dev.onlyoffice.org

[ckinsey]

I am using the OnlyOffice Document Server only (not community).

How can I provide security for documents uploaded to that server? I thought I might be able to take advantage of the vkey value in the API config, but it doesn't seem to get passed back to my server. There is nothing to stop someone from download other users' files if they can get the document's key.

[AnaMih]

In the current version if someone has the key of another document, he can access to it.
This issue will be fixed soon, we are currently working on the solution.

[ckinsey]

Was there ever an update to address this issue?

[Maxim]

Hello ckinsey!

Was there ever an update to address this issue?

We have implemented into the OnlyOffice (this feature is used in Document Server starting with version 4.2) JSON Web Tokens standard that provides security for documents. Now this Standard protects users against unauthorized access to their documents.

[AndrewG]

Hi Maxim,

can you please provide some more clarification on the security, as currently it doesn't seem to work smoothly:

1) I am using Docker image of Document Editor v4.3.3 (latest available one as of today) and integrating it with our web-based system.
2) I have updated default.json (according to this guide: https://api.onlyoffice.com/editors/signature/) by replacing all "secret" with my own secret and enabling security features (by setting all three parameters to "true")
3) I have generated JWT for the whole config (all values), signed it with the same secret, and added the resulting JWT to "token" property of the "config" object which is passed to the "new DocsAPI.DocEditor(ooEditorDivId, config);"
4) Looks like "Document editing service" is able to verify signature of the JWT, as once I am changing the signature key on one end only - "Document editing service" gives me error about token, and when both secret keys are the same - document loads fine for editing
5) The issue: It seems that "Document editing service" doesn't use values from the signed JWT, it continues using values from the plain "config" object, which is easily could be altered on the end-user side (in the end-user browser).


The issue could be reproduced as following:

Our Server side (our "Document storage service" implementation):
1) "config" object is generated, and contains values like:
config.editorConfig.user.id = "properUserID";
config.editorConfig.user.name = "Proper User Name";
2) JWT for the config is generated (for the whole config object) and added to the "token" property:
config.token = getJWT(config);
3) config object is passed to the end-user browser side;

End-user side:
4) User loads page with documents available for editing
5) User opens Chrome Development Console -> Sources -> finds the JS which creates DocEditor JS Object:

Code: Select all

var docEditor = new DocsAPI.DocEditor(ooEditorDivId, config);

Example print screen

Chrome console initial

OO_issue1_image1.jpg (37.79 KiB) Viewed 2067 times

6) End-user alters this JS file to the following state:

Code: Select all

...
config.editorConfig.user.id = "userID-ALTERED";
config.editorConfig.user.name = "User Name - ALTERED";
var docEditor = new DocsAPI.DocEditor(ooEditorDivId, config);


And instead of "Proper User Name" Document Editor gets "User Name - ALTERED" (ids got altered as well - just see the console log).

Print screen with altered pages

Result on the page:

Chrome console JS altered

OO_issue1_image2.jpg (71.79 KiB) Viewed 2067 times

Result in the "Document storage service" end, request to the callBack url:

CallbakUrl request altered

OO_issue1_image3.jpg (63.86 KiB) Viewed 2067 times

According to this page: https://api.onlyoffice.com/editors/security it is stated that:
ONLYOFFICE Document Server validates the token. The data from the payload are considered valid and is used instead of the corresponding data from the main parameters. If the token is invalid, the command is not executed.

So how to achieve this behavior? Have I missed something?

Thank you in advance for your quick response!

[Maxim]

Hello AndrewG!
Great thanks for the bug notification! We will fix it!

[AndrewG]

Hi Maxim,

thank you for the reply!
Okay, then we continue working on integration, assuming that this security issue will be fixed really soon and the JWT functionality will work as described here: https://api.onlyoffice.com/editors/security

Thanks and looking forward to downloading the patched version soon!

[Maxim]

Hello AndrewG!
Be sure it will be fixed!

[AndrewG]

Just checked this issue in version 5.0.6 - look like it is fixed now, what is good! Thanks!