Andreas/wekan
1
0
Fork 0
mirror of https://github.com/wekan/wekan.git synced 2026-03-07 14:20:15 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions 5

Fix IntegrationBleed.

Browse source 
Thanks to Rodolphe GHIO and xet7 !
This commit is contained in:
Lauri Ojansivu 2026-03-05 21:26:22 +02:00
parent 97b0c392be
commit 2cd702f48d
3 changed files with 116 additions and 32 deletions
Download patch file Download diff file Expand all files Collapse all files

52
models/integrations.js
View file

@ -36,11 +36,45 @@ Integrations.attachSchema(
defaultValue: ['all'], defaultValue: ['all'],
}, },
url: { url: {
// URL validation regex (https://mathiasbynens.be/demo/url-regex) // URL validation with SSRF protection
/** /**
* URL validation regex (https://mathiasbynens.be/demo/url-regex) * URL validation regex (https://mathiasbynens.be/demo/url-regex)
* Includes validation to block private/loopback addresses and ensure safe protocols
*/ */
type: String, type: String,
custom() {
try {
const u = new URL(this.value);
// Only allow http and https protocols
if (!['http:', 'https:'].includes(u.protocol)) {
return 'invalidProtocol';
}
// Block private/loopback IP ranges and hostnames
const hostname = u.hostname.toLowerCase();
const blockedPatterns = [
/^127\./, // 127.x.x.x (loopback)
/^10\./, // 10.x.x.x (private)
/^172\.(1[6-9]|2\d|3[01])\./, // 172.16-31.x.x (private)
/^192\.168\./, // 192.168.x.x (private)
/^0\./, // 0.x.x.x (current network)
/^::1$/, // IPv6 loopback
/^fe80:/, // IPv6 link-local
/^fc00:/, // IPv6 unique local
/^fd00:/, // IPv6 unique local
/^localhost$/i,
/\.local$/i,
/^169\.254\./, // link-local IP
];
if (blockedPatterns.some(pattern => pattern.test(hostname))) {
return 'privateAddress';
}
} catch {
return 'invalidUrl';
}
},
}, },
token: { token: {
/** /**
@ -198,13 +232,13 @@ if (Meteor.isServer) {
* @param {string} url the URL of the integration * @param {string} url the URL of the integration
* @return_type {_id: string} * @return_type {_id: string}
*/ */
JsonRoutes.add('POST', '/api/boards/:boardId/integrations', function( JsonRoutes.add('POST', '/api/boards/:boardId/integrations', async function(
req, req,
res, res,
) { ) {
try { try {
const paramBoardId = req.params.boardId; const paramBoardId = req.params.boardId;
Authentication.checkBoardAccess(req.userId, paramBoardId); await Authentication.checkBoardAdmin(req.userId, paramBoardId);
const id = Integrations.insert({ const id = Integrations.insert({
userId: req.userId, userId: req.userId,
@ -239,14 +273,14 @@ if (Meteor.isServer) {
* @param {string} [activities] new list of activities of the integration * @param {string} [activities] new list of activities of the integration
* @return_type {_id: string} * @return_type {_id: string}
*/ */
JsonRoutes.add('PUT', '/api/boards/:boardId/integrations/:intId', function( JsonRoutes.add('PUT', '/api/boards/:boardId/integrations/:intId', async function(
req, req,
res, res,
) { ) {
try { try {
const paramBoardId = req.params.boardId; const paramBoardId = req.params.boardId;
const paramIntId = req.params.intId; const paramIntId = req.params.intId;
Authentication.checkBoardAccess(req.userId, paramBoardId); await Authentication.checkBoardAdmin(req.userId, paramBoardId);
if (req.body.hasOwnProperty('enabled')) { if (req.body.hasOwnProperty('enabled')) {
const newEnabled = req.body.enabled; const newEnabled = req.body.enabled;
@ -315,7 +349,7 @@ if (Meteor.isServer) {
const paramBoardId = req.params.boardId; const paramBoardId = req.params.boardId;
const paramIntId = req.params.intId; const paramIntId = req.params.intId;
const newActivities = req.body.activities; const newActivities = req.body.activities;
Authentication.checkBoardAccess(req.userId, paramBoardId); await Authentication.checkBoardAdmin(req.userId, paramBoardId);
Integrations.direct.update( Integrations.direct.update(
{ _id: paramIntId, boardId: paramBoardId }, { _id: paramIntId, boardId: paramBoardId },
@ -355,7 +389,7 @@ if (Meteor.isServer) {
const paramBoardId = req.params.boardId; const paramBoardId = req.params.boardId;
const paramIntId = req.params.intId; const paramIntId = req.params.intId;
const newActivities = req.body.activities; const newActivities = req.body.activities;
Authentication.checkBoardAccess(req.userId, paramBoardId); await Authentication.checkBoardAdmin(req.userId, paramBoardId);
Integrations.direct.update( Integrations.direct.update(
{ _id: paramIntId, boardId: paramBoardId }, { _id: paramIntId, boardId: paramBoardId },
@ -386,14 +420,14 @@ if (Meteor.isServer) {
* @param {string} intId the integration ID * @param {string} intId the integration ID
* @return_type {_id: string} * @return_type {_id: string}
*/ */
JsonRoutes.add('DELETE', '/api/boards/:boardId/integrations/:intId', function( JsonRoutes.add('DELETE', '/api/boards/:boardId/integrations/:intId', async function(
req, req,
res, res,
) { ) {
try { try {
const paramBoardId = req.params.boardId; const paramBoardId = req.params.boardId;
const paramIntId = req.params.intId; const paramIntId = req.params.intId;
Authentication.checkBoardAccess(req.userId, paramBoardId); await Authentication.checkBoardAdmin(req.userId, paramBoardId);
Integrations.direct.remove({ _id: paramIntId, boardId: paramBoardId }); Integrations.direct.remove({ _id: paramIntId, boardId: paramBoardId });
JsonRoutes.sendResult(res, { JsonRoutes.sendResult(res, {

8
server/authentication.js
View file

@ -68,6 +68,14 @@ Meteor.startup(() => {
await Authentication.checkAdminOrCondition(userId, writeAccess); await Authentication.checkAdminOrCondition(userId, writeAccess);
}; };
// Helper function. Will throw an error if the user is not a board admin.
Authentication.checkBoardAdmin = async function(userId, boardId) {
Authentication.checkLoggedIn(userId);
const board = await ReactiveCache.getBoard(boardId);
const adminAccess = board.members.some(e => e.userId === userId && e.isActive && e.isAdmin);
await Authentication.checkAdminOrCondition(userId, adminAccess);
};
if (Meteor.isServer) { if (Meteor.isServer) {
if ( if (
process.env.ORACLE_OIM_ENABLED === 'true' || process.env.ORACLE_OIM_ENABLED === 'true' ||

78
server/notifications/outgoing.js
View file

@ -12,6 +12,43 @@ if (Meteor.isServer) {
}); });
}); });
// SSRF Protection: Validate webhook URLs before posting
const isValidWebhookUrl = (urlString) => {
try {
const u = new URL(urlString);
// Only allow http and https protocols
if (!['http:', 'https:'].includes(u.protocol)) {
return false;
}
// Block private/loopback IP ranges and hostnames
const hostname = u.hostname.toLowerCase();
const blockedPatterns = [
/^127\./, // 127.x.x.x (loopback)
/^10\./, // 10.x.x.x (private)
/^172\.(1[6-9]|2\d|3[01])\./, // 172.16-31.x.x (private)
/^192\.168\./, // 192.168.x.x (private)
/^0\./, // 0.x.x.x (current network)
/^::1$/, // IPv6 loopback
/^fe80:/, // IPv6 link-local
/^fc00:/, // IPv6 unique local
/^fd00:/, // IPv6 unique local
/^localhost$/i,
/\.local$/i,
/^169\.254\./, // link-local IP (AWS metadata)
];
if (blockedPatterns.some(pattern => pattern.test(hostname))) {
return false;
}
return true;
} catch {
return false;
}
};
const Lock = { const Lock = {
_lock: {}, _lock: {},
_timer: {}, _timer: {},
@ -70,13 +107,24 @@ if (Meteor.isServer) {
'label', 'label',
'attachmentId', 'attachmentId',
]; ];
const responseFunc = async data => { const responseFunc = async (data, integration) => {
const paramCommentId = data.commentId; const paramCommentId = data.commentId;
const paramCardId = data.cardId; const paramCardId = data.cardId;
const paramBoardId = data.boardId; const paramBoardId = data.boardId;
const newComment = data.comment; const newComment = data.comment;
if (paramCardId && paramBoardId && newComment) {
// only process data with the cardid, boardid and comment text, TODO can expand other functions here to react on returned data // Authorization: Verify the request is from a bidirectional webhook
if (!integration || integration.type !== Integrations.Const.TWOWAY) {
return; // Only bidirectional webhooks can update comments
}
// Authorization: Prevent cross-board comment injection
if (paramBoardId !== integration.boardId) {
return; // Webhook can only modify comments in its own board
}
if (paramCardId && paramBoardId && newComment && paramCommentId) {
// only process data with the commentId, cardId, boardId and comment text
const comment = await ReactiveCache.getCardComment({ const comment = await ReactiveCache.getCardComment({
_id: paramCommentId, _id: paramCommentId,
cardId: paramCardId, cardId: paramCardId,
@ -84,8 +132,9 @@ if (Meteor.isServer) {
}); });
const board = await ReactiveCache.getBoard(paramBoardId); const board = await ReactiveCache.getBoard(paramBoardId);
const card = await ReactiveCache.getCard(paramCardId); const card = await ReactiveCache.getCard(paramCardId);
if (board && card) {
if (comment) { if (board && card && comment) {
// Only update existing comments - do not create new comments from webhook responses
Lock.set(comment._id, newComment); Lock.set(comment._id, newComment);
CardComments.direct.update(comment._id, { CardComments.direct.update(comment._id, {
$set: { $set: {
@ -93,18 +142,6 @@ if (Meteor.isServer) {
}, },
}); });
} }
} else {
const userId = data.userId;
if (userId) {
const inserted = CardComments.direct.insert({
text: newComment,
userId,
cardId,
boardId,
});
Lock.set(inserted._id, newComment);
}
}
} }
}; };
Meteor.methods({ Meteor.methods({
@ -175,6 +212,11 @@ if (Meteor.isServer) {
const url = integration.url; const url = integration.url;
// SSRF Protection: Validate webhook URL before posting
if (!isValidWebhookUrl(url)) {
throw new Meteor.Error('invalid-webhook-url', 'Webhook URL is invalid or points to a private/internal address');
}
if (is2way) { if (is2way) {
const cid = params.commentId; const cid = params.commentId;
const comment = params.comment; const comment = params.comment;
@ -198,7 +240,7 @@ if (Meteor.isServer) {
const data = response.data; // only an JSON encoded response will be actioned const data = response.data; // only an JSON encoded response will be actioned
if (data) { if (data) {
try { try {
await responseFunc(data); await responseFunc(data, integration);
} catch (e) { } catch (e) {
throw new Meteor.Error('error-process-data'); throw new Meteor.Error('error-process-data');
} }