mirror of
https://github.com/hedgedoc/hedgedoc.git
synced 2024-11-24 18:56:32 -05:00
9e2f9e21e9
This patch adds an own filename function for `formidable`, which will make sure to generate a random file name, using UUIDv4. This should resolve GHSA-q6vv-2q26-j7rx. This change is required due to a change in behaviour from version 1 to version 2 of formidable. Formidable version 2 will generate predictable filenames by default, which results in potential access to images, that were uploaded while formidable v2 was used in Hedgedoc. This affects the versions `1.9.1` and `1.9.2`. Files generated previous to this commit will look like this: ``` <random string generated on app start><counter>.<file-extension> 38e56506ec2dcab52e9282c00.jpg 38e56506ec2dcab52e9282c01.jpg 38e56506ec2dcab52e9282c02.jpg ``` After this patch it'll look like this: ``` <uuid v4>.<file-extension> a67f36b8-9afb-43c2-9ef2-a567a77d8628.jpg 56b3d5d0-c586-4679-9ae6-d2044843c2cd.jpg 2af727ac-a2d4-4aad-acb5-73596c2a7eb6.jpg ``` This patch was implemented using `uuid` since we already utilise this package elsewhere in the project as well as using a secure function to generate random strings. UUIDv4 is ideal for that. In order to be consumable by formidable, it was wrapped in a function that makes sure to keep the file extension. This vulnerability was reported by Matias from [NCSC-FI](https://www.kyberturvallisuuskeskus.fi/). References: https://github.com/node-formidable/formidable/blob/v2-latest/src/Formidable.js#L574 https://github.com/node-formidable/formidable/issues/808#issuecomment-1007090762 https://www.npmjs.com/package/uuid |
||
---|---|---|
.. | ||
config | ||
migrations | ||
models | ||
ot | ||
web | ||
workers | ||
csp.js | ||
errors.js | ||
history.js | ||
letter-avatars.js | ||
logger.js | ||
prometheus.js | ||
realtime.js | ||
response.js | ||
utils.js |