liz/wikijs-fork
liz/wikijs-fork
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

fix: Open Redirect Vulnerability Mitigation - CWE 601 (#1963)

Browse Source 
* Open redirect vulnerabilty mitigation

* Refacted Open Redirect to user configurable and corrected incorrect security variable names.

Co-authored-by: danallendds <daniel.allen@friends.dds.mil>
This commit is contained in:
daneallen 2020-05-29 18:24:20 -04:00 committed by GitHub
parent 4b93e04261
commit 20e6bc1a70
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
5 changed files with 27 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
client/components/admin/admin-security.vue
View File

@ -20,6 +20,15 @@
v-card-info(color='red') v-card-info(color='red')
span Make sure to understand the implications before turning on / off a security feature. span Make sure to understand the implications before turning on / off a security feature.
v-card-text v-card-text
v-switch.mt-3(
inset
label='Block Open Redirect'
color='red darken-2'
v-model='config.securityOpenRedirect'
persistent-hint
hint='Prevents user controlled URLs from directing to websites outside of your wiki. This provides Open Redirect protection.'
)
v-switch.mt-3( v-switch.mt-3(
inset inset
label='Block IFrame Embedding' label='Block IFrame Embedding'
@ -145,6 +154,7 @@ export default {
config: { config: {
uploadMaxFileSize: 0, uploadMaxFileSize: 0,
uploadMaxFiles: 0, uploadMaxFiles: 0,
securityOpenRedirect: true,
securityIframe: true, securityIframe: true,
securityReferrerPolicy: true, securityReferrerPolicy: true,
securityTrustProxy: true, securityTrustProxy: true,
@ -175,6 +185,7 @@ export default {
mutation ( mutation (
$uploadMaxFileSize: Int $uploadMaxFileSize: Int
$uploadMaxFiles: Int $uploadMaxFiles: Int
$securityOpenRedirect: Boolean
$securityIframe: Boolean $securityIframe: Boolean
$securityReferrerPolicy: Boolean $securityReferrerPolicy: Boolean
$securityTrustProxy: Boolean $securityTrustProxy: Boolean
@ -188,6 +199,7 @@ export default {
updateConfig( updateConfig(
uploadMaxFileSize: $uploadMaxFileSize, uploadMaxFileSize: $uploadMaxFileSize,
uploadMaxFiles: $uploadMaxFiles, uploadMaxFiles: $uploadMaxFiles,
securityOpenRedirect: $securityOpenRedirect,
securityIframe: $securityIframe, securityIframe: $securityIframe,
securityReferrerPolicy: $securityReferrerPolicy, securityReferrerPolicy: $securityReferrerPolicy,
securityTrustProxy: $securityTrustProxy, securityTrustProxy: $securityTrustProxy,
@ -210,6 +222,7 @@ export default {
variables: { variables: {
uploadMaxFileSize: _.toSafeInteger(_.get(this.config, 'uploadMaxFileSize', 0)), uploadMaxFileSize: _.toSafeInteger(_.get(this.config, 'uploadMaxFileSize', 0)),
uploadMaxFiles: _.toSafeInteger(_.get(this.config, 'uploadMaxFiles', 0)), uploadMaxFiles: _.toSafeInteger(_.get(this.config, 'uploadMaxFiles', 0)),
securityOpenRedirect: _.get(this.config, 'securityOpenRedirect', false),
securityIframe: _.get(this.config, 'securityIframe', false), securityIframe: _.get(this.config, 'securityIframe', false),
securityReferrerPolicy: _.get(this.config, 'securityReferrerPolicy', false), securityReferrerPolicy: _.get(this.config, 'securityReferrerPolicy', false),
securityTrustProxy: _.get(this.config, 'securityTrustProxy', false), securityTrustProxy: _.get(this.config, 'securityTrustProxy', false),
@ -241,6 +254,7 @@ export default {
config { config {
uploadMaxFileSize uploadMaxFileSize
uploadMaxFiles uploadMaxFiles
securityOpenRedirect
securityIframe securityIframe
securityReferrerPolicy securityReferrerPolicy
securityTrustProxy securityTrustProxy

1
server/app/data.yml
View File

@ -54,6 +54,7 @@ defaults:
iconset: 'md' iconset: 'md'
darkMode: false darkMode: false
security: security:
securityOpenRedirect: true
securityIframe: true securityIframe: true
securityReferrerPolicy: true securityReferrerPolicy: true
securityTrustProxy: true securityTrustProxy: true

1
server/graph/resolvers/site.js
View File

@ -67,6 +67,7 @@ module.exports = {
} }
WIKI.config.security = { WIKI.config.security = {
securityOpenRedirect: _.get(args, 'securityOpenRedirect', WIKI.config.security.securityOpenRedirect),
securityIframe: _.get(args, 'securityIframe', WIKI.config.security.securityIframe), securityIframe: _.get(args, 'securityIframe', WIKI.config.security.securityIframe),
securityReferrerPolicy: _.get(args, 'securityReferrerPolicy', WIKI.config.security.securityReferrerPolicy), securityReferrerPolicy: _.get(args, 'securityReferrerPolicy', WIKI.config.security.securityReferrerPolicy),
securityTrustProxy: _.get(args, 'securityTrustProxy', WIKI.config.security.securityTrustProxy), securityTrustProxy: _.get(args, 'securityTrustProxy', WIKI.config.security.securityTrustProxy),

2
server/graph/schemas/site.graphql
View File

@ -36,6 +36,7 @@ type SiteMutation {
featurePageRatings: Boolean featurePageRatings: Boolean
featurePageComments: Boolean featurePageComments: Boolean
featurePersonalWikis: Boolean featurePersonalWikis: Boolean
securityOpenRedirect: Boolean
securityIframe: Boolean securityIframe: Boolean
securityReferrerPolicy: Boolean securityReferrerPolicy: Boolean
securityTrustProxy: Boolean securityTrustProxy: Boolean
@ -67,6 +68,7 @@ type SiteConfig {
featurePageRatings: Boolean! featurePageRatings: Boolean!
featurePageComments: Boolean! featurePageComments: Boolean!
featurePersonalWikis: Boolean! featurePersonalWikis: Boolean!
securityOpenRedirect: Boolean!
securityIframe: Boolean! securityIframe: Boolean!
securityReferrerPolicy: Boolean! securityReferrerPolicy: Boolean!
securityTrustProxy: Boolean! securityTrustProxy: Boolean!

12
server/middlewares/security.js
View File

@ -13,7 +13,7 @@ module.exports = function (req, res, next) {
req.app.disable('x-powered-by') req.app.disable('x-powered-by')
// -> Disable Frame Embedding // -> Disable Frame Embedding
if (WIKI.config.securityIframe) { if (WIKI.config.security.securityIframe) {
res.set('X-Frame-Options', 'deny') res.set('X-Frame-Options', 'deny')
} }
@ -27,14 +27,20 @@ module.exports = function (req, res, next) {
res.set('X-UA-Compatible', 'IE=edge') res.set('X-UA-Compatible', 'IE=edge')
// -> Disables referrer header when navigating to a different origin // -> Disables referrer header when navigating to a different origin
if (WIKI.config.securityReferrerPolicy) { if (WIKI.config.security.securityReferrerPolicy) {
res.set('Referrer-Policy', 'same-origin') res.set('Referrer-Policy', 'same-origin')
} }
// -> Enforce HSTS // -> Enforce HSTS
if (WIKI.config.securityHSTS) { if (WIKI.config.security.securityHSTS) {
res.set('Strict-Transport-Security', `max-age=${WIKI.config.securityHSTSDuration}; includeSubDomains`) res.set('Strict-Transport-Security', `max-age=${WIKI.config.securityHSTSDuration}; includeSubDomains`)
} }
// -> Prevent Open Redirect from user provided URL
if (WIKI.config.security.securityOpenRedirect) {
// Strips out all repeating / character in the provided URL
req.url = req.url.replace(/(\/)(?=\/*\1)/g, "")
}
return next() return next()
} }