mirrors/etherpad-lite
1
0
Fork 0
mirror of https://github.com/ether/etherpad-lite.git synced 2025-04-20 23:46:14 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions 1
etherpad-lite/src/node/hooks/express/importexport.js

95 lines
4.1 KiB
JavaScript
Raw Normal View History

import: Use the correct author ID when using sessions There are two different ways an author ID becomes associated with a user: either bound to a token or bound to a session ID. (The token and session ID come from the `token` and `sessionID` cookies, or, in the case of socket.io messages, from the `token` and `sessionID` message properties.) When `settings.requireSession` is true or the user is accessing a group pad, the session ID should be used. Otherwise the token should be used. Before this change, the `/p/:pad/import` handler was always using the token, even when `settings.requireSession` was true. This caused the following error because a different author ID was bound to the token versus the session ID: > Unable to import file into ${pad}. Author ${authorID} exists but he > never contributed to this pad This bug was reported in issue #4006. PR #4012 worked around the problem by binding the same author ID to the token as well as the session ID. This change does the following: * Modifies the import handler to use the session ID to obtain the author ID (when appropriate). * Expands the documentation for the SecurityManager checkAccess function. * Removes the workaround from PR #4012. * Cleans up the `bin/createUserSession.js` test script.
2020-09-02 17:16:02 -04:00
const assert = require('assert').strict;
Moved all the hooks into a hooks directory
2012-02-25 17:23:44 +01:00
var hasPadAccess = require("../../padaccess");
var settings = require('../../utils/Settings');
var exportHandler = require('../../handler/ExportHandler');
var importHandler = require('../../handler/ImportHandler');
check pad exists before importing / exporting
2018-04-04 21:48:32 +01:00
var padManager = require("../../db/PadManager");
import: do not allow importing into a pad from the web UI if the user is not on that pad Importing to a pad is allowed only if an author has a session estabilished and has already contributed to that specific pad. This means that as long as the user is on the pad (via the browser) then import is possible. Note that an author session is NOT the same as a group session, which is not required. This setting does not apply to API requests, only to /p/$PAD$/import This change of behaviour is introduced in Etherpad 1.8.3, and cannot be disabled.
2020-04-04 21:43:33 +00:00
var authorManager = require("../../db/AuthorManager");
import/export: always rate limit import and exports This is a departure from previous versions, which did not limit import/export requests. Now such requests are ALWAYS rate limited. The default is 10 requests per IP each 90 seconds, and also applies to old instances upgraded to 1.8.3. Administrators can tune the parameters via settings.importExportRateLimiting.
2020-04-04 20:39:33 +00:00
const rateLimit = require("express-rate-limit");
import: Use the correct author ID when using sessions There are two different ways an author ID becomes associated with a user: either bound to a token or bound to a session ID. (The token and session ID come from the `token` and `sessionID` cookies, or, in the case of socket.io messages, from the `token` and `sessionID` message properties.) When `settings.requireSession` is true or the user is accessing a group pad, the session ID should be used. Otherwise the token should be used. Before this change, the `/p/:pad/import` handler was always using the token, even when `settings.requireSession` was true. This caused the following error because a different author ID was bound to the token versus the session ID: > Unable to import file into ${pad}. Author ${authorID} exists but he > never contributed to this pad This bug was reported in issue #4006. PR #4012 worked around the problem by binding the same author ID to the token as well as the session ID. This change does the following: * Modifies the import handler to use the session ID to obtain the author ID (when appropriate). * Expands the documentation for the SecurityManager checkAccess function. * Removes the workaround from PR #4012. * Cleans up the `bin/createUserSession.js` test script.
2020-09-02 17:16:02 -04:00
const securityManager = require("../../db/SecurityManager");
import/export: always rate limit import and exports This is a departure from previous versions, which did not limit import/export requests. Now such requests are ALWAYS rate limited. The default is 10 requests per IP each 90 seconds, and also applies to old instances upgraded to 1.8.3. Administrators can tune the parameters via settings.importExportRateLimiting.
2020-04-04 20:39:33 +00:00
settings.importExportRateLimiting.onLimitReached = function(req, res, options) {
// when the rate limiter triggers, write a warning in the logs
console.warn(`Import/Export rate limiter triggered on "${req.originalUrl}" for IP address ${req.ip}`);
}
var limiter = rateLimit(settings.importExportRateLimiting);
Moved importexport
2012-02-25 16:06:08 +01:00
exports.expressCreateServer = function (hook_name, args, cb) {
importexport: improved logging This is in preparation to the next activities about import/export securization.
2020-04-13 01:33:43 +02:00
// handle export requests
import/export: always rate limit import and exports This is a departure from previous versions, which did not limit import/export requests. Now such requests are ALWAYS rate limited. The default is 10 requests per IP each 90 seconds, and also applies to old instances upgraded to 1.8.3. Administrators can tune the parameters via settings.importExportRateLimiting.
2020-04-04 20:39:33 +00:00
args.app.use('/p/:pad/:rev?/export/:type', limiter);
access controls: promisification `getPadAccess()` (src/node/padaccess.js) is now "promise only", resolving to `true` or `false` as appropriate, and throwing an exception if there's an error. The two call sites (padreadonly.js and importexport.js) updated to match.
2019-01-23 16:29:36 +00:00
args.app.get('/p/:pad/:rev?/export/:type', async function(req, res, next) {
semi working requires browser refresh
2014-12-29 20:57:58 +01:00
var types = ["pdf", "doc", "txt", "html", "odt", "etherpad"];
Moved importexport
2012-02-25 16:06:08 +01:00
//send a 404 if we don't support this filetype
if (types.indexOf(req.params.type) == -1) {
access controls: promisification `getPadAccess()` (src/node/padaccess.js) is now "promise only", resolving to `true` or `false` as appropriate, and throwing an exception if there's an error. The two call sites (padreadonly.js and importexport.js) updated to match.
2019-01-23 16:29:36 +00:00
return next();
Moved importexport
2012-02-25 16:06:08 +01:00
}
prepare to async: trivial reformatting This change is only cosmetic. Its aim is do make it easier to understand the async changes that are going to be merged later on. It was extracted from the original work from Ray Bellis. To verify that nothing has changed, you can run the following command on each file touched by this commit: npm install uglify-es diff --unified <(uglify-js --beautify bracketize <BEFORE.js>) <(uglify-js --beautify bracketize <AFTER.js>) This is a complete script that does the same automatically (works from a mercurial clone): ```bash #!/usr/bin/env bash set -eu REVISION=<THIS_REVISION> PARENT_REV=$(hg identify --rev "${REVISION}" --template '{p1rev}') FILE_LIST=$(hg status --no-status --change ${REVISION}) UGLIFYJS="node_modules/uglify-es/bin/uglifyjs" for FILE_NAME in ${FILE_LIST[@]}; do echo "Checking ${FILE_NAME}" diff --unified \ <("${UGLIFYJS}" --beautify bracketize <(hg cat --rev "${PARENT_REV}" "${FILE_NAME}")) \ <("${UGLIFYJS}" --beautify bracketize <(hg cat --rev "${REVISION}" "${FILE_NAME}")) done ```
2019-02-08 23:20:57 +01:00
// if abiword is disabled, and this is a format we only support with abiword, output a message
Use new exportAvailable() check to include check for SOffice along with Abiword in importexport hook
2015-12-18 00:14:13 -06:00
if (settings.exportAvailable() == "no" &&
Moved importexport
2012-02-25 16:06:08 +01:00
["odt", "pdf", "doc"].indexOf(req.params.type) !== -1) {
importexport: improved logging This is in preparation to the next activities about import/export securization.
2020-04-13 01:33:43 +02:00
console.error(`Impossible to export pad "${req.params.pad}" in ${req.params.type} format. There is no converter configured`);
// ACHTUNG: do not include req.params.type in res.send() because there is no HTML escaping and it would lead to an XSS
res.send("This export is not enabled at this Etherpad instance. Set the path to Abiword or soffice (LibreOffice) in settings.json to enable this feature");
Moved importexport
2012-02-25 16:06:08 +01:00
return;
}
res.header("Access-Control-Allow-Origin", "*");
access controls: promisification `getPadAccess()` (src/node/padaccess.js) is now "promise only", resolving to `true` or `false` as appropriate, and throwing an exception if there's an error. The two call sites (padreadonly.js and importexport.js) updated to match.
2019-01-23 16:29:36 +00:00
if (await hasPadAccess(req, res)) {
let exists = await padManager.doesPadExists(req.params.pad);
if (!exists) {
importexport: improved logging This is in preparation to the next activities about import/export securization.
2020-04-13 01:33:43 +02:00
console.warn(`Someone tried to export a pad that doesn't exist (${req.params.pad})`);
access controls: promisification `getPadAccess()` (src/node/padaccess.js) is now "promise only", resolving to `true` or `false` as appropriate, and throwing an exception if there's an error. The two call sites (padreadonly.js and importexport.js) updated to match.
2019-01-23 16:29:36 +00:00
return next();
}
check pad exists before importing / exporting
2018-04-04 21:48:32 +01:00
importexport: improved logging This is in preparation to the next activities about import/export securization.
2020-04-13 01:33:43 +02:00
console.log(`Exporting pad "${req.params.pad}" in ${req.params.type} format`);
access controls: promisification `getPadAccess()` (src/node/padaccess.js) is now "promise only", resolving to `true` or `false` as appropriate, and throwing an exception if there's an error. The two call sites (padreadonly.js and importexport.js) updated to match.
2019-01-23 16:29:36 +00:00
exportHandler.doExport(req, res, req.params.pad, req.params.type);
}
Moved importexport
2012-02-25 16:06:08 +01:00
});
prepare to async: trivial reformatting This change is only cosmetic. Its aim is do make it easier to understand the async changes that are going to be merged later on. It was extracted from the original work from Ray Bellis. To verify that nothing has changed, you can run the following command on each file touched by this commit: npm install uglify-es diff --unified <(uglify-js --beautify bracketize <BEFORE.js>) <(uglify-js --beautify bracketize <AFTER.js>) This is a complete script that does the same automatically (works from a mercurial clone): ```bash #!/usr/bin/env bash set -eu REVISION=<THIS_REVISION> PARENT_REV=$(hg identify --rev "${REVISION}" --template '{p1rev}') FILE_LIST=$(hg status --no-status --change ${REVISION}) UGLIFYJS="node_modules/uglify-es/bin/uglifyjs" for FILE_NAME in ${FILE_LIST[@]}; do echo "Checking ${FILE_NAME}" diff --unified \ <("${UGLIFYJS}" --beautify bracketize <(hg cat --rev "${PARENT_REV}" "${FILE_NAME}")) \ <("${UGLIFYJS}" --beautify bracketize <(hg cat --rev "${REVISION}" "${FILE_NAME}")) done ```
2019-02-08 23:20:57 +01:00
// handle import requests
import/export: always rate limit import and exports This is a departure from previous versions, which did not limit import/export requests. Now such requests are ALWAYS rate limited. The default is 10 requests per IP each 90 seconds, and also applies to old instances upgraded to 1.8.3. Administrators can tune the parameters via settings.importExportRateLimiting.
2020-04-04 20:39:33 +00:00
args.app.use('/p/:pad/import', limiter);
access controls: promisification `getPadAccess()` (src/node/padaccess.js) is now "promise only", resolving to `true` or `false` as appropriate, and throwing an exception if there's an error. The two call sites (padreadonly.js and importexport.js) updated to match.
2019-01-23 16:29:36 +00:00
args.app.post('/p/:pad/import', async function(req, res, next) {
import: Use the correct author ID when using sessions There are two different ways an author ID becomes associated with a user: either bound to a token or bound to a session ID. (The token and session ID come from the `token` and `sessionID` cookies, or, in the case of socket.io messages, from the `token` and `sessionID` message properties.) When `settings.requireSession` is true or the user is accessing a group pad, the session ID should be used. Otherwise the token should be used. Before this change, the `/p/:pad/import` handler was always using the token, even when `settings.requireSession` was true. This caused the following error because a different author ID was bound to the token versus the session ID: > Unable to import file into ${pad}. Author ${authorID} exists but he > never contributed to this pad This bug was reported in issue #4006. PR #4012 worked around the problem by binding the same author ID to the token as well as the session ID. This change does the following: * Modifies the import handler to use the session ID to obtain the author ID (when appropriate). * Expands the documentation for the SecurityManager checkAccess function. * Removes the workaround from PR #4012. * Cleans up the `bin/createUserSession.js` test script.
2020-09-02 17:16:02 -04:00
if (!(await padManager.doesPadExists(req.params.pad))) {
console.warn(`Someone tried to import into a pad that doesn't exist (${req.params.pad})`);
return next();
}
import: do not allow importing into a pad from the web UI if the user is not on that pad Importing to a pad is allowed only if an author has a session estabilished and has already contributed to that specific pad. This means that as long as the user is on the pad (via the browser) then import is possible. Note that an author session is NOT the same as a group session, which is not required. This setting does not apply to API requests, only to /p/$PAD$/import This change of behaviour is introduced in Etherpad 1.8.3, and cannot be disabled.
2020-04-04 21:43:33 +00:00
security: Check authentication in SecurityManager checkAccess In addition to providing defense in depth, this change makes it easier to implement future enhancements such as support for read-only users.
2020-09-11 17:12:29 -04:00
const {session: {user} = {}} = req;
import: Use the correct author ID when using sessions There are two different ways an author ID becomes associated with a user: either bound to a token or bound to a session ID. (The token and session ID come from the `token` and `sessionID` cookies, or, in the case of socket.io messages, from the `token` and `sessionID` message properties.) When `settings.requireSession` is true or the user is accessing a group pad, the session ID should be used. Otherwise the token should be used. Before this change, the `/p/:pad/import` handler was always using the token, even when `settings.requireSession` was true. This caused the following error because a different author ID was bound to the token versus the session ID: > Unable to import file into ${pad}. Author ${authorID} exists but he > never contributed to this pad This bug was reported in issue #4006. PR #4012 worked around the problem by binding the same author ID to the token as well as the session ID. This change does the following: * Modifies the import handler to use the session ID to obtain the author ID (when appropriate). * Expands the documentation for the SecurityManager checkAccess function. * Removes the workaround from PR #4012. * Cleans up the `bin/createUserSession.js` test script.
2020-09-02 17:16:02 -04:00
const {accessStatus, authorID} = await securityManager.checkAccess(
security: Check authentication in SecurityManager checkAccess In addition to providing defense in depth, this change makes it easier to implement future enhancements such as support for read-only users.
2020-09-11 17:12:29 -04:00
req.params.pad, req.cookies.sessionID, req.cookies.token, req.cookies.password, user);
import: Use the correct author ID when using sessions There are two different ways an author ID becomes associated with a user: either bound to a token or bound to a session ID. (The token and session ID come from the `token` and `sessionID` cookies, or, in the case of socket.io messages, from the `token` and `sessionID` message properties.) When `settings.requireSession` is true or the user is accessing a group pad, the session ID should be used. Otherwise the token should be used. Before this change, the `/p/:pad/import` handler was always using the token, even when `settings.requireSession` was true. This caused the following error because a different author ID was bound to the token versus the session ID: > Unable to import file into ${pad}. Author ${authorID} exists but he > never contributed to this pad This bug was reported in issue #4006. PR #4012 worked around the problem by binding the same author ID to the token as well as the session ID. This change does the following: * Modifies the import handler to use the session ID to obtain the author ID (when appropriate). * Expands the documentation for the SecurityManager checkAccess function. * Removes the workaround from PR #4012. * Cleans up the `bin/createUserSession.js` test script.
2020-09-02 17:16:02 -04:00
if (accessStatus !== 'grant') return res.status(403).send('Forbidden');
assert(authorID);
/*
* Starting from Etherpad 1.8.3 onwards, importing into a pad is allowed
* only if a user has his browser opened and connected to the pad (i.e. a
* Socket.IO session is estabilished for him) and he has already
* contributed to that specific pad.
*
* Note that this does not have anything to do with the "session", used
* for logging into "group pads". That kind of session is not needed here.
*
* This behaviour does not apply to API requests, only to /p/$PAD$/import
*
* See: https://github.com/ether/etherpad-lite/pull/3833#discussion_r407490205
*/
if (!settings.allowAnyoneToImport) {
const authorsPads = await authorManager.listPadsOfAuthor(authorID);
if (!authorsPads) {
console.warn(`Unable to import file into "${req.params.pad}". Author "${authorID}" exists but he never contributed to any pad`);
import: do not allow importing into a pad from the web UI if the user is not on that pad Importing to a pad is allowed only if an author has a session estabilished and has already contributed to that specific pad. This means that as long as the user is on the pad (via the browser) then import is possible. Note that an author session is NOT the same as a group session, which is not required. This setting does not apply to API requests, only to /p/$PAD$/import This change of behaviour is introduced in Etherpad 1.8.3, and cannot be disabled.
2020-04-04 21:43:33 +00:00
return next();
}
import: Use the correct author ID when using sessions There are two different ways an author ID becomes associated with a user: either bound to a token or bound to a session ID. (The token and session ID come from the `token` and `sessionID` cookies, or, in the case of socket.io messages, from the `token` and `sessionID` message properties.) When `settings.requireSession` is true or the user is accessing a group pad, the session ID should be used. Otherwise the token should be used. Before this change, the `/p/:pad/import` handler was always using the token, even when `settings.requireSession` was true. This caused the following error because a different author ID was bound to the token versus the session ID: > Unable to import file into ${pad}. Author ${authorID} exists but he > never contributed to this pad This bug was reported in issue #4006. PR #4012 worked around the problem by binding the same author ID to the token as well as the session ID. This change does the following: * Modifies the import handler to use the session ID to obtain the author ID (when appropriate). * Expands the documentation for the SecurityManager checkAccess function. * Removes the workaround from PR #4012. * Cleans up the `bin/createUserSession.js` test script.
2020-09-02 17:16:02 -04:00
if (authorsPads.padIDs.indexOf(req.params.pad) === -1) {
console.warn(`Unable to import file into "${req.params.pad}". Author "${authorID}" exists but he never contributed to this pad`);
import: do not allow importing into a pad from the web UI if the user is not on that pad Importing to a pad is allowed only if an author has a session estabilished and has already contributed to that specific pad. This means that as long as the user is on the pad (via the browser) then import is possible. Note that an author session is NOT the same as a group session, which is not required. This setting does not apply to API requests, only to /p/$PAD$/import This change of behaviour is introduced in Etherpad 1.8.3, and cannot be disabled.
2020-04-04 21:43:33 +00:00
return next();
}
access controls: promisification `getPadAccess()` (src/node/padaccess.js) is now "promise only", resolving to `true` or `false` as appropriate, and throwing an exception if there's an error. The two call sites (padreadonly.js and importexport.js) updated to match.
2019-01-23 16:29:36 +00:00
}
import: Use the correct author ID when using sessions There are two different ways an author ID becomes associated with a user: either bound to a token or bound to a session ID. (The token and session ID come from the `token` and `sessionID` cookies, or, in the case of socket.io messages, from the `token` and `sessionID` message properties.) When `settings.requireSession` is true or the user is accessing a group pad, the session ID should be used. Otherwise the token should be used. Before this change, the `/p/:pad/import` handler was always using the token, even when `settings.requireSession` was true. This caused the following error because a different author ID was bound to the token versus the session ID: > Unable to import file into ${pad}. Author ${authorID} exists but he > never contributed to this pad This bug was reported in issue #4006. PR #4012 worked around the problem by binding the same author ID to the token as well as the session ID. This change does the following: * Modifies the import handler to use the session ID to obtain the author ID (when appropriate). * Expands the documentation for the SecurityManager checkAccess function. * Removes the workaround from PR #4012. * Cleans up the `bin/createUserSession.js` test script.
2020-09-02 17:16:02 -04:00
importHandler.doImport(req, res, req.params.pad);
Moved importexport
2012-02-25 16:06:08 +01:00
});
}
Reference in a new issue Copy permalink