etherpad-lite/src/node/hooks/express/importexport.js

var hasPadAccess = require("../../padaccess");
var settings = require('../../utils/Settings');
var exportHandler = require('../../handler/ExportHandler');
var importHandler = require('../../handler/ImportHandler');
var padManager = require("../../db/PadManager");
var authorManager = require("../../db/AuthorManager");
const rateLimit = require("express-rate-limit");

settings.importExportRateLimiting.onLimitReached = function(req, res, options) {
  // when the rate limiter triggers, write a warning in the logs
  console.warn(`Import/Export rate limiter triggered on "${req.originalUrl}" for IP address ${req.ip}`);
}

var limiter = rateLimit(settings.importExportRateLimiting);

exports.expressCreateServer = function (hook_name, args, cb) {

  // handle export requests
  args.app.use('/p/:pad/:rev?/export/:type', limiter);
  args.app.get('/p/:pad/:rev?/export/:type', async function(req, res, next) {
    var types = ["pdf", "doc", "txt", "html", "odt", "etherpad"];
    //send a 404 if we don't support this filetype
    if (types.indexOf(req.params.type) == -1) {
      return next();
    }

    // if abiword is disabled, and this is a format we only support with abiword, output a message
    if (settings.exportAvailable() == "no" &&
       ["odt", "pdf", "doc"].indexOf(req.params.type) !== -1) {
      console.error(`Impossible to export pad "${req.params.pad}" in ${req.params.type} format. There is no converter configured`);

      // ACHTUNG: do not include req.params.type in res.send() because there is no HTML escaping and it would lead to an XSS
      res.send("This export is not enabled at this Etherpad instance. Set the path to Abiword or soffice (LibreOffice) in settings.json to enable this feature");
      return;
    }

    res.header("Access-Control-Allow-Origin", "*");

    if (await hasPadAccess(req, res)) {
      let exists = await padManager.doesPadExists(req.params.pad);
      if (!exists) {
        console.warn(`Someone tried to export a pad that doesn't exist (${req.params.pad})`);
        return next();
      }

      console.log(`Exporting pad "${req.params.pad}" in ${req.params.type} format`);
      exportHandler.doExport(req, res, req.params.pad, req.params.type);
    }
  });

  // handle import requests
  args.app.use('/p/:pad/import', limiter);
  args.app.post('/p/:pad/import', async function(req, res, next) {
    if (await hasPadAccess(req, res)) {
      let exists = await padManager.doesPadExists(req.params.pad);
      if (!exists) {
        console.warn(`Someone tried to import into a pad that doesn't exist (${req.params.pad})`);
        return next();
      }

      /*
       * Starting from Etherpad 1.8.3 onwards, importing into a pad is allowed
       * only if a user has his browser opened and connected to the pad (i.e. a
       * Socket.IO session is estabilished for him) and he has already
       * contributed to that specific pad.
       *
       * Note that this does not have anything to do with the "session", used
       * for logging into "group pads". That kind of session is not needed here.
       *
       * This behaviour does not apply to API requests, only to /p/$PAD$/import
       *
       * See: https://github.com/ether/etherpad-lite/pull/3833#discussion_r407490205
       */
      if (!req.cookies && !settings.allowAnyoneToImport) {
        console.warn(`Unable to import file into "${req.params.pad}". No cookies included in request`);
        return next();
      }

      if (!req.cookies.token && !settings.allowAnyoneToImport) {
        console.warn(`Unable to import file into "${req.params.pad}". No token in the cookies`);
        return next();
      }

      let author = await authorManager.getAuthor4Token(req.cookies.token);
      // author is of the form: "a.g2droBYw1prY7HW9"
      if (!author && !settings.allowAnyoneToImport) {
        console.warn(`Unable to import file into "${req.params.pad}". No Author found for token ${req.cookies.token}`);

        return next();
      }

      let authorsPads = await authorManager.listPadsOfAuthor(author);
      if (!authorsPads && !settings.allowAnyoneToImport) {
        console.warn(`Unable to import file into "${req.params.pad}". Author "${author}" exists but he never contributed to any pad`);
        return next();
      }

      let authorsPadIDs = authorsPads.padIDs;
      if ( (authorsPadIDs.indexOf(req.params.pad) === -1) && !settings.allowAnyoneToImport) {
        console.warn(`Unable to import file into "${req.params.pad}". Author "${author}" exists but he never contributed to this pad`);
        return next();
      }

      importHandler.doImport(req, res, req.params.pad);
    }
  });
}
Moved all the hooks into a hooks directory 2012-02-25 17:23:44 +01:00			`var hasPadAccess = require("../../padaccess");`
			`var settings = require('../../utils/Settings');`
			`var exportHandler = require('../../handler/ExportHandler');`
			`var importHandler = require('../../handler/ImportHandler');`
check pad exists before importing / exporting 2018-04-04 22:48:32 +02:00			`var padManager = require("../../db/PadManager");`
import: do not allow importing into a pad from the web UI if the user is not on that pad Importing to a pad is allowed only if an author has a session estabilished and has already contributed to that specific pad. This means that as long as the user is on the pad (via the browser) then import is possible. Note that an author session is NOT the same as a group session, which is not required. This setting does not apply to API requests, only to /p/$PAD$/import This change of behaviour is introduced in Etherpad 1.8.3, and cannot be disabled. 2020-04-04 23:43:33 +02:00			`var authorManager = require("../../db/AuthorManager");`
import/export: always rate limit import and exports This is a departure from previous versions, which did not limit import/export requests. Now such requests are ALWAYS rate limited. The default is 10 requests per IP each 90 seconds, and also applies to old instances upgraded to 1.8.3. Administrators can tune the parameters via settings.importExportRateLimiting. 2020-04-04 22:39:33 +02:00			`const rateLimit = require("express-rate-limit");`

			`settings.importExportRateLimiting.onLimitReached = function(req, res, options) {`
			`// when the rate limiter triggers, write a warning in the logs`
			console.warn(`Import/Export rate limiter triggered on "${req.originalUrl}" for IP address ${req.ip}`);
			`}`

			`var limiter = rateLimit(settings.importExportRateLimiting);`
Moved importexport 2012-02-25 16:06:08 +01:00
			`exports.expressCreateServer = function (hook_name, args, cb) {`
importexport: improved logging This is in preparation to the next activities about import/export securization. 2020-04-13 01:33:43 +02:00
			`// handle export requests`
import/export: always rate limit import and exports This is a departure from previous versions, which did not limit import/export requests. Now such requests are ALWAYS rate limited. The default is 10 requests per IP each 90 seconds, and also applies to old instances upgraded to 1.8.3. Administrators can tune the parameters via settings.importExportRateLimiting. 2020-04-04 22:39:33 +02:00			`args.app.use('/p/:pad/:rev?/export/:type', limiter);`
access controls: promisification `getPadAccess()` (src/node/padaccess.js) is now "promise only", resolving to `true` or `false` as appropriate, and throwing an exception if there's an error. The two call sites (padreadonly.js and importexport.js) updated to match. 2019-01-23 17:29:36 +01:00			`args.app.get('/p/:pad/:rev?/export/:type', async function(req, res, next) {`
semi working requires browser refresh 2014-12-29 20:57:58 +01:00			`var types = ["pdf", "doc", "txt", "html", "odt", "etherpad"];`
Moved importexport 2012-02-25 16:06:08 +01:00			`//send a 404 if we don't support this filetype`
			`if (types.indexOf(req.params.type) == -1) {`
access controls: promisification `getPadAccess()` (src/node/padaccess.js) is now "promise only", resolving to `true` or `false` as appropriate, and throwing an exception if there's an error. The two call sites (padreadonly.js and importexport.js) updated to match. 2019-01-23 17:29:36 +01:00			`return next();`
Moved importexport 2012-02-25 16:06:08 +01:00			`}`

prepare to async: trivial reformatting This change is only cosmetic. Its aim is do make it easier to understand the async changes that are going to be merged later on. It was extracted from the original work from Ray Bellis. To verify that nothing has changed, you can run the following command on each file touched by this commit: npm install uglify-es diff --unified <(uglify-js --beautify bracketize <BEFORE.js>) <(uglify-js --beautify bracketize <AFTER.js>) This is a complete script that does the same automatically (works from a mercurial clone): ```bash #!/usr/bin/env bash set -eu REVISION=<THIS_REVISION> PARENT_REV=$(hg identify --rev "${REVISION}" --template '{p1rev}') FILE_LIST=$(hg status --no-status --change ${REVISION}) UGLIFYJS="node_modules/uglify-es/bin/uglifyjs" for FILE_NAME in ${FILE_LIST[@]}; do echo "Checking ${FILE_NAME}" diff --unified \ <("${UGLIFYJS}" --beautify bracketize <(hg cat --rev "${PARENT_REV}" "${FILE_NAME}")) \ <("${UGLIFYJS}" --beautify bracketize <(hg cat --rev "${REVISION}" "${FILE_NAME}")) done ``` 2019-02-08 23:20:57 +01:00			`// if abiword is disabled, and this is a format we only support with abiword, output a message`
Use new exportAvailable() check to include check for SOffice along with Abiword in importexport hook 2015-12-18 07:14:13 +01:00			`if (settings.exportAvailable() == "no" &&`
Moved importexport 2012-02-25 16:06:08 +01:00			`["odt", "pdf", "doc"].indexOf(req.params.type) !== -1) {`
importexport: improved logging This is in preparation to the next activities about import/export securization. 2020-04-13 01:33:43 +02:00			console.error(`Impossible to export pad "${req.params.pad}" in ${req.params.type} format. There is no converter configured`);

			`// ACHTUNG: do not include req.params.type in res.send() because there is no HTML escaping and it would lead to an XSS`
			`res.send("This export is not enabled at this Etherpad instance. Set the path to Abiword or soffice (LibreOffice) in settings.json to enable this feature");`
Moved importexport 2012-02-25 16:06:08 +01:00			`return;`
			`}`

			`res.header("Access-Control-Allow-Origin", "*");`

access controls: promisification `getPadAccess()` (src/node/padaccess.js) is now "promise only", resolving to `true` or `false` as appropriate, and throwing an exception if there's an error. The two call sites (padreadonly.js and importexport.js) updated to match. 2019-01-23 17:29:36 +01:00			`if (await hasPadAccess(req, res)) {`
			`let exists = await padManager.doesPadExists(req.params.pad);`
			`if (!exists) {`
importexport: improved logging This is in preparation to the next activities about import/export securization. 2020-04-13 01:33:43 +02:00			console.warn(`Someone tried to export a pad that doesn't exist (${req.params.pad})`);
access controls: promisification `getPadAccess()` (src/node/padaccess.js) is now "promise only", resolving to `true` or `false` as appropriate, and throwing an exception if there's an error. The two call sites (padreadonly.js and importexport.js) updated to match. 2019-01-23 17:29:36 +01:00			`return next();`
			`}`
check pad exists before importing / exporting 2018-04-04 22:48:32 +02:00
importexport: improved logging This is in preparation to the next activities about import/export securization. 2020-04-13 01:33:43 +02:00			console.log(`Exporting pad "${req.params.pad}" in ${req.params.type} format`);
access controls: promisification `getPadAccess()` (src/node/padaccess.js) is now "promise only", resolving to `true` or `false` as appropriate, and throwing an exception if there's an error. The two call sites (padreadonly.js and importexport.js) updated to match. 2019-01-23 17:29:36 +01:00			`exportHandler.doExport(req, res, req.params.pad, req.params.type);`
			`}`
Moved importexport 2012-02-25 16:06:08 +01:00			`});`

prepare to async: trivial reformatting This change is only cosmetic. Its aim is do make it easier to understand the async changes that are going to be merged later on. It was extracted from the original work from Ray Bellis. To verify that nothing has changed, you can run the following command on each file touched by this commit: npm install uglify-es diff --unified <(uglify-js --beautify bracketize <BEFORE.js>) <(uglify-js --beautify bracketize <AFTER.js>) This is a complete script that does the same automatically (works from a mercurial clone): ```bash #!/usr/bin/env bash set -eu REVISION=<THIS_REVISION> PARENT_REV=$(hg identify --rev "${REVISION}" --template '{p1rev}') FILE_LIST=$(hg status --no-status --change ${REVISION}) UGLIFYJS="node_modules/uglify-es/bin/uglifyjs" for FILE_NAME in ${FILE_LIST[@]}; do echo "Checking ${FILE_NAME}" diff --unified \ <("${UGLIFYJS}" --beautify bracketize <(hg cat --rev "${PARENT_REV}" "${FILE_NAME}")) \ <("${UGLIFYJS}" --beautify bracketize <(hg cat --rev "${REVISION}" "${FILE_NAME}")) done ``` 2019-02-08 23:20:57 +01:00			`// handle import requests`
import/export: always rate limit import and exports This is a departure from previous versions, which did not limit import/export requests. Now such requests are ALWAYS rate limited. The default is 10 requests per IP each 90 seconds, and also applies to old instances upgraded to 1.8.3. Administrators can tune the parameters via settings.importExportRateLimiting. 2020-04-04 22:39:33 +02:00			`args.app.use('/p/:pad/import', limiter);`
access controls: promisification `getPadAccess()` (src/node/padaccess.js) is now "promise only", resolving to `true` or `false` as appropriate, and throwing an exception if there's an error. The two call sites (padreadonly.js and importexport.js) updated to match. 2019-01-23 17:29:36 +01:00			`args.app.post('/p/:pad/import', async function(req, res, next) {`
			`if (await hasPadAccess(req, res)) {`
			`let exists = await padManager.doesPadExists(req.params.pad);`
			`if (!exists) {`
importexport: improved logging This is in preparation to the next activities about import/export securization. 2020-04-13 01:33:43 +02:00			console.warn(`Someone tried to import into a pad that doesn't exist (${req.params.pad})`);
access controls: promisification `getPadAccess()` (src/node/padaccess.js) is now "promise only", resolving to `true` or `false` as appropriate, and throwing an exception if there's an error. The two call sites (padreadonly.js and importexport.js) updated to match. 2019-01-23 17:29:36 +01:00			`return next();`
			`}`
check pad exists before importing / exporting 2018-04-04 22:48:32 +02:00
import: do not allow importing into a pad from the web UI if the user is not on that pad Importing to a pad is allowed only if an author has a session estabilished and has already contributed to that specific pad. This means that as long as the user is on the pad (via the browser) then import is possible. Note that an author session is NOT the same as a group session, which is not required. This setting does not apply to API requests, only to /p/$PAD$/import This change of behaviour is introduced in Etherpad 1.8.3, and cannot be disabled. 2020-04-04 23:43:33 +02:00			`/*`
			`* Starting from Etherpad 1.8.3 onwards, importing into a pad is allowed`
			`* only if a user has his browser opened and connected to the pad (i.e. a`
			`* Socket.IO session is estabilished for him) and he has already`
			`* contributed to that specific pad.`
			`*`
			`* Note that this does not have anything to do with the "session", used`
			`* for logging into "group pads". That kind of session is not needed here.`
			`*`
			`* This behaviour does not apply to API requests, only to /p/$PAD$/import`
			`*`
			`* See: https://github.com/ether/etherpad-lite/pull/3833#discussion_r407490205`
			`*/`
WIP - Test Coverage: Import & Export include LibreOffice Test Coverage (#4163) Runs on Travis Will only run locally is ``allowAnyoneToImport`` and ``soffice`` or ``abiword`` is set. 2020-07-14 19:44:53 +02:00			`if (!req.cookies && !settings.allowAnyoneToImport) {`
import: do not allow importing into a pad from the web UI if the user is not on that pad Importing to a pad is allowed only if an author has a session estabilished and has already contributed to that specific pad. This means that as long as the user is on the pad (via the browser) then import is possible. Note that an author session is NOT the same as a group session, which is not required. This setting does not apply to API requests, only to /p/$PAD$/import This change of behaviour is introduced in Etherpad 1.8.3, and cannot be disabled. 2020-04-04 23:43:33 +02:00			console.warn(`Unable to import file into "${req.params.pad}". No cookies included in request`);
			`return next();`
			`}`

WIP - Test Coverage: Import & Export include LibreOffice Test Coverage (#4163) Runs on Travis Will only run locally is ``allowAnyoneToImport`` and ``soffice`` or ``abiword`` is set. 2020-07-14 19:44:53 +02:00			`if (!req.cookies.token && !settings.allowAnyoneToImport) {`
import: do not allow importing into a pad from the web UI if the user is not on that pad Importing to a pad is allowed only if an author has a session estabilished and has already contributed to that specific pad. This means that as long as the user is on the pad (via the browser) then import is possible. Note that an author session is NOT the same as a group session, which is not required. This setting does not apply to API requests, only to /p/$PAD$/import This change of behaviour is introduced in Etherpad 1.8.3, and cannot be disabled. 2020-04-04 23:43:33 +02:00			console.warn(`Unable to import file into "${req.params.pad}". No token in the cookies`);
			`return next();`
			`}`

			`let author = await authorManager.getAuthor4Token(req.cookies.token);`
			`// author is of the form: "a.g2droBYw1prY7HW9"`
import: setting for allowing import without author existing 2020-06-01 19:19:06 +02:00			`if (!author && !settings.allowAnyoneToImport) {`
import: do not allow importing into a pad from the web UI if the user is not on that pad Importing to a pad is allowed only if an author has a session estabilished and has already contributed to that specific pad. This means that as long as the user is on the pad (via the browser) then import is possible. Note that an author session is NOT the same as a group session, which is not required. This setting does not apply to API requests, only to /p/$PAD$/import This change of behaviour is introduced in Etherpad 1.8.3, and cannot be disabled. 2020-04-04 23:43:33 +02:00			console.warn(`Unable to import file into "${req.params.pad}". No Author found for token ${req.cookies.token}`);

			`return next();`
			`}`

			`let authorsPads = await authorManager.listPadsOfAuthor(author);`
import: setting for allowing import without author existing 2020-06-01 19:19:06 +02:00			`if (!authorsPads && !settings.allowAnyoneToImport) {`
import: do not allow importing into a pad from the web UI if the user is not on that pad Importing to a pad is allowed only if an author has a session estabilished and has already contributed to that specific pad. This means that as long as the user is on the pad (via the browser) then import is possible. Note that an author session is NOT the same as a group session, which is not required. This setting does not apply to API requests, only to /p/$PAD$/import This change of behaviour is introduced in Etherpad 1.8.3, and cannot be disabled. 2020-04-04 23:43:33 +02:00			console.warn(`Unable to import file into "${req.params.pad}". Author "${author}" exists but he never contributed to any pad`);
			`return next();`
			`}`

			`let authorsPadIDs = authorsPads.padIDs;`
import: setting for allowing import without author existing 2020-06-01 19:19:06 +02:00			`if ( (authorsPadIDs.indexOf(req.params.pad) === -1) && !settings.allowAnyoneToImport) {`
import: do not allow importing into a pad from the web UI if the user is not on that pad Importing to a pad is allowed only if an author has a session estabilished and has already contributed to that specific pad. This means that as long as the user is on the pad (via the browser) then import is possible. Note that an author session is NOT the same as a group session, which is not required. This setting does not apply to API requests, only to /p/$PAD$/import This change of behaviour is introduced in Etherpad 1.8.3, and cannot be disabled. 2020-04-04 23:43:33 +02:00			console.warn(`Unable to import file into "${req.params.pad}". Author "${author}" exists but he never contributed to this pad`);
			`return next();`
			`}`

access controls: promisification `getPadAccess()` (src/node/padaccess.js) is now "promise only", resolving to `true` or `false` as appropriate, and throwing an exception if there's an error. The two call sites (padreadonly.js and importexport.js) updated to match. 2019-01-23 17:29:36 +01:00			`importHandler.doImport(req, res, req.params.pad);`
			`}`
Moved importexport 2012-02-25 16:06:08 +01:00			`});`
			`}`