From a51684b0227942b87c4742fbbdc3934c2a4d7018 Mon Sep 17 00:00:00 2001
From: muxator
Date: Sat, 7 Dec 2019 04:20:12 +0100
Subject: [PATCH] security: stop setting the "io" cookie

The "io" cookie is created by socket.io, and its purpose is to offer an handle to perform load balancing with session stickiness when the library falls back to long polling or below.

In Etherpad's case, if an operator needs to load balance, he can use the "express_sid" cookie, and thus "io" is of no use.

Moreover, socket.io API does not offer a way of setting the "secure" flag on it, and thus is a liability.

Let's simply nuke it.

References:
https://socket.io/docs/using-multiple-nodes/#Sticky-load-balancing
https://github.com/socketio/socket.io/issues/2276#issuecomment-147184662 (not totally true, actually, see above)
---
 src/node/hooks/express/socketio.js | 23 ++++++++++++++++++++++-
 1 file changed, 22 insertions(+), 1 deletion(-)

diff --git a/src/node/hooks/express/socketio.js b/src/node/hooks/express/socketio.js
index de94e9fbb..fde514e66 100644
--- a/src/node/hooks/express/socketio.js
+++ b/src/node/hooks/express/socketio.js
@@ -16,7 +16,28 @@ exports.expressCreateServer = function (hook_name, args, cb) {
   // e.g. XHR is disabled in IE by default, so in IE it should use jsonp-polling
   var io = socketio({
     transports: settings.socketTransportProtocols
-  }).listen(args.server);
+  }).listen(args.server, {
+    /*
+     * Do not set the "io" cookie.
+     *
+     * The "io" cookie is created by socket.io, and its purpose is to offer an
+     * handle to perform load balancing with session stickiness when the library
+     * falls back to long polling or below.
+     *
+     * In Etherpad's case, if an operator needs to load balance, he can use the
+     * "express_sid" cookie, and thus "io" is of no use.
+     *
+     * Moreover, socket.io API does not offer a way of setting the "secure" flag
+     * on it, and thus is a liability.
+     *
+     * Let's simply nuke "io".
+     *
+     * references:
+     * https://socket.io/docs/using-multiple-nodes/#Sticky-load-balancing
+     * https://github.com/socketio/socket.io/issues/2276#issuecomment-147184662 (not totally true, actually, see above)
+     */
+    cookie: false,
+  });
 
   /* Require an express session cookie to be present, and load the
    * session. See http://www.danielbaulig.de/socket-ioexpress for more
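Review bot: The `transports` option at the top of the hunk is still handed only to the `socketio({...})` constructor while the new `cookie: false` goes to `.listen(args.server, {...})`; in socket.io 2.x the constructor forwards its options to engine.io only when a server is passed at construction time, so `transports` may never reach engine.io while `cookie` does — worth checking against the installed socket.io version, and if it holds, passing both in the same `listen` options object: `}).listen(args.server, { transports: settings.socketTransportProtocols, cookie: false });`. The 20-line block comment repeats the commit message verbatim at a call site; a two-line comment such as `// Disable socket.io's "io" cookie: Etherpad uses "express_sid" for stickiness and the API offers no way to set "secure" on it (see this commit)` keeps the option readable without losing the rationale. In both the comment and the commit message "an handle" should read "a handle". expressCreateServer begins before this hunk and continues after it.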