Security Fix: Computational Resource Abuse in Export endpoints.

Thanks to Anynymous Security Researcher and xet7 !
2025-12-16 23:40:13 +01:00 · 2025-10-10 22:09:27 +03:00 · 2025-10-10 22:09:27 +03:00 · d0f118e7af
commit d0f118e7af
parent c481443667
3 changed files with 160 additions and 2 deletions
--- a/models/exportPDF.js
+++ b/models/exportPDF.js
@ -37,8 +37,34 @@ runOnServer(function() {
    let user = null;
    let impersonateDone = false;
    let adminId = null;
+
+    // First check if board exists and is public to avoid unnecessary authentication
+    const board = ReactiveCache.getBoard(boardId);
+    if (!board) {
+      res.end('Board not found');
+      return;
+    }
+
+    // If board is public, skip expensive authentication operations
+    if (board.isPublic()) {
+      // Public boards don't require authentication - skip hash operations
+      const exporterCardPDF = new ExporterCardPDF(boardId);
+      exporterCardPDF.build(res);
+      return;
+    }
+
+    // Only perform expensive authentication for private boards
    const loginToken = params.query.authToken;
    if (loginToken) {
+      // Validate token length to prevent resource abuse
+      if (loginToken.length > 10000) {
+        if (process.env.DEBUG === 'true') {
+          console.warn('Suspiciously long auth token received, rejecting to prevent resource abuse');
+        }
+        res.end('Invalid token');
+        return;
+      }
+
      const hashToken = Accounts._hashLoginToken(loginToken);
      user = ReactiveCache.getUser({
        'services.resume.loginTokens.hashedToken': hashToken,