Impact
---
An attacker can read arbitrary `.md` files from the server's filesystem due to an [improper input validation](https://cwe.mitre.org/data/definitions/20.html), which results in the ability to perform a [relative path traversal](https://cwe.mitre.org/data/definitions/23.html).
CVSSv3 string: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
PoC / Quicktest
---
To verify if you are affected, you can try to open the following URL: `http://localhost:3000/..%2F..%2FREADME#` (replace `http://localhost:3000` with your instance's base-URL e.g. `https://demo.hedgedoc.org/..%2F..%2FREADME#`).
- If you see a README page being rendered, you run an affected version.
Analysis
---
The attack works due the fact that [the internal router, passes the url-encoded alias](https://github.com/hedgedoc/hedgedoc/blob/master/lib/web/note/router.js#L26) to the `noteController.showNote`-function. This function passes the input directly to [`findNote()`](78a732abe6/lib/web/note/util.js (L10)) utility function, that will pass it on the the [`parseNoteId()`](78a732abe6/lib/models/note.js (L188-L258))-function, that tries to make sense out of the noteId/alias and check if a note already exists and if so, if a corresponding file on disk was updated.
If no note exists the [note creation-function is called](78a732abe6/lib/models/note.js (L240-L245)), which pass this unvalidated alias, with a `.md` appended, into a [`path.join()`-function](78a732abe6/lib/models/note.js (L99)) which is read from the filesystem in the follow up routine and provides the pre-filled content of the new note.
This allows an attacker to not only read arbitrary `.md` files from the filesystem, but also observes changes to them.
The usefulness of this attack can be considered limited, since mainly markdown files are use the file-ending `.md` and all markdown files contained in the hedgedoc project, like the README, are public anyway. If other protections such as a chroot or container or proper file permissions are in place, this attack's usefulness is rather limited.
Workarounds
---
On a reverse-proxy level one can force a URL-decode, which will prevent this attack because the router will not accept such a path.
For more information
---
If you have any questions or comments about this advisory:
* Open an topic on [our community forum](https://community.hedgedoc.org)
* Join our [matrix room](https://chat.hedgedoc.org)
Advisory link
---
https://github.com/hedgedoc/hedgedoc/security/advisories/GHSA-p528-555r-pf87
Signed-off-by: Christoph (Sheogorath) Kern <sheogorath@shivering-isles.com>
This reuses the `realtime.getStatus` method to get the state of the
application state on every prometheus scrape cycle.
Signed-off-by: David Mehren <git@herrmehren.de>
Previously one could override notes in FreeURL-mode by sending multiple POST requests to the /new/<alias> endpoint. This commit adds a check for an already existing note with the requested alias and returns a HTTP 409 Conflict error in case that happens.
Signed-off-by: Erik Michelson <opensource@erik.michelson.eu>
This checks all files that claim to be an svg (by their extension) that they really are and defines the typeFromMagic accordingly
Files that got identified as jpg, but have the extension .jpeg get their extension fixed.
The files extensions will work in all cases now.
Signed-off-by: Philip Molares <philip.molares@udo.edu>
This commit removes the need for separate migrations with the sequelize-cli
by running them with umzug on application startup.
This is a port of #384
Co-authored-by: Sheogorath <sheogorath@shivering-isles.com>
Signed-off-by: David Mehren <git@herrmehren.de>
When FreeURL mode is enabled and you called the /download route, the note was created and the user redirected to the blank note.
This is caused because the findNote method automatically creates a note when no existing one is found.
This commit adds a new parameter to the findNote method which allows to disable this behaviour. In that case a HTTP 404 error will be returned.
Signed-off-by: Erik Michelson <github@erik.michelson.eu>
As explained in #391, the previous note creation logic didn't handle the case "alias is set, but it's not a file on disk". The fix introduces a separate if-statement for this scenario at the cost of a doubled filesystem read access.
Co-Authored-By: @evanlinde
Signed-off-by: Erik Michelson <github@erik.michelson.eu>
This mitigates unintended note creation by bots or humans through a
simple GET call.
See discussion in #754.
Signed-off-by: Nicolas Dietrich <nidi@mailbox.org>
This makes sure no unintended files are permanently saved.
Co-authored-by: Yannick Bungers <git@innay.de>
Signed-off-by: David Mehren <git@herrmehren.de>
This commit adds a check if the MIME-type of the uploaded file (detected using the magic bytes) matches the file extension.
Signed-off-by: David Mehren <git@herrmehren.de>
This patch reworks the error messages for image uploads to make more
sense.
Instead of using the current `formidable error` for everything, all
custom error detection now provide the (hopefully) more useful `Image
Upload error` prefix for error messages.
Signed-off-by: Christoph Kern <sheogorath@shivering-isles.com>
This patch fixes the issue of unauthenticated users, being able to
upload files, even when anonymous edits are disabled.
It's implemented by blocking uploads when either `allowAnonymous` is set
to `false` for all unauthenticated users, unless `allowAnonymousEdits`
is set to true, to make sure anonymous editors still experience the full
feature set.
Signed-off-by: Christoph Kern <sheogorath@shivering-isles.com>
This patch fixes a security issue with all existing CodiMD and HedgeDoc
installation which allows arbitary file uploads to instances that expose
the `/uploadimage` API endpoint. With the patch it implies the same
restrictions on the MIME-types as the frontend does. Means only images
are allowed unless configured differently.
This issue was reported by Thomas Lambertz.
To verify if you are vulnerable or not, create two files `test.html` and
`test.png` and try to upload them to your hedgedoc installation.
```
curl -X POST -F "image=@$(pwd)/test.html" http://localhost:3000/uploadimage
curl -X POST -F "image=@$(pwd)/test.png" http://localhost:3000/uploadimage
```
Note: Not all backends are affected. Imgur and lutim should prevent this
by their own upload API. But S3, minio, filesystem and azure, will be at
risk.
Addition Note: When using filesystem instead of an external uploads
providers, there is a higher risk of code injections as the default CSP
do not block JS from the main domain.
References:
https://github.com/hedgedoc/hedgedoc/security/advisories/GHSA-wcr3-xhv7-8gxc
Signed-off-by: Christoph Kern <sheogorath@shivering-isles.com>
If the optional config options `config.oauth2.userProfileIdAttr` or `config.oauth2.rolesClaim` were not set, `String.split` was called on `undefined`, triggering a crash.
This commit adds handling of these cases and improves error logging in `checkAuthorization`.
Fixes#608
Signed-off-by: David Mehren <git@herrmehren.de>
Signed-off-by: Erik Michelson <github@erik.michelson.eu>
Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>
Rename to HedgeDoc: References in public/views
Signed-off-by: David Mehren <git@herrmehren.de>
Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>
Rename to HedgeDoc: Update links in README
Signed-off-by: David Mehren <git@herrmehren.de>
Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>
Rename to HedgeDoc: Update links in SECURITY.md
Signed-off-by: David Mehren <git@herrmehren.de>
Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>
Rename to HedgeDoc: Update links in LICENSE
Signed-off-by: David Mehren <git@herrmehren.de>
Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>
Rename to HedgeDoc: Update links in docs/configuration.md
Signed-off-by: David Mehren <git@herrmehren.de>
Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>
Rename to HedgeDoc: Update links in bin/setup
Signed-off-by: David Mehren <git@herrmehren.de>
Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>
Rename to HedgeDoc: References in docs/guides
Signed-off-by: David Mehren <git@herrmehren.de>
Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>
Rename to HedgeDoc: References in docs/dev
Signed-off-by: David Mehren <git@herrmehren.de>
Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>
Rename to HedgeDoc: References in docs/guides/auth
Signed-off-by: David Mehren <git@herrmehren.de>
Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>
Rename to HedgeDoc: References in docs/setup
Signed-off-by: David Mehren <git@herrmehren.de>
Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>
Rename to HedgeDoc: Update various links in code to the new GitHub org.
Signed-off-by: David Mehren <git@herrmehren.de>
Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>
Rename to HedgeDoc: codiMDVersion.js is now hedgeDocVersion.js
Signed-off-by: David Mehren <git@herrmehren.de>
Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>
Rename to HedgeDoc: References in docs/setup/yunohost
Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>
Rebrand to HedgeDoc: Add banner and logo
Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>
Rename to HedgeDoc: Update links in docs/guides/migrate-etherpad
Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>
Rename to HedgeDoc: Remove note in docs/guides/auth/github
Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>
Rename to HedgeDoc: Replace links in public/docs/features
Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>
Rename to HedgeDoc: Add todo placeholder in docs/history
Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>
Rename to HedgeDoc: Replace github link in public/views/index/body
Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>
Rename to HedgeDoc: Replace github link in README
Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>
Rename to HedgeDoc: Add logo to README
Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>
Rename to HedgeDoc: Add note about the renaming to the front page
Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>
Removed Travis from README.md and change CodiMD to HedgeDoc in some places
Signed-off-by: Yannick Bungers <git@innay.de>
Some more renaming to HedgeDoc
- Fixed capitalization of HedgeDoc
- Added renaming for etherpad migration doc
Signed-off-by: Yannick Bungers <git@innay.de>
Changed Repo name to hedgedoc
Signed-off-by: Yannick Bungers <git@innay.de>
Currently, when creating a note with content via the API, a title is only saved to the database after visiting the note with the browser. This commit makes sure that a title is saved at creation time.
Closes#306
Signed-off-by: David Mehren <git@herrmehren.de>
The OAuth2 specification RECOMMENDS setting the state to protect against
CSRF attacks. Some OAuth2 providers (e.g. ORY Hydra) refuse to
authenticate without the state set.
This is a cherry-pick of 852868419d.
Signed-off-by: haslersn <sebastian.hasler@gmx.net>