Commit graph

611 commits

Author SHA1 Message Date
Yannick Bungers
1d082ae827
Merge pull request #1369 from hedgedoc/feature/remove_unsafe_eval
2021-06-08 22:16:07 +02:00
David Mehren
3cd169a650
Remove unsafe-eval from default CSP
As script-loader was removed in the previous commits,
we can finally tighten up security.

Signed-off-by: David Mehren <git@herrmehren.de>
2021-06-07 23:04:45 +02:00
David Mehren
7283ccd5e8
Allow configuring Disqus & GA CSP with env vars
Signed-off-by: David Mehren <git@herrmehren.de>
2021-06-07 22:57:12 +02:00
David Mehren
52231f688d
Disable GA and Disqus in default CSP
Signed-off-by: David Mehren <git@herrmehren.de>
2021-06-07 22:57:12 +02:00
David Mehren
7f3c04c9fc
SAML: Use privateKey option
The old `privateCert` option was removed in
https://github.com/node-saml/passport-saml/pull/569

Signed-off-by: David Mehren <git@herrmehren.de>
2021-05-17 18:46:00 +02:00
David Mehren
f552b14e11
Sanitize username and photo URL
HedgeDoc displays the username and user photo at various places
by rendering the respective variables into an `ejs` template.
As the values are user-provided or generated from user-provided data,
it may be possible to inject unwanted HTML.

This commit sanitizes the username and photo URL by passing them
through the `xss` library.

Co-authored-by: Christoph (Sheogorath) Kern <sheogorath@shivering-isles.com>
Signed-off-by: David Mehren <git@herrmehren.de>
2021-05-09 19:28:44 +02:00
David Mehren
aece96f539
Automatically enable protocolUseSSL when useSSL is set
This makes the behavior consistent with the docs and
saves the user from having to both set
`useSSL` and `protocolUseSSL`.

Signed-off-by: David Mehren <git@herrmehren.de>
2021-05-06 21:19:14 +02:00
David Mehren
0b61f48129
Fix upgradeInsecureRequests CSP directive
The `upgradeInsecureRequests` option of Helmet's CSP middleware
was a boolean in Helmet 3, but with Helmet 4,
everything changed to lists.
This commit adjusts the addUpgradeUnsafeRequestsOptionTo
function accordingly.

Closes #1221

See also https://github.com/helmetjs/helmet/tree/v4.6.0/middlewares/content-security-policy

Signed-off-by: David Mehren <git@herrmehren.de>
2021-05-04 11:10:53 +02:00
Erik Michelson
e54236d057
Remove unneeded polyfill
This polyfill was added because node versions less than 10.5.0 didn't include scrypt support. As we now raised the minimum required version to 12.0.0, this polyfill isn't needed anymore.

Signed-off-by: Erik Michelson <opensource@erik.michelson.eu>
2021-04-26 17:05:20 +02:00
David Mehren
59f669e593
Merge pull request from GHSA-p528-555r-pf87
Fix Relative Path Traversal Attack on note creation
2021-04-25 21:28:18 +02:00
Sheogorath
44b7f607a5
Fix Relative Path Traversal Attack on note creation
Impact
---

An attacker can read arbitrary `.md` files from the server's filesystem due to an [improper input validation](https://cwe.mitre.org/data/definitions/20.html), which results in the ability to perform a [relative path traversal](https://cwe.mitre.org/data/definitions/23.html).

CVSSv3 string: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

PoC / Quicktest
---

To verify if you are affected, you can try to open the following URL: `http://localhost:3000/..%2F..%2FREADME#` (replace `http://localhost:3000` with your instance's base-URL e.g. `https://demo.hedgedoc.org/..%2F..%2FREADME#`).
- If you see a README page being rendered, you run an affected version.

Analysis
---

The attack works due to the fact that [the internal router passes the url-encoded alias](https://github.com/hedgedoc/hedgedoc/blob/master/lib/web/note/router.js#L26) to the `noteController.showNote` function. This function passes the input directly to the [`findNote()`](78a732abe6/lib/web/note/util.js (L10)) utility function, which passes it on to the [`parseNoteId()`](78a732abe6/lib/models/note.js (L188-L258)) function, which tries to make sense of the noteId/alias and checks if a note already exists and, if so, if a corresponding file on disk was updated.

If no note exists, the [note creation function is called](78a732abe6/lib/models/note.js (L240-L245)), which passes this unvalidated alias, with a `.md` appended, into a [`path.join()` call](78a732abe6/lib/models/note.js (L99)); the resulting path is read from the filesystem in the follow-up routine and provides the pre-filled content of the new note.

This allows an attacker not only to read arbitrary `.md` files from the filesystem, but also to observe changes to them.

The usefulness of this attack can be considered limited, since mainly markdown files use the file ending `.md` and all markdown files contained in the hedgedoc project, like the README, are public anyway. If other protections such as a chroot or container or proper file permissions are in place, this attack's usefulness is rather limited.

Workarounds
---
On a reverse-proxy level one can force a URL-decode, which will prevent this attack because the router will not accept such a path.

For more information
---

If you have any questions or comments about this advisory:
* Open a topic on [our community forum](https://community.hedgedoc.org)
* Join our [matrix room](https://chat.hedgedoc.org)

Advisory link
---

https://github.com/hedgedoc/hedgedoc/security/advisories/GHSA-p528-555r-pf87

Signed-off-by: Christoph (Sheogorath) Kern <sheogorath@shivering-isles.com>
2021-04-25 20:40:17 +02:00
David Mehren
5c70cc021f
Add custom prometheus metrics
This reuses the `realtime.getStatus` method to get the state of the
application state on every prometheus scrape cycle.

Signed-off-by: David Mehren <git@herrmehren.de>
2021-04-25 20:06:56 +02:00
Philip Molares
f34d927e8c
ImageRouterImgur: Replace imgur library with node-fetch request
This kinda is a backport of https://github.com/hedgedoc/hedgedoc/pull/961

Signed-off-by: Philip Molares <philip.molares@udo.edu>
2021-04-22 21:23:27 +02:00
Erik Michelson
f948de1d48
Remove yahoo domain from default CSP rules
Signed-off-by: Erik Michelson <opensource@erik.michelson.eu>
2021-03-29 23:35:12 +02:00
Yannick Bungers
1534d7029b
Merge pull request #1079 from hedgedoc/fix/mimeTypes
2021-03-29 23:14:53 +02:00
Erik Michelson
dcea082286
Add better logging messages
Signed-off-by: Erik Michelson <opensource@erik.michelson.eu>
2021-03-29 23:07:11 +02:00
Erik Michelson
124b064252
Check for existing notes on POST and don't override them
Previously one could override notes in FreeURL-mode by sending multiple POST requests to the /new/<alias> endpoint. This commit adds a check for an already existing note with the requested alias and returns an HTTP 409 Conflict error in case that happens.

Signed-off-by: Erik Michelson <opensource@erik.michelson.eu>
2021-03-29 23:00:34 +02:00
Philip Molares
5dbe99b4c7
ImageUpload: Fix errors with .jpeg and .svg
This checks that all files which claim to be an svg (by their extension) really are, and defines the typeFromMagic accordingly.
Files that got identified as jpg but have the extension .jpeg get their extension fixed.
The file extensions will work in all cases now.

Signed-off-by: Philip Molares <philip.molares@udo.edu>
2021-03-29 22:38:42 +02:00
Philip Molares
be3eee1603
Config: Remove image/jpg
This was done because both .jpg and .jpeg get the mime type 'image/jpeg' by FileType

Signed-off-by: Philip Molares <philip.molares@udo.edu>
2021-03-28 22:28:35 +02:00
Erik Michelson
731fb24500
Replace request library with node-fetch
Signed-off-by: Erik Michelson <github@erik.michelson.eu>
2021-03-12 22:27:49 +01:00
David Mehren
0db862f3c9
Run database migrations automatically on startup
This commit removes the need for separate migrations with the sequelize-cli
by running them with umzug on application startup.

This is a port of #384

Co-authored-by: Sheogorath <sheogorath@shivering-isles.com>
Signed-off-by: David Mehren <git@herrmehren.de>
2021-02-27 21:33:05 +01:00
David Mehren
d98393e431
Merge pull request #889 from hedgedoc/renovate/master-uuid-8.x
2021-02-25 20:49:03 +01:00
Erik Michelson
7e597226ec
Add HTTP 404 error on non-existent note downloads
When FreeURL mode is enabled and you called the /download route, the note was created and the user redirected to the blank note.
This is caused by the findNote method automatically creating a note when no existing one is found.
This commit adds a new parameter to the findNote method which allows disabling this behaviour. In that case an HTTP 404 error will be returned.

Signed-off-by: Erik Michelson <github@erik.michelson.eu>
2021-02-17 22:02:47 +01:00
David Mehren
67cb3c89f5
Use new uuid export
Signed-off-by: David Mehren <git@herrmehren.de>
2021-02-16 22:25:38 +01:00
Philip Molares
136d895d15
Linter: Fix all lint errors
Signed-off-by: Philip Molares <philip.molares@udo.edu>
2021-02-15 12:15:14 +01:00
David Mehren
252141560f
Switch to minio v7 API
The secure parameter is now called useSSL
https://github.com/minio/minio-js/releases/tag/7.0.0

Signed-off-by: David Mehren <git@herrmehren.de>
2021-02-12 23:11:37 +01:00
David Mehren
4655e9c785
Fix SAML auth error logging
As stated in https://github.com/node-saml/passport-saml/blob/master/CHANGELOG.md#v200-2020-11-03
and the corresponding PR https://github.com/node-saml/passport-saml/pull/412
passport-saml now always throws error objects instead of strings.
This fixes our error logging to accommodate this change.

Signed-off-by: David Mehren <git@herrmehren.de>
2021-02-11 22:00:22 +01:00
Erik Michelson
3808c08c2d
Fix note creation in FreeURL mode not using template
As explained in #391, the previous note creation logic didn't handle the case "alias is set, but it's not a file on disk". The fix introduces a separate if-statement for this scenario at the cost of a doubled filesystem read access.

Co-Authored-By: @evanlinde
Signed-off-by: Erik Michelson <github@erik.michelson.eu>
2021-02-02 00:38:54 +01:00
Nicolas Dietrich
ad056d7dbb
Don't add new config option in hackmd compatibility layer
Signed-off-by: Nicolas Dietrich <nidi@mailbox.org>
2021-01-23 16:20:03 +01:00
Nicolas Dietrich
5e269e4af9
Keep JS and env variable name in sync (requireFreeURLAuthentication)
Signed-off-by: Nicolas Dietrich <nidi@mailbox.org>
2021-01-23 14:14:47 +01:00
Nicolas Dietrich
497569fee4
Add config option which requires authentication in FreeURL mode
This mitigates unintended note creation by bots or humans through a
simple GET call.

See discussion in #754.

Signed-off-by: Nicolas Dietrich <nidi@mailbox.org>
2021-01-22 16:52:49 +01:00
Nicolas Dietrich
3331c0947c
Minor refactoring of freeURL condition check
Signed-off-by: Nicolas Dietrich <nidi@mailbox.org>
2021-01-22 16:52:49 +01:00
David Mehren
6932cc4df7
Always save uploads to a tmpdir first and cleanup afterwards
This makes sure no unintended files are permanently saved.

Co-authored-by: Yannick Bungers <git@innay.de>
Signed-off-by: David Mehren <git@herrmehren.de>
2020-12-27 19:51:14 +01:00
David Mehren
cf4344d9e0
Improve MIME-type checks of uploaded files
This commit adds a check if the MIME-type of the uploaded file (detected using the magic bytes) matches the file extension.

Signed-off-by: David Mehren <git@herrmehren.de>
2020-12-27 19:51:12 +01:00
Sheogorath
f83e4d66ed
Rework error messages for image uploads
This patch reworks the error messages for image uploads to make more
sense.

Instead of using the current `formidable error` for everything, all
custom error detection now provides the (hopefully) more useful `Image
Upload error` prefix for error messages.

Signed-off-by: Christoph Kern <sheogorath@shivering-isles.com>
2020-12-27 19:51:02 +01:00
Sheogorath
d097211c54
Fix unauthenticated file uploads
This patch fixes the issue of unauthenticated users being able to
upload files even when anonymous edits are disabled.

It's implemented by blocking uploads for all unauthenticated users when
`allowAnonymous` is set to `false`, unless `allowAnonymousEdits` is set
to `true`, to make sure anonymous editors still experience the full
feature set.

Signed-off-by: Christoph Kern <sheogorath@shivering-isles.com>
2020-12-27 19:51:01 +01:00
Sheogorath
dc29a286e6
Fix arbitrary file upload for uploadimage API endpoint
This patch fixes a security issue with all existing CodiMD and HedgeDoc
installations which allows arbitrary file uploads to instances that expose
the `/uploadimage` API endpoint. With the patch, the same restrictions
on the MIME types as in the frontend apply, meaning only images
are allowed unless configured differently.

This issue was reported by Thomas Lambertz.

To verify if you are vulnerable or not, create two files `test.html` and
`test.png` and try to upload them to your hedgedoc installation.

```
curl -X POST -F "image=@$(pwd)/test.html" http://localhost:3000/uploadimage
curl -X POST -F "image=@$(pwd)/test.png" http://localhost:3000/uploadimage
```

Note: Not all backends are affected. Imgur and lutim should prevent this
by their own upload API. But S3, minio, filesystem and azure, will be at
risk.

Additional note: When using the filesystem instead of an external upload
provider, there is a higher risk of code injection as the default CSP
does not block JS from the main domain.

References:
https://github.com/hedgedoc/hedgedoc/security/advisories/GHSA-wcr3-xhv7-8gxc

Signed-off-by: Christoph Kern <sheogorath@shivering-isles.com>
2020-12-27 19:51:01 +01:00
David Mehren
0989ae426e
Merge pull request #609 from hedgedoc/fix/oauth2-auth
Fix crash when OAuth2 config parameters are missing
2020-12-02 20:48:12 +01:00
Tilman Vatteroth
0318ce3e83
Add missing catch
Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>
2020-12-02 19:39:06 +01:00
Tilman Vatteroth
120225947f
Catch more errors
Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>
2020-12-02 17:22:27 +01:00
Tilman Vatteroth
4ae80a3ed0
[Migrations] Replace similar code
Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>
2020-11-30 17:39:50 +01:00
Tilman Vatteroth
a157599884
[Migrations] Add variant of error message to catch block
Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>
2020-11-30 17:31:55 +01:00
David Mehren
cc7fa947bf
Fix crash when OAuth2 config parameters are missing
If the optional config options `config.oauth2.userProfileIdAttr` or `config.oauth2.rolesClaim` were not set, `String.split` was called on `undefined`, triggering a crash.

This commit adds handling of these cases and improves error logging in `checkAuthorization`.

Fixes #608

Signed-off-by: David Mehren <git@herrmehren.de>
2020-11-30 15:04:30 +01:00
David Mehren
a5d835cb74
Merge pull request #597 from hedgedoc/fix/install-docs
2020-11-29 15:51:43 +01:00
David Mehren
0b44a40d1a
Replace mentions of config.js with config.json
Signed-off-by: David Mehren <git@herrmehren.de>
2020-11-27 22:41:54 +01:00
David Mehren
61f54db63e
Merge pull request #596 from hedgedoc/remove-pdf-export-code
Remove pdf export code
2020-11-27 18:31:19 +01:00
Tilman Vatteroth
97312b5ed3
Remove pdf export code
Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>
2020-11-26 21:09:23 +01:00
Joachim Mathes
729b387536
Add oauth2 authorization
Signed-off-by: Joachim Mathes <joachim_mathes@web.de>
2020-11-25 19:23:55 +01:00
Tilman Vatteroth
cdc5a89cd7
apply review suggestions
2020-11-15 20:12:39 +01:00
Tilman Vatteroth
978538c0de
Correct repo name
Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>
2020-11-14 22:24:44 +01:00