mirror of
https://github.com/ether/etherpad-lite.git
synced 2025-04-22 08:26:16 -04:00
Security: Fix revision parsing (#5772)
A carefully crated URL can cause Etherpad to hang.
This commit is contained in:
John McLear
GitHub
parent
1d289520eb
commit
1e98033632
9 changed files with 325 additions and 29 deletions
|
|
@ -33,6 +33,7 @@ const exportTxt = require('../utils/ExportTxt');
|
|||
const importHtml = require('../utils/ImportHtml');
|
||||
const cleanText = require('./Pad').cleanText;
|
||||
const PadDiff = require('../utils/padDiff');
|
||||
const { checkValidRev, isInt } = require('../utils/checkValidRev');
|
||||
|
||||
/* ********************
|
||||
* GROUP FUNCTIONS ****
|
||||
|
|
@ -777,6 +778,13 @@ exports.createDiffHTML = async (padID, startRev, endRev) => {
|
|||
|
||||
// get the pad
|
||||
const pad = await getPadSafe(padID, true);
|
||||
const headRev = pad.getHeadRevisionNumber();
|
||||
if (startRev > headRev)
|
||||
startRev = headRev;
|
||||
|
||||
if (endRev > headRev)
|
||||
endRev = headRev;
|
||||
|
||||
let padDiff;
|
||||
try {
|
||||
padDiff = new PadDiff(pad, startRev, endRev);
|
||||
|
|
@ -822,9 +830,6 @@ exports.getStats = async () => {
|
|||
** INTERNAL HELPER FUNCTIONS *
|
||||
**************************** */
|
||||
|
||||
// checks if a number is an int
|
||||
const isInt = (value) => (parseFloat(value) === parseInt(value, 10)) && !isNaN(value);
|
||||
|
||||
// gets a pad safe
|
||||
const getPadSafe = async (padID, shouldExist, text, authorId = '') => {
|
||||
// check if padID is a string
|
||||
|
|
@ -854,31 +859,6 @@ const getPadSafe = async (padID, shouldExist, text, authorId = '') => {
|
|||
return padManager.getPad(padID, text, authorId);
|
||||
};
|
||||
|
||||
// checks if a rev is a legal number
|
||||
// pre-condition is that `rev` is not undefined
|
||||
const checkValidRev = (rev) => {
|
||||
if (typeof rev !== 'number') {
|
||||
rev = parseInt(rev, 10);
|
||||
}
|
||||
|
||||
// check if rev is a number
|
||||
if (isNaN(rev)) {
|
||||
throw new CustomError('rev is not a number', 'apierror');
|
||||
}
|
||||
|
||||
// ensure this is not a negative number
|
||||
if (rev < 0) {
|
||||
throw new CustomError('rev is not a negative number', 'apierror');
|
||||
}
|
||||
|
||||
// ensure this is not a float value
|
||||
if (!isInt(rev)) {
|
||||
throw new CustomError('rev is a float value', 'apierror');
|
||||
}
|
||||
|
||||
return rev;
|
||||
};
|
||||
|
||||
// checks if a padID is part of a group
|
||||
const checkGroupPad = (padID, field) => {
|
||||
// ensure this is a group pad
|
||||
|
|
|
|||
|
|
@ -172,6 +172,9 @@ class Pad {
|
|||
|
||||
async getInternalRevisionAText(targetRev) {
|
||||
const keyRev = this.getKeyRevisionNumber(targetRev);
|
||||
const headRev = this.getHeadRevisionNumber();
|
||||
if (targetRev > headRev)
|
||||
targetRev = headRev;
|
||||
const [keyAText, changesets] = await Promise.all([
|
||||
this._getKeyRevisionAText(keyRev),
|
||||
Promise.all(
|
||||
|
|
|
|||
|
|
@ -29,6 +29,7 @@ const os = require('os');
|
|||
const hooks = require('../../static/js/pluginfw/hooks');
|
||||
const TidyHtml = require('../utils/TidyHtml');
|
||||
const util = require('util');
|
||||
const { checkValidRev } = require('../utils/checkValidRev');
|
||||
|
||||
const fsp_writeFile = util.promisify(fs.writeFile);
|
||||
const fsp_unlink = util.promisify(fs.unlink);
|
||||
|
|
@ -53,6 +54,12 @@ exports.doExport = async (req, res, padId, readOnlyId, type) => {
|
|||
// tell the browser that this is a downloadable file
|
||||
res.attachment(`${fileName}.${type}`);
|
||||
|
||||
if (req.params.rev !== undefined) {
|
||||
// ensure revision is a number
|
||||
// modify req, as we use it in a later call to exportConvert
|
||||
req.params.rev = checkValidRev(req.params.rev);
|
||||
}
|
||||
|
||||
// if this is a plain text export, we can do this directly
|
||||
// We have to over engineer this because tabs are stored as attributes and not plain text
|
||||
if (type === 'etherpad') {
|
||||
|
|
|
|||
|
|
@ -39,6 +39,7 @@ const stats = require('../stats');
|
|||
const assert = require('assert').strict;
|
||||
const {RateLimiterMemory} = require('rate-limiter-flexible');
|
||||
const webaccess = require('../hooks/express/webaccess');
|
||||
const { checkValidRev } = require('../utils/checkValidRev');
|
||||
|
||||
let rateLimiter;
|
||||
let socketio = null;
|
||||
|
|
@ -1076,10 +1077,14 @@ const handleChangesetRequest = async (socket, {data: {granularity, start, reques
|
|||
if (granularity == null) throw new Error('missing granularity');
|
||||
if (!Number.isInteger(granularity)) throw new Error('granularity is not an integer');
|
||||
if (start == null) throw new Error('missing start');
|
||||
start = checkValidRev(start);
|
||||
if (requestID == null) throw new Error('mising requestID');
|
||||
const end = start + (100 * granularity);
|
||||
const {padId, author: authorId} = sessioninfos[socket.id];
|
||||
const pad = await padManager.getPad(padId, null, authorId);
|
||||
const headRev = pad.getHeadRevisionNumber();
|
||||
if (start > headRev)
|
||||
start = headRev;
|
||||
const data = await getChangesetInfo(pad, start, end, granularity);
|
||||
data.requestID = requestID;
|
||||
socket.json.send({type: 'CHANGESET_REQ', data});
|
||||
|
|
|
|||
|
|
@ -21,10 +21,14 @@
|
|||
|
||||
const AttributeMap = require('../../static/js/AttributeMap');
|
||||
const Changeset = require('../../static/js/Changeset');
|
||||
const { checkValidRev } = require('./checkValidRev');
|
||||
|
||||
/*
|
||||
* This method seems unused in core and no plugins depend on it
|
||||
*/
|
||||
exports.getPadPlainText = (pad, revNum) => {
|
||||
const _analyzeLine = exports._analyzeLine;
|
||||
const atext = ((revNum !== undefined) ? pad.getInternalRevisionAText(revNum) : pad.atext);
|
||||
const atext = ((revNum !== undefined) ? pad.getInternalRevisionAText(checkValidRev(revNum)) : pad.atext);
|
||||
const textLines = atext.text.slice(0, -1).split('\n');
|
||||
const attribLines = Changeset.splitAttributionLines(atext.attribs, atext.text);
|
||||
const apool = pad.pool;
|
||||
|
|
|
|||
34
src/node/utils/checkValidRev.js
Normal file
34
src/node/utils/checkValidRev.js
Normal file
|
|
@ -0,0 +1,34 @@
|
|||
'use strict';
|
||||
|
||||
const CustomError = require('../utils/customError');
|
||||
|
||||
// checks if a rev is a legal number
|
||||
// pre-condition is that `rev` is not undefined
|
||||
const checkValidRev = (rev) => {
|
||||
if (typeof rev !== 'number') {
|
||||
rev = parseInt(rev, 10);
|
||||
}
|
||||
|
||||
// check if rev is a number
|
||||
if (isNaN(rev)) {
|
||||
throw new CustomError('rev is not a number', 'apierror');
|
||||
}
|
||||
|
||||
// ensure this is not a negative number
|
||||
if (rev < 0) {
|
||||
throw new CustomError('rev is not a negative number', 'apierror');
|
||||
}
|
||||
|
||||
// ensure this is not a float value
|
||||
if (!isInt(rev)) {
|
||||
throw new CustomError('rev is a float value', 'apierror');
|
||||
}
|
||||
|
||||
return rev;
|
||||
};
|
||||
|
||||
// checks if a number is an int
|
||||
const isInt = (value) => (parseFloat(value) === parseInt(value, 10)) && !isNaN(value);
|
||||
|
||||
exports.isInt = isInt;
|
||||
exports.checkValidRev = checkValidRev;
|
||||
Loading…
Add table
Add a link
Reference in a new issue