Security issue: Notes do not require auth to be viewed
-
While HedgeDoc does require auth to log into the main site, if one copies a doc URL and shares it, or web history leaks, there is no auth required.
Looking into the config options in /app/data/config.json it's not clear there is a setting preventing such. (for example the sso/ldap directive is not present either.)
https://docs.hedgedoc.org/configuration/#users-and-privileges
mentions several settings, yet even if all are false to deny access and true to require auth, it doesn't change the behavior of the app.Tested by creating a new note, getting the browser URL and opening it in a private browser or different browser that hasn't been auth'd.
What combination of settings is required to resolve this?
The default config on Cloudron should be set more securely. -
While HedgeDoc does require auth to log into the main site, if one copies a doc URL and shares it, or web history leaks, there is no auth required.
Looking into the config options in /app/data/config.json it's not clear there is a setting preventing such. (for example the sso/ldap directive is not present either.)
https://docs.hedgedoc.org/configuration/#users-and-privileges
mentions several settings, yet even if all are false to deny access and true to require auth, it doesn't change the behavior of the app.Tested by creating a new note, getting the browser URL and opening it in a private browser or different browser that hasn't been auth'd.
What combination of settings is required to resolve this?
The default config on Cloudron should be set more securely.@robi said in Security issue: Notes do not require auth to be viewed:
While HedgeDoc does require auth to log into the main site, if one copies a doc URL and shares it, or web history leaks, there is no auth required.
I can*
notconfirm this. (see follow up post)
I checked across multiple HedgeDoc installments and all the configs look (almost) the same:
* Note: Some customers decided for some extra config which can be ignored{ "production": { "allowAnonymous": false, "allowAnonymousEdits": true, "allowEmailRegister": false, "allowFreeUrl": true, "allowPdfExport": false, "debug": false, "defaultPermission": "private", "email": false, "imageUploadType": "filesystem", "sessionSecret": "REDACTED" } }Here, try yourself: https://pad.hackradt.com/W_7CaZOVQfKzyeuuqT_tRw
I this old this installment and created a new note as you described.
Also here is the "published" URL wich also does not work: https://pad.hackradt.com/s/KcC7OXB56#Both times the browser delivers a
302and shows this:
Oh what? Wait.
I installed a new one.
Now suddenly it worked
let me check again. -
@robi said in Security issue: Notes do not require auth to be viewed:
While HedgeDoc does require auth to log into the main site, if one copies a doc URL and shares it, or web history leaks, there is no auth required.
I can*
notconfirm this. (see follow up post)
I checked across multiple HedgeDoc installments and all the configs look (almost) the same:
* Note: Some customers decided for some extra config which can be ignored{ "production": { "allowAnonymous": false, "allowAnonymousEdits": true, "allowEmailRegister": false, "allowFreeUrl": true, "allowPdfExport": false, "debug": false, "defaultPermission": "private", "email": false, "imageUploadType": "filesystem", "sessionSecret": "REDACTED" } }Here, try yourself: https://pad.hackradt.com/W_7CaZOVQfKzyeuuqT_tRw
I this old this installment and created a new note as you described.
Also here is the "published" URL wich also does not work: https://pad.hackradt.com/s/KcC7OXB56#Both times the browser delivers a
302and shows this:
Oh what? Wait.
I installed a new one.
Now suddenly it worked let me check again.@BrutalBirdie said in Security issue: Notes do not require auth to be viewed:
"defaultPermission": "private"
That is the key point.
I will have to check if this was default and got changed.
No clue why all the old installments I have use theprivateflag, maybe I knew did the setting and simply forgot
(and with old I mean 3 years old!)As you see in https://docs.hedgedoc.org/configuration/#users-and-privileges the
defaultPermissiondefault iseditablewhich can make sense if you host this for students whom simply would like to share and edit the same document. (Highlighted by the bold - I assume, keep reading
)But even this statement it self makes no real sense, since
allowAnonymousin the hedgedoc docs statestrueby default but is defaultfalsefor new cloudron installments.
Which is not set by Cloudron- https://git.cloudron.io/cloudron/hedgedoc-app/-/blob/master/start.shSo if by default no one can create a shared doc without a login, why would the default be
editable?
The only logical option would be to force a user to Login so he can be monitored?
Like in a school setting? Student X gets an account, creates a note and tells the group worker "Hey here is the URL, work with me".
Still very odd choice.In a private Cloudron setting this does not make sense at all.
It should be editable by the user surely.
So making it defaultprivateis also no option.
At least a first start message like many other apps have would be good.We could also set
privateby default for more security and let it be still editable.
What would you guys this is the better option here?My option pick would be, set
privateby default but leave it editable. -
@BrutalBirdie said in Security issue: Notes do not require auth to be viewed:
"defaultPermission": "private"
That is the key point.
I will have to check if this was default and got changed.
No clue why all the old installments I have use theprivateflag, maybe I knew did the setting and simply forgot (and with old I mean 3 years old!)As you see in https://docs.hedgedoc.org/configuration/#users-and-privileges the
defaultPermissiondefault iseditablewhich can make sense if you host this for students whom simply would like to share and edit the same document. (Highlighted by the bold - I assume, keep reading )But even this statement it self makes no real sense, since
allowAnonymousin the hedgedoc docs statestrueby default but is defaultfalsefor new cloudron installments.
Which is not set by Cloudron- https://git.cloudron.io/cloudron/hedgedoc-app/-/blob/master/start.shSo if by default no one can create a shared doc without a login, why would the default be
editable?
The only logical option would be to force a user to Login so he can be monitored?
Like in a school setting? Student X gets an account, creates a note and tells the group worker "Hey here is the URL, work with me".
Still very odd choice.In a private Cloudron setting this does not make sense at all.
It should be editable by the user surely.
So making it defaultprivateis also no option.
At least a first start message like many other apps have would be good.We could also set
privateby default for more security and let it be still editable.
What would you guys this is the better option here?My option pick would be, set
privateby default but leave it editable. -
We use:
{ "production": { "allowAnonymous": false, "allowAnonymousEdits": false, "allowEmailRegister": false, "allowFreeUrl": true, "allowPdfExport": false, "debug": false, "defaultPermission": "limited", "email": false, "sessionSecret": "<redacted>" } }With the above, notes are not visible to others without logging in. You can always change the default perms at a note level with the drop down on the top right of each note.
-
@girish said in Security issue: Notes do not require auth to be viewed:
"defaultPermission": "limited",Thanks guys, this did it.
The per doc setting is also good, however it only shows from the read-only view, non-editor mode. (Hint for those who can't find it while editing a doc and looking at the menus.)
-
R robi marked this topic as a question on
-
G girish has marked this topic as solved on
