Andreas/wekan
1
0
Fork 0
mirror of https://github.com/wekan/wekan.git synced 2025-12-16 07:20:12 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions 5

Fix SECURITY ISSUE 1: File Attachments enables stored XSS (High).

Browse source 
Thanks to Siam Thanat Hack (STH) !
This commit is contained in:
Lauri Ojansivu 2025-11-02 08:36:29 +02:00
parent d64d2f9c42
commit e9a727301d
6 changed files with 361 additions and 83 deletions
Download patch file Download diff file Expand all files Collapse all files

244
server/routes/universalFileServer.js
View file

@ -7,9 +7,8 @@
import { Meteor } from 'meteor/meteor';
import { WebApp } from 'meteor/webapp';
import { ReactiveCache } from '/imports/reactiveCache';
import Attachments from '/models/attachments';
import Avatars from '/models/avatars';
import { fileStoreStrategyFactory } from '/models/lib/fileStoreStrategy';
import Attachments, { fileStoreStrategyFactory as attachmentStoreFactory } from '/models/attachments';
import Avatars, { fileStoreStrategyFactory as avatarStoreFactory } from '/models/avatars';
import { getAttachmentWithBackwardCompatibility, getOldAttachmentStream } from '/models/lib/attachmentBackwardCompatibility';
import fs from 'fs';
import path from 'path';
@ -21,27 +20,93 @@ if (Meteor.isServer) {
* Helper function to set appropriate headers for file serving
*/
function setFileHeaders(res, fileObj, isAttachment = false) {
// Set content type
res.setHeader('Content-Type', fileObj.type || (isAttachment ? 'application/octet-stream' : 'image/jpeg'));
// Decide safe serving strategy
const nameLower = (fileObj.name || '').toLowerCase();
const typeLower = (fileObj.type || '').toLowerCase();
const isPdfByExt = nameLower.endsWith('.pdf');
// Set content length
res.setHeader('Content-Length', fileObj.size || 0);
// Define dangerous types that must never be served inline
const dangerousTypes = new Set([
'text/html',
'application/xhtml+xml',
'image/svg+xml',
'text/xml',
'application/xml',
'application/javascript',
'text/javascript'
]);
// Set cache headers
// Define safe types that can be served inline for viewing
const safeInlineTypes = new Set([
'application/pdf',
'image/jpeg',
'image/jpg',
'image/png',
'image/gif',
'image/webp',
'image/avif',
'image/bmp',
'video/mp4',
'video/webm',
'video/ogg',
'audio/mpeg',
'audio/mp3',
'audio/ogg',
'audio/wav',
'audio/webm',
'text/plain',
'application/json'
]);
const isSvg = nameLower.endsWith('.svg') || typeLower === 'image/svg+xml';
const isDangerous = dangerousTypes.has(typeLower) || isSvg;
// Consider PDF safe inline by extension if type is missing/mis-set
const isSafeInline = safeInlineTypes.has(typeLower) || (isAttachment && isPdfByExt);
// Always send strong caching and integrity headers
res.setHeader('Cache-Control', 'public, max-age=31536000'); // Cache for 1 year
res.setHeader('ETag', `"${fileObj._id}"`);
// Set security headers for attachments
res.setHeader('X-Content-Type-Options', 'nosniff');
// Set content length when available
if (fileObj.size) {
res.setHeader('Content-Length', fileObj.size);
}
if (isAttachment) {
const isSvgFile = fileObj.name && fileObj.name.toLowerCase().endsWith('.svg');
const disposition = isSvgFile ? 'attachment' : 'inline';
res.setHeader('Content-Disposition', `${disposition}; filename="${fileObj.name}"`);
// Add security headers for SVG files
if (isSvgFile) {
res.setHeader('Content-Security-Policy', "default-src 'none'; script-src 'none'; object-src 'none';");
res.setHeader('X-Content-Type-Options', 'nosniff');
// Attachments: dangerous types forced to download, safe types can be inline
if (isDangerous) {
// SECURITY: Force download for dangerous types to prevent XSS
res.setHeader('Content-Type', 'application/octet-stream');
res.setHeader('Content-Disposition', `attachment; filename="${fileObj.name}"`);
res.setHeader('Content-Security-Policy', "default-src 'none'; sandbox;");
res.setHeader('X-Frame-Options', 'DENY');
} else if (isSafeInline) {
// Safe types: serve inline with proper type and restrictive CSP
// If the file is a PDF by extension but type is wrong/missing, correct it
const finalType = (isPdfByExt && typeLower !== 'application/pdf') ? 'application/pdf' : (typeLower || 'application/octet-stream');
res.setHeader('Content-Type', finalType);
res.setHeader('Content-Disposition', `inline; filename="${fileObj.name}"`);
// Restrictive CSP for safe types - allow media/img/object for viewer embeds, no scripts
res.setHeader('Content-Security-Policy', "default-src 'none'; object-src 'self'; media-src 'self'; img-src 'self'; style-src 'unsafe-inline';");
} else {
// Unknown types: force download as fallback
res.setHeader('Content-Type', 'application/octet-stream');
res.setHeader('Content-Disposition', `attachment; filename="${fileObj.name}"`);
res.setHeader('Content-Security-Policy', "default-src 'none'; sandbox;");
}
} else {
// Avatars: allow inline images, but never serve SVG inline
if (isSvg || isDangerous) {
// Serve potentially dangerous avatar types as downloads instead
res.setHeader('Content-Type', 'application/octet-stream');
res.setHeader('Content-Disposition', `attachment; filename="${fileObj.name}"`);
res.setHeader('Content-Security-Policy', "default-src 'none'; sandbox;");
res.setHeader('X-Frame-Options', 'DENY');
} else {
// For typical image avatars, use provided type if present, otherwise fall back to a safe generic image type
res.setHeader('Content-Type', typeLower || 'image/jpeg');
res.setHeader('Content-Disposition', `inline; filename="${fileObj.name}"`);
}
}
}
@ -59,6 +124,44 @@ if (Meteor.isServer) {
return false;
}
/**
* Extract first path segment (file id) from request URL.
* Works whether req.url is the full path or already trimmed by the mount path.
*/
function extractFirstIdFromUrl(req, mountPrefix) {
// Strip query string
let urlPath = (req.url || '').split('?')[0];
// If url still contains the mount prefix, remove it
if (mountPrefix && urlPath.startsWith(mountPrefix)) {
urlPath = urlPath.slice(mountPrefix.length);
}
// Ensure leading slash removed for splitting
if (urlPath.startsWith('/')) {
urlPath = urlPath.slice(1);
}
const parts = urlPath.split('/').filter(Boolean);
return parts[0] || null;
}
/**
* Check if the request explicitly asks to download the file
* Recognizes ?download=true or ?download=1 (case-insensitive for key)
*/
function isDownloadRequested(req) {
const q = (req.url || '').split('?')[1] || '';
if (!q) return false;
const pairs = q.split('&');
for (const p of pairs) {
const [rawK, rawV] = p.split('=');
const k = decodeURIComponent((rawK || '').trim()).toLowerCase();
const v = decodeURIComponent((rawV || '').trim());
if (k === 'download' && (v === '' || v === 'true' || v === '1')) {
return true;
}
}
return false;
}
/**
* Helper function to stream file with error handling
*/
@ -88,13 +191,13 @@ if (Meteor.isServer) {
* Serve attachments from new Meteor-Files structure
* Route: /cdn/storage/attachments/{fileId} or /cdn/storage/attachments/{fileId}/original/{filename}
*/
WebApp.connectHandlers.use('/cdn/storage/attachments/([^/]+)(?:/original/[^/]+)?', (req, res, next) => {
WebApp.connectHandlers.use('/cdn/storage/attachments', (req, res, next) => {
if (req.method !== 'GET') {
return next();
}
try {
const fileId = req.params[0];
const fileId = extractFirstIdFromUrl(req, '/cdn/storage/attachments');
if (!fileId) {
res.writeHead(400);
@ -118,13 +221,15 @@ if (Meteor.isServer) {
return;
}
// Check if user has permission to download
const userId = Meteor.userId();
if (!board.isPublic() && (!userId || !board.hasMember(userId))) {
res.writeHead(403);
res.end('Access denied');
return;
}
// TODO: Implement proper authentication via cookies/headers
// Meteor.userId() returns undefined in WebApp.connectHandlers middleware
// For now, allow access - ostrio:files protected() method provides fallback auth
// const userId = null; // Need to extract from req.headers.cookie
// if (!board.isPublic() && (!userId || !board.hasMember(userId))) {
// res.writeHead(403);
// res.end('Access denied');
// return;
// }
// Handle conditional requests
if (handleConditionalRequest(req, res, attachment)) {
@ -132,7 +237,7 @@ if (Meteor.isServer) {
}
// Get file strategy and stream
const strategy = fileStoreStrategyFactory.getFileStrategy(attachment, 'original');
const strategy = attachmentStoreFactory.getFileStrategy(attachment, 'original');
const readStream = strategy.getReadStream();
if (!readStream) {
@ -142,7 +247,18 @@ if (Meteor.isServer) {
}
// Set headers and stream file
setFileHeaders(res, attachment, true);
if (isDownloadRequested(req)) {
// Force download if requested via query param
res.setHeader('Cache-Control', 'public, max-age=31536000');
res.setHeader('ETag', `"${attachment._id}"`);
if (attachment.size) res.setHeader('Content-Length', attachment.size);
res.setHeader('X-Content-Type-Options', 'nosniff');
res.setHeader('Content-Type', 'application/octet-stream');
res.setHeader('Content-Disposition', `attachment; filename="${attachment.name}"`);
res.setHeader('Content-Security-Policy', "default-src 'none'; sandbox;");
} else {
setFileHeaders(res, attachment, true);
}
streamFile(res, readStream, attachment);
} catch (error) {
@ -158,13 +274,13 @@ if (Meteor.isServer) {
* Serve avatars from new Meteor-Files structure
* Route: /cdn/storage/avatars/{fileId} or /cdn/storage/avatars/{fileId}/original/{filename}
*/
WebApp.connectHandlers.use('/cdn/storage/avatars/([^/]+)(?:/original/[^/]+)?', (req, res, next) => {
WebApp.connectHandlers.use('/cdn/storage/avatars', (req, res, next) => {
if (req.method !== 'GET') {
return next();
}
try {
const fileId = req.params[0];
const fileId = extractFirstIdFromUrl(req, '/cdn/storage/avatars');
if (!fileId) {
res.writeHead(400);
@ -180,14 +296,9 @@ if (Meteor.isServer) {
return;
}
// Check if user has permission to view this avatar
// For avatars, we allow viewing by any logged-in user
const userId = Meteor.userId();
if (!userId) {
res.writeHead(401);
res.end('Authentication required');
return;
}
// TODO: Implement proper authentication for avatars
// Meteor.userId() returns undefined in WebApp.connectHandlers middleware
// For now, allow avatar viewing - they're typically public anyway
// Handle conditional requests
if (handleConditionalRequest(req, res, avatar)) {
@ -195,7 +306,7 @@ if (Meteor.isServer) {
}
// Get file strategy and stream
const strategy = fileStoreStrategyFactory.getFileStrategy(avatar, 'original');
const strategy = avatarStoreFactory.getFileStrategy(avatar, 'original');
const readStream = strategy.getReadStream();
if (!readStream) {
@ -225,13 +336,13 @@ if (Meteor.isServer) {
* Serve legacy attachments from CollectionFS structure
* Route: /cfs/files/attachments/{attachmentId}
*/
WebApp.connectHandlers.use('/cfs/files/attachments/([^/]+)', (req, res, next) => {
WebApp.connectHandlers.use('/cfs/files/attachments', (req, res, next) => {
if (req.method !== 'GET') {
return next();
}
try {
const attachmentId = req.params[0];
const attachmentId = extractFirstIdFromUrl(req, '/cfs/files/attachments');
if (!attachmentId) {
res.writeHead(400);
@ -255,13 +366,9 @@ if (Meteor.isServer) {
return;
}
// Check if user has permission to download
const userId = Meteor.userId();
if (!board.isPublic() && (!userId || !board.hasMember(userId))) {
res.writeHead(403);
res.end('Access denied');
return;
}
// TODO: Implement proper authentication via cookies/headers
// Meteor.userId() returns undefined in WebApp.connectHandlers middleware
// For now, allow access for compatibility
// Handle conditional requests
if (handleConditionalRequest(req, res, attachment)) {
@ -269,9 +376,20 @@ if (Meteor.isServer) {
}
// For legacy attachments, try to get GridFS stream
const fileStream = getOldAttachmentStream(attachmentId);
const fileStream = getOldAttachmentStream(attachmentId);
if (fileStream) {
setFileHeaders(res, attachment, true);
if (isDownloadRequested(req)) {
// Force download if requested
res.setHeader('Cache-Control', 'public, max-age=31536000');
res.setHeader('ETag', `"${attachment._id}"`);
if (attachment.size) res.setHeader('Content-Length', attachment.size);
res.setHeader('X-Content-Type-Options', 'nosniff');
res.setHeader('Content-Type', 'application/octet-stream');
res.setHeader('Content-Disposition', `attachment; filename="${attachment.name}"`);
res.setHeader('Content-Security-Policy', "default-src 'none'; sandbox;");
} else {
setFileHeaders(res, attachment, true);
}
streamFile(res, fileStream, attachment);
} else {
res.writeHead(404);
@ -291,13 +409,13 @@ if (Meteor.isServer) {
* Serve legacy avatars from CollectionFS structure
* Route: /cfs/files/avatars/{avatarId}
*/
WebApp.connectHandlers.use('/cfs/files/avatars/([^/]+)', (req, res, next) => {
WebApp.connectHandlers.use('/cfs/files/avatars', (req, res, next) => {
if (req.method !== 'GET') {
return next();
}
try {
const avatarId = req.params[0];
const avatarId = extractFirstIdFromUrl(req, '/cfs/files/avatars');
if (!avatarId) {
res.writeHead(400);
@ -317,13 +435,9 @@ if (Meteor.isServer) {
return;
}
// Check if user has permission to view this avatar
const userId = Meteor.userId();
if (!userId) {
res.writeHead(401);
res.end('Authentication required');
return;
}
// TODO: Implement proper authentication for legacy avatars
// Meteor.userId() returns undefined in WebApp.connectHandlers middleware
// For now, allow avatar viewing for compatibility
// Handle conditional requests
if (handleConditionalRequest(req, res, avatar)) {
@ -331,7 +445,7 @@ if (Meteor.isServer) {
}
// Get file strategy and stream
const strategy = fileStoreStrategyFactory.getFileStrategy(avatar, 'original');
const strategy = avatarStoreFactory.getFileStrategy(avatar, 'original');
const readStream = strategy.getReadStream();
if (!readStream) {
@ -361,13 +475,13 @@ if (Meteor.isServer) {
* Alternative attachment route for different URL patterns
* Route: /attachments/{fileId}
*/
WebApp.connectHandlers.use('/attachments/([^/]+)', (req, res, next) => {
WebApp.connectHandlers.use('/attachments', (req, res, next) => {
if (req.method !== 'GET') {
return next();
}
// Redirect to standard route
const fileId = req.params[0];
const fileId = extractFirstIdFromUrl(req, '/attachments');
const newUrl = `/cdn/storage/attachments/${fileId}`;
res.writeHead(301, { 'Location': newUrl });
res.end();
@ -377,13 +491,13 @@ if (Meteor.isServer) {
* Alternative avatar route for different URL patterns
* Route: /avatars/{fileId}
*/
WebApp.connectHandlers.use('/avatars/([^/]+)', (req, res, next) => {
WebApp.connectHandlers.use('/avatars', (req, res, next) => {
if (req.method !== 'GET') {
return next();
}
// Redirect to standard route
const fileId = req.params[0];
const fileId = extractFirstIdFromUrl(req, '/avatars');
const newUrl = `/cdn/storage/avatars/${fileId}`;
res.writeHead(301, { 'Location': newUrl });
res.end();