hedgedoc/lib
Sheogorath dc29a286e6
Fix arbitrary file upload for uploadimage API endpoint
This patch fixes a security issue with all existing CodiMD and HedgeDoc
installations, which allows arbitrary file uploads to instances that expose
the `/uploadimage` API endpoint. With the patch it applies the same
restrictions on the MIME-types as the frontend does. This means only images
are allowed unless configured differently.

This issue was reported by Thomas Lambertz.

To verify if you are vulnerable or not, create two files `test.html` and
`test.png` and try to upload them to your hedgedoc installation.

```sh
curl -X POST -F "image=@$(pwd)/test.html" http://localhost:3000/uploadimage
curl -X POST -F "image=@$(pwd)/test.png" http://localhost:3000/uploadimage
```

Note: Not all backends are affected. Imgur and lutim should prevent this
by their own upload API. But S3, minio, filesystem and azure will be at
risk.

Additional note: When using filesystem instead of an external upload
provider, there is a higher risk of code injection as the default CSP
does not block JS from the main domain.

References:
https://github.com/hedgedoc/hedgedoc/security/advisories/GHSA-wcr3-xhv7-8gxc

Signed-off-by: Christoph Kern <sheogorath@shivering-isles.com>
2020-12-27 19:51:01 +01:00
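The server-side restriction the commit describes, as an added illustration that is not HedgeDoc's own code: the decision is taken from the sniffed content of the upload, never from the client's claimed Content-Type or file extension, and the default allowlist mirrors the frontend's "images only" rule. The signature table and sample inputs are constructed for this example; a real service would use a full detector library rather than this three-entry table.

```javascript
// Added example (not HedgeDoc's code): allowlist check for an upload endpoint.
// Magic-byte table is an assumption covering only three common image formats.
const SIGNATURES = [
  { mime: 'image/png',  bytes: [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a] },
  { mime: 'image/jpeg', bytes: [0xff, 0xd8, 0xff] },
  { mime: 'image/gif',  bytes: [0x47, 0x49, 0x46, 0x38] },
];

// Default allowlist: the same "images only" rule the frontend enforces.
const DEFAULT_ALLOWED = new Set(['image/png', 'image/jpeg', 'image/gif']);

// Identify the real type from the leading bytes; null means "not a known image".
function sniffMime(buf) {
  for (const sig of SIGNATURES) {
    if (buf.length >= sig.bytes.length && sig.bytes.every((b, i) => buf[i] === b)) {
      return sig.mime;
    }
  }
  return null;
}

// Decide whether to store the upload. clientMime is what the request claimed;
// it is only echoed in the reason for logging and never trusted for the decision.
function checkUpload(buf, clientMime, allowed = DEFAULT_ALLOWED) {
  const mime = sniffMime(buf);
  if (mime === null) {
    return { ok: false, mime: null, reason: `unrecognised content (client claimed ${clientMime})` };
  }
  if (!allowed.has(mime)) {
    return { ok: false, mime, reason: `${mime} is not in the allowlist` };
  }
  return { ok: true, mime, reason: 'ok' };
}

// Constructed inputs standing in for the test.png / test.html of the commit message.
const SAMPLE_PNG = Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a, 0, 0, 0, 0x0d]);
const SAMPLE_HTML = Buffer.from('<html><body>not an image</body></html>');

console.log(checkUpload(SAMPLE_PNG, 'image/png'));   // accepted
console.log(checkUpload(SAMPLE_HTML, 'image/png'));  // rejected despite the claimed type
```

The HTML sample is rejected even though the request claims `image/png`, which is exactly the case the `curl` check above exercises.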
config Merge pull request #597 from hedgedoc/fix/install-docs 2020-11-29 15:51:43 +01:00
migrations Add missing catch 2020-12-02 19:39:06 +01:00
models Replace CodiMD with HedgeDoc 2020-11-14 21:18:36 +01:00
ot Fix logging in ot module 2018-11-13 23:30:13 +01:00
web Fix arbitrary file upload for uploadimage API endpoint 2020-12-27 19:51:01 +01:00
workers Rework debug logging 2019-06-08 21:27:29 +02:00
csp.js Add missing unsafe-inline CSP directive 2020-08-23 01:29:53 +02:00
errors.js Fix broken redirect on login 2020-03-21 16:56:09 +01:00
history.js Move note actions to their own file. 2019-10-27 13:51:53 +01:00
letter-avatars.js Fix eslint warnings 2019-05-31 00:30:29 +02:00
logger.js Fix eslint warnings 2019-05-31 00:30:29 +02:00
realtime.js remove unused variable to pass ci testing - #58 2019-10-03 09:24:46 -04:00
response.js Replace CodiMD with HedgeDoc 2020-11-14 21:18:36 +01:00
utils.js Makes the mime also work with upper case extension 2020-11-12 21:06:09 +01:00