claim to be an svg (by their extension) that they really are and defines the typeFromMagic accordingly
Files that got identified as jpg, but have the extension .jpeg get their extension fixed.
The files extensions will work in all cases now.

Signed-off-by: Philip Molares <philip.molares@udo.edu>
2021-03-29 22:38:42 +02:00
Philip Molares
be3eee1603 Config: Remove image/jpg
This was done because both .jpg and .jpeg get the mime type 'image/jpeg' by FileType

Signed-off-by: Philip Molares <philip.molares@udo.edu>
2021-03-28 22:28:35 +02:00
Erik Michelson
731fb24500
Replace request library with node-fetch
Signed-off-by: Erik Michelson <github@erik.michelson.eu>
2021-03-12 22:27:49 +01:00
David Mehren
0db862f3c9
Run database migrations automatically on startup
This commit removes the need for separate migrations with the sequelize-cli
by running them with umzug on application startup.

This is a port of #384

Co-authored-by: Sheogorath <sheogorath@shivering-isles.com>
Signed-off-by: David Mehren <git@herrmehren.de>
2021-02-27 21:33:05 +01:00
David Mehren
d98393e431
Merge pull request #889 from hedgedoc/renovate/master-uuid-8.x 2021-02-25 20:49:03 +01:00
Erik Michelson
7e597226ec
Add HTTP 404 error on non-existent note downloads
When FreeURL mode is enabled and you called the /download route, the note was created and the user redirected to the blank note.
This is caused because the findNote method automatically creates a note when no existing one is found.
This commit adds a new parameter to the findNote method which allows to disable this behaviour. In that case a HTTP 404 error will be returned.

Signed-off-by: Erik Michelson <github@erik.michelson.eu>
2021-02-17 22:02:47 +01:00
David Mehren
67cb3c89f5
Use new uuid export
Signed-off-by: David Mehren <git@herrmehren.de>
2021-02-16 22:25:38 +01:00
Philip Molares
136d895d15 Linter: Fix all lint errors
Signed-off-by: Philip Molares <philip.molares@udo.edu>
2021-02-15 12:15:14 +01:00
David Mehren
252141560f
Switch to minio v7 API
The secure parameter is now called useSSL
https://github.com/minio/minio-js/releases/tag/7.0.0

Signed-off-by: David Mehren <git@herrmehren.de>
2021-02-12 23:11:37 +01:00
David Mehren
4655e9c785
Fix SAML auth error logging
As stated in https://github.com/node-saml/passport-saml/blob/master/CHANGELOG.md#v200-2020-11-03
and the corresponding PR https://github.com/node-saml/passport-saml/pull/412
passport-saml now always throws error objects instead of strings.
This fixes our error logging to accommodate this change.

Signed-off-by: David Mehren <git@herrmehren.de>
2021-02-11 22:00:22 +01:00
Erik Michelson
3808c08c2d
Fix note creation in FreeURL mode not using template
As explained in #391, the previous note creation logic didn't handle the case "alias is set, but it's not a file on disk". The fix introduces a separate if-statement for this scenario at the cost of a doubled filesystem read access.

Co-Authored-By: @evanlinde
Signed-off-by: Erik Michelson <github@erik.michelson.eu>
2021-02-02 00:38:54 +01:00
Nicolas Dietrich
ad056d7dbb Don't add new config option in hackmd compatibility layer
Signed-off-by: Nicolas Dietrich <nidi@mailbox.org>
2021-01-23 16:20:03 +01:00
Nicolas Dietrich
5e269e4af9 Keep JS and env varibale name in sync (requireFreeURLAuthentication)
Signed-off-by: Nicolas Dietrich <nidi@mailbox.org>
2021-01-23 14:14:47 +01:00
Nicolas Dietrich
497569fee4 Add config option which requires authentication in FreeURL mode
This mitigates unintended note creation by bots or humans through a
simple GET call.

See discussion in #754.

Signed-off-by: Nicolas Dietrich <nidi@mailbox.org>
2021-01-22 16:52:49 +01:00
Nicolas Dietrich
3331c0947c Minor refactoring of freeURL condition check
Signed-off-by: Nicolas Dietrich <nidi@mailbox.org>
2021-01-22 16:52:49 +01:00
David Mehren
6932cc4df7
Always save uploads to a tmpdir first and cleanup afterwards
This makes sure no unintended files are permanently saved.

Co-authored-by: Yannick Bungers <git@innay.de>
Signed-off-by: David Mehren <git@herrmehren.de>
2020-12-27 19:51:14 +01:00
David Mehren
cf4344d9e0
Improve MIME-type checks of uploaded files
This commit adds a check if the MIME-type of the uploaded file (detected using the magic bytes) matches the file extension.

Signed-off-by: David Mehren <git@herrmehren.de>
2020-12-27 19:51:12 +01:00
Sheogorath
f83e4d66ed
Rework error messages for image uploads
This patch reworks the error messages for image uploads to make more
sense.

Instead of using the current `formidable error` for everything, all
custom error detection now provide the (hopefully) more useful `Image
Upload error` prefix for error messages.

Signed-off-by: Christoph Kern <sheogorath@shivering-isles.com>
2020-12-27 19:51:02 +01:00
Sheogorath
d097211c54
Fix unauthenticated file uploads
This patch fixes the issue of unauthenticated users, being able to
upload files, even when anonymous edits are disabled.

It's implemented by blocking uploads when either `allowAnonymous` is set
to `false` for all unauthenticated users, unless `allowAnonymousEdits`
is set to true, to make sure anonymous editors still experience the full
feature set.

Signed-off-by: Christoph Kern <sheogorath@shivering-isles.com>
2020-12-27 19:51:01 +01:00
Sheogorath
dc29a286e6
Fix arbitary file upload for uploadimage API endpoint
This patch fixes a security issue with all existing CodiMD and HedgeDoc
installation which allows arbitary file uploads to instances that expose
the `/uploadimage` API endpoint. With the patch it implies the same
restrictions on the MIME-types as the frontend does. Means only images
are allowed unless configured differently.

This issue was reported by Thomas Lambertz.

To verify if you are vulnerable or not, create two files `test.html` and
`test.png` and try to upload them to your hedgedoc installation.

```
curl -X POST -F "image=@$(pwd)/test.html" http://localhost:3000/uploadimage
curl -X POST -F "image=@$(pwd)/test.png" http://localhost:3000/uploadimage
```

Note: Not all backends are affected. Imgur and lutim should prevent this
by their own upload API. But S3, minio, filesystem and azure, will be at
risk.

Addition Note: When using filesystem instead of an external uploads
providers, there is a higher risk of code injections as the default CSP
do not block JS from the main domain.

References:
https://github.com/hedgedoc/hedgedoc/security/advisories/GHSA-wcr3-xhv7-8gxc

Signed-off-by: Christoph Kern <sheogorath@shivering-isles.com>
2020-12-27 19:51:01 +01:00
David Mehren
0989ae426e
Merge pull request #609 from hedgedoc/fix/oauth2-auth
Fix crash when OAuth2 config parameters are missing
2020-12-02 20:48:12 +01:00
Tilman Vatteroth
0318ce3e83
Add missing catch
Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>
2020-12-02 19:39:06 +01:00
Tilman Vatteroth
120225947f
Catch more errors
Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>
2020-12-02 17:22:27 +01:00
Tilman Vatteroth
4ae80a3ed0
[Migrations] Replace similar code
Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>
2020-11-30 17:39:50 +01:00
Tilman Vatteroth
a157599884
[Migrations] Add variant of error message to catch block
Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>
2020-11-30 17:31:55 +01:00
David Mehren
cc7fa947bf
Fix crash when OAuth2 config parameters are missing
If the optional config options `config.oauth2.userProfileIdAttr` or `config.oauth2.rolesClaim` were not set, `String.split` was called on `undefined`, triggering a crash.

This commit adds handling of these cases and improves error logging in `checkAuthorization`.

Fixes #608

Signed-off-by: David Mehren <git@herrmehren.de>
2020-11-30 15:04:30 +01:00
David Mehren
a5d835cb74
Merge pull request #597 from hedgedoc/fix/install-docs 2020-11-29 15:51:43 +01:00
David Mehren
0b44a40d1a
Replace mentions of config.js with config.json
Signed-off-by: David Mehren <git@herrmehren.de>
2020-11-27 22:41:54 +01:00
David Mehren
61f54db63e
Merge pull request #596 from hedgedoc/remove-pdf-export-code
Remove pdf export code
2020-11-27 18:31:19 +01:00
Tilman Vatteroth
97312b5ed3
Remove pdf export code
Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>
2020-11-26 21:09:23 +01:00
Joachim Mathes
729b387536 Add oauth2 authorization
Signed-off-by: Joachim Mathes <joachim_mathes@web.de>
2020-11-25 19:23:55 +01:00
Tilman Vatteroth
cdc5a89cd7
apply review suggestions 2020-11-15 20:12:39 +01:00
Tilman Vatteroth
978538c0de
Correct repo name
Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>
2020-11-14 22:24:44 +01:00
Erik Michelson
b28839484d
Replace CodiMD with HedgeDoc
Signed-off-by: Erik Michelson <github@erik.michelson.eu>
Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>

Rename to HedgeDoc: References in public/views

Signed-off-by: David Mehren <git@herrmehren.de>
Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>

Rename to HedgeDoc: Update links in README

Signed-off-by: David Mehren <git@herrmehren.de>
Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>

Rename to HedgeDoc: Update links in SECURITY.md

Signed-off-by: David Mehren <git@herrmehren.de>
Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>

Rename to HedgeDoc: Update links in LICENSE

Signed-off-by: David Mehren <git@herrmehren.de>
Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>

Rename to HedgeDoc: Update links in docs/configuration.md

Signed-off-by: David Mehren <git@herrmehren.de>
Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>

Rename to HedgeDoc: Update links in bin/setup

Signed-off-by: David Mehren <git@herrmehren.de>
Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>

Rename to HedgeDoc: References in docs/guides

Signed-off-by: David Mehren <git@herrmehren.de>
Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>

Rename to HedgeDoc: References in docs/dev

Signed-off-by: David Mehren <git@herrmehren.de>
Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>

Rename to HedgeDoc: References in docs/guides/auth

Signed-off-by: David Mehren <git@herrmehren.de>
Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>

Rename to HedgeDoc: References in docs/setup

Signed-off-by: David Mehren <git@herrmehren.de>
Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>

Rename to HedgeDoc: Update various links in code to the new GitHub org.

Signed-off-by: David Mehren <git@herrmehren.de>
Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>

Rename to HedgeDoc: codiMDVersion.js is now hedgeDocVersion.js

Signed-off-by: David Mehren <git@herrmehren.de>
Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>

Rename to HedgeDoc: References in docs/setup/yunohost

Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>

Rebrand to HedgeDoc: Add banner and logo

Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>

Rename to HedgeDoc: Update links in docs/guides/migrate-etherpad

Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>

Rename to HedgeDoc: Remove note in docs/guides/auth/github

Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>

Rename to HedgeDoc: Replace links in public/docs/features

Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>

Rename to HedgeDoc: Add todo placeholder in docs/history

Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>

Rename to HedgeDoc: Replace github link in public/views/index/body

Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>

Rename to HedgeDoc: Replace github link in README

Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>

Rename to HedgeDoc: Add logo to README

Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>

Rename to HedgeDoc: Add note about the renaming to the front page

Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>

Removed Travis from README.md and change CodiMD to HedgeDoc in some places

Signed-off-by: Yannick Bungers <git@innay.de>

Some more renaming to HedgeDoc
- Fixed capitalization of HedgeDoc
- Added renaming for etherpad migration doc

Signed-off-by: Yannick Bungers <git@innay.de>

Changed Repo name to hedgedoc

Signed-off-by: Yannick Bungers <git@innay.de>
2020-11-14 21:18:36 +01:00
David Mehren
dcdb6c1f96
Merge pull request #509 from pierreozoux/quick-fix
Makes the mime also work with upper case extension
2020-11-13 17:17:47 +01:00
pierreozoux
afc801b1c3 Makes the mime also work with upper case extension
Signed-off-by: pierreozoux <pierre@ozoux.net>
2020-11-12 21:06:09 +01:00
David Mehren
9dd74da17f
Save note title to database when creating a note
Currently, when creating a note with content via the API, a title is only saved to the database after visiting the note with the browser. This commit makes sure that a title is saved at creation time.

Closes #306

Signed-off-by: David Mehren <git@herrmehren.de>
2020-11-11 21:24:55 +01:00
Dexter Chua
a88b4aff2a Generic OAuth2: Set state: true
The OAuth2 specification RECOMMENDS setting the state to protect against
CSRF attacks. Some OAuth2 providers (e.g. ORY Hydra) refuse to
authenticate without the state set.

This is a cherry-pick of 852868419d.

Signed-off-by: haslersn <sebastian.hasler@gmx.net>
2020-10-22 22:50:34 +02:00
David Mehren
3461993ee0
Merge pull request #486 from codimd/feature/cookie-policy 2020-09-25 22:39:30 +02:00
Erik Michelson
4ece86f0ef
Update documentation and messages to new default value
Signed-off-by: Erik Michelson <github@erik.michelson.eu>
2020-09-08 09:58:15 +02:00
Erik Michelson
387e668275
Changed default policy from 'strict' to 'lax' due to the reasons mentioned in 3d1fab05
Signed-off-by: Erik Michelson <github@erik.michelson.eu>
2020-08-27 09:05:17 +02:00
Erik Michelson
824f910bfe
Add config option for cookie SameSite policy
Signed-off-by: Erik Michelson <github@erik.michelson.eu>
2020-08-27 02:04:49 +02:00