Compare commits


72 Commits

Julian Lam
2514aace4e chore: bump nodebb version 2023-06-13 14:54:56 -04:00
Julian Lam
9ec7ab4afc fix: improper neutralization of user input in image wrapping code
(Backport of: 1d1639d46f)
2023-06-13 14:53:27 -04:00
Barış Soner Uşaklı
dd5ed9e507 fix: closes #11617, upgrade csrf-sync dep
adds back req.csrfToken()
2023-05-20 21:05:02 -04:00
Barış Soner Uşaklı
8bc8cf1ba0 lint 2023-05-15 12:15:48 -04:00
Barış Soner Uşaklı
62e162cf1e fix: backport ws token fix 2023-05-15 11:55:18 -04:00
psibean
a5d92da9dd Replace csurf with csrf-sync 2023-05-15 11:48:25 -04:00
Julian Lam
2bd6eea2fa fix: #11554, email requirement bypass by sending in whitespace 2023-05-02 12:01:28 -04:00
Misty Release Bot
42b9fbc91c chore: incrementing version number - v2.8.12
(cherry picked from commit 3e494a1ea0)
Signed-off-by: Misty Release Bot <deploy@nodebb.org>
2023-04-26 14:34:45 +00:00
Misty Release Bot
5c0bf7ccbe Merge commit '30b6bcfca117e667c262c0462fc5f0100e6a436c' into v2.x 2023-04-26 14:34:42 +00:00
Misty Release Bot
2ec81eff43 chore: incrementing version number - v2.8.11
(cherry picked from commit 82f0efb14b)
Signed-off-by: Misty Release Bot <deploy@nodebb.org>
2023-04-11 01:49:11 +00:00
Misty Release Bot
df08b47163 Merge commit 'c27567289f9937abd4abe6960a9b6e387cf68331' into v2.x 2023-04-11 01:49:09 +00:00
Misty Release Bot
5b7c3671c8 chore: incrementing version number - v2.8.10
(cherry picked from commit 48c1c7594d)
Signed-off-by: Misty Release Bot <deploy@nodebb.org>
2023-03-27 18:10:57 +00:00
Misty Release Bot
73ff25887c Merge commit '830f142b7aea2e597294a84d52c05aab3a3539ca' into v2.x 2023-03-27 15:12:54 +00:00
Misty Release Bot
57f14e419f chore: incrementing version number - v2.8.9
(cherry picked from commit fb100ac731)
Signed-off-by: Misty Release Bot <deploy@nodebb.org>
2023-03-19 16:31:26 +00:00
Misty Release Bot
bb725987b3 Merge commit '73a50d17180dcd6cb42ef9cf305a480f92b4af05' into v2.x 2023-03-19 16:31:24 +00:00
Misty Release Bot
b331b9423b chore: incrementing version number - v2.8.8
(cherry picked from commit f5a59991fc)
Signed-off-by: Misty Release Bot <deploy@nodebb.org>
2023-03-09 14:58:29 +00:00
Misty Release Bot
e45a6de24b Merge commit '22fc8fe38fd3b3c8ba6300ca6d12d90eb9b990ca' into v2.x 2023-03-09 14:58:22 +00:00
Misty Release Bot
3f8248d673 chore: incrementing version number - v2.8.7
(cherry picked from commit 6976925943)
Signed-off-by: Misty Release Bot <deploy@nodebb.org>
2023-03-01 15:51:30 +00:00
Misty Release Bot
f4282c091b Merge commit '791551098cb4a56edbae824e45b6f0a10138695b' into v2.x 2023-03-01 15:51:22 +00:00
Misty Release Bot
af6ce44737 chore: incrementing version number - v2.8.6
(cherry picked from commit 76732140f3)
Signed-off-by: Misty Release Bot <deploy@nodebb.org>
2023-02-03 16:39:40 +00:00
Misty Release Bot
c6681a1725 Merge commit 'bf92ee0e5fcd0b7a69bb58ec4baaf3b6225ebd6b' into v2.x 2023-02-03 16:39:38 +00:00
Misty Release Bot
bff5ce2d79 chore: incrementing version number - v2.8.5
(cherry picked from commit 93ccf604db)
Signed-off-by: Misty Release Bot <deploy@nodebb.org>
2023-01-27 14:35:25 +00:00
Misty Release Bot
4821b21e81 Merge commit 'f6c96948fe7cee13575ab9c93af6fe7fb9d7b722' into v2.x 2023-01-27 14:35:21 +00:00
Misty Release Bot
a46b2bbc45 chore: incrementing version number - v2.8.4
(cherry picked from commit b9553613ab)
Signed-off-by: Misty Release Bot <deploy@nodebb.org>
2023-01-26 14:38:07 +00:00
Misty Release Bot
ce924eca0d Merge commit 'c3653bee60740e410bf28808e29ffed6ab373bf9' into v2.x 2023-01-26 14:38:03 +00:00
Misty Release Bot
c20b20a7aa chore: incrementing version number - v2.8.3
(cherry picked from commit 4c46ff42f6)
Signed-off-by: Misty Release Bot <deploy@nodebb.org>
2023-01-25 19:37:34 +00:00
Misty Release Bot
82eb55d77d Merge commit '89e059a0841f4265d16b28a99ebf847dd10fa055' into v2.x 2023-01-25 19:37:31 +00:00
Misty Release Bot
050e43f8b4 chore: incrementing version number - v2.8.2
(cherry picked from commit 1d5eff2365)
Signed-off-by: Misty Release Bot <deploy@nodebb.org>
2023-01-13 18:38:13 +00:00
Misty Release Bot
9b6dad367d Merge commit '25ae58e8a057d9c640fbb50f675eadcdbe442aa9' into v2.x 2023-01-13 18:38:09 +00:00
Misty Release Bot
727f879e5b chore: incrementing version number - v2.8.1
(cherry picked from commit 96bdbf52b8)
Signed-off-by: Misty Release Bot <deploy@nodebb.org>
2022-12-30 20:48:48 +00:00
Misty Release Bot
fe662f3a46 Merge commit '8a69e740a859cf2eb4a12a0167c1ac76a48c33db' into v2.x 2022-12-30 20:48:22 +00:00
Misty Release Bot
8e77673d39 chore: incrementing version number - v2.8.0
(cherry picked from commit 7ce758d698)
Signed-off-by: Misty Release Bot <deploy@nodebb.org>
2022-12-21 22:10:49 +00:00
Misty Release Bot
3f950d5162 Merge commit 'ef500af8e6c618d86069cbf0be0d21e8c3f6e527' into v2.x 2022-12-21 22:10:47 +00:00
Misty Release Bot
96cc0617c5 chore: incrementing version number - v2.7.0
(cherry picked from commit 098097257d)
Signed-off-by: Misty Release Bot <deploy@nodebb.org>
2022-12-14 19:36:38 +00:00
Misty Release Bot
ccf8739344 Merge commit '9ee8502d7a8ba41ce6ded74b1ce1fbbe180b1dda' into v2.x 2022-12-14 19:36:36 +00:00
Misty Release Bot
7e52a7a574 chore: incrementing version number - v2.6.1
(cherry picked from commit f8e947e2a7)
Signed-off-by: Misty Release Bot <deploy@nodebb.org>
2022-11-28 01:01:10 +00:00
Misty Release Bot
21d9806ca9 Merge commit '48d143921753914da45926cca6370a92ed0c46b8' into v2.x 2022-11-28 01:00:52 +00:00
Misty Release Bot
e7fcf482f3 chore: incrementing version number - v2.6.0
(cherry picked from commit 12f0541dfa)
Signed-off-by: Misty Release Bot <deploy@nodebb.org>
2022-11-23 19:04:45 +00:00
Misty Release Bot
d80c80b618 Merge commit 'c7aa4ebf47f7b87db1f5efa0c9662b21cff7b194' into v2.x 2022-11-23 19:04:37 +00:00
Misty Release Bot
dec0e7deac chore: incrementing version number - v2.5.8
(cherry picked from commit 466263172a)
Signed-off-by: Misty Release Bot <deploy@nodebb.org>
2022-11-09 18:46:09 +00:00
Misty Release Bot
c7ff98a12d Merge commit '2f9d8c350e54543f608d3d4c8e1a49bbb6cdea38' into v2.x 2022-11-09 18:42:47 +00:00
Misty Release Bot
5836bf4a05 chore: incrementing version number - v2.5.7
(cherry picked from commit dd6d104820)
Signed-off-by: Misty Release Bot <deploy@nodebb.org>
2022-10-14 15:59:58 +00:00
Misty Release Bot
a5357812c6 Merge commit 'dc4a850cacecb8c57923803363dac9bb61221bba' into v2.x 2022-10-14 15:59:56 +00:00
Misty Release Bot
c7bd7dbfe6 chore: incrementing version number - v2.5.6
(cherry picked from commit 7dc45afa4c)
Signed-off-by: Misty Release Bot <deploy@nodebb.org>
2022-10-13 14:21:02 +00:00
Misty Release Bot
ec4dadabd4 Merge commit '67efaeb4b8e03417dfc3b575f19249f18f4cb3d6' into v2.x 2022-10-13 14:21:00 +00:00
Misty Release Bot
3509ed9461 chore: incrementing version number - v2.5.5
(cherry picked from commit 58b2f10ee9)
Signed-off-by: Misty Release Bot <deploy@nodebb.org>
2022-10-11 17:07:16 +00:00
Misty Release Bot
cb8d94563a Merge commit 'b91ef6dd761d643383d1eb4f4ac3abd5e55c18e5' into v2.x 2022-10-11 17:07:09 +00:00
Misty Release Bot
e83260ca28 chore: incrementing version number - v2.5.4
(cherry picked from commit 89eb0340d1)
Signed-off-by: Misty Release Bot <deploy@nodebb.org>
2022-10-11 12:25:36 +00:00
Misty Release Bot
4bf1ce42e6 Merge commit 'ebd5dcc6d62841dbcd120351919cdf7cf59f5933' into v2.x 2022-10-11 12:25:01 +00:00
Misty Release Bot
7e922936d0 chore: incrementing version number - v2.5.3
(cherry picked from commit cf6e8101e8)
Signed-off-by: Misty Release Bot <deploy@nodebb.org>
2022-09-19 16:23:59 +00:00
Misty Release Bot
3c8ce70c74 Merge commit 'cf4f5447bb168b9bac32ac7ddbe567f273966b88' into v2.x 2022-09-19 16:23:38 +00:00
Misty Release Bot
babcd17e6c chore: incrementing version number - v2.5.2
(cherry picked from commit e351fbe89c)
Signed-off-by: Misty Release Bot <deploy@nodebb.org>
2022-09-04 14:57:03 +00:00
Misty Release Bot
ec6ffaad4e Merge commit 'b45e24139092af6c3d50851a31452b9d28953fdd' into v2.x 2022-09-04 14:54:41 +00:00
Misty Release Bot
ce3aa95053 chore: incrementing version number - v2.5.1
(cherry picked from commit 2bf475299d)
Signed-off-by: Misty Release Bot <deploy@nodebb.org>
2022-09-02 19:14:02 +00:00
Misty Release Bot
7aab01d87a Merge commit '67cb70352f994d8fab3477f0d753e0dd588bab70' into v2.x 2022-09-02 19:14:00 +00:00
Misty Release Bot
01d276cbee chore: incrementing version number - v2.5.0
(cherry picked from commit c3e19005f6)
Signed-off-by: Misty Release Bot <deploy@nodebb.org>
2022-09-01 16:14:07 +00:00
Misty Release Bot
9758b7af2c Merge commit '8fe41d92a261ee00820a2b270f67d8baf8d84461' into v2.x 2022-09-01 15:23:08 +00:00
Misty Release Bot
dd3e1a2861 chore: incrementing version number - v2.4.5
(cherry picked from commit d8b1291088)
Signed-off-by: Misty Release Bot <deploy@nodebb.org>
2022-08-22 16:14:00 +00:00
Misty Release Bot
2a97342035 Merge commit '9b96c33d5d3706f9c5795b9c07ace063f69b101d' into v2.x 2022-08-22 16:13:55 +00:00
Misty Release Bot
d5525c873b chore: incrementing version number - v2.4.4
(cherry picked from commit 24221d66e0)
Signed-off-by: Misty Release Bot <deploy@nodebb.org>
2022-08-18 13:45:27 +00:00
Misty Release Bot
e7c3634f9a Merge commit 'fc9b436f3ef9d0ef335967456b6f6890ee8560b1' into v2.x 2022-08-18 13:45:18 +00:00
Misty Release Bot
9c647c6ce2 chore: incrementing version number - v2.4.3
(cherry picked from commit be0256b26e)
Signed-off-by: Misty Release Bot <deploy@nodebb.org>
2022-08-18 02:33:19 +00:00
Misty Release Bot
52fc05edfe Merge commit '4dc7fa050f1f30888b5bd71622b68537cc032b44' into v2.x 2022-08-18 02:33:06 +00:00
Misty Release Bot
3aa7b8552a chore: incrementing version number - v2.4.2
(cherry picked from commit 1635633acd)
Signed-off-by: Misty Release Bot <deploy@nodebb.org>
2022-08-17 21:12:35 +00:00
Misty Release Bot
36523c67b8 Merge commit 'ec048a01ba9f2dbc17064427bdcafd88e7271c88' into v2.x 2022-08-17 21:12:23 +00:00
Misty Release Bot
60cbd1480d chore: incrementing version number - v2.4.1
(cherry picked from commit 7f5ff2e613)
Signed-off-by: Misty Release Bot <deploy@nodebb.org>
2022-08-14 00:18:25 +00:00
Misty Release Bot
f3e59508ae Merge commit '15ca460c8f144c3167249b135902ac59289ca2f8' into v2.x 2022-08-14 00:18:05 +00:00
Misty Release Bot
4834cde335 chore: incrementing version number - v2.4.0
(cherry picked from commit 5525442279)
Signed-off-by: Misty Release Bot <deploy@nodebb.org>
2022-08-10 20:02:19 +00:00
Misty Release Bot
01da76e1dc Merge commit '9b753d6d57b850ef5ebc50e5a3dd7b2cbe4d5a27' into v2.x 2022-08-10 20:02:08 +00:00
Misty Release Bot
d2425942a6 chore: incrementing version number - v2.3.1
(cherry picked from commit 44dd42dc89)
Signed-off-by: Misty Release Bot <deploy@nodebb.org>
2022-07-29 15:26:23 +00:00
Misty Release Bot
8d7475be7b Merge commit '89173f17cab6f6447647e5a3d8609f97c09084d1' into v2.x 2022-07-29 15:26:17 +00:00
Misty Release Bot
046ea12022 chore: incrementing version number - v2.3.0
(cherry picked from commit e616b2e16d)
Signed-off-by: Misty Release Bot <deploy@nodebb.org>
2022-07-28 18:21:07 +00:00
11 changed files with 73 additions and 23 deletions


@@ -2,7 +2,7 @@
"name": "nodebb",
"license": "GPL-3.0",
"description": "NodeBB Forum",
"version": "2.8.11",
"version": "2.8.15",
"homepage": "http://www.nodebb.org",
"repository": {
"type": "git",
@@ -55,7 +55,7 @@
"cookie-parser": "1.4.6",
"cron": "2.3.0",
"cropperjs": "1.5.13",
"csurf": "1.11.0",
"csrf-sync": "4.0.1",
"daemon": "1.1.0",
"diff": "5.1.0",
"esbuild": "0.16.10",
@@ -192,4 +192,4 @@
"url": "https://github.com/barisusakli"
}
]
}
}


@@ -24,7 +24,7 @@ define('forum/topic/images', [], function () {
if (!$this.parent().is('a')) {
$this.wrap('<a href="' + src + '" ' +
(!srcExt && altExt ? ' download="' + altFilename + '" ' : '') +
(!srcExt && altExt ? ' download="' + utils.escapeHTML(altFilename) + '" ' : '') +
' target="_blank" rel="noopener">');
}
});
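Review bot: `src` is still concatenated into the `href` attribute unescaped on the first line of the wrap call, so the same attribute break-out this commit closes for `altFilename` remains if `src` contains a double quote; wrap it the same way, `$this.wrap('<a href="' + utils.escapeHTML(src) + '" ' +`. If `src` is read back from the image's `src` attribute (not visible in the hunk), it is the decoded attribute value, so a quote that the sanitizer stored as `&quot;` arrives raw here. Building the anchor with `$('<a>').attr({ href: src, target: '_blank', rel: 'noopener' })` and setting `download` conditionally would avoid string assembly altogether. The enclosing handler starts before the hunk.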


@@ -15,6 +15,9 @@ app = window.app || {};
reconnectionDelay: config.reconnectionDelay,
transports: config.socketioTransports,
path: config.relative_path + '/socket.io',
query: {
_csrf: config.csrf_token,
},
};
window.socket = io(config.websocketAddress, ioParams);


@@ -9,6 +9,7 @@ const categories = require('../categories');
const plugins = require('../plugins');
const translator = require('../translator');
const languages = require('../languages');
const { generateToken } = require('../middleware/csrf');
const apiController = module.exports;
@@ -64,7 +65,7 @@ apiController.loadConfig = async function (req) {
'cache-buster': meta.config['cache-buster'] || '',
topicPostSort: meta.config.topicPostSort || 'oldest_to_newest',
categoryTopicSort: meta.config.categoryTopicSort || 'newest_to_oldest',
csrf_token: req.uid >= 0 && req.csrfToken && req.csrfToken(),
csrf_token: req.uid >= 0 ? generateToken(req) : undefined,
searchEnabled: plugins.hooks.hasListeners('filter:search.query'),
searchDefaultInQuick: meta.config.searchDefaultInQuick || 'titles',
bootswatchSkin: meta.config.bootswatchSkin || '',
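Review bot: The replaced expression only called `req.csrfToken` when it was present, whereas `generateToken(req)` is now invoked for every request with `req.uid >= 0`; csrf-sync keeps the token on `req.session`, so if `loadConfig` can be reached without a session (nothing in the hunk rules that out) the call would now throw where it previously yielded a missing token. A guard such as `csrf_token: req.uid >= 0 && req.session ? generateToken(req) : undefined,` keeps the earlier fail-soft behaviour. `loadConfig` continues outside the hunk.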

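--- /dev/null
+++ b/src/middleware/csrf.js
@@ -0,0 +1,26 @@
+'use strict';
+const { csrfSync } = require('csrf-sync');
+const {
+generateToken,
+csrfSynchronisedProtection,
+isRequestValid,
+} = csrfSync({
+getTokenFromRequest: (req) => {
+if (req.headers['x-csrf-token']) {
+return req.headers['x-csrf-token'];
+} else if (req.body && req.body.csrf_token) {
+return req.body.csrf_token;
+} else if (req.query) {
+return req.query._csrf;
+}
+},
+size: 64,
+});
+module.exports = {
+generateToken,
+csrfSynchronisedProtection,
+isRequestValid,
+};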
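Review bot: The module has no header comment explaining the three token locations it accepts, and the names differ between them (`x-csrf-token` header, `csrf_token` body field, `_csrf` query parameter), so callers have to read `getTokenFromRequest` to find out what to send; a short comment above `csrfSync({` listing the three sources, and noting that the query form exists for the socket.io handshake (which cannot set custom headers), would help. The query fallback also means the token lands in request URLs, which reverse proxies and access logs typically record, so that trade-off belongs in the same comment together with a reminder to mask `_csrf` in access logs where the deployment allows it. `size: 64` is passed without explanation; a one-line comment on what unit csrf-sync uses for it would avoid guesswork.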


@@ -2,11 +2,11 @@
const async = require('async');
const path = require('path');
const csrf = require('csurf');
const validator = require('validator');
const nconf = require('nconf');
const toobusy = require('toobusy-js');
const util = require('util');
const { csrfSynchronisedProtection } = require('./csrf');
const plugins = require('../plugins');
const meta = require('../meta');
@@ -34,7 +34,7 @@ middleware.regexes = {
timestampedUpload: /^\d+-.+$/,
};
const csrfMiddleware = csrf();
const csrfMiddleware = csrfSynchronisedProtection;
middleware.applyCSRF = function (req, res, next) {
if (req.uid >= 0) {
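Review bot: `csrfSynchronisedProtection` validates with the `getTokenFromRequest` defined in `./csrf` (header `x-csrf-token`, body `csrf_token`, query `_csrf`), which is narrower than csurf's default lookup, where `_csrf` in the body and the `csrf-token`, `xsrf-token` and `x-xsrf-token` headers were also accepted; any form or plugin that still posts `_csrf` in the body will be rejected after this change. If that is intended, a comment on the `csrfMiddleware` line saying so, `// token lookup lives in ./csrf; the body field is csrf_token, not csurf's _csrf`, saves the next reader a trip; otherwise add `req.body._csrf` as a further fallback in `getTokenFromRequest`. `middleware.applyCSRF` continues outside the hunk.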


@@ -10,6 +10,7 @@ const meta = require('../meta');
const controllers = require('../controllers');
const helpers = require('../controllers/helpers');
const plugins = require('../plugins');
const { generateToken } = require('../middleware/csrf');
let loginStrategies = [];
@@ -108,7 +109,7 @@ Auth.reloadRoutes = async function (params) {
};
if (strategy.checkState !== false) {
req.session.ssoState = req.csrfToken && req.csrfToken();
req.session.ssoState = generateToken(req, true);
opts.state = req.session.ssoState;
}
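Review bot: `generateToken(req, true)` regenerates the session's CSRF token on every SSO redirect (the second argument is csrf-sync's overwrite flag, if I read 4.x correctly) and the same value is then handed to the identity provider as `opts.state`. That couples the session's anti-CSRF secret to a value that travels in a redirect URL, so it shows up in the provider's logs and in the `Referer` of the callback, and any page the user already has open now holds a stale token. A dedicated nonce, e.g. `req.session.ssoState = crypto.randomBytes(32).toString('hex');` with `crypto` required at the top of the file, keeps the OAuth state check independent of the CSRF token and avoids rotating it mid-session; the replaced line had the same coupling, so this may be deliberate and is worth a comment either way. `Auth.reloadRoutes` continues outside the hunk.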


@@ -34,13 +34,25 @@ Sockets.init = async function (server) {
}
}
io.use(authorize);
io.on('connection', onConnection);
const opts = {
transports: nconf.get('socket.io:transports') || ['polling', 'websocket'],
cookie: false,
allowRequest: (req, callback) => {
authorize(req, (err) => {
if (err) {
return callback(err);
}
const csrf = require('../middleware/csrf');
const isValid = csrf.isRequestValid({
session: req.session || {},
query: req._query,
headers: req.headers,
});
callback(null, isValid);
});
},
};
/*
* Restrict socket.io listener to cookie domain. If none is set, infer based on url.
@@ -62,7 +74,11 @@ Sockets.init = async function (server) {
};
function onConnection(socket) {
socket.ip = (socket.request.headers['x-forwarded-for'] || socket.request.connection.remoteAddress || '').split(',')[0];
socket.uid = socket.request.uid;
socket.ip = (
socket.request.headers['x-forwarded-for'] ||
socket.request.connection.remoteAddress || ''
).split(',')[0];
socket.request.ip = socket.ip;
logger.io_one(socket, socket.uid);
@@ -231,9 +247,7 @@ async function validateSession(socket, errorMsg) {
const cookieParserAsync = util.promisify((req, callback) => cookieParser(req, {}, err => callback(err)));
async function authorize(socket, callback) {
const { request } = socket;
async function authorize(request, callback) {
if (!request) {
return callback(new Error('[[error:not-authorized]]'));
}
@@ -246,15 +260,13 @@ async function authorize(socket, callback) {
});
const sessionData = await getSessionAsync(sessionId);
request.session = sessionData;
let uid = 0;
if (sessionData && sessionData.passport && sessionData.passport.user) {
request.session = sessionData;
socket.uid = parseInt(sessionData.passport.user, 10);
} else {
socket.uid = 0;
uid = parseInt(sessionData.passport.user, 10);
}
request.uid = socket.uid;
callback();
request.uid = uid;
callback(null, uid);
}
Sockets.in = function (room) {
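Review bot: `allowRequest` in the first hunk reads the token from `req._query`, an engine.io internal rather than a documented field; if a later engine.io release renames it, `query` becomes `undefined`, `isRequestValid` sees no token and every handshake is refused, which fails closed as far as I can tell but does so silently. Parsing the handshake URL directly, `query: Object.fromEntries(new URL(req.url, 'http://localhost').searchParams),`, removes that dependency. The `require('../middleware/csrf')` inside the callback should also move up with the other requires at the top of the file. When `isValid` is false nothing is logged, so a stale token after session regeneration is indistinguishable from a genuine cross-site attempt; a log line carrying the uid and remote address before `callback(null, isValid)` would help operators tell the two apart. `Sockets.init` continues outside the hunk.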


@@ -40,6 +40,10 @@ Interstitials.email = async (data) => {
issuePasswordChallenge: !!data.userData.uid && hasPassword,
},
callback: async (userData, formData) => {
if (formData.email) {
formData.email = String(formData.email).trim();
}
// Validate and send email confirmation
if (userData.uid) {
const isSelf = parseInt(userData.uid, 10) === parseInt(data.req.uid, 10);


@@ -95,7 +95,7 @@ helpers.logoutUser = function (jar, callback) {
});
};
helpers.connectSocketIO = function (res, callback) {
helpers.connectSocketIO = function (res, csrf_token, callback) {
const io = require('socket.io-client');
let cookies = res.headers['set-cookie'];
cookies = cookies.filter(c => /express.sid=[^;]+;/.test(c));
@@ -106,6 +106,9 @@ helpers.connectSocketIO = function (res, callback) {
Origin: nconf.get('url'),
Cookie: cookie,
},
query: {
_csrf: csrf_token,
},
});
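Review bot: Inserting `csrf_token` between `res` and `callback` changes the arity for every existing caller of `helpers.connectSocketIO`; a caller still passing `(res, callback)` would have its callback treated as the token and end with `callback` undefined. Only the `describe('socket.io')` call is updated in this commit, so either make the parameter trailing and optional or accept the old shape with `if (typeof csrf_token === 'function') { callback = csrf_token; csrf_token = undefined; }` at the top of the function. The function body continues outside the hunk.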
socket.on('connect', () => {


@@ -73,7 +73,7 @@ describe('socket.io', () => {
}, (err, res) => {
assert.ifError(err);
helpers.connectSocketIO(res, (err, _io) => {
helpers.connectSocketIO(res, body.csrf_token, (err, _io) => {
io = _io;
assert.ifError(err);