mirrors/etherpad-lite
1
0
Fork 0
mirror of https://github.com/ether/etherpad-lite.git synced 2025-04-22 08:26:16 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions 26

PadMessageHandler: Don't trust user-provided padId

Browse source
This commit is contained in:
Richard Hansen 2022-02-23 01:03:46 -05:00
parent bdbde88fed
commit ba370b0e05
4 changed files with 115 additions and 8 deletions
Download patch file Download diff file Expand all files Collapse all files

19
src/node/handler/PadMessageHandler.js
View file

@ -235,6 +235,14 @@ exports.handleMessage = async (socket, message) => {
token: message.token,
};
}
// Outside of the checks done by this function, message.padId must not be accessed because it is
// too easy to introduce a security vulnerability that allows malicious users to read or modify
// pads that they should not be able to access. Code should instead use
// sessioninfos[socket.id].padId if the real pad ID is needed or
// sessioninfos[socket.id].auth.padID if the original user-supplied pad ID is needed.
Object.defineProperty(message, 'padId', {get: () => {
throw new Error('message.padId must not be accessed (for security reasons)');
}});
const auth = thisSession.auth;
if (!auth) {
@ -1115,11 +1123,6 @@ const handleChangesetRequest = async (socket, message) => {
return;
}
if (message.padId == null) {
messageLogger.warn('Dropped message, changeset request has no padId!');
return;
}
if (message.data.granularity == null) {
messageLogger.warn('Dropped message, changeset request has no granularity!');
return;
@ -1145,16 +1148,16 @@ const handleChangesetRequest = async (socket, message) => {
const start = message.data.start;
const end = start + (100 * granularity);
const padIds = await readOnlyManager.getIds(message.padId);
const {padId} = sessioninfos[socket.id];
// build the requested rough changesets and send them back
try {
const data = await getChangesetInfo(padIds.padId, start, end, granularity);
const data = await getChangesetInfo(padId, start, end, granularity);
data.requestID = message.data.requestID;
socket.json.send({type: 'CHANGESET_REQ', data});
} catch (err) {
messageLogger.error(`Error while handling a changeset request ${message.data} ` +
`for ${padIds.padId}: ${err.stack || err}`);
`for ${padId}: ${err.stack || err}`);
}
};