mirrors/hedgedoc
1
0
Fork 0
mirror of https://github.com/hedgedoc/hedgedoc.git synced 2025-05-19 01:35:18 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions

Remove PDF export

Browse source 
As we already decleared in earlier versions, this patch removes PDF
export entirely. It's a not acceptable security risk for every CodiMD
instance.

The current implementation allowed to extract arbitary files from the
CodiMD host and therefore leaking secrets from a `/etc/passwd` to
CodiMD's own config files and all secrets contained in it.

Thanks to Joona for finding this vulnerability in August last year,
which lead to an emergency disabling of PDF exports in 1.5.0.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
This commit is contained in:
Sheogorath 2020-02-26 14:52:55 +01:00
parent 37923d11f8
commit a2522888b2
No known key found for this signature in database
GPG key ID: C9B1C80737B9CE18
18 changed files with 5 additions and 99 deletions
Download patch file Download diff file Expand all files Collapse all files

32
lib/web/note/actions.js
View file

@ -4,7 +4,6 @@ const config = require('../../config')
const errors = require('../../errors')
const fs = require('fs')
const shortId = require('shortid')
const markdownpdf = require('markdown-pdf')
const moment = require('moment')
const querystring = require('querystring')
@ -33,37 +32,6 @@ exports.getInfo = function getInfo (req, res, note) {
res.send(data)
}
exports.createPDF = function createPDF (req, res, note) {
const url = config.serverURL || 'http://' + req.get('host')
const body = note.content
const extracted = models.Note.extractMeta(body)
let content = extracted.markdown
const title = models.Note.decodeTitle(note.title)
if (!fs.existsSync(config.tmpPath)) {
fs.mkdirSync(config.tmpPath)
}
const path = config.tmpPath + '/' + Date.now() + '.pdf'
content = content.replace(/\]\(\//g, '](' + url + '/')
markdownpdf().from.string(content).to(path, function () {
if (!fs.existsSync(path)) {
logger.error('PDF seems to not be generated as expected. File doesn\'t exist: ' + path)
return errors.errorInternalError(res)
}
const stream = fs.createReadStream(path)
let filename = title
// Be careful of special characters
filename = encodeURIComponent(filename)
// Ideally this should strip them
res.setHeader('Content-disposition', 'attachment; filename="' + filename + '.pdf"')
res.setHeader('Cache-Control', 'private')
res.setHeader('Content-Type', 'application/pdf; charset=UTF-8')
res.setHeader('X-Robots-Tag', 'noindex, nofollow') // prevent crawling
stream.pipe(res)
fs.unlinkSync(path)
})
}
exports.createGist = function createGist (req, res, note) {
const data = {
client_id: config.github.clientID,