Merge pull request #9215 from RocketChat/hotfix/upload-access
Fix: Upload access control too distributed
rodrigok committed Dec 26, 2017
1 parent 4e3bba9 commit 41712bf
Showing 3 changed files with 37 additions and 74 deletions.
38 changes: 2 additions & 36 deletions packages/rocketchat-file-upload/server/config/GridFS.js
Expand Up @@ -4,9 +4,6 @@ import zlib from 'zlib';
import util from 'util';

import { FileUploadClass } from '../lib/FileUpload';
import { Cookies } from 'meteor/ostrio:cookies';

const cookie = new Cookies();

const logger = new Logger('FileUpload');

Expand Down Expand Up @@ -126,46 +123,15 @@ const readFromGridFS = function(storeName, fileId, file, headers, req, res) {
}
};

const onRead = function(fileId, file, req, res) {
if (RocketChat.settings.get('FileUpload_ProtectFiles')) {
let uid;
let token;

if (req && req.headers && req.headers.cookie) {
const rawCookies = req.headers.cookie;

if (rawCookies) {
uid = cookie.get('rc_uid', rawCookies) ;
token = cookie.get('rc_token', rawCookies);
}
}

if (!uid) {
uid = req.query.rc_uid;
token = req.query.rc_token;
}

if (!uid || !token || !RocketChat.models.Users.findOneByIdAndLoginToken(uid, token)) {
res.writeHead(403);
return false;
}
}

res.setHeader('content-disposition', `attachment; filename="${ encodeURIComponent(file.name) }"`);
return true;
};

FileUpload.configureUploadsStore('GridFS', 'GridFS:Uploads', {
collectionName: 'rocketchat_uploads',
onRead
collectionName: 'rocketchat_uploads'
});

// DEPRECATED: backwards compatibility (remove)
UploadFS.getStores()['rocketchat_uploads'] = UploadFS.getStores()['GridFS:Uploads'];

FileUpload.configureUploadsStore('GridFS', 'GridFS:Avatars', {
collectionName: 'rocketchat_avatars',
onRead
collectionName: 'rocketchat_avatars'
});


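Review bot: With `onRead` dropped from both `configureUploadsStore` calls, the 403 check and the `content-disposition: attachment` header for the `GridFS:Uploads` and `GridFS:Avatars` stores now depend entirely on the default store config in `lib/FileUpload.js` being merged into these stores by `configureUploadsStore`, which this page does not show; confirm that an explicitly passed `{ collectionName }` does not replace the defaults wholesale, or these files would be served without any access check. A one-line comment above the first call would make that dependency visible, e.g. `// onRead (access check + content-disposition) comes from the default store config in lib/FileUpload.js`. The hunk opens on the tail of `readFromGridFS`, whose body starts outside the visible lines.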
33 changes: 32 additions & 1 deletion packages/rocketchat-file-upload/server/lib/FileUpload.js
Expand Up @@ -4,6 +4,9 @@ import fs from 'fs';
import stream from 'stream';
import mime from 'mime-type/with-db';
import Future from 'fibers/future';
import { Cookies } from 'meteor/ostrio:cookies';

const cookie = new Cookies();

Object.assign(FileUpload, {
handlers: {},
Expand All @@ -28,7 +31,16 @@ Object.assign(FileUpload, {
return `${ RocketChat.settings.get('uniqueID') }/uploads/${ file.rid }/${ file.userId }/${ file._id }`;
},
// transformWrite: FileUpload.uploadsTransformWrite
onValidate: FileUpload.uploadsOnValidate
onValidate: FileUpload.uploadsOnValidate,
onRead(fileId, file, req, res) {
if (!FileUpload.requestCanAccessFiles(req)) {
res.writeHead(403);
return false;
}

res.setHeader('content-disposition', `attachment; filename="${ encodeURIComponent(file.name) }"`);
return true;
}
};
},

Expand Down Expand Up @@ -156,6 +168,25 @@ Object.assign(FileUpload, {
// console.log('upload finished ->', file);
},

requestCanAccessFiles({ headers = {}, query = {} }) {
if (!RocketChat.settings.get('FileUpload_ProtectFiles')) {
return true;
}

let { uid, token } = query;

if (!uid && headers.cookie) {
uid = cookie.get('rc_uid', headers.cookie) ;
token = cookie.get('rc_token', headers.cookie);
}

if (!uid || !token || !RocketChat.models.Users.findOneByIdAndLoginToken(uid, token)) {
return false;
}

return true;
},

addExtensionTo(file) {
if (mime.lookup(file.name) === file.type) {
return file;
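Review bot: `requestCanAccessFiles` reads `uid` and `token` from the query string (`let { uid, token } = query;`), but the code it replaces — `onRead` in GridFS.js and the handler in requests.js — read `req.query.rc_uid` and `req.query.rc_token`, and the cookie lookups a few lines below still use `rc_uid`/`rc_token`; a client that authenticates through the query string with no cookie would now fall through to the cookie branch and be refused with 403. Keeping the wire names would be `let { rc_uid: uid, rc_token: token } = query;`. The function also destructures `req` directly, so a missing `req` throws where the old GridFS `onRead` guarded with `req && req.headers` — worth confirming that UploadFS always passes one to `onRead`. The precedence has also flipped (query string is now consulted before the cookie, the reverse of the old order), which deserves a sentence in a JSDoc on the function so the next maintainer does not "fix" it back.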
40 changes: 3 additions & 37 deletions packages/rocketchat-file-upload/server/lib/requests.js
@@ -1,11 +1,4 @@
/* globals FileUpload, WebApp */
import { Cookies } from 'meteor/ostrio:cookies';

let protectedFiles;

RocketChat.settings.get('FileUpload_ProtectFiles', function(key, value) {
protectedFiles = value;
});

WebApp.connectHandlers.use(`${ __meteor_runtime_config__.ROOT_URL_PATH_PREFIX }/file-upload/`, function(req, res, next) {

Expand All @@ -15,43 +8,16 @@ WebApp.connectHandlers.use(`${ __meteor_runtime_config__.ROOT_URL_PATH_PREFIX }/
const file = RocketChat.models.Uploads.findOneById(match[1]);

if (file) {
if (!Meteor.settings.public.sandstorm && protectedFiles) {
let rawCookies;
let token;
let uid;
const cookie = new Cookies();

if (req.headers && req.headers.cookie != null) {
rawCookies = req.headers.cookie;
}

if (rawCookies != null) {
uid = cookie.get('rc_uid', rawCookies);
}

if (rawCookies != null) {
token = cookie.get('rc_token', rawCookies);
}

if (uid == null) {
uid = req.query.rc_uid;
token = req.query.rc_token;
}

if (!(uid && token && RocketChat.models.Users.findOneByIdAndLoginToken(uid, token))) {
res.writeHead(403);
res.end();
return false;
}
if (!Meteor.settings.public.sandstorm && !FileUpload.requestCanAccessFiles(req)) {
res.writeHead(403);
return res.end();
}

res.setHeader('Content-Security-Policy', 'default-src \'none\'');

return FileUpload.get(file, req, res, next);
}
}

res.writeHead(404);
res.end();
return;
});
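Review bot: The new 403 branch skips `FileUpload.requestCanAccessFiles(req)` entirely when `Meteor.settings.public.sandstorm` is set, and nothing in the handler says why, so the next reader is likely to take the bypass for a bug; a short comment would settle it, e.g. `// Sandstorm deployments skip the token check — presumably the platform authenticates the request upstream; confirm before relying on it`. The `Content-Security-Policy` header and the `FileUpload.get` call that follow are unchanged context. The handler's opening lines (route match and `match[1]`) sit outside this hunk.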
