etherpad-lite/src/node/hooks/express/importexport.js

const assert = require('assert').strict;
var hasPadAccess = require("../../padaccess");
var settings = require('../../utils/Settings');
var exportHandler = require('../../handler/ExportHandler');
var importHandler = require('../../handler/ImportHandler');
var padManager = require("../../db/PadManager");
var readOnlyManager = require("../../db/ReadOnlyManager");
var authorManager = require("../../db/AuthorManager");
const rateLimit = require("express-rate-limit");
const securityManager = require("../../db/SecurityManager");
const webaccess = require("./webaccess");

settings.importExportRateLimiting.onLimitReached = function(req, res, options) {
  // when the rate limiter triggers, write a warning in the logs
  console.warn(`Import/Export rate limiter triggered on "${req.originalUrl}" for IP address ${req.ip}`);
}

var limiter = rateLimit(settings.importExportRateLimiting);

exports.expressCreateServer = function (hook_name, args, cb) {

  // handle export requests
  args.app.use('/p/:pad/:rev?/export/:type', limiter);
  args.app.get('/p/:pad/:rev?/export/:type', async function(req, res, next) {
    var types = ["pdf", "doc", "txt", "html", "odt", "etherpad"];
    //send a 404 if we don't support this filetype
    if (types.indexOf(req.params.type) == -1) {
      return next();
    }

    // if abiword is disabled, and this is a format we only support with abiword, output a message
    if (settings.exportAvailable() == "no" &&
       ["odt", "pdf", "doc"].indexOf(req.params.type) !== -1) {
      console.error(`Impossible to export pad "${req.params.pad}" in ${req.params.type} format. There is no converter configured`);

      // ACHTUNG: do not include req.params.type in res.send() because there is no HTML escaping and it would lead to an XSS
      res.send("This export is not enabled at this Etherpad instance. Set the path to Abiword or soffice (LibreOffice) in settings.json to enable this feature");
      return;
    }

    res.header("Access-Control-Allow-Origin", "*");

    if (await hasPadAccess(req, res)) {
      let padId = req.params.pad;

      let readOnlyId = null;
      if (readOnlyManager.isReadOnlyId(padId)) {
        readOnlyId = padId;
        padId = await readOnlyManager.getPadId(readOnlyId);
      }

      let exists = await padManager.doesPadExists(padId);
      if (!exists) {
        console.warn(`Someone tried to export a pad that doesn't exist (${padId})`);
        return next();
      }

      console.log(`Exporting pad "${req.params.pad}" in ${req.params.type} format`);
      exportHandler.doExport(req, res, padId, readOnlyId, req.params.type);
    }
  });

  // handle import requests
  args.app.use('/p/:pad/import', limiter);
  args.app.post('/p/:pad/import', async function(req, res, next) {
    const {session: {user} = {}} = req;
    const {accessStatus} = await securityManager.checkAccess(
        req.params.pad, req.cookies.sessionID, req.cookies.token, user);
    if (accessStatus !== 'grant' || !webaccess.userCanModify(req.params.pad, req)) {
      return res.status(403).send('Forbidden');
    }
    await importHandler.doImport(req, res, req.params.pad);
  });

  return cb();
}
import: Use the correct author ID when using sessions There are two different ways an author ID becomes associated with a user: either bound to a token or bound to a session ID. (The token and session ID come from the `token` and `sessionID` cookies, or, in the case of socket.io messages, from the `token` and `sessionID` message properties.) When `settings.requireSession` is true or the user is accessing a group pad, the session ID should be used. Otherwise the token should be used. Before this change, the `/p/:pad/import` handler was always using the token, even when `settings.requireSession` was true. This caused the following error because a different author ID was bound to the token versus the session ID: > Unable to import file into ${pad}. Author ${authorID} exists but he > never contributed to this pad This bug was reported in issue #4006. PR #4012 worked around the problem by binding the same author ID to the token as well as the session ID. This change does the following: * Modifies the import handler to use the session ID to obtain the author ID (when appropriate). * Expands the documentation for the SecurityManager checkAccess function. * Removes the workaround from PR #4012. * Cleans up the `bin/createUserSession.js` test script. 2020-09-02 17:16:02 -04:00			`const assert = require('assert').strict;`
Moved all the hooks into a hooks directory 2012-02-25 17:23:44 +01:00			`var hasPadAccess = require("../../padaccess");`
			`var settings = require('../../utils/Settings');`
			`var exportHandler = require('../../handler/ExportHandler');`
			`var importHandler = require('../../handler/ImportHandler');`
check pad exists before importing / exporting 2018-04-04 21:48:32 +01:00			`var padManager = require("../../db/PadManager");`
Fix readOnly pad export The export request hook wasn't testing if the pad's id was from a read-only pad before validating with the pad manager. This includes an extra step that makes the read-only id verification and also avoids setting the original pad's id as the file's name. 2020-09-16 14:57:27 -03:00			`var readOnlyManager = require("../../db/ReadOnlyManager");`
import: do not allow importing into a pad from the web UI if the user is not on that pad Importing to a pad is allowed only if an author has a session estabilished and has already contributed to that specific pad. This means that as long as the user is on the pad (via the browser) then import is possible. Note that an author session is NOT the same as a group session, which is not required. This setting does not apply to API requests, only to /p/$PAD$/import This change of behaviour is introduced in Etherpad 1.8.3, and cannot be disabled. 2020-04-04 21:43:33 +00:00			`var authorManager = require("../../db/AuthorManager");`
import/export: always rate limit import and exports This is a departure from previous versions, which did not limit import/export requests. Now such requests are ALWAYS rate limited. The default is 10 requests per IP each 90 seconds, and also applies to old instances upgraded to 1.8.3. Administrators can tune the parameters via settings.importExportRateLimiting. 2020-04-04 20:39:33 +00:00			`const rateLimit = require("express-rate-limit");`
import: Use the correct author ID when using sessions There are two different ways an author ID becomes associated with a user: either bound to a token or bound to a session ID. (The token and session ID come from the `token` and `sessionID` cookies, or, in the case of socket.io messages, from the `token` and `sessionID` message properties.) When `settings.requireSession` is true or the user is accessing a group pad, the session ID should be used. Otherwise the token should be used. Before this change, the `/p/:pad/import` handler was always using the token, even when `settings.requireSession` was true. This caused the following error because a different author ID was bound to the token versus the session ID: > Unable to import file into ${pad}. Author ${authorID} exists but he > never contributed to this pad This bug was reported in issue #4006. PR #4012 worked around the problem by binding the same author ID to the token as well as the session ID. This change does the following: * Modifies the import handler to use the session ID to obtain the author ID (when appropriate). * Expands the documentation for the SecurityManager checkAccess function. * Removes the workaround from PR #4012. * Cleans up the `bin/createUserSession.js` test script. 2020-09-02 17:16:02 -04:00			`const securityManager = require("../../db/SecurityManager");`
import: Replace the `allowAnyoneToImport` check with `userCanModify` This reduces the number of hoops a user or tool must jump through to import. 2020-10-01 15:49:04 -04:00			`const webaccess = require("./webaccess");`
import/export: always rate limit import and exports This is a departure from previous versions, which did not limit import/export requests. Now such requests are ALWAYS rate limited. The default is 10 requests per IP each 90 seconds, and also applies to old instances upgraded to 1.8.3. Administrators can tune the parameters via settings.importExportRateLimiting. 2020-04-04 20:39:33 +00:00
			`settings.importExportRateLimiting.onLimitReached = function(req, res, options) {`
			`// when the rate limiter triggers, write a warning in the logs`
			console.warn(`Import/Export rate limiter triggered on "${req.originalUrl}" for IP address ${req.ip}`);
			`}`

			`var limiter = rateLimit(settings.importExportRateLimiting);`
Moved importexport 2012-02-25 16:06:08 +01:00
			`exports.expressCreateServer = function (hook_name, args, cb) {`
importexport: improved logging This is in preparation to the next activities about import/export securization. 2020-04-13 01:33:43 +02:00
			`// handle export requests`
import/export: always rate limit import and exports This is a departure from previous versions, which did not limit import/export requests. Now such requests are ALWAYS rate limited. The default is 10 requests per IP each 90 seconds, and also applies to old instances upgraded to 1.8.3. Administrators can tune the parameters via settings.importExportRateLimiting. 2020-04-04 20:39:33 +00:00			`args.app.use('/p/:pad/:rev?/export/:type', limiter);`
access controls: promisification `getPadAccess()` (src/node/padaccess.js) is now "promise only", resolving to `true` or `false` as appropriate, and throwing an exception if there's an error. The two call sites (padreadonly.js and importexport.js) updated to match. 2019-01-23 16:29:36 +00:00			`args.app.get('/p/:pad/:rev?/export/:type', async function(req, res, next) {`
semi working requires browser refresh 2014-12-29 20:57:58 +01:00			`var types = ["pdf", "doc", "txt", "html", "odt", "etherpad"];`
Moved importexport 2012-02-25 16:06:08 +01:00			`//send a 404 if we don't support this filetype`
			`if (types.indexOf(req.params.type) == -1) {`
access controls: promisification `getPadAccess()` (src/node/padaccess.js) is now "promise only", resolving to `true` or `false` as appropriate, and throwing an exception if there's an error. The two call sites (padreadonly.js and importexport.js) updated to match. 2019-01-23 16:29:36 +00:00			`return next();`
Moved importexport 2012-02-25 16:06:08 +01:00			`}`

prepare to async: trivial reformatting This change is only cosmetic. Its aim is do make it easier to understand the async changes that are going to be merged later on. It was extracted from the original work from Ray Bellis. To verify that nothing has changed, you can run the following command on each file touched by this commit: npm install uglify-es diff --unified <(uglify-js --beautify bracketize <BEFORE.js>) <(uglify-js --beautify bracketize <AFTER.js>) This is a complete script that does the same automatically (works from a mercurial clone): ```bash #!/usr/bin/env bash set -eu REVISION=<THIS_REVISION> PARENT_REV=$(hg identify --rev "${REVISION}" --template '{p1rev}') FILE_LIST=$(hg status --no-status --change ${REVISION}) UGLIFYJS="node_modules/uglify-es/bin/uglifyjs" for FILE_NAME in ${FILE_LIST[@]}; do echo "Checking ${FILE_NAME}" diff --unified \ <("${UGLIFYJS}" --beautify bracketize <(hg cat --rev "${PARENT_REV}" "${FILE_NAME}")) \ <("${UGLIFYJS}" --beautify bracketize <(hg cat --rev "${REVISION}" "${FILE_NAME}")) done ``` 2019-02-08 23:20:57 +01:00			`// if abiword is disabled, and this is a format we only support with abiword, output a message`
Use new exportAvailable() check to include check for SOffice along with Abiword in importexport hook 2015-12-18 00:14:13 -06:00			`if (settings.exportAvailable() == "no" &&`
Moved importexport 2012-02-25 16:06:08 +01:00			`["odt", "pdf", "doc"].indexOf(req.params.type) !== -1) {`
importexport: improved logging This is in preparation to the next activities about import/export securization. 2020-04-13 01:33:43 +02:00			console.error(`Impossible to export pad "${req.params.pad}" in ${req.params.type} format. There is no converter configured`);

			`// ACHTUNG: do not include req.params.type in res.send() because there is no HTML escaping and it would lead to an XSS`
			`res.send("This export is not enabled at this Etherpad instance. Set the path to Abiword or soffice (LibreOffice) in settings.json to enable this feature");`
Moved importexport 2012-02-25 16:06:08 +01:00			`return;`
			`}`

			`res.header("Access-Control-Allow-Origin", "*");`

access controls: promisification `getPadAccess()` (src/node/padaccess.js) is now "promise only", resolving to `true` or `false` as appropriate, and throwing an exception if there's an error. The two call sites (padreadonly.js and importexport.js) updated to match. 2019-01-23 16:29:36 +00:00			`if (await hasPadAccess(req, res)) {`
Fix readOnly pad export The export request hook wasn't testing if the pad's id was from a read-only pad before validating with the pad manager. This includes an extra step that makes the read-only id verification and also avoids setting the original pad's id as the file's name. 2020-09-16 14:57:27 -03:00			`let padId = req.params.pad;`

			`let readOnlyId = null;`
			`if (readOnlyManager.isReadOnlyId(padId)) {`
			`readOnlyId = padId;`
			`padId = await readOnlyManager.getPadId(readOnlyId);`
			`}`

			`let exists = await padManager.doesPadExists(padId);`
access controls: promisification `getPadAccess()` (src/node/padaccess.js) is now "promise only", resolving to `true` or `false` as appropriate, and throwing an exception if there's an error. The two call sites (padreadonly.js and importexport.js) updated to match. 2019-01-23 16:29:36 +00:00			`if (!exists) {`
Fix readOnly pad export The export request hook wasn't testing if the pad's id was from a read-only pad before validating with the pad manager. This includes an extra step that makes the read-only id verification and also avoids setting the original pad's id as the file's name. 2020-09-16 14:57:27 -03:00			console.warn(`Someone tried to export a pad that doesn't exist (${padId})`);
access controls: promisification `getPadAccess()` (src/node/padaccess.js) is now "promise only", resolving to `true` or `false` as appropriate, and throwing an exception if there's an error. The two call sites (padreadonly.js and importexport.js) updated to match. 2019-01-23 16:29:36 +00:00			`return next();`
			`}`
check pad exists before importing / exporting 2018-04-04 21:48:32 +01:00
importexport: improved logging This is in preparation to the next activities about import/export securization. 2020-04-13 01:33:43 +02:00			console.log(`Exporting pad "${req.params.pad}" in ${req.params.type} format`);
Fix readOnly pad export The export request hook wasn't testing if the pad's id was from a read-only pad before validating with the pad manager. This includes an extra step that makes the read-only id verification and also avoids setting the original pad's id as the file's name. 2020-09-16 14:57:27 -03:00			`exportHandler.doExport(req, res, padId, readOnlyId, req.params.type);`
access controls: promisification `getPadAccess()` (src/node/padaccess.js) is now "promise only", resolving to `true` or `false` as appropriate, and throwing an exception if there's an error. The two call sites (padreadonly.js and importexport.js) updated to match. 2019-01-23 16:29:36 +00:00			`}`
Moved importexport 2012-02-25 16:06:08 +01:00			`});`

prepare to async: trivial reformatting This change is only cosmetic. Its aim is do make it easier to understand the async changes that are going to be merged later on. It was extracted from the original work from Ray Bellis. To verify that nothing has changed, you can run the following command on each file touched by this commit: npm install uglify-es diff --unified <(uglify-js --beautify bracketize <BEFORE.js>) <(uglify-js --beautify bracketize <AFTER.js>) This is a complete script that does the same automatically (works from a mercurial clone): ```bash #!/usr/bin/env bash set -eu REVISION=<THIS_REVISION> PARENT_REV=$(hg identify --rev "${REVISION}" --template '{p1rev}') FILE_LIST=$(hg status --no-status --change ${REVISION}) UGLIFYJS="node_modules/uglify-es/bin/uglifyjs" for FILE_NAME in ${FILE_LIST[@]}; do echo "Checking ${FILE_NAME}" diff --unified \ <("${UGLIFYJS}" --beautify bracketize <(hg cat --rev "${PARENT_REV}" "${FILE_NAME}")) \ <("${UGLIFYJS}" --beautify bracketize <(hg cat --rev "${REVISION}" "${FILE_NAME}")) done ``` 2019-02-08 23:20:57 +01:00			`// handle import requests`
import/export: always rate limit import and exports This is a departure from previous versions, which did not limit import/export requests. Now such requests are ALWAYS rate limited. The default is 10 requests per IP each 90 seconds, and also applies to old instances upgraded to 1.8.3. Administrators can tune the parameters via settings.importExportRateLimiting. 2020-04-04 20:39:33 +00:00			`args.app.use('/p/:pad/import', limiter);`
access controls: promisification `getPadAccess()` (src/node/padaccess.js) is now "promise only", resolving to `true` or `false` as appropriate, and throwing an exception if there's an error. The two call sites (padreadonly.js and importexport.js) updated to match. 2019-01-23 16:29:36 +00:00			`args.app.post('/p/:pad/import', async function(req, res, next) {`
security: Check authentication in SecurityManager checkAccess In addition to providing defense in depth, this change makes it easier to implement future enhancements such as support for read-only users. 2020-09-11 17:12:29 -04:00			`const {session: {user} = {}} = req;`
import: Replace the `allowAnyoneToImport` check with `userCanModify` This reduces the number of hoops a user or tool must jump through to import. 2020-10-01 15:49:04 -04:00			`const {accessStatus} = await securityManager.checkAccess(`
Security: FEATURE REMOVAL: Remove all plain text password logic and ui (#4178) This will be a breaking change for some people. We removed all internal password control logic. If this affects you, you have two options: 1. Use a plugin for authentication and use session based pad access (recommended). 1. Use a plugin for password setting. The reasoning for removing this feature is to reduce the overall security footprint of Etherpad. It is unnecessary and cumbersome to keep this feature and with the thousands of available authentication methods available in the world our focus should be on supporting those and allowing more granual access based on their implementations (instead of half assed baking our own). 2020-10-07 13:43:54 +01:00			`req.params.pad, req.cookies.sessionID, req.cookies.token, user);`
import: Replace the `allowAnyoneToImport` check with `userCanModify` This reduces the number of hoops a user or tool must jump through to import. 2020-10-01 15:49:04 -04:00			`if (accessStatus !== 'grant' \|\| !webaccess.userCanModify(req.params.pad, req)) {`
			`return res.status(403).send('Forbidden');`
access controls: promisification `getPadAccess()` (src/node/padaccess.js) is now "promise only", resolving to `true` or `false` as appropriate, and throwing an exception if there's an error. The two call sites (padreadonly.js and importexport.js) updated to match. 2019-01-23 16:29:36 +00:00			`}`
import: Replace the `allowAnyoneToImport` check with `userCanModify` This reduces the number of hoops a user or tool must jump through to import. 2020-10-01 15:49:04 -04:00			`await importHandler.doImport(req, res, req.params.pad);`
Moved importexport 2012-02-25 16:06:08 +01:00			`});`
hooks: Call the callback when done If a hook function neither calls the callback nor returns a (non-undefined) value then there's no way for the hook system to know if/when the hook function has finished. 2020-10-10 22:51:26 -04:00
			`return cb();`
Moved importexport 2012-02-25 16:06:08 +01:00			`}`