mirror of
https://github.com/ether/etherpad-lite.git
synced 2026-07-18 17:13:58 +00:00
Hardening: API request handling, random IDs, and plugin loading (#7906)
* Hardening: API request handling, token generation, and plugin loading
- pad_utils.randomString: generate the random IDs via crypto.getRandomValues
(CSPRNG) instead of Math.random.
- OAuth2Provider: constant-time password comparison and a uniform failure delay
on the OIDC interaction login; own-property user lookup.
- API.appendChatMessage: require the pad to already exist (getPadSafe),
consistent with the other content API methods.
- RestAPI /api/2: forward only the authorization header rather than merging all
request headers into the API field set.
- LinkInstaller: validate plugin dependency names before building filesystem
paths from them.
- admin file server: return a generic error message and log details server-side.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
* Address review: timingSafeEqual on raw bytes; align /api/2 auth fallback
- OAuth2Provider.constantTimeEquals: compare raw UTF-8 bytes with
crypto.timingSafeEqual instead of hashing them first. Resolves the CodeQL
"password hash with insufficient computational effort" alert while keeping a
content-independent comparison (length difference is covered by the uniform
failure delay).
- RestAPI /api/2: fall back to the authorization header whenever the field is
falsy (not only null), matching the openapi.ts handler so the two routers
authenticate identically (Qodo).
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
* appendChatMessage: throw explicit error instead of getPadSafe (review)
Per review: replace the getPadSafe(padID, true) existence check with an
explicit `throw new CustomError('padID does not exist', 'apierror')` so chat
messages can't create pads, without fetching the pad.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
---------
Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
parent
86c56cf827
commit
7ea9970648
6 changed files with 84 additions and 17 deletions
|
|
@ -1471,7 +1471,15 @@ export const expressCreateServer = async (hookName: string, {app}: ArgsExpressTy
|
|||
}
|
||||
}
|
||||
|
||||
const fields = Object.assign({}, headers, params, query, formData);
|
||||
// Merge with clear precedence: body > query > path params, matching the
|
||||
// openapi.ts handler. Forward only the authorization header explicitly
|
||||
// instead of merging all request headers into the field set.
|
||||
const fields = Object.assign({}, params, query, formData);
|
||||
if (headers && headers.authorization) {
|
||||
// Match the openapi.ts handler: fall back to the header whenever the
|
||||
// field value is falsy (absent or empty), not only when it is null.
|
||||
fields.authorization = fields.authorization || headers.authorization;
|
||||
}
|
||||
|
||||
if (mapping.has(method) && pathToFunction in mapping.get(method)!) {
|
||||
const {apiVersion, functionName} = mapping.get(method)![pathToFunction]!
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue