Commit graph

6274 commits

Author SHA1 Message Date
Richard Hansen
9e6d3f3f63 tests: Add authentication, authorization bypass tests 2020-09-15 20:03:30 +01:00
Richard Hansen
80639fdc6a webaccess: Pass settings.users to the authenticate hook
Authentication plugins almost always want to read and modify
`settings.users`. The settings can already be accessed in a few other
ways, but this is much more convenient.
2020-09-15 19:26:24 +01:00
Richard Hansen
250e932f59 webaccess: Enforce creation of req.session.user by authn plugins
The authorization logic determines whether the user has already
successfully authenticated by looking to see if `req.session.user`
exists. If an authentication plugin says that it successfully
authenticated the user but it did not create `req.session.user` then
authentication will re-run for every access, and authorization plugins
will be unable to determine whether the user has been authenticated.
Return a 500 internal server error to prevent these problems.
2020-09-15 19:26:14 +01:00
Richard Hansen
362b567276 docs: Revise documentation for handleMessage and handleMessageSecurity 2020-09-15 19:25:04 +01:00
Richard Hansen
80c0e2487d PadMessageHandler: Move code out of unnecessary closure
Also simplify the logic.
2020-09-15 19:23:48 +01:00
Richard Hansen
a261fdf430 i18n: Improve error logging when language JSON read fails
Before it only logged an error like this:

    SyntaxError: Unexpected string in JSON at position XYZ

Now it also logs the filename, making it easier to figure out where
the bad data is:

    failed to read file /path/to/etherpad-lite/src/locales/en.json: SyntaxError: Unexpected string in JSON at position XYZ
2020-09-15 15:32:43 +01:00
John McLear
38352c1f8c Merge branch 'develop' of github.com:ether/etherpad-lite into develop 2020-09-15 13:15:53 +01:00
John McLear
9f3cc7aae0 deps: update UeberDB to fix issue with Postgres which was causing 1.8.5 to fail on PG sites. 2020-09-15 13:15:28 +01:00
Richard Hansen
2bc26b8ef8 webaccess: Factor out common code 2020-09-15 10:44:23 +01:00
Richard Hansen
f9087fabd6 security: Check authentication in SecurityManager checkAccess
In addition to providing defense in depth, this change makes it easier
to implement future enhancements such as support for read-only users.
2020-09-15 10:43:23 +01:00
Richard Hansen
259b8d891d socketio: Use Error objects for socket.io connection errors
socket.io expects Error objects, otherwise it won't propagate the
message to the client.

Also do some cleanup.
2020-09-15 10:42:25 +01:00
Richard Hansen
0a836ced29 css: Line up line numbers with their rows
Tested with both `no-skin` and `colibris`.
2020-09-15 09:29:09 +01:00
webzwo0i
ec6b983917
packaging: remove pad_docbar.js (#4286)
package to reduce http requests: nice-select,
pad_automatic_reconnect, skin_variants, scroll, caretPosition

rename unorm in tar.json so it can be included
2020-09-13 19:01:28 +01:00
Richard Hansen
d0a16d23cb security: Fix authentication bypass vulnerability
Before, anyone who could create a socket.io connection to Etherpad
could read, modify, and create pads at will without authenticating
first.

The `checkAccess` middleware in `webaccess.js` normally handles
authentication and authorization, but it does not run for `/socket.io`
requests. This means that the connection handler in `socketio.js` must
handle authentication and authorization. However, before this change:
  * The handler did not require a signed `express_sid` cookie.
  * After loading the express-session state, the handler did not check
    to see if the user had authenticated.

Now the handler requires a signed `express_sid` cookie, and it ensures
that `socket.request.session.user` is non-null if authentication is
required. (`socket.request.session.user` is non-null if and only if
the user has authenticated.)
2020-09-13 18:56:31 +01:00
John McLear
4434e54368
Update responsiveness.js
Changing allowed delay from 300 to 400 because Safari OSX is consistently slow compared to every other modern browser.
2020-09-12 11:00:05 +01:00
Richard Hansen
8b0baa9679 SecurityManager: Refactor checkAccess for readability, correctness
* Move session validity check and session author ID fetch to a
    separate function. This separate function can be used by hooks,
    making it easier for them to properly determine the author ID.
  * Rewrite the remainder of checkAccess. Benefits:
      - The function is more readable and maintainable now.
      - Vulnerability fix: Before, the session IDs in sessionCookie
        were not validated when checking settings.requireSession. Now,
        sessionCookie must identify a valid session for the
        settings.requireSession test to pass.
      - Bug fix: Before, checkAccess would sometimes use the author ID
        associated with the token even if sessionCookie identified a
        valid session. Now it always uses the author ID associated
        with the session if available.
2020-09-12 09:42:47 +01:00
Richard Hansen
8756fed80d PadMessageHandler: Use await instead of p.then() 2020-09-11 22:11:03 +01:00
Richard Hansen
3262ff1cb9 PadMessageHandler: Rename createSessionInfo to createSessionInfoAuth
The function doesn't create the session info -- it creates the auth
property of existing session info.
2020-09-11 22:11:03 +01:00
Richard Hansen
de792559cb PadMessageHandler: Use === instead of == for comparison 2020-09-11 22:11:03 +01:00
Richard Hansen
7f0770d684 PadMessageHandler: Invert logic to improve readability 2020-09-11 22:11:03 +01:00
Richard Hansen
d4db091d1d PadMessageHandler: Simplify handleClientReady a bit
Before, this function referred to the same author ID in different ways
in different places. Use one spelling to make the code easier to read.
2020-09-11 22:11:03 +01:00
Richard Hansen
ed3c82e8c3 Use null, not "null", if sessionID cookie doesn't exist
`decodeURIComponent(null)` returns the string `'null'`, which we don't
want.
2020-09-11 22:10:04 +01:00
translatewiki.net
24978daeb0 Localisation updates from https://translatewiki.net. 2020-09-10 18:36:59 +02:00
webzwo0i
e2b3b009e1
tests: skip responsivness test on firefox 52.0/windows (#4275) 2020-09-09 21:40:53 +01:00
John McLear
5dfae625b9 Package Lock update 2020-09-09 18:15:47 +01:00
John McLear
c8361a211a bump ueber 2020-09-09 14:41:03 +01:00
Stefan Mueller
477f637488 Merge tag '1.8.5' into develop
Version 1.8.5
2020-09-08 22:34:35 +02:00
Stefan Mueller
f3d950c664 Merge branch 'release/1.8.5' 2020-09-08 22:34:02 +02:00
Stefan Mueller
5e03a3b0fe Set changelog informations for new version 2020-09-08 22:10:27 +02:00
Stefan Mueller
e64a269a65 Update version to 1.8.5 2020-09-08 22:09:56 +02:00
Stefan Mueller
10402c2e2d Update version to 1.8.5 2020-09-08 21:56:20 +02:00
John McLear
7258d75cc5 bumping ueber 2020-09-08 16:03:15 +01:00
John McLear
2b9915d00d commenting out responsiveness test in preperation for a release 2020-09-08 15:18:19 +01:00
Richard Hansen
6c2a361935 import: Use the correct author ID when using sessions
There are two different ways an author ID becomes associated with a
user: either bound to a token or bound to a session ID. (The token and
session ID come from the `token` and `sessionID` cookies, or, in the
case of socket.io messages, from the `token` and `sessionID` message
properties.) When `settings.requireSession` is true or the user is
accessing a group pad, the session ID should be used. Otherwise the
token should be used.

Before this change, the `/p/:pad/import` handler was always using the
token, even when `settings.requireSession` was true. This caused the
following error because a different author ID was bound to the token
versus the session ID:

> Unable to import file into ${pad}. Author ${authorID} exists but he
> never contributed to this pad

This bug was reported in issue #4006. PR #4012 worked around the
problem by binding the same author ID to the token as well as the
session ID.

This change does the following:
  * Modifies the import handler to use the session ID to obtain the
    author ID (when appropriate).
  * Expands the documentation for the SecurityManager checkAccess
    function.
  * Removes the workaround from PR #4012.
  * Cleans up the `bin/createUserSession.js` test script.
2020-09-08 15:04:17 +01:00
Richard Hansen
db0bcb524e SecurityManager: Use constants for returned rejections
This reduces the chances of a typo-induced bug.
2020-09-08 14:53:28 +01:00
Sebastian Castro
818194da90
editor/performance: Fix performance for large pads (#4267)
* Fix line numbers top padding

This old rule was conflicting with new css rules introduced in 1.8.4

* Fixes #4228 Performance degradation for long pads 

Due to layout trashing when calculating new heights
2020-09-08 14:52:26 +01:00
Richard Hansen
da459888dc plugins: Move plugin definitions to avoid monkey patching
Also document the plugin data structures.
2020-09-08 00:50:24 +01:00
Richard Hansen
dcbf876d03 hooks: New mechanism to deprecate hooks
I plan on splitting authFailure into authnFailure and authzFailure so
that separate authentication and authentication plugins can coexist
peacefully. This change will make it possible to mark the authFailure
hook as deprecated (which simply logs a warning).
2020-09-08 00:49:10 +01:00
Richard Hansen
8cf2bcaeb4 plugins: Fix type typo
`exports.parts` is a topologically sorted array, but the intermediate
collection of parts assembled in `plugins.update()` is associative.
2020-09-08 00:47:32 +01:00
Richard Hansen
c3b2e68dad Revert "Delete redundant token2author DB save"
Something's weird here; this change shouldn't have any effect. I'll
have to squint at the code some more.

This reverts commit 2bf076043f.

Fixes #4262
2020-09-08 00:46:01 +01:00
webzwo0i
49a6b1dac2 GroupManager: typo during session deletion 2020-09-08 00:45:39 +01:00
translatewiki.net
efa4ba3cf1 Localisation updates from https://translatewiki.net. 2020-09-07 16:40:05 +02:00
Richard Hansen
68be78ace0 SecurityManager: Simplify checkAccess 2020-09-07 08:34:15 +01:00
Richard Hansen
17096919e0 PadMessageHandler: Delete redundant check
This check is already made very early in `handleMessage`.
2020-09-05 22:49:07 +01:00
Richard Hansen
d4162341e7 webaccess: Always sleep for 1s before returning HTTP 401
Not all authentication plugins require the Authorization header, so it
might not be present in subsequent attempts. (In particular, a reverse
proxy might strip it.)
2020-09-05 22:45:46 +01:00
Richard Hansen
442fe1e86f pluginfw: Always include the function name in hook_fn_name
Plugin authors are allowed to omit the function name in the `ep.json`
parts definition. For example:

```
{
  "parts": [
    {
      "name": "ep_example",
      "hooks": {
        "authenticate": "ep_example",
        "authFailure": "ep_example"
      }
    }
  ]
}
```

If omitted, the function name is assumed to be the same as the hook
name. Before this change, `hook_fn_name` for the example hooks would
both be `/opt/etherpad-lite/node_modules/ep_example`. Now they are
suffixed with `:authenticate` and `:authFailure`. This improves
logging, and it makes it possible to use `hook_fn_name` to uniquely
identify a particular hook function.
2020-09-05 22:43:17 +01:00
Richard Hansen
6f3e7d14f6 hooks: Always return a list from aCallFirst and callFirst
Every existing caller of `aCallFirst` expects a list and will throw an
exception if given `undefined`. (Nobody calls `callFirst`, except
maybe plugins.)
2020-09-05 20:35:19 +01:00
Richard Hansen
9f288480e8 docs: Revise hooks overview section 2020-09-05 20:34:47 +01:00
John McLear
ec01e4c947
tests: npminstall before update
Some plugins have npm dependencies, we should install them before testing them.
2020-09-05 12:44:49 +01:00
Richard Hansen
2bf076043f Delete redundant token2author DB save
See:
https://github.com/ether/etherpad-lite/pull/4012#issuecomment-686005563
https://github.com/ether/etherpad-lite/issues/4006
2020-09-05 12:40:16 +01:00