mirror of
https://github.com/go-vikunja/vikunja.git
synced 2026-05-08 21:08:04 -05:00
e025209e3c
Previously GetLinkShareFromClaims built a *LinkSharing entirely from JWT claims with no DB interaction, so deleted shares and permission downgrades took up to 72h (the JWT TTL) to take effect. The permission and sharedByID claims were trusted blindly. GetLinkShareFromClaims now takes an *xorm.Session, looks up the share via GetLinkShareByID, verifies the hash claim against the DB row, and returns ErrLinkShareTokenInvalid when the row is missing or the hash mismatches. The permission and sharedByID claims are discarded; the DB row is authoritative. GetAuthFromClaims opens a read session for the link-share branch, mirroring the existing API-token branch. Token creation and the JWT format are unchanged, so already-issued tokens keep working except when the underlying share has been deleted or its hash no longer matches. Fixes GHSA-96q5-xm3p-7m84 / CVE-2026-35594.
383 lines
12 KiB
Go
383 lines
12 KiB
Go
// Vikunja is a to-do list application to facilitate your life.
|
|
// Copyright 2018-present Vikunja and contributors. All rights reserved.
|
|
//
|
|
// This program is free software: you can redistribute it and/or modify
|
|
// it under the terms of the GNU Affero General Public License as published by
|
|
// the Free Software Foundation, either version 3 of the License, or
|
|
// (at your option) any later version.
|
|
//
|
|
// This program is distributed in the hope that it will be useful,
|
|
// but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
// GNU Affero General Public License for more details.
|
|
//
|
|
// You should have received a copy of the GNU Affero General Public License
|
|
// along with this program. If not, see <https://www.gnu.org/licenses/>.
|
|
|
|
package models
|
|
|
|
import (
|
|
"errors"
|
|
"strconv"
|
|
"time"
|
|
|
|
"code.vikunja.io/api/pkg/db"
|
|
"code.vikunja.io/api/pkg/user"
|
|
"code.vikunja.io/api/pkg/utils"
|
|
"code.vikunja.io/api/pkg/web"
|
|
|
|
"github.com/golang-jwt/jwt/v5"
|
|
"golang.org/x/crypto/bcrypt"
|
|
"xorm.io/builder"
|
|
"xorm.io/xorm"
|
|
)
|
|
|
|
// SharingType holds the sharing type
|
|
type SharingType int
|
|
|
|
// These consts represent all valid link sharing types
|
|
const (
|
|
SharingTypeUnknown SharingType = iota
|
|
SharingTypeWithoutPassword
|
|
SharingTypeWithPassword
|
|
)
|
|
|
|
// LinkSharing represents a shared project
|
|
type LinkSharing struct {
|
|
// The ID of the shared thing
|
|
ID int64 `xorm:"bigint autoincr not null unique pk" json:"id" param:"share"`
|
|
// The public id to get this shared project
|
|
Hash string `xorm:"varchar(40) not null unique" json:"hash" param:"hash"`
|
|
// The name of this link share. All actions someone takes while being authenticated with that link will appear with that name.
|
|
Name string `xorm:"text null" json:"name"`
|
|
// The ID of the shared project
|
|
ProjectID int64 `xorm:"bigint not null" json:"-" param:"project"`
|
|
// The permission this project is shared with. 0 = Read only, 1 = Read & Write, 2 = Admin. See the docs for more details.
|
|
Permission Permission `xorm:"bigint INDEX not null default 0" json:"permission" valid:"length(0|2)" maximum:"2" default:"0"`
|
|
|
|
// The kind of this link. 0 = undefined, 1 = without password, 2 = with password.
|
|
SharingType SharingType `xorm:"bigint INDEX not null default 0" json:"sharing_type" valid:"length(0|2)" maximum:"2" default:"0"`
|
|
|
|
// The password of this link share. You can only set it, not retrieve it after the link share has been created.
|
|
Password string `xorm:"text null" json:"password"`
|
|
|
|
// The user who shared this project
|
|
SharedBy *user.User `xorm:"-" json:"shared_by"`
|
|
SharedByID int64 `xorm:"bigint INDEX not null" json:"-"`
|
|
|
|
// A timestamp when this project was shared. You cannot change this value.
|
|
Created time.Time `xorm:"created not null" json:"created"`
|
|
// A timestamp when this share was last updated. You cannot change this value.
|
|
Updated time.Time `xorm:"updated not null" json:"updated"`
|
|
|
|
web.CRUDable `xorm:"-" json:"-"`
|
|
web.Permissions `xorm:"-" json:"-"`
|
|
}
|
|
|
|
// TableName holds the table name
|
|
func (*LinkSharing) TableName() string {
|
|
return "link_shares"
|
|
}
|
|
|
|
// GetID returns the ID of the links sharing object
|
|
func (share *LinkSharing) GetID() int64 {
|
|
return share.ID
|
|
}
|
|
|
|
// GetLinkShareFromClaims resolves a link share JWT against the DB on every
|
|
// call so that deletion or permission downgrades take effect immediately
|
|
// instead of persisting for the (up to 72h) JWT TTL. The `permission` and
|
|
// `sharedByID` claims NewLinkShareJWTAuthtoken writes are intentionally
|
|
// ignored: the DB row is authoritative.
|
|
//
|
|
// Fixes GHSA-96q5-xm3p-7m84 / CVE-2026-35594.
|
|
func GetLinkShareFromClaims(s *xorm.Session, claims jwt.MapClaims) (share *LinkSharing, err error) {
|
|
idFloat, is := claims["id"].(float64)
|
|
if !is {
|
|
return nil, &ErrLinkShareTokenInvalid{}
|
|
}
|
|
hash, is := claims["hash"].(string)
|
|
if !is {
|
|
return nil, &ErrLinkShareTokenInvalid{}
|
|
}
|
|
|
|
share, err = GetLinkShareByID(s, int64(idFloat))
|
|
if err != nil {
|
|
// Only a missing row means the token is stale; everything else
|
|
// (DB down, etc.) must bubble up as 500 instead of 400.
|
|
if IsErrProjectShareDoesNotExist(err) {
|
|
return nil, &ErrLinkShareTokenInvalid{}
|
|
}
|
|
return nil, err
|
|
}
|
|
|
|
// Defense in depth against a future bug that mints a token with a
|
|
// mismatched id/hash pair — the JWT signature alone already prevents
|
|
// tampering at rest.
|
|
if share.Hash != hash {
|
|
return nil, &ErrLinkShareTokenInvalid{}
|
|
}
|
|
|
|
// Never leak the hashed password through the auth object.
|
|
share.Password = ""
|
|
return share, nil
|
|
}
|
|
|
|
func (share *LinkSharing) getUserID() int64 {
|
|
return share.ID * -1
|
|
}
|
|
|
|
func (share *LinkSharing) toUser() *user.User {
|
|
suffix := "Link Share"
|
|
if share.Name != "" {
|
|
suffix = " (" + suffix + ")"
|
|
}
|
|
|
|
username := "link-share-" + strconv.FormatInt(share.ID, 10)
|
|
|
|
return &user.User{
|
|
ID: share.getUserID(),
|
|
Name: share.Name + suffix,
|
|
Username: username,
|
|
Created: share.Created,
|
|
Updated: share.Updated,
|
|
}
|
|
}
|
|
|
|
// Create creates a new link share for a given project
|
|
// @Summary Share a project via link
|
|
// @Description Share a project via link. The user needs to have write-access to the project to be able do this.
|
|
// @tags sharing
|
|
// @Accept json
|
|
// @Produce json
|
|
// @Security JWTKeyAuth
|
|
// @Param project path int true "Project ID"
|
|
// @Param label body models.LinkSharing true "The new link share object"
|
|
// @Success 201 {object} models.LinkSharing "The created link share object."
|
|
// @Failure 400 {object} web.HTTPError "Invalid link share object provided."
|
|
// @Failure 403 {object} web.HTTPError "Not allowed to add the project share."
|
|
// @Failure 404 {object} web.HTTPError "The project does not exist."
|
|
// @Failure 500 {object} models.Message "Internal error"
|
|
// @Router /projects/{project}/shares [put]
|
|
func (share *LinkSharing) Create(s *xorm.Session, a web.Auth) (err error) {
|
|
|
|
err = share.Permission.isValid()
|
|
if err != nil {
|
|
return
|
|
}
|
|
|
|
share.SharedByID = a.GetID()
|
|
hash, err := utils.CryptoRandomString(40)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
share.Hash = hash
|
|
|
|
if share.Password != "" {
|
|
share.SharingType = SharingTypeWithPassword
|
|
share.Password, err = user.HashPassword(share.Password)
|
|
if err != nil {
|
|
return
|
|
}
|
|
} else {
|
|
share.SharingType = SharingTypeWithoutPassword
|
|
}
|
|
|
|
share.ID = 0
|
|
_, err = s.Insert(share)
|
|
share.Password = ""
|
|
share.SharedBy, _ = user.GetFromAuth(a)
|
|
return
|
|
}
|
|
|
|
// ReadOne returns one share
|
|
// @Summary Get one link shares for a project
|
|
// @Description Returns one link share by its ID.
|
|
// @tags sharing
|
|
// @Accept json
|
|
// @Produce json
|
|
// @Param project path int true "Project ID"
|
|
// @Param share path int true "Share ID"
|
|
// @Security JWTKeyAuth
|
|
// @Success 200 {object} models.LinkSharing "The share links"
|
|
// @Failure 403 {object} web.HTTPError "No access to the project"
|
|
// @Failure 404 {object} web.HTTPError "Share Link not found."
|
|
// @Failure 500 {object} models.Message "Internal error"
|
|
// @Router /projects/{project}/shares/{share} [get]
|
|
func (share *LinkSharing) ReadOne(s *xorm.Session, _ web.Auth) (err error) {
|
|
query := s.Where("id = ?", share.ID)
|
|
if share.ProjectID != 0 {
|
|
query = query.And("project_id = ?", share.ProjectID)
|
|
}
|
|
exists, err := query.Get(share)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
if !exists {
|
|
return ErrProjectShareDoesNotExist{ID: share.ID, Hash: share.Hash}
|
|
}
|
|
share.Password = ""
|
|
return
|
|
}
|
|
|
|
// ReadAll returns all shares for a given project
|
|
// @Summary Get all link shares for a project
|
|
// @Description Returns all link shares which exist for a given project
|
|
// @tags sharing
|
|
// @Accept json
|
|
// @Produce json
|
|
// @Param project path int true "Project ID"
|
|
// @Param page query int false "The page number. Used for pagination. If not provided, the first page of results is returned."
|
|
// @Param per_page query int false "The maximum number of items per page. Note this parameter is limited by the configured maximum of items per page."
|
|
// @Param s query string false "Search shares by hash."
|
|
// @Security JWTKeyAuth
|
|
// @Success 200 {array} models.LinkSharing "The share links"
|
|
// @Failure 500 {object} models.Message "Internal error"
|
|
// @Router /projects/{project}/shares [get]
|
|
func (share *LinkSharing) ReadAll(s *xorm.Session, a web.Auth, search string, page int, perPage int) (result interface{}, resultCount int, totalItems int64, err error) {
|
|
// Don't allow link share authenticated users to list link shares
|
|
if _, is := a.(*LinkSharing); is {
|
|
return nil, 0, 0, ErrGenericForbidden{}
|
|
}
|
|
|
|
project := &Project{ID: share.ProjectID}
|
|
can, err := project.IsAdmin(s, a)
|
|
if err != nil {
|
|
return nil, 0, 0, err
|
|
}
|
|
if !can {
|
|
return nil, 0, 0, ErrGenericForbidden{}
|
|
}
|
|
|
|
limit, start := getLimitFromPageIndex(page, perPage)
|
|
|
|
var shares []*LinkSharing
|
|
var where []builder.Cond
|
|
where = append(where, builder.Eq{"project_id": share.ProjectID})
|
|
|
|
if search != "" {
|
|
where = append(where, db.ILIKE("name", search))
|
|
}
|
|
|
|
query := s.Where(builder.And(where...))
|
|
|
|
if limit > 0 {
|
|
query = query.Limit(limit, start)
|
|
}
|
|
err = query.Find(&shares)
|
|
if err != nil {
|
|
return nil, 0, 0, err
|
|
}
|
|
|
|
// Find all users and add them
|
|
var userIDs []int64
|
|
for _, s := range shares {
|
|
userIDs = append(userIDs, s.SharedByID)
|
|
}
|
|
|
|
users := make(map[int64]*user.User)
|
|
if len(userIDs) > 0 {
|
|
err = s.In("id", userIDs).Find(&users)
|
|
if err != nil {
|
|
return nil, 0, 0, err
|
|
}
|
|
}
|
|
|
|
for _, s := range shares {
|
|
if sharedBy, has := users[s.SharedByID]; has {
|
|
s.SharedBy = sharedBy
|
|
}
|
|
s.Password = ""
|
|
}
|
|
|
|
// Total count
|
|
totalItems, err = s.
|
|
Where("project_id = ? AND hash LIKE ?", share.ProjectID, "%"+search+"%").
|
|
Count(&LinkSharing{})
|
|
if err != nil {
|
|
return nil, 0, 0, err
|
|
}
|
|
|
|
return shares, len(shares), totalItems, err
|
|
}
|
|
|
|
// Delete removes a link share
|
|
// @Summary Remove a link share
|
|
// @Description Remove a link share. The user needs to have write-access to the project to be able do this.
|
|
// @tags sharing
|
|
// @Accept json
|
|
// @Produce json
|
|
// @Security JWTKeyAuth
|
|
// @Param project path int true "Project ID"
|
|
// @Param share path int true "Share Link ID"
|
|
// @Success 200 {object} models.Message "The link was successfully removed."
|
|
// @Failure 403 {object} web.HTTPError "Not allowed to remove the link."
|
|
// @Failure 404 {object} web.HTTPError "Share Link not found."
|
|
// @Failure 500 {object} models.Message "Internal error"
|
|
// @Router /projects/{project}/shares/{share} [delete]
|
|
func (share *LinkSharing) Delete(s *xorm.Session, _ web.Auth) (err error) {
|
|
_, err = s.Where("id = ? AND project_id = ?", share.ID, share.ProjectID).Delete(share)
|
|
return
|
|
}
|
|
|
|
// GetLinkShareByHash returns a link share by hash
|
|
func GetLinkShareByHash(s *xorm.Session, hash string) (share *LinkSharing, err error) {
|
|
share = &LinkSharing{}
|
|
has, err := s.Where("hash = ?", hash).Get(share)
|
|
if err != nil {
|
|
return
|
|
}
|
|
if !has {
|
|
return share, ErrProjectShareDoesNotExist{Hash: hash}
|
|
}
|
|
return
|
|
}
|
|
|
|
// GetProjectByShareHash returns a link share by its hash
|
|
func GetProjectByShareHash(s *xorm.Session, hash string) (project *Project, err error) {
|
|
share, err := GetLinkShareByHash(s, hash)
|
|
if err != nil {
|
|
return
|
|
}
|
|
|
|
project, err = GetProjectSimpleByID(s, share.ProjectID)
|
|
return
|
|
}
|
|
|
|
// GetLinkShareByID returns a link share by its id.
|
|
func GetLinkShareByID(s *xorm.Session, id int64) (share *LinkSharing, err error) {
|
|
share = &LinkSharing{}
|
|
has, err := s.Where("id = ?", id).Get(share)
|
|
if err != nil {
|
|
return
|
|
}
|
|
if !has {
|
|
return share, ErrProjectShareDoesNotExist{ID: id}
|
|
}
|
|
return
|
|
}
|
|
|
|
// GetLinkSharesByIDs returns all link shares from a slice of ids
|
|
func GetLinkSharesByIDs(s *xorm.Session, ids []int64) (shares map[int64]*LinkSharing, err error) {
|
|
shares = make(map[int64]*LinkSharing)
|
|
err = s.In("id", ids).Find(&shares)
|
|
return
|
|
}
|
|
|
|
// VerifyLinkSharePassword checks if a password of a link share matches a provided one.
|
|
func VerifyLinkSharePassword(share *LinkSharing, password string) (err error) {
|
|
if password == "" {
|
|
return &ErrLinkSharePasswordRequired{ShareID: share.ID}
|
|
}
|
|
|
|
err = bcrypt.CompareHashAndPassword([]byte(share.Password), []byte(password))
|
|
if err != nil {
|
|
if errors.Is(err, bcrypt.ErrMismatchedHashAndPassword) {
|
|
return &ErrLinkSharePasswordInvalid{ShareID: share.ID}
|
|
}
|
|
return err
|
|
}
|
|
|
|
return nil
|
|
}
|