etherpad-lite/src/node/handler
John McLear 7ea9970648
Hardening: API request handling, random IDs, and plugin loading (#7906)
* Hardening: API request handling, token generation, and plugin loading

- pad_utils.randomString: generate the random IDs via crypto.getRandomValues
  (CSPRNG) instead of Math.random.
- OAuth2Provider: constant-time password comparison and a uniform failure delay
  on the OIDC interaction login; own-property user lookup.
- API.appendChatMessage: require the pad to already exist (getPadSafe),
  consistent with the other content API methods.
- RestAPI /api/2: forward only the authorization header rather than merging all
  request headers into the API field set.
- LinkInstaller: validate plugin dependency names before building filesystem
  paths from them.
- admin file server: return a generic error message and log details server-side.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

* Address review: timingSafeEqual on raw bytes; align /api/2 auth fallback

- OAuth2Provider.constantTimeEquals: compare raw UTF-8 bytes with
  crypto.timingSafeEqual instead of hashing them first. Resolves the CodeQL
  "password hash with insufficient computational effort" alert while keeping a
  content-independent comparison (length difference is covered by the uniform
  failure delay).
- RestAPI /api/2: fall back to the authorization header whenever the field is
  falsy (not only null), matching the openapi.ts handler so the two routers
  authenticate identically (Qodo).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

* appendChatMessage: throw explicit error instead of getPadSafe (review)

Per review: replace the getPadSafe(padID, true) existence check with an
explicit `throw new CustomError('padID does not exist', 'apierror')` so chat
messages can't create pads, without fetching the pad.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-07 19:17:39 +02:00
..
APIHandler.ts harden: assorted server-side tightening for 3.0.2 (#7784) 2026-05-17 13:19:41 +01:00
APIKeyHandler.ts chore: migrated settings to esm6 (#7062) 2025-08-04 22:42:50 +02:00
ExportHandler.ts fix(export): surface checkValidRev error message on bad :rev (#7792) 2026-05-17 13:20:05 +01:00
ImportHandler.ts harden: assorted server-side tightening for 3.0.2 (#7784) 2026-05-17 13:19:41 +01:00
PadMessageHandler.ts harden: reject USER_CHANGES inserts without an author attribute (#7773) 2026-05-16 17:23:25 +01:00
RestAPI.ts Hardening: API request handling, random IDs, and plugin loading (#7906) 2026-06-07 19:17:39 +02:00
SocketIORouter.ts feat(gdpr): IP/privacy audit (PR2 of #6701) (#7547) 2026-05-01 13:47:40 +01:00