I am using the OnlyOffice Document Server only (not community).
How can I provide security for documents uploaded to that server? I thought I might be able to take advantage of the vkey value in the API config, but it doesn't seem to get passed back to my server. There is nothing to stop someone from download other users' files if they can get the document's key.
Document Server Security
8 posts
• Page 1 of 1
Document Server Security
by ckinsey » Wed Aug 19, 2015 9:15 pm
- ckinsey
- Posts: 6
- Joined: Wed Aug 19, 2015 9:10 pm
Re: Document Server Security
by AnaMih » Fri Aug 21, 2015 4:19 pm
In the current version if someone has the key of another document, he can access to it.
This issue will be fixed soon, we are currently working on the solution.
This issue will be fixed soon, we are currently working on the solution.
-
AnaMih - Posts: 264
- Joined: Mon Aug 25, 2014 10:15 am
Re: Document Server Security
by ckinsey » Fri Jan 27, 2017 11:56 pm
Was there ever an update to address this issue?
- ckinsey
- Posts: 6
- Joined: Wed Aug 19, 2015 9:10 pm
Re: Document Server Security
by Maxim » Wed Feb 15, 2017 6:58 am
Hello ckinsey!
We have implemented into the OnlyOffice (this feature is used in Document Server starting with version 4.2) JSON Web Tokens standard that provides security for documents. Now this Standard protects users against unauthorized access to their documents.
Was there ever an update to address this issue?
We have implemented into the OnlyOffice (this feature is used in Document Server starting with version 4.2) JSON Web Tokens standard that provides security for documents. Now this Standard protects users against unauthorized access to their documents.
- Maxim
- Posts: 1082
- Joined: Tue Oct 11, 2016 2:34 pm
Re: Document Server Security
by AndrewG » Mon May 08, 2017 2:21 am
Hi Maxim,
can you please provide some more clarification on the security, as currently it doesn't seem to work smoothly:
1) I am using Docker image of Document Editor v4.3.3 (latest available one as of today) and integrating it with our web-based system.
2) I have updated default.json (according to this guide: https://api.onlyoffice.com/editors/signature/) by replacing all "secret" with my own secret and enabling security features (by setting all three parameters to "true")
3) I have generated JWT for the whole config (all values), signed it with the same secret, and added the resulting JWT to "token" property of the "config" object which is passed to the "new DocsAPI.DocEditor(ooEditorDivId, config);"
4) Looks like "Document editing service" is able to verify signature of the JWT, as once I am changing the signature key on one end only - "Document editing service" gives me error about token, and when both secret keys are the same - document loads fine for editing
5) The issue: It seems that "Document editing service" doesn't use values from the signed JWT, it continues using values from the plain "config" object, which is easily could be altered on the end-user side (in the end-user browser).
The issue could be reproduced as following:
Our Server side (our "Document storage service" implementation):
1) "config" object is generated, and contains values like:
config.editorConfig.user.id = "properUserID";
config.editorConfig.user.name = "Proper User Name";
2) JWT for the config is generated (for the whole config object) and added to the "token" property:
config.token = getJWT(config);
3) config object is passed to the end-user browser side;
End-user side:
4) User loads page with documents available for editing
5) User opens Chrome Development Console -> Sources -> finds the JS which creates DocEditor JS Object:
Example print screen
6) End-user alters this JS file to the following state:
And instead of "Proper User Name" Document Editor gets "User Name - ALTERED" (ids got altered as well - just see the console log).
Print screen with altered pages
According to this page: https://api.onlyoffice.com/editors/security it is stated that:
ONLYOFFICE Document Server validates the token. The data from the payload are considered valid and is used instead of the corresponding data from the main parameters. If the token is invalid, the command is not executed.
So how to achieve this behavior? Have I missed something?
Thank you in advance for your quick response!
can you please provide some more clarification on the security, as currently it doesn't seem to work smoothly:
1) I am using Docker image of Document Editor v4.3.3 (latest available one as of today) and integrating it with our web-based system.
2) I have updated default.json (according to this guide: https://api.onlyoffice.com/editors/signature/) by replacing all "secret" with my own secret and enabling security features (by setting all three parameters to "true")
3) I have generated JWT for the whole config (all values), signed it with the same secret, and added the resulting JWT to "token" property of the "config" object which is passed to the "new DocsAPI.DocEditor(ooEditorDivId, config);"
4) Looks like "Document editing service" is able to verify signature of the JWT, as once I am changing the signature key on one end only - "Document editing service" gives me error about token, and when both secret keys are the same - document loads fine for editing
5) The issue: It seems that "Document editing service" doesn't use values from the signed JWT, it continues using values from the plain "config" object, which is easily could be altered on the end-user side (in the end-user browser).
The issue could be reproduced as following:
Our Server side (our "Document storage service" implementation):
1) "config" object is generated, and contains values like:
config.editorConfig.user.id = "properUserID";
config.editorConfig.user.name = "Proper User Name";
2) JWT for the config is generated (for the whole config object) and added to the "token" property:
config.token = getJWT(config);
3) config object is passed to the end-user browser side;
End-user side:
4) User loads page with documents available for editing
5) User opens Chrome Development Console -> Sources -> finds the JS which creates DocEditor JS Object:
- Code: Select all
var docEditor = new DocsAPI.DocEditor(ooEditorDivId, config);
Example print screen
6) End-user alters this JS file to the following state:
- Code: Select all
...
config.editorConfig.user.id = "userID-ALTERED";
config.editorConfig.user.name = "User Name - ALTERED";
var docEditor = new DocsAPI.DocEditor(ooEditorDivId, config);
And instead of "Proper User Name" Document Editor gets "User Name - ALTERED" (ids got altered as well - just see the console log).
Print screen with altered pages
According to this page: https://api.onlyoffice.com/editors/security it is stated that:
ONLYOFFICE Document Server validates the token. The data from the payload are considered valid and is used instead of the corresponding data from the main parameters. If the token is invalid, the command is not executed.
So how to achieve this behavior? Have I missed something?
Thank you in advance for your quick response!
--
Best regards,
Andrew
Best regards,
Andrew
-
AndrewG - Posts: 16
- Joined: Sat May 06, 2017 3:09 am
Re: Document Server Security
by Maxim » Wed May 10, 2017 12:39 pm
Hello AndrewG!
Great thanks for the bug notification! We will fix it!
Great thanks for the bug notification! We will fix it!
- Maxim
- Posts: 1082
- Joined: Tue Oct 11, 2016 2:34 pm
Re: Document Server Security
by AndrewG » Thu May 11, 2017 1:56 am
Hi Maxim,
thank you for the reply!
Okay, then we continue working on integration, assuming that this security issue will be fixed really soon and the JWT functionality will work as described here: https://api.onlyoffice.com/editors/security
Thanks and looking forward to downloading the patched version soon!
thank you for the reply!
Okay, then we continue working on integration, assuming that this security issue will be fixed really soon and the JWT functionality will work as described here: https://api.onlyoffice.com/editors/security
Thanks and looking forward to downloading the patched version soon!
--
Best regards,
Andrew
Best regards,
Andrew
-
AndrewG - Posts: 16
- Joined: Sat May 06, 2017 3:09 am
Re: Document Server Security
by Maxim » Thu May 11, 2017 6:03 am
Hello AndrewG!
Be sure it will be fixed!
Be sure it will be fixed!
- Maxim
- Posts: 1082
- Joined: Tue Oct 11, 2016 2:34 pm
8 posts
• Page 1 of 1
Who is online
Users browsing this forum: No registered users and 1 guest