Commit graph

6111 commits

Author SHA1 Message Date
Richard Hansen
94f944160d security: Don't require express_sid if authn not required
This should make it possible to embed a pad in an iframe from another
site as long as `settings.requireAuthentication` is false.
2020-09-24 10:42:41 +01:00
Richard Hansen
53fd0b4f98 webaccess: Return 401 for authn failure, 403 for authz failure
This makes it possible for reverse proxies to transform 403 errors
into something like "upgrade to a premium account to access this
pad".

Also add some webaccess tests.
2020-09-24 10:41:58 +01:00
John McLear
ff4da04907 no need to ask for translations if no template files are included 2020-09-23 09:25:17 +01:00
Richard Hansen
1bb44098df PadMessageHandler: Move handleMessage hooks after access check
Move the handleMessageSecurity and handleMessage hooks after the call
to securityManager.checkAccess.

Benefits:

  * A handleMessage plugin can safely assume the message will be
    handled unless the plugin itself drops the message, so it doesn't
    need to repeat the access checks done by the `handleMessage`
    function.
  * This paves the way for a future enhancement: pass the author ID to
    the hooks.

Note: The handleMessageSecurity hook is broken in several ways:

  * The hook result is ignored for `CLIENT_READY` and `SWITCH_TO_PAD`
    messages because the `handleClientReady` function overwrites the
    hook result. This causes the client to receive client vars with
    `readonly` set to true, which causes the client to display an
    immutable pad even though the pad is technically writable.
  * The formatting toolbar buttons are removed for read-only pads
    before the handleMessageSecurity hook even runs.
  * It is awkwardly named: Without reading the documentation, how is
    one supposed to know that "handle message security" actually means
    "grant one-time write access to a read-only pad"?
  * It is called for every message even though calls after a
    `CLIENT_READY` or `SWITCH_TO_PAD` are mostly pointless.
  * Why would anyone want to grant write access when the user visits a
    read-only pad URL? The user should just visit the writable pad URL
    instead.
  * Why would anyone want to grant write access that only lasts for a
    single socket.io connection?
  * There are better ways to temporarily grant write access (e.g., the
    authorize hook).
  * This hook is inviting bugs because it breaks a core assumption
    about `/p/r.*` URLs.

I think the hook should be deprecated and eventually removed.
2020-09-23 08:26:47 +01:00
Richard Hansen
0f6baac7b5
Revert "tests: Use wtfnode to determine why mocha isn't exiting" (#4315)
This reverts commit ae1142a799.

According to
https://github.com/ether/etherpad-lite/pull/4304#issuecomment-694833456
wtfnode always seems to exit with 0 even if the tests fail.
2020-09-22 22:47:26 +01:00
John McLear
ca7b8e278f allow slower for Safari 2020-09-22 16:32:40 +01:00
Richard Hansen
6011ef426f PadMessageHandler: Make sessioninfo tracking more robust
A session's sessioninfo could go away asynchronously due to a
disconnect. Grab a reference once and use it throughout the function
to avoid dereferencing a null sessioninfo object.
2020-09-22 14:11:02 +01:00
Richard Hansen
3365e944bf async-ify more functions, and await completion
Where feasible I put the await at the end of the function to
minimize the impact on latency.

My motivation for this change: Eliminate a race condition in tests I
am writing.
2020-09-22 14:10:44 +01:00
Richard Hansen
45ec8326f0 Add a new 'rejected' disconnect reason
This reason will be used in a future commit that will reject erroneous
messages.
2020-09-22 14:09:07 +01:00
John McLear
13252c955c include hash auth in tests 2020-09-22 11:12:24 +01:00
Richard Hansen
a000a93dc6 Refactor startup/shutdown for tests
* `src/node/server.js` can now be run as a script (for normal
    operation) or imported as a module (for tests).
  * Move shutdown actions to `src/node/server.js` to be close to the
    startup actions.
  * Put startup and shutdown in functions so that tests can call them.
  * Use `await` instead of callbacks.
  * Block until the HTTP server is listening to avoid races during
    test startup.
  * Add a new `shutdown` hook.
  * Use the `shutdown` hook to:
      * close the HTTP server
      * call `end()` on the stats collection to cancel its timers
      * call `terminate()` on the Threads.Pool to stop the workers
  * Exit with exit code 0 (instead of 1) on SIGTERM.
  * Export the HTTP server so that tests can get the HTTP server's
    port via `server.address().port` when `settings.port` is 0.
2020-09-22 11:07:21 +01:00
Richard Hansen
a4be577ed1 SessionStore: Don't call callback until cached in DB layer 2020-09-21 23:21:05 +01:00
Richard Hansen
436cbb031d SessionStore: Avoid early DB.db dereference
Avoid dereferencing `DB.db` until it is used so that it is possible to
`require('SessionStore')` before calling `DB.init()`. (This is useful
when writing tests.)
2020-09-21 23:21:05 +01:00
Richard Hansen
bee91a0bd1 SessionStore: Use EC6 class syntax
This fixes a minor bug where the SessionStore constructor did not call
the base class constructor.
2020-09-21 23:21:05 +01:00
Richard Hansen
0504e07eb4 SessionStore: Wrap long line 2020-09-21 23:21:05 +01:00
Richard Hansen
90775cec0d SessionStore: Rename messageLogger to logger 2020-09-21 23:21:05 +01:00
Richard Hansen
4060db0daf SessionStore: Reduce unnecessary vertical space 2020-09-21 23:21:05 +01:00
Richard Hansen
5fb6bc1938 SessionStore: Use single quotes everywhere 2020-09-21 23:21:05 +01:00
Richard Hansen
012449101d SessionStore: Use const instead of var 2020-09-21 23:21:05 +01:00
Richard Hansen
5d2c438e3e SessionStore: Use an arrow function to avoid this juggling 2020-09-21 23:21:05 +01:00
Richard Hansen
de98852da6 SessionStore: Delete unused methods all, clear, length 2020-09-21 23:21:05 +01:00
Richard Hansen
346111250e utils: Fix promise creation accounting bug in promises.timesLimit
Before this change, `promises.timesLimit()` created `concurrency - 1`
too many promises. The only users of this function use a concurrency
of 500, so this meant that 499 extra promises were created each time
it was used. The bug didn't affect correctness, but it did result in a
large number of unnecessary database operations whenever a pad was
deleted. This change fixes that bug.

Also:
  * Convert the function to async and have it resolve after all of the
    created promises are resolved.
  * Reject concurrency of 0 (unless total is 0).
  * Document the function.
  * Add tests.
2020-09-21 23:16:32 +01:00
translatewiki.net
65942691b6 Localisation updates from https://translatewiki.net. 2020-09-21 16:02:42 +02:00
Stefan Mueller
91f25b51ff Merge remote-tracking branch 'origin/release/1.8.6' into develop 2020-09-20 21:23:14 +02:00
Richard Hansen
df7fa1fd41
changelog: Mention fix for authz bypass vulnerability in 1.8.6 (#4318) 2020-09-20 19:21:46 +00:00
Richard Hansen
3886e95c83 SessionManager: Fix session expiration check
This bug was introduced in 8b0baa9679.
2020-09-19 21:10:36 +01:00
Sebastian Castro
12bd617f51
css: Improve toolbar responsiveness for small screen (#4322)
Until now, the "mobile layout" (with right toolbar on bottom of the screen) was displayed only when screen was smaller than 800px. It made the toolbar break for screen about 1000px when a lot of plugins are in the toolbar.
Now instead, we detect with javascript when the toolbar icons overflow the natural space available, and we switch in "mobile layout" in such case
2020-09-19 19:09:30 +01:00
Stefan Mueller
299bd962b6 Update version to 1.8.6 and add changelog informations 2020-09-18 21:14:19 +02:00
webzwo0i
85f52a2f23
tests: Plugin backend tests in ci (#4314) 2020-09-18 16:28:42 +01:00
translatewiki.net
dfe0368910 Localisation updates from https://translatewiki.net. 2020-09-17 16:40:29 +02:00
Joas Souza
8c04fe8775
Feature: Copy Pad without history (#4295)
New feature to copy a pad without copying entire history.  This is useful to perform a low CPU intensive operation while still copying current pad state.
2020-09-16 19:24:09 +01:00
Richard Hansen
b80a37173e security: Fix authorization bypass vulnerability
Before, a malicious user could bypass authorization restrictions
imposed by the authorize hook:

 * Step 1: Fetch any resource that the malicious user is authorized to
   access (e.g., static content).
 * Step 2: Use the signed express_sid cookie generated in step 1 to
   create a socket.io connection.
 * Step 3: Perform the CLIENT_READY handshake for the desired pad.
 * Step 4: Profit!

Now the authorization decision made by the authorize hook is
propagated to SecurityManager so that it can approve or reject
socket.io messages as appropriate.

This also sets up future support for per-user read-only and
modify-only (no create) authorization levels.
2020-09-15 21:40:25 +01:00
Richard Hansen
ae1142a799 tests: Use wtfnode to determine why mocha isn't exiting
If mocha hangs after running the tests, hit Ctrl-C and wtfnode will
print open files, open sockets, running timers, and running intervals.
Adding an `after` function that closes/stops all of those things will
ensure that mocha exits when it finishes running the tests.
2020-09-15 21:22:52 +01:00
Richard Hansen
e20731cb12 webaccess: Fix syntax error (missing close curly brace)
Somehow I introduced this bug in commit
2bc26b8ef8 but never noticed.
2020-09-15 21:21:13 +01:00
Richard Hansen
d2773609d1 PadMessageHandler: Fix assignment to const variable 2020-09-15 20:04:33 +01:00
Richard Hansen
5ac5b65aff Pad: Disable toolbar and import/export when reconnecting 2020-09-15 20:04:17 +01:00
Richard Hansen
6f28e415ec PadMessageHandler: Move code out of unnecessary closure (again) 2020-09-15 20:04:01 +01:00
Richard Hansen
9e6d3f3f63 tests: Add authentication, authorization bypass tests 2020-09-15 20:03:30 +01:00
Richard Hansen
80639fdc6a webaccess: Pass settings.users to the authenticate hook
Authentication plugins almost always want to read and modify
`settings.users`. The settings can already be accessed in a few other
ways, but this is much more convenient.
2020-09-15 19:26:24 +01:00
Richard Hansen
250e932f59 webaccess: Enforce creation of req.session.user by authn plugins
The authorization logic determines whether the user has already
successfully authenticated by looking to see if `req.session.user`
exists. If an authentication plugin says that it successfully
authenticated the user but it did not create `req.session.user` then
authentication will re-run for every access, and authorization plugins
will be unable to determine whether the user has been authenticated.
Return a 500 internal server error to prevent these problems.
2020-09-15 19:26:14 +01:00
Richard Hansen
362b567276 docs: Revise documentation for handleMessage and handleMessageSecurity 2020-09-15 19:25:04 +01:00
Richard Hansen
80c0e2487d PadMessageHandler: Move code out of unnecessary closure
Also simplify the logic.
2020-09-15 19:23:48 +01:00
Richard Hansen
a261fdf430 i18n: Improve error logging when language JSON read fails
Before it only logged an error like this:

    SyntaxError: Unexpected string in JSON at position XYZ

Now it also logs the filename, making it easier to figure out where
the bad data is:

    failed to read file /path/to/etherpad-lite/src/locales/en.json: SyntaxError: Unexpected string in JSON at position XYZ
2020-09-15 15:32:43 +01:00
John McLear
38352c1f8c Merge branch 'develop' of github.com:ether/etherpad-lite into develop 2020-09-15 13:15:53 +01:00
John McLear
9f3cc7aae0 deps: update UeberDB to fix issue with Postgres which was causing 1.8.5 to fail on PG sites. 2020-09-15 13:15:28 +01:00
Richard Hansen
2bc26b8ef8 webaccess: Factor out common code 2020-09-15 10:44:23 +01:00
Richard Hansen
f9087fabd6 security: Check authentication in SecurityManager checkAccess
In addition to providing defense in depth, this change makes it easier
to implement future enhancements such as support for read-only users.
2020-09-15 10:43:23 +01:00
Richard Hansen
259b8d891d socketio: Use Error objects for socket.io connection errors
socket.io expects Error objects, otherwise it won't propagate the
message to the client.

Also do some cleanup.
2020-09-15 10:42:25 +01:00
Richard Hansen
0a836ced29 css: Line up line numbers with their rows
Tested with both `no-skin` and `colibris`.
2020-09-15 09:29:09 +01:00
webzwo0i
ec6b983917
packaging: remove pad_docbar.js (#4286)
package to reduce http requests: nice-select,
pad_automatic_reconnect, skin_variants, scroll, caretPosition

rename unorm in tar.json so it can be included
2020-09-13 19:01:28 +01:00