shortid is deprecated and they recommend nanoid instead.
We're not sure if this has to do with possible name
collisions or enumerability, but to be sure and on the
safe side, we're changing this. nanoid seems quite safe
since it uses node's crypto module underneath.
Signed-off-by: Erik Michelson <github@erik.michelson.eu>
MySQLs string comparisons are case-insensitive by default.
This allows to hide notes by creating a new note with an alias that
equals the lower-cased alias of another note.
The new note is returned first by MySQL, so the original one is not
accessible anymore.
This fixes the problem by using an explicit binary comparison in the
affected queries.
See https://dev.mysql.com/doc/refman/8.0/en/case-sensitivity.html
Signed-off-by: David Mehren <git@herrmehren.de>
Impact
---
An attacker can read arbitrary `.md` files from the server's filesystem due to an [improper input validation](https://cwe.mitre.org/data/definitions/20.html), which results in the ability to perform a [relative path traversal](https://cwe.mitre.org/data/definitions/23.html).
CVSSv3 string: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
PoC / Quicktest
---
To verify if you are affected, you can try to open the following URL: `http://localhost:3000/..%2F..%2FREADME#` (replace `http://localhost:3000` with your instance's base-URL e.g. `https://demo.hedgedoc.org/..%2F..%2FREADME#`).
- If you see a README page being rendered, you run an affected version.
Analysis
---
The attack works due the fact that [the internal router, passes the url-encoded alias](https://github.com/hedgedoc/hedgedoc/blob/master/lib/web/note/router.js#L26) to the `noteController.showNote`-function. This function passes the input directly to [`findNote()`](78a732abe6/lib/web/note/util.js (L10)) utility function, that will pass it on the the [`parseNoteId()`](78a732abe6/lib/models/note.js (L188-L258))-function, that tries to make sense out of the noteId/alias and check if a note already exists and if so, if a corresponding file on disk was updated.
If no note exists the [note creation-function is called](78a732abe6/lib/models/note.js (L240-L245)), which pass this unvalidated alias, with a `.md` appended, into a [`path.join()`-function](78a732abe6/lib/models/note.js (L99)) which is read from the filesystem in the follow up routine and provides the pre-filled content of the new note.
This allows an attacker to not only read arbitrary `.md` files from the filesystem, but also observes changes to them.
The usefulness of this attack can be considered limited, since mainly markdown files are use the file-ending `.md` and all markdown files contained in the hedgedoc project, like the README, are public anyway. If other protections such as a chroot or container or proper file permissions are in place, this attack's usefulness is rather limited.
Workarounds
---
On a reverse-proxy level one can force a URL-decode, which will prevent this attack because the router will not accept such a path.
For more information
---
If you have any questions or comments about this advisory:
* Open an topic on [our community forum](https://community.hedgedoc.org)
* Join our [matrix room](https://chat.hedgedoc.org)
Advisory link
---
https://github.com/hedgedoc/hedgedoc/security/advisories/GHSA-p528-555r-pf87
Signed-off-by: Christoph (Sheogorath) Kern <sheogorath@shivering-isles.com>
As explained in #391, the previous note creation logic didn't handle the case "alias is set, but it's not a file on disk". The fix introduces a separate if-statement for this scenario at the cost of a doubled filesystem read access.
Co-Authored-By: @evanlinde
Signed-off-by: Erik Michelson <github@erik.michelson.eu>
Signed-off-by: Erik Michelson <github@erik.michelson.eu>
Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>
Rename to HedgeDoc: References in public/views
Signed-off-by: David Mehren <git@herrmehren.de>
Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>
Rename to HedgeDoc: Update links in README
Signed-off-by: David Mehren <git@herrmehren.de>
Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>
Rename to HedgeDoc: Update links in SECURITY.md
Signed-off-by: David Mehren <git@herrmehren.de>
Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>
Rename to HedgeDoc: Update links in LICENSE
Signed-off-by: David Mehren <git@herrmehren.de>
Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>
Rename to HedgeDoc: Update links in docs/configuration.md
Signed-off-by: David Mehren <git@herrmehren.de>
Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>
Rename to HedgeDoc: Update links in bin/setup
Signed-off-by: David Mehren <git@herrmehren.de>
Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>
Rename to HedgeDoc: References in docs/guides
Signed-off-by: David Mehren <git@herrmehren.de>
Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>
Rename to HedgeDoc: References in docs/dev
Signed-off-by: David Mehren <git@herrmehren.de>
Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>
Rename to HedgeDoc: References in docs/guides/auth
Signed-off-by: David Mehren <git@herrmehren.de>
Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>
Rename to HedgeDoc: References in docs/setup
Signed-off-by: David Mehren <git@herrmehren.de>
Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>
Rename to HedgeDoc: Update various links in code to the new GitHub org.
Signed-off-by: David Mehren <git@herrmehren.de>
Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>
Rename to HedgeDoc: codiMDVersion.js is now hedgeDocVersion.js
Signed-off-by: David Mehren <git@herrmehren.de>
Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>
Rename to HedgeDoc: References in docs/setup/yunohost
Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>
Rebrand to HedgeDoc: Add banner and logo
Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>
Rename to HedgeDoc: Update links in docs/guides/migrate-etherpad
Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>
Rename to HedgeDoc: Remove note in docs/guides/auth/github
Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>
Rename to HedgeDoc: Replace links in public/docs/features
Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>
Rename to HedgeDoc: Add todo placeholder in docs/history
Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>
Rename to HedgeDoc: Replace github link in public/views/index/body
Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>
Rename to HedgeDoc: Replace github link in README
Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>
Rename to HedgeDoc: Add logo to README
Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>
Rename to HedgeDoc: Add note about the renaming to the front page
Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>
Removed Travis from README.md and change CodiMD to HedgeDoc in some places
Signed-off-by: Yannick Bungers <git@innay.de>
Some more renaming to HedgeDoc
- Fixed capitalization of HedgeDoc
- Added renaming for etherpad migration doc
Signed-off-by: Yannick Bungers <git@innay.de>
Changed Repo name to hedgedoc
Signed-off-by: Yannick Bungers <git@innay.de>
This does some more in depth check on the error message and minimizes
the log noise that is caused by LZString.
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
When we delete a user we should delete all the notes that belong to this
user including the revisions of these notes.
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
Right now we only flag notes as deleted. This is no longer allowed under
GDPR. Make sure you do regular backups!
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
As we know the length of an UUID we can check if the base64 string
of the provided UUID is long enough for a legacy base64 encoded nodeId
and stop processing it in legacy mode, if it's not the case.
This should make the ugly warning way less common.
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
This refactors the configs a bit to now use camel case everywhere.
This change should help to clean up the config interface and make it
better understandable.
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
