Impact
Images uploaded with HedgeDoc version 1.9.1 and later have an enumerable filename after the upload, resulting in potential information leakage of uploaded documents. This is especially relevant for private notes and affects all upload backends, except Lutim and imgur.
Patches
This issue is patched in version 1.9.3 by replacing the filename generation with UUIDv4.
--- a/lib/web/imageRouter/index.js
+++ b/lib/web/imageRouter/index.js
@@ -4,6 +4,7 @@ const Router = require('express').Router
const formidable = require('formidable')
const path = require('path')
const fs = require('fs')
+const { v4: uuidv4 } = require('uuid');
const os = require('os')
const rimraf = require('rimraf')
const isSvg = require('is-svg')
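Review bot: the new require `+const { v4: uuidv4 } = require('uuid');` ends with a semicolon while every neighbouring require in this file omits one; drop it to keep the file's style consistent. The hunk also introduces a runtime dependency on `uuid`, but no package.json change is visible in this diff, so confirm the dependency is declared or the require will fail on a fresh install.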
@@ -70,7 +71,13 @@ imageRouter.post('/uploadimage', function (req, res) {
const tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), 'hedgedoc-'))
const form = formidable({
keepExtensions: true,
- uploadDir: tmpDir
+ uploadDir: tmpDir,
+ filename: function(filename, ext) {
+ if (typeof ext !== "string") {
+ ext = ".invalid"
+ }
+ return uuidv4() + ext
+ }
})
form.parse(req, async function (err, fields, files) {
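Review bot: the `filename` callback only checks that `ext` is a string before appending it; with `keepExtensions: true` that extension is derived from the client-supplied filename, so the UUID stem removes enumerability but the extension remains untrusted input. Consider restricting it to an allow-list of expected image extensions rather than accepting any string (the `.invalid` fallback already shows the intent to not trust it blindly). Minor style points: the literals `"string"` and `".invalid"` use double quotes where the file uses single quotes, `function(filename, ext)` lacks the space before the parenthesis used elsewhere, and the `filename` parameter is unused.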
Workarounds
If you cannot upgrade to HedgeDoc 1.9.3, it is possible to block POST requests to /uploadimage, which will disable future uploads.
References
node-formidable/formidable#808 (comment)
More information
HedgeDoc 1.9.2 upgraded to formidable 2, which switched to using hexoid to generate upload filenames. While hexoid-generated strings look random, they are generated using a random prefix concatenated with a counter, making them enumerable. The prefix is regenerated on startup and after 256 uploads.
Attribution
This issue was reported by the NCSC-FI.
If you have any questions or comments about this advisory: