Cloudron makes it easy to run web apps like WordPress, Nextcloud, GitLab on your server. Find out more or install now.


Skip to content
  • Categories
  • Recent
  • Tags
  • Popular
  • Bookmarks
  • Search
Skins
  • Light
  • Cerulean
  • Cosmo
  • Flatly
  • Journal
  • Litera
  • Lumen
  • Lux
  • Materia
  • Minty
  • Morph
  • Pulse
  • Sandstone
  • Simplex
  • Sketchy
  • Spacelab
  • United
  • Yeti
  • Zephyr
  • Dark
  • Cyborg
  • Darkly
  • Quartz
  • Slate
  • Solar
  • Superhero
  • Vapor
  • Default (No Skin)
  • No Skin
Collapse
Brand Logo

Cloudron Forum
Apps | Demo | Docs | Install
  1. Cloudron Forum
  2. HedgeDoc
  3. Security issue: Notes do not require auth to be viewed

Security issue: Notes do not require auth to be viewed

Scheduled Pinned Locked Moved Solved HedgeDoc
6 Posts 3 Posters 542 Views
  • Oldest to Newest
  • Newest to Oldest
  • Most Votes
Log in to reply
This topic has been deleted. Only users with topic management privileges can see it.
  • robiR Offline
    robiR Offline
    robi
    wrote on last edited by
    #1

    While HedgeDoc does require auth to log into the main site, if one copies a doc URL and shares it, or web history leaks, there is no auth required.

    Looking into the config options in /app/data/config.json it's not clear there is a setting preventing such. (for example the sso/ldap directive is not present either.)

    https://docs.hedgedoc.org/configuration/#users-and-privileges
    mentions several settings, yet even if all are false to deny access and true to require auth, it doesn't change the behavior of the app.

    Tested by creating a new note, getting the browser URL and opening it in a private browser or different browser that hasn't been auth'd.

    What combination of settings is required to resolve this?
    The default config on Cloudron should be set more securely.

    Conscious tech

    BrutalBirdieB 1 Reply Last reply
    0
    • BrutalBirdieB Offline
      BrutalBirdieB Offline
      BrutalBirdie Partner
      replied to robi on last edited by BrutalBirdie
      #2

      @robi said in Security issue: Notes do not require auth to be viewed:

      While HedgeDoc does require auth to log into the main site, if one copies a doc URL and shares it, or web history leaks, there is no auth required.

      I can* not confirm this. (see follow up post)
      I checked across multiple HedgeDoc installments and all the configs look (almost      ) the same:
      * Note: Some customers decided for some extra config which can be ignored

      {
  "production": {
    "allowAnonymous": false,
    "allowAnonymousEdits": true,
    "allowEmailRegister": false,
    "allowFreeUrl": true,
    "allowPdfExport": false,
    "debug": false,
    "defaultPermission": "private",
    "email": false,
    "imageUploadType": "filesystem",
    "sessionSecret": "REDACTED"
  }
}

      Here, try yourself: https://pad.hackradt.com/W_7CaZOVQfKzyeuuqT_tRw
      I this old this installment and created a new note as you described.
      Also here is the "published" URL wich also does not work: https://pad.hackradt.com/s/KcC7OXB56#

      Both times the browser delivers a 302 and shows this:
      ae363ec4-49d6-476a-a4f4-b54d9cab63da-image.png

      Oh what? Wait.
      I installed a new one.
      Now suddenly it worked 😕 let me check again.

      Like my work? Consider donating a drink. Cheers!

      BrutalBirdieB 1 Reply Last reply
      1
      • BrutalBirdieB Offline
        BrutalBirdieB Offline
        BrutalBirdie Partner
        replied to BrutalBirdie on last edited by BrutalBirdie
        #3

        @BrutalBirdie said in Security issue: Notes do not require auth to be viewed:

        "defaultPermission": "private"

        That is the key point.
        I will have to check if this was default and got changed.
        No clue why all the old installments I have use the private flag, maybe I knew did the setting and simply forgot 🤷 (and with old I mean 3 years old!)

        As you see in https://docs.hedgedoc.org/configuration/#users-and-privileges the defaultPermission default is editable which can make sense if you host this for students whom simply would like to share and edit the same document. (Highlighted by the bold - I assume, keep reading 😄 )

        But even this statement it self makes no real sense, since allowAnonymous in the hedgedoc docs states true by default but is default false for new cloudron installments.
        Which is not set by Cloudron- https://git.cloudron.io/cloudron/hedgedoc-app/-/blob/master/start.sh

        So if by default no one can create a shared doc without a login, why would the default be editable?
        The only logical option would be to force a user to Login so he can be monitored?
        Like in a school setting? Student X gets an account, creates a note and tells the group worker "Hey here is the URL, work with me".
        😕 Still very odd choice.

        In a private Cloudron setting this does not make sense at all.
        It should be editable by the user surely. 🤔
        So making it default private is also no option.
        At least a first start message like many other apps have would be good.

        We could also set private by default for more security and let it be still editable.
        What would you guys this is the better option here?

        My option pick would be, set private by default but leave it editable.

        @staff @robi

        Like my work? Consider donating a drink. Cheers!

        BrutalBirdieB 1 Reply Last reply
        1
        • BrutalBirdieB Offline
          BrutalBirdieB Offline
          BrutalBirdie Partner
          replied to BrutalBirdie on last edited by BrutalBirdie
          #4

          Ohh also @robi - look at this 👀

          This is my old installment with default private.
          2c93f3da-a624-48f9-98a1-8e4bb4b285b3-image.png

          Now here the new installed with default editable:
          d4288987-4703-4115-8232-bcd99f62a66f-image.png

          Of course this must be configurable per document.

          Like my work? Consider donating a drink. Cheers!

          1 Reply Last reply
          1
          • girishG Offline
            girishG Offline
            girish Staff
            wrote on last edited by girish
            #5

            We use:

            {
  "production": {
    "allowAnonymous": false,
    "allowAnonymousEdits": false,
    "allowEmailRegister": false,
    "allowFreeUrl": true,
    "allowPdfExport": false,
    "debug": false,
    "defaultPermission": "limited",
    "email": false,
    "sessionSecret": "<redacted>"
  }
}

            With the above, notes are not visible to others without logging in. You can always change the default perms at a note level with the drop down on the top right of each note.

            1 Reply Last reply
            1
            • robiR Offline
              robiR Offline
              robi
              wrote on last edited by
              #6

              @girish said in Security issue: Notes do not require auth to be viewed:

              "defaultPermission": "limited",

              Thanks guys, this did it.

              The per doc setting is also good, however it only shows from the read-only view, non-editor mode. (Hint for those who can't find it while editing a doc and looking at the menus.)

              Conscious tech

              1 Reply Last reply
              0
              • robiR robi marked this topic as a question on
              • girishG girish has marked this topic as solved on

              • Login
              • Don't have an account? Register
              • Login or register to search.
              • First post
                Last post
              0
              • Categories
              • Recent
              • Tags
              • Popular
              • Bookmarks
              • Search