Commit graph

266 commits

Author SHA1 Message Date
Henrique Dias
ec13054671
fix(share): stop exposing password hash and bypass token in share API (GHSA-833g-cqhp-h72j)
The share management endpoints serialized the storage struct directly, returning
the bcrypt password_hash (crackable offline) and the bypass token for every
share an authenticated caller could list, with admins seeing them for all users.
Return a response DTO that exposes only whether a share is password-protected
(hasPassword) and drops both secrets. The storage struct keeps its tags so the
secrets stay persisted and the server-side auth/public flows are unchanged.
Updates the frontend to use hasPassword and adds a regression test.
2026-06-27 09:08:56 +02:00
Henrique Dias
883a36f02f
fix(auth): reject signup when normalized home dir collides (GHSA-7rc3-g7h6-22m7)
cleanUsername is many-to-one, so distinct usernames (e.g. "teamone/x" and
"teamone-x") can normalize to the same home directory. With CreateUserDir
enabled, the second registrant silently reused the first user's directory,
breaking per-user isolation. Add a GetByScope lookup and reject a signup whose
derived scope is already taken. The check is gated on CreateUserDir: when it is
off, signups intentionally share the configured default scope. Adds a regression
test for the colliding-username case.
2026-06-27 09:08:56 +02:00
Henrique Dias
8503ba61ff
fix(raw): neutralize backslashes in archive entry names (GHSA-83xp-526h-j3ww)
The fix for CVE-2026-54093 rewrote backslashes to the path separator "/" in
archive entry names. On POSIX hosts a backslash is a legal filename byte, so
that rewrite manufactured a traversal sequence ("..\..\x" -> "../../x") out
of a single in-scope file, turning a Windows-only zip-slip into a cross-platform
one. Neutralize backslashes to an inert character instead, and reject any entry
whose name is not already a normalized root-relative path. Adds a regression
test that downloads a folder containing a backslash-named file as a zip.
2026-06-27 08:39:14 +02:00
Henrique Dias
2472fbcd30
fix: normalize recursive listing paths to forward slashes (#6003) 2026-06-27 08:01:26 +02:00
JinHyuk Sung
43a404ca69
fix: match admin share paths by owner scope (#5992) 2026-06-27 07:43:22 +02:00
Rayan Salhab
d9cf2f0100
fix: preserve SRT subtitle line breaks (#6002) 2026-06-27 07:28:55 +02:00
Henrique Dias
a1063925e1
fix: restore symlink behavior as opt-in followExternalSymlinks 2026-06-23 13:19:51 +02:00
Henrique Dias
64511ce45e
fix: dangling symlink, write, delete scope bugs 2026-06-23 12:35:55 +02:00
Henrique Dias
d9816b1531
chore: add symlink tests 2026-06-07 18:21:13 +02:00
Henrique Dias
7c2c0a11b3
refactor: ScopedFs to avoid escaping symlinks 2026-06-07 18:16:46 +02:00
Henrique Dias
3406d3d7f9
fix: recursive check 2026-06-07 17:12:31 +02:00
Henrique Dias
3471ec2c4b
fix: incomplete fix for symlinked directories let scopes users and public-share recipients read and write files outside of scope 2026-06-04 11:02:18 +02:00
Henrique Dias
35db07d015
fix: set X-Content-Type-Options: nosniff on raw file responses
Prevents browsers from MIME-sniffing uploaded files into a renderable type.
2026-06-03 12:21:23 +02:00
Henrique Dias
19514367ad
fix: use constant-time comparison for share access token
Compare the share token with subtle.ConstantTimeCompare instead of ==.
2026-06-03 12:21:23 +02:00
Henrique Dias
cdd666fc95
fix: prevent symlink scope escape in copy/move/rename
Check WithinScope for src and dst in resourcePatchHandler before
fileutils.Copy/MoveFile, which follow symlinks and bypassed the
stat()/writeFile() guards (GHSA-239w-m3h6-ch8v).
2026-06-03 12:21:23 +02:00
mehmet turac
103acd15fe
fix: force octet-stream for attachment downloads (#5942) 2026-06-03 11:59:17 +02:00
Henrique Dias
ca019ae7d9
fix: check if share is within scope when creating 2026-06-03 11:57:10 +02:00
Henrique Dias
166583db63
fix: disallow shares for non-existent paths 2026-06-03 11:43:22 +02:00
Henrique Dias
847d08bdd1
fix: address three security disclosures (archive traversal, login DoS, symlink escape)
- http/raw.go: strip Windows backslash separators from archive entry names
  on any host. filepath.ToSlash is a no-op for "\" on Linux, so a stored
  backslash filename was emitted verbatim and could escape the extraction
  directory on Windows extractors (zip-slip). (GHSA-gxjx-7m74-hcq8)

- http/auth.go: cap the login and signup request bodies with
  http.MaxBytesReader (1 MiB). The JSON decoder previously read an
  arbitrarily large password into memory before bcrypt truncated it,
  enabling unauthenticated memory-exhaustion DoS. (GHSA-w5fm-68j4-fpc4)

- files/file.go, http/resource.go: add files.WithinScope and refuse to
  follow a symlink whose on-disk target escapes the user's scoped root,
  on both the read path (stat) and the write path (writeFile). Prevents a
  scoped user from reading/overwriting/sharing files outside their scope
  via a pre-existing escaping symlink. (GHSA-239w-m3h6-ch8v)

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-03 11:21:00 +02:00
Henrique Dias
0231b7ebdf
fix: cross-user unauthorized share-link deletion 2026-06-03 10:31:44 +02:00
Henrique Dias
e07c59df0b
fix: incorrect access control in public directory shares via rule path rebasing 2026-06-03 10:24:05 +02:00
mehmet turac
9cc18a81e3
fix: show item shares from all users to admins (#5941) 2026-05-17 15:01:02 +02:00
Anthony Geourjon
f4e148523e
fix: Fix conflict modal and add a resume transfert option (#5884)
Co-authored-by: Henrique Dias <mail@hacdias.com>
2026-05-05 14:24:06 +02:00
kodareef5
1e03feadb5
fix: check download permission in resource handler (#5891) 2026-04-04 21:58:17 +02:00
kodareef5
7dbf7a3528
fix: check share owner permissions on public share access (#5888) 2026-04-04 21:56:55 +02:00
Ariel Leyva
7a16129bfc
fix(tus): reject negative upload-length to prevent inconsistent cache entry (#5876) 2026-04-04 09:11:50 +02:00
Ariel Leyva
0f39bd055e
fix: check download permission when sharing permission is enabled (#5875) 2026-04-04 09:11:21 +02:00
Henrique Dias
a8fc1657b7
fix: shares listing 2026-03-28 20:02:12 +01:00
Henrique Dias
c406bda0c7
fix: json escaping 2026-03-28 19:54:21 +01:00
Henrique Dias
d9f9460c1e
fix: use html/template 2026-03-28 19:16:12 +01:00
Henrique Dias
b6a4fb1f27
fix: self-registered users don't get execute perms 2026-03-28 19:08:19 +01:00
lif
8f81b77cf2
fix: include filename in Content-Disposition header for inline downloads (#5860) 2026-03-28 19:03:07 +01:00
Arran
4812536555
fix: touch Redis upload cache key on GetLength to prevent TTL expiry (#5850) 2026-03-26 16:27:28 +01:00
Henrique Dias
fc80f4f44c
fix: base url/reverse proxy redirect 2026-03-14 09:30:35 +01:00
Henrique Dias
09a26166b4
fix: make perm.share depend on share.download 2026-03-14 08:31:55 +01:00
Henrique Dias
a63573b67e
fix: signup handler shouldn't create admins 2026-03-14 08:23:10 +01:00
Henrique Dias
4bd7d69c82
fix: clean path in patch handler 2026-03-14 08:13:51 +01:00
Sergio
0542fc0ba4
fix(tus): preserve percent-encoded upload paths in Location header (#5817) 2026-03-11 19:37:07 +01:00
Ariel Leyva
4af3f85e64
fix(csv-viewer): add support for missing text encodings in dropdown list (#5795) 2026-03-06 15:26:13 +01:00
Henrique Dias
7ed1425115
fix: check for correct permission in TUS Delete 2026-03-04 10:04:22 +01:00
Henrique Dias
31194fb57a
fix: correctly clean path 2026-02-28 10:31:09 +01:00
Ariel Leyva
f67bccf8c5
feat: support for multiple encodings in CSV files (#5756) 2026-02-14 07:37:28 +01:00
Nian
6a76dfeba9
fix: respect Accept-Encoding for pre-compressed JS (#5750) 2026-02-14 07:30:10 +01:00
Henrique Dias
489af403a1
fix: remove skip clean 2026-02-08 08:02:03 +01:00
Henrique Dias
ff2f00498c
fix: normalize fields capitalization 2026-02-08 07:50:40 +01:00
Arran
08d7a1504c
feat: Add Redis upload cache for multi-replica deployments (#5724) 2026-02-01 17:08:40 +01:00
Ariel Leyva
d441b28f43
fix: avoid 409 conflict when renaming files differing only by case (#5729) 2026-02-01 11:37:07 +01:00
Ariel Leyva
cfa6c5864e
fix: request current password when deleting users (#5667) 2026-01-18 08:36:25 +01:00
Beckam White
fda8a99292
feat: add "redirect after copy/move" user setting (#5662) 2026-01-10 10:27:54 +01:00
Jagadam Dinesh Reddy
4fd18a382c
feat: force file sync while uploading file (#5668) 2026-01-10 09:30:08 +01:00