hedgedoc/lib
Sheogorath 9e2f9e21e9 fix(imageRouter): Fix enumerable image upload issue
This patch adds its own filename function for `formidable`, which will
make sure to generate a random file name using UUIDv4. This should
resolve GHSA-q6vv-2q26-j7rx.

This change is required due to a change in behaviour from version 1 to
version 2 of formidable. Formidable version 2 will generate predictable
filenames by default, which results in potential access to images that
were uploaded while formidable v2 was used in Hedgedoc. This affects the
versions `1.9.1` and `1.9.2`.

Files generated prior to this commit will look like this:

```
<random string generated on app start><counter>.<file-extension>
38e56506ec2dcab52e9282c00.jpg
38e56506ec2dcab52e9282c01.jpg
38e56506ec2dcab52e9282c02.jpg
```

After this patch it'll look like this:

```
<uuid v4>.<file-extension>
a67f36b8-9afb-43c2-9ef2-a567a77d8628.jpg
56b3d5d0-c586-4679-9ae6-d2044843c2cd.jpg
2af727ac-a2d4-4aad-acb5-73596c2a7eb6.jpg
```

This patch was implemented using `uuid`, since we already utilise this
package elsewhere in the project and it uses a secure function to
generate random strings. UUIDv4 is ideal for that. In order to be
consumable by formidable, it was wrapped in a function that makes sure
to keep the file extension.

This vulnerability was reported by Matias from [NCSC-FI](https://www.kyberturvallisuuskeskus.fi/).

References:
https://github.com/node-formidable/formidable/blob/v2-latest/src/Formidable.js#L574
https://github.com/node-formidable/formidable/issues/808#issuecomment-1007090762
https://www.npmjs.com/package/uuid
2022-04-10 21:08:32 +02:00
| Name | Last commit | Date |
|---|---|---|
| config | Allow SAML authentication provider to be named | 2022-03-20 19:59:53 +01:00 |
| migrations | Add missing catch | 2020-12-02 19:39:06 +01:00 |
| models | Use libravatar image if email address is defined | 2022-01-07 14:01:32 +01:00 |
| ot | Fix logging in ot module | 2018-11-13 23:30:13 +01:00 |
| web | fix(imageRouter): Fix enumerable image upload issue | 2022-04-10 21:08:32 +02:00 |
| workers | Linter: Fix all lint errors | 2021-02-15 12:15:14 +01:00 |
| csp.js | Refactor existing code to add the configured domain to connect-src | 2021-09-16 19:43:20 +02:00 |
| errors.js | Check for existing notes on POST and dont override them | 2021-03-29 23:00:34 +02:00 |
| history.js | Linter: Fix all lint errors | 2021-02-15 12:15:14 +01:00 |
| letter-avatars.js | Use identicons as fallback for libravatar | 2022-01-07 14:03:26 +01:00 |
| logger.js | Fix eslint warnings | 2019-05-31 00:30:29 +02:00 |
| prometheus.js | Add custom prometheus metrics | 2021-04-25 20:06:56 +02:00 |
| realtime.js | Linter: Fix all lint errors | 2021-02-15 12:15:14 +01:00 |
| response.js | Don't throw error if gitlab response is not okay-ish | 2021-10-29 20:57:20 +02:00 |
| utils.js | Exclude /metrics and /status routes from session initialization | 2021-07-20 23:56:54 +02:00 |