Commit Graph

266 Commits (4890cd8972a460f8c84dffafe0b3c436077624d5)

Author SHA1 Message Date
JustAnotherArchivist fe7d223b6e Docker: Expose socketIo.maxHttpBufferSize and dumpOnUncleanExit settings as environment variables 2021-09-16 19:14:36 +00:00
Myzel394 15964345f7 fixed typo 2021-08-31 16:00:12 +01:00
Richard Hansen 0d65dc8a44 pad: Add `clientVars` to `postAceInit` hook context
This allows plugins to avoid the `clientVars` global variable.
2021-08-25 14:59:17 -04:00
Richard Hansen ee41de4809 pad_editbar: Deprecate the `toggleDropDown` callback 2021-08-14 07:08:57 -04:00
Richard Hansen 5d39a57507 Pad: Delete dead `ace_getFormattedCode()` 2021-07-30 03:49:35 -04:00
jon r bb7ece7d7e doc/docker.md - add sqlite to DB_FILENAME
The configuration option `DB_FILENAME` is also used in conjunction with the `sqlite` ueberdb2 adapter.
2021-07-02 16:39:17 -04:00
Richard Hansen f8a9cd4bad docs: Revise `clientVars` documentation 2021-06-18 22:22:56 -04:00
Richard Hansen ef1ba21104 deps: Drop support for Node.js < 12.13.0 2021-06-14 23:17:17 +02:00
pcworld 3c71e8983b Fix read only pad access with authentication
Before this commit, webaccess.checkAccess saved the authorization in
user.padAuthorizations[padId] with padId being the read-only pad ID,
however later stages, e.g. in PadMessageHandler, use the real pad ID for
access checks. This led to authorization being denied.

This commit fixes it by only storing and comparing the real pad IDs and
not read-only pad IDs.

This fixes test case "authn user readonly pad -> 200, ok" in
src/tests/backend/specs/socketio.js.
2021-04-12 22:51:06 -04:00
Richard Hansen 74554d36a5 chat: Allow `chatNewMessage` hook to modify more values 2021-04-11 06:20:29 +02:00
Mikk Andresen 78ea888cb7 DOCS: Add basic styles for tables and resources section to Changeset docs - https://github.com/citizenos/citizenos-fe/issues/535 2021-04-06 21:42:01 +02:00
John McLear 4a65acf417
docs: fix links from TOC to Headings and improve appearance of docs (a little) (#4866)
* docs: fix links from TOC to Headings
* docs: Styling

Just a little modernisation of the appearance of the documentation

* Update src/bin/doc/package.json

Co-authored-by: Richard Hansen <rhansen@rhansen.org>

Co-authored-by: Richard Hansen <rhansen@rhansen.org>
2021-02-25 09:01:45 +00:00
John McLear 0f16e518ff
api: drop JSONP (#4835)
* api: drop JSONP

* docs: drop JSONP

* tests: drop JSONP

* api: remove isValidJSONPName require
2021-02-22 09:10:02 +00:00
Richard Hansen 6198e92706 tests: Pass `--legacy-peer-deps` flag to work around npm v7 bug
This flag is unknown to npm v6, but npm v6 silently ignores unknown
flags.
2021-02-22 03:36:12 -05:00
Richard Hansen 6163339c0d plugins: Always install plugins with `--no-save`
The npm CLI can get confused if `package.json` or `package-lock.json`
exist.
2021-02-18 19:18:59 +00:00
Ole Langbehn 24c1639f11
feat(docker): Add build var for optionally installing abiword (#4796)
This MR introduces a docker build variable `INSTALL_ABIWORD`. When set
to any value other than `0`, ABIWORD is installed in the resulting
docker container, enabling the possibility to configure ABIWORD in
settings.json.docker or via ENV VAR `ABIWORD` for exporting to
DOC/PDF/ODT.

Documentation is included inline and in the docker markdown file.
2021-02-18 04:27:52 -05:00
Ole Langbehn 4c6a12ce2b Add commitRateLimiting settings block to settings.json.docker
The settings commitRateLimiting.duration and commitRateLimiting.points
were not available in the settings.json.docker file, and therefore it
was not possible to override their values via environment variables.

Now, they can be overridden by setting the following env vars:

* commitRateLimiting.duration: COMMIT_RATE_LIMIT_DURATION
* commitRateLimiting.points:   COMMIT_RATE_LIMIT_POINTS
2021-02-08 19:19:03 +00:00
Richard Hansen 8b28e00784 restructure: Prefix `bin/` and `tests/` with `src/`
This is a follow-up to commit
2ea8ea1275.
2021-02-05 21:52:08 +00:00
freddii ea202e41f6 docs: fixed typos 2021-02-03 00:30:07 +01:00
John McLear 0cc8405e9c Bump minimum required Node.js version to 10.17.0
This makes it possible to use fs.promises.
2021-01-30 17:00:40 -05:00
Richard Hansen e3a47e48f9 contentcollector: Fix collectContentLineText hook
Before, the hook always ignored the return values provided by the hook
functions. Now the hook functions can change the text by either
returning a string or setting `context.text` to the desired value.

Also drop the `styl` and `cls` context properties. They were never
documented and they were always null.
2021-01-27 04:59:36 +00:00
Richard Hansen bfe813fca2 docs: Wrap long lines and fix whitespace 2021-01-22 02:25:48 -05:00
John McLear 38c9827161
Feature: Scroll to Line number based on Hash IE http://foo.com/p/bar#L10 will scroll to line 10. (#4554)
Includes test coverage
Co-authored-by: webzwo0i <webzwo0i@c3d2.de>
2020-12-26 22:05:08 +01:00
Richard Hansen 8c1afc3399 express: New expressCloseServer hook
This will be used by a future commit to close all socket.io
connections during server restart.
2020-12-23 16:18:28 -05:00
John McLear 83e28ec031
docs: correct name for callback function 2020-11-26 10:10:43 +00:00
Richard Hansen cedd27e4fe plugins: Default the module name to the plugin name 2020-11-13 20:30:27 +00:00
Richard Hansen 6c07229d38 docs: Revise plugin documentation 2020-11-13 20:30:27 +00:00
Richard Hansen cc8dbb07fd docs: Wrap long lines
Also add blank lines around section headings and code blocks.
2020-11-13 20:30:27 +00:00
Richard Hansen 6a8563eeab import/export: Simplify exportEtherpadAdditionalContent processing
Also:
  * Improve parallelization
  * Refine the documentation
2020-11-10 23:02:43 +00:00
Richard Hansen 68a91f5e24 HTML export: Move `padId` to context object property 2020-11-10 07:13:26 +00:00
John McLear 881d8b8d95
pluginfw: Hook to include additional body in HTML exports (#4469)
* hook, needs docs

* docs
2020-11-06 13:48:59 +00:00
John McLear 3fa58efede
pluginfw: Export .etherpad hooks (#4466)
* export support

* proper prefix

* just a basic example, needs working on still

* docs

* comments shouldnt be hard coded
2020-11-06 13:48:25 +00:00
Richard Hansen 91268e14b7 PadMessageHandler: Rename `client` to `socket`
The `client` variable is actually a socket.io Socket object. Rename it
to reduce confusion.
2020-11-02 20:39:08 +00:00
chandi 30b1273853 docs: fix key in padUpdate context 2020-10-26 23:43:09 +00:00
Richard Hansen 36aceb3aba hooks: Rewrite `callAll` and `aCallAll` for consistency
Rewrite the `callAll` and `aCallAll` functions to support all
reasonable hook behaviors and to report errors for unreasonable
behaviors (e.g., calling the callback twice).

Now a hook function like the following works as expected when invoked
by `aCallAll`:

```
exports.myHookFn = (hookName, context, cb) => {
  cb('some value');
  return;
};
```
2020-10-24 16:08:50 +01:00
chandi 94cb000e8f
plugins: include more data within padUpdate hook (#4425)
* Including more data at pad update event

* docs: new context fields in padUpdate

Co-authored-by: Pedro Beschorner Marin <pedrobmarin@gmail.com>
2020-10-21 18:04:03 +01:00
Richard Hansen a4927095ae CSP: Disable the indexCustomInlineScripts hook 2020-10-11 20:31:00 +01:00
John McLear 66df0a572f
Security: FEATURE REMOVAL: Remove all plain text password logic and ui (#4178)
This will be a breaking change for some people.  

We removed all internal password control logic.  If this affects you, you have two options:

1. Use a plugin for authentication and use session based pad access (recommended).
1. Use a plugin for password setting.

The reasoning for removing this feature is to reduce the overall security footprint of Etherpad.  It is unnecessary and cumbersome to keep this feature and with the thousands of available authentication methods available in the world our focus should be on supporting those and allowing more granual access based on their implementations (instead of half assed baking our own).
2020-10-07 13:43:54 +01:00
Richard Hansen ba6bdf35be Make the aceAttribClasses hook harder to misuse 2020-10-07 10:37:56 +01:00
Richard Hansen bf9d613e95
feature: New user-specific `readOnly` and `canCreate` settings (#4370)
Also:
  * Group the tests for readability.
  * Factor out some common test setup.
2020-09-28 11:22:06 +01:00
Richard Hansen 180983736d security: Enable authorize plugins to grant read-only access 2020-09-27 22:55:49 +01:00
Richard Hansen 304318b618 webaccess: Move pre-authn authz check to a separate hook
Before this change, the authorize hook was invoked twice: once before
authentication and again after (if settings.requireAuthorization is
true). Now pre-authentication authorization is instead handled by a
new preAuthorize hook, and the authorize hook is only invoked after
the user has authenticated.

Rationale: Without this change it is too easy to write an
authorization plugin that is too permissive. Specifically:

  * If the plugin does not check the path for /admin then a non-admin
    user might be able to access /admin pages.
  * If the plugin assumes that the user has already been authenticated
    by the time the authorize function is called then unauthenticated
    users might be able to gain access to restricted resources.

This change also avoids calling the plugin's authorize function twice
per access, which makes it easier for plugin authors to write an
authorization plugin that is easy to understand.

This change may break existing authorization plugins: After this
change, the authorize hook will no longer be able to authorize
non-admin access to /admin pages. This is intentional. Access to admin
pages should instead be controlled via the `is_admin` user setting,
which can be set in the config file or by an authentication plugin.

Also:
  * Add tests for the authenticate and authorize hooks.
  * Disable the authentication failure delay when testing.
2020-09-27 21:19:58 +01:00
Richard Hansen ab5934cbda webaccess: Split authFailure hook into authnFailure and authzFailure
This makes it possible for plugins to return different pages to the
user depending on whether the auth failure was authn or authz.
2020-09-26 19:37:11 +01:00
Richard Hansen 02757079c0 security: Enable authorize plugins to grant modify-only access 2020-09-26 18:36:36 +01:00
Richard Hansen 53fd0b4f98 webaccess: Return 401 for authn failure, 403 for authz failure
This makes it possible for reverse proxies to transform 403 errors
into something like "upgrade to a premium account to access this
pad".

Also add some webaccess tests.
2020-09-24 10:41:58 +01:00
Richard Hansen 1bb44098df PadMessageHandler: Move handleMessage hooks after access check
Move the handleMessageSecurity and handleMessage hooks after the call
to securityManager.checkAccess.

Benefits:

  * A handleMessage plugin can safely assume the message will be
    handled unless the plugin itself drops the message, so it doesn't
    need to repeat the access checks done by the `handleMessage`
    function.
  * This paves the way for a future enhancement: pass the author ID to
    the hooks.

Note: The handleMessageSecurity hook is broken in several ways:

  * The hook result is ignored for `CLIENT_READY` and `SWITCH_TO_PAD`
    messages because the `handleClientReady` function overwrites the
    hook result. This causes the client to receive client vars with
    `readonly` set to true, which causes the client to display an
    immutable pad even though the pad is technically writable.
  * The formatting toolbar buttons are removed for read-only pads
    before the handleMessageSecurity hook even runs.
  * It is awkwardly named: Without reading the documentation, how is
    one supposed to know that "handle message security" actually means
    "grant one-time write access to a read-only pad"?
  * It is called for every message even though calls after a
    `CLIENT_READY` or `SWITCH_TO_PAD` are mostly pointless.
  * Why would anyone want to grant write access when the user visits a
    read-only pad URL? The user should just visit the writable pad URL
    instead.
  * Why would anyone want to grant write access that only lasts for a
    single socket.io connection?
  * There are better ways to temporarily grant write access (e.g., the
    authorize hook).
  * This hook is inviting bugs because it breaks a core assumption
    about `/p/r.*` URLs.

I think the hook should be deprecated and eventually removed.
2020-09-23 08:26:47 +01:00
Richard Hansen a000a93dc6 Refactor startup/shutdown for tests
* `src/node/server.js` can now be run as a script (for normal
    operation) or imported as a module (for tests).
  * Move shutdown actions to `src/node/server.js` to be close to the
    startup actions.
  * Put startup and shutdown in functions so that tests can call them.
  * Use `await` instead of callbacks.
  * Block until the HTTP server is listening to avoid races during
    test startup.
  * Add a new `shutdown` hook.
  * Use the `shutdown` hook to:
      * close the HTTP server
      * call `end()` on the stats collection to cancel its timers
      * call `terminate()` on the Threads.Pool to stop the workers
  * Exit with exit code 0 (instead of 1) on SIGTERM.
  * Export the HTTP server so that tests can get the HTTP server's
    port via `server.address().port` when `settings.port` is 0.
2020-09-22 11:07:21 +01:00
Joas Souza 8c04fe8775
Feature: Copy Pad without history (#4295)
New feature to copy a pad without copying entire history.  This is useful to perform a low CPU intensive operation while still copying current pad state.
2020-09-16 19:24:09 +01:00
Richard Hansen b80a37173e security: Fix authorization bypass vulnerability
Before, a malicious user could bypass authorization restrictions
imposed by the authorize hook:

 * Step 1: Fetch any resource that the malicious user is authorized to
   access (e.g., static content).
 * Step 2: Use the signed express_sid cookie generated in step 1 to
   create a socket.io connection.
 * Step 3: Perform the CLIENT_READY handshake for the desired pad.
 * Step 4: Profit!

Now the authorization decision made by the authorize hook is
propagated to SecurityManager so that it can approve or reject
socket.io messages as appropriate.

This also sets up future support for per-user read-only and
modify-only (no create) authorization levels.
2020-09-15 21:40:25 +01:00
Richard Hansen 80639fdc6a webaccess: Pass `settings.users` to the authenticate hook
Authentication plugins almost always want to read and modify
`settings.users`. The settings can already be accessed in a few other
ways, but this is much more convenient.
2020-09-15 19:26:24 +01:00