summaryrefslogtreecommitdiff
path: root/lib
diff options
context:
space:
mode:
authorSheogorath2020-11-23 12:42:19 +0100
committerDavid Mehren2020-12-27 19:51:01 +0100
commitdc29a286e665555cccb92760908e50cd967fd2e7 (patch)
tree57754a3e2b0ed3e1ce00b667f495c76ffc3e5159 /lib
parent58276ebbf4504a682454a3686dcaff88bc1069d4 (diff)
Fix arbitary file upload for uploadimage API endpoint
This patch fixes a security issue with all existing CodiMD and HedgeDoc installation which allows arbitary file uploads to instances that expose the `/uploadimage` API endpoint. With the patch it implies the same restrictions on the MIME-types as the frontend does. Means only images are allowed unless configured differently. This issue was reported by Thomas Lambertz. To verify if you are vulnerable or not, create two files `test.html` and `test.png` and try to upload them to your hedgedoc installation. ``` curl -X POST -F "image=@$(pwd)/test.html" http://localhost:3000/uploadimage curl -X POST -F "image=@$(pwd)/test.png" http://localhost:3000/uploadimage ``` Note: Not all backends are affected. Imgur and lutim should prevent this by their own upload API. But S3, minio, filesystem and azure, will be at risk. Addition Note: When using filesystem instead of an external uploads providers, there is a higher risk of code injections as the default CSP do not block JS from the main domain. References: https://github.com/hedgedoc/hedgedoc/security/advisories/GHSA-wcr3-xhv7-8gxc Signed-off-by: Christoph Kern <sheogorath@shivering-isles.com>
Diffstat (limited to 'lib')
-rw-r--r--lib/web/imageRouter/index.js10
1 files changed, 8 insertions, 2 deletions
diff --git a/lib/web/imageRouter/index.js b/lib/web/imageRouter/index.js
index aa02e9b0..b5c486c3 100644
--- a/lib/web/imageRouter/index.js
+++ b/lib/web/imageRouter/index.js
@@ -20,9 +20,15 @@ imageRouter.post('/uploadimage', function (req, res) {
}
form.parse(req, function (err, fields, files) {
- if (err || !files.image || !files.image.path) {
+ if (err) {
logger.error(`formidable error: ${err}`)
- errors.errorForbidden(res)
+ return errors.errorForbidden(res)
+ } else if (!files.image || !files.image.path) {
+ logger.error(`formidable error: Upload didn't contain file)`)
+ return errors.errorBadRequest(res)
+ } else if (!config.allowedUploadMimeTypes.includes(files.image.type)) {
+ logger.error(`formidable error: MIME-type "${files.image.type}" of uploaded file not allowed, only "${config.allowedUploadMimeTypes.join(', ')}" are allowed)`)
+ return errors.errorBadRequest(res)
} else {
logger.debug(`SERVER received uploadimage: ${JSON.stringify(files.image)}`)