From 6e13cebffe083b472f86db2c1434e4aaa2129b16 Mon Sep 17 00:00:00 2001 From: Half-Shot Date: Thu, 16 Apr 2020 14:52:25 +0100 Subject: [PATCH 1/3] Run requestCheckToken against provisioner endpoint --- package-lock.json | 93 ++++++++++------------- package.json | 2 +- src/provisioning/Provisioner.ts | 8 +- types/matrix-appservice-bridge/index.d.ts | 2 +- 4 files changed, 49 insertions(+), 56 deletions(-) diff --git a/package-lock.json b/package-lock.json index 389251ea7..831252754 100644 --- a/package-lock.json +++ b/package-lock.json @@ -579,9 +579,9 @@ "dev": true }, "base-x": { - "version": "3.0.7", - "resolved": "https://registry.npmjs.org/base-x/-/base-x-3.0.7.tgz", - "integrity": "sha512-zAKJGuQPihXW22fkrfOclUUZXM2g92z5GzlSMHxhO6r6Qj+Nm0ccaGNBzDZojzwOMkpjAv4J0fOv1U4go+a4iw==", + "version": "3.0.8", + "resolved": "https://registry.npmjs.org/base-x/-/base-x-3.0.8.tgz", + "integrity": "sha512-Rl/1AWP4J/zRrk54hhlxH4drNxPJXYUaKffODVI53/dAsV4t9fBxyxYKAVPU1XBHxYwOWP9h9H0hM2MVw4YfJA==", "requires": { "safe-buffer": "^5.0.1" } @@ -1282,6 +1282,11 @@ "resolved": "https://registry.npmjs.org/etag/-/etag-1.8.1.tgz", "integrity": "sha1-Qa4u62XvpiJorr/qg6x9eSmbCIc=" }, + "eventemitter3": { + "version": "4.0.0", + "resolved": "https://registry.npmjs.org/eventemitter3/-/eventemitter3-4.0.0.tgz", + "integrity": "sha512-qerSRB0p+UDEssxTtm6EDKcE7W4OaoisfIMl4CngyEhjpYglocpNg6UEqCvemdGhosAsg4sO2dXJOdyBifPGCg==" + }, "express": { "version": "4.17.1", "resolved": "https://registry.npmjs.org/express/-/express-4.17.1.tgz", 
@@ -2226,9 +2231,9 @@ } }, "loglevel": { - "version": "1.6.7", - "resolved": "https://registry.npmjs.org/loglevel/-/loglevel-1.6.7.tgz", - "integrity": "sha512-cY2eLFrQSAfVPhCgH1s7JI73tMbg9YC3v3+ZHVW67sBS7UxWzNEk/ZBbSfLykBWHp33dqqtOv82gjhKEi81T/A==" + "version": "1.6.8", + "resolved": "https://registry.npmjs.org/loglevel/-/loglevel-1.6.8.tgz", + "integrity": "sha512-bsU7+gc9AJ2SqpzxwU3+1fedl8zAntbtC5XYlt3s2j1hJcn2PsXSmgN8TaLG/J1/2mod4+cE/3vNL70/c1RNCA==" }, "lowdb": { "version": "1.0.0", @@ -2286,9 +2291,9 @@ } }, "matrix-appservice-bridge": { - "version": "1.11.1", - "resolved": "https://registry.npmjs.org/matrix-appservice-bridge/-/matrix-appservice-bridge-1.11.1.tgz", - "integrity": "sha512-xrtjxScBIx33HRkiK/5G6wkUxZ9jxF9GqTiKzM/Fn7CgMZoHVDIms3sTc7ybZKA6RHAqH68bg4Eg4JbGCtUrhw==", + "version": "1.12.1", + "resolved": "https://registry.npmjs.org/matrix-appservice-bridge/-/matrix-appservice-bridge-1.12.1.tgz", + "integrity": "sha512-l2IAMmRwKDcIl+63OLLxXWSozedYC5/B1JFMpU50fOoeSpSVqFf68Ucu9yEdM5RddQCzJPmA6cVRthPOvq7K0g==", "requires": { "bluebird": "^2.9.34", "chalk": "^2.4.1", @@ -2299,21 +2304,13 @@ "matrix-js-sdk": "^2.3.0", "nedb": "^1.1.3", "nopt": "^3.0.3", + "p-queue": "^6.3.0", "prom-client": "^11.1.1", "request": "^2.61.0", "winston": "^3.1.0", "winston-daily-rotate-file": "^3.3.3" }, "dependencies": { - "async": { - "version": "2.6.3", - "resolved": "https://registry.npmjs.org/async/-/async-2.6.3.tgz", - "integrity": "sha512-zflvls11DCy+dQWzTW2dzuilv8Z5X/pjfmZOWba6TNIVDm+2UDaJmXSOXlasHKfNBs8oo3M0aT50fDEWfKZjXg==", - "optional": true, - "requires": { - "lodash": "^4.17.14" - } - }, "bluebird": { "version": "2.11.0", "resolved": "https://registry.npmjs.org/bluebird/-/bluebird-2.11.0.tgz", 
@@ -2330,38 +2327,6 @@ "integrity": "sha512-b39TBaTSfV6yBrapU89p5fKekE2m/NwnDocOVruQFS1/veMgdzuPcnOM34M6CwxW8jH/lxEa5rBoDeUwu5HHTw==", "optional": true }, - "winston": { - "version": "3.2.1", - "resolved": "https://registry.npmjs.org/winston/-/winston-3.2.1.tgz", - "integrity": "sha512-zU6vgnS9dAWCEKg/QYigd6cgMVVNwyTzKs81XZtTFuRwJOcDdBg7AU0mXVyNbs7O5RH2zdv+BdNZUlx7mXPuOw==", - "optional": true, - "requires": { - "async": "^2.6.1", - "diagnostics": "^1.1.1", - "is-stream": "^1.1.0", - "logform": "^2.1.1", - "one-time": "0.0.4", - "readable-stream": "^3.1.1", - "stack-trace": "0.0.x", - "triple-beam": "^1.3.0", - "winston-transport": "^4.3.0" - }, - "dependencies": { - "logform": { - "version": "2.1.2", - "resolved": "https://registry.npmjs.org/logform/-/logform-2.1.2.tgz", - "integrity": "sha512-+lZh4OpERDBLqjiwDLpAWNQu6KMjnlXH2ByZwCuSqVPJletw0kTWJf5CgSNAUKn1KUkv3m2cUz/LK8zyEy7wzQ==", - "optional": true, - "requires": { - "colors": "^1.2.1", - "fast-safe-stringify": "^2.0.4", - "fecha": "^2.3.3", - "ms": "^2.1.1", - "triple-beam": "^1.3.0" - } - } - } - }, "winston-daily-rotate-file": { "version": "3.10.0", "resolved": "https://registry.npmjs.org/winston-daily-rotate-file/-/winston-daily-rotate-file-3.10.0.tgz", @@ -2776,6 +2741,11 @@ "integrity": "sha1-u+Z0BseaqFxc/sdm/lc0VV36EnQ=", "dev": true }, + "p-finally": { + "version": "1.0.0", + "resolved": "https://registry.npmjs.org/p-finally/-/p-finally-1.0.0.tgz", + "integrity": "sha1-P7z7FbiZpEEjs0ttzBi3JDNqLK4=" + }, "p-limit": { "version": "2.2.2", "resolved": "https://registry.npmjs.org/p-limit/-/p-limit-2.2.2.tgz", 
@@ -2794,6 +2764,23 @@ "p-limit": "^2.0.0" } }, + "p-queue": { + "version": "6.3.0", + "resolved": "https://registry.npmjs.org/p-queue/-/p-queue-6.3.0.tgz", + "integrity": "sha512-fg5dJlFpd5+3CgG3/0ogpVZUeJbjiyXFg0nu53hrOYsybqSiDyxyOpad0Rm6tAiGjgztAwkyvhlYHC53OiAJOA==", + "requires": { + "eventemitter3": "^4.0.0", + "p-timeout": "^3.1.0" + } + }, + "p-timeout": { + "version": "3.2.0", + "resolved": "https://registry.npmjs.org/p-timeout/-/p-timeout-3.2.0.tgz", + "integrity": "sha512-rhIwUycgwwKcP9yTOOFK/AKsAopjjCakVqLHePO3CC6Mir1Z99xT+R63jZxAT5lFZLa2inS5h+ZS2GvR99/FBg==", + "requires": { + "p-finally": "^1.0.0" + } + }, "p-try": { "version": "2.2.0", "resolved": "https://registry.npmjs.org/p-try/-/p-try-2.2.0.tgz", @@ -3746,9 +3733,9 @@ "integrity": "sha1-YaajIBBiKvoHljvzJSA88SI51gQ=" }, "unhomoglyph": { - "version": "1.0.4", - "resolved": "https://registry.npmjs.org/unhomoglyph/-/unhomoglyph-1.0.4.tgz", - "integrity": "sha512-+y+QeEXwm4f0H8Tmy9fFUWHM95YcFjJLlv83/p3+EARUkeJBxnSOBADVyeuSq0TsRJ/UexxCXBKXo40ksu715w==" + "version": "1.0.5", + "resolved": "https://registry.npmjs.org/unhomoglyph/-/unhomoglyph-1.0.5.tgz", + "integrity": "sha512-rNAw2rGogjq4BVhsCX8K6qXrCcHmUaMCHETlUG0ujGZ3OHwnzJHwdMyzy3n/c9Y7lvlbckOd9nkW33grUVE3bg==" }, "unpipe": { "version": "1.0.0", diff --git a/package.json b/package.json index ff62cb94f..297a979b0 100644 --- a/package.json +++ b/package.json @@ -36,7 +36,7 @@ "js-yaml": "^3.2.7", "logform": "^2.1.2", "matrix-appservice": "^0.4.1", - "matrix-appservice-bridge": "^1.11.1", + "matrix-appservice-bridge": "^1.12.1", "matrix-lastactive": "^0.1.3", "nedb": "^1.1.2", "nopt": "^3.0.1", diff --git a/src/provisioning/Provisioner.ts b/src/provisioning/Provisioner.ts index a6bdb75de..639018bfa 100644 --- a/src/provisioning/Provisioner.ts +++ b/src/provisioning/Provisioner.ts 
@@ -132,12 +132,18 @@ export class Provisioner { // Deal with CORS (temporarily for s-web) app.use((req, res, next) => { + if (!this.ircBridge.getAppServiceBridge().requestCheckToken(req)) { + return res.status(403).send({ + errcode: "M_FORBIDDEN", + error: "Bad token supplied," + }); + } if (this.isProvisionRequest(req)) { res.header("Access-Control-Allow-Origin", "*"); res.header("Access-Control-Allow-Headers", "Origin, X-Requested-With, Content-Type, Accept"); } - next(); + return next(); }); app.post("/_matrix/provision/link", diff --git a/types/matrix-appservice-bridge/index.d.ts b/types/matrix-appservice-bridge/index.d.ts index ec509ae9f..b7ff4ec5b 100644 --- a/types/matrix-appservice-bridge/index.d.ts +++ b/types/matrix-appservice-bridge/index.d.ts @@ -260,7 +260,7 @@ declare module 'matrix-appservice-bridge' { getPrometheusMetrics(): PrometheusMetrics; getIntent(userId?: string): Intent; getIntentFromLocalpart(localpart: string): Intent; - + requestCheckToken(req: Express.Request): boolean; run(port: number, config: undefined, appservice?: import("matrix-appservice").AppService, hostname?: string): void; registerBridgeGauges(cb: () => void): void; getClientFactory(): ClientFactory; From 6b9b14d962c76c41beff6ce4fc11599314e918c5 Mon Sep 17 00:00:00 2001 From: Half-Shot Date: Thu, 16 Apr 2020 14:56:06 +0100 Subject: [PATCH 2/3] changelog --- changelog.d/1035.bugfix | 1 + 1 file changed, 1 insertion(+) create mode 100644 changelog.d/1035.bugfix diff --git a/changelog.d/1035.bugfix b/changelog.d/1035.bugfix new file mode 100644 index 000000000..eac0b8438 --- /dev/null +++ b/changelog.d/1035.bugfix @@ -0,0 +1 @@ +**SECURITY FIX** The bridge now authenticatess the /_matrix/provision set of endpoints. It now requires either a `access_token` query parameter or a `Authorization` header containing the `hs_token` provided in the registration file. \ No newline at end of file From 862c1c3a6afe5dd15a7f827aab3d39ecacd531c0 Mon Sep 17 00:00:00 2001 
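Review bot: The token check sits in a path-less `app.use(...)`, so it also runs for the CORS preflight `OPTIONS` requests that a browser client such as the s-web mentioned in the comment will send, and those preflights carry no token, so they get the 403 and the cross-origin call never happens; the same applies to the reordered middleware in PATCH 3/3. The `Access-Control-Allow-Headers` value in the same hunk lists only `Origin, X-Requested-With, Content-Type, Accept`, which means a cross-origin caller cannot present the token in an `Authorization` header at all and is pushed towards the `access_token` query parameter, which tends to end up in access logs and proxies. I would answer preflights before the check with `if (req.method === "OPTIONS") { res.sendStatus(204); return; }` and extend the allow list to `res.header("Access-Control-Allow-Headers", "Origin, X-Requested-With, Content-Type, Accept, Authorization");`, so the secret can stay in a header; whether the s-web client actually relies on preflighted requests I cannot confirm from the hunk. The method that registers this middleware starts and ends outside the hunk.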
From: Half-Shot Date: Thu, 16 Apr 2020 16:46:19 +0100 Subject: [PATCH 3/3] tidyup --- src/provisioning/Provisioner.ts | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-) diff --git a/src/provisioning/Provisioner.ts b/src/provisioning/Provisioner.ts index 639018bfa..a7ae9d1ec 100644 --- a/src/provisioning/Provisioner.ts +++ b/src/provisioning/Provisioner.ts @@ -130,20 +130,21 @@ export class Provisioner { }); } - // Deal with CORS (temporarily for s-web) app.use((req, res, next) => { - if (!this.ircBridge.getAppServiceBridge().requestCheckToken(req)) { - return res.status(403).send({ - errcode: "M_FORBIDDEN", - error: "Bad token supplied," - }); - } + // Deal with CORS (temporarily for s-web) if (this.isProvisionRequest(req)) { res.header("Access-Control-Allow-Origin", "*"); res.header("Access-Control-Allow-Headers", "Origin, X-Requested-With, Content-Type, Accept"); } - return next(); + if (!this.ircBridge.getAppServiceBridge().requestCheckToken(req)) { + res.status(403).send({ + errcode: "M_FORBIDDEN", + error: "Bad token supplied" + }); + return; + } + next(); }); app.post("/_matrix/provision/link",
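Review bot: A failed `requestCheckToken` check answers with a bare 403 and leaves no trace, so repeated bad-token attempts against the provisioning endpoints are invisible to an operator; before `res.status(403).send(...)` I would emit a warn-level line with `req.method`, `req.path` and `req.ip` (the module's logger, if it has one, is not visible in this hunk, so the exact call is for the author to confirm). The check still runs for every request reaching this app, including preflight `OPTIONS`, which the note on PATCH 1/3 covers. The method that registers this middleware starts and ends outside the hunk.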