
Enumerable upload file names

Moderate
davidmehren published GHSA-q6vv-2q26-j7rx Apr 10, 2022

Package

hedgedoc

Affected versions

>=1.9.1,<1.9.3

Patched versions

1.9.3

Description

Impact

Images uploaded with HedgeDoc version 1.9.1 and later receive an enumerable filename, so anyone who knows the URL of one uploaded image can guess the URLs of other uploads and retrieve them without ever having been given a link. This is especially relevant for images embedded in private notes, and it affects all upload backends except Lutim and imgur.

Patches

This issue is patched in version 1.9.3 by replacing the counter-based filename generation with random UUIDv4 names.

--- a/lib/web/imageRouter/index.js
+++ b/lib/web/imageRouter/index.js
@@ -4,6 +4,7 @@ const Router = require('express').Router
 const formidable = require('formidable')
 const path = require('path')
 const fs = require('fs')
+const { v4: uuidv4 } = require('uuid');
 const os = require('os')
 const rimraf = require('rimraf')
 const isSvg = require('is-svg')
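Review bot: the added require ends with a semicolon while the neighbouring requires in this file do not; drop it to keep the file's style (`const { v4: uuidv4 } = require('uuid')`). Also confirm that `uuid` is declared as a runtime dependency in package.json, since the hunk introduces the import but the patch as shown does not touch the manifest.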
@@ -70,7 +71,13 @@ imageRouter.post('/uploadimage', function (req, res) {
   const tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), 'hedgedoc-'))
   const form = formidable({
     keepExtensions: true,
-    uploadDir: tmpDir
+    uploadDir: tmpDir,
+    filename: function(filename, ext) {
+        if (typeof ext !== "string") {
+            ext = ".invalid"
+        }
+        return uuidv4() + ext
+    }
   })
 
   form.parse(req, async function (err, fields, files) {
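Review bot: the `typeof ext !== "string"` guard in the new `filename` callback suggests uncertainty about which arguments formidable 2 actually passes (the formidable issue referenced below); verify the callback signature against the formidable version pinned in package.json, otherwise every upload could silently be named `<uuid>.invalid` and lose its extension. Whatever `ext` turns out to be, it still derives from the client-supplied file name, so consider checking it against an allow-list of expected image extensions rather than accepting any string. Minor style point: the callback uses 4-space indentation and double quotes while the rest of the file uses 2 spaces and single quotes.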

Workarounds

If you cannot upgrade to HedgeDoc 1.9.3, it is possible to block POST requests to /uploadimage (for example at the reverse proxy), which disables future uploads. This only prevents new uploads; files that were already uploaded keep their enumerable names and remain guessable.

References

node-formidable/formidable#808 (comment)

More information

HedgeDoc 1.9.2 upgraded to formidable 2, which switched to hexoid for generating upload filenames. hexoid output looks random, but each id is a random prefix concatenated with a counter: once an attacker has seen one filename, the other names issued under the same prefix differ only in the counter value and can be enumerated. The prefix is regenerated on startup and after 256 uploads, so each prefix covers at most 256 uploads.

Attribution

This issue was reported by the NCSC-FI.


Severity

Moderate
5.3
/ 10

CVSS base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CVE ID

CVE-2022-24837

Weaknesses