Document Server Security

Postby ckinsey » Wed Aug 19, 2015 9:15 pm

I am using the OnlyOffice Document Server only (not community).

How can I provide security for documents uploaded to that server? I thought I might be able to take advantage of the vkey value in the API config, but it doesn't seem to get passed back to my server. There is nothing to stop someone from downloading other users' files if they can get the document's key.
ckinsey
 
Posts: 6
Joined: Wed Aug 19, 2015 9:10 pm

Re: Document Server Security

Postby AnaMih » Fri Aug 21, 2015 4:19 pm

In the current version, if someone has the key of another document, he can access it.
This issue will be fixed soon, we are currently working on the solution.
AnaMih
 
Posts: 264
Joined: Mon Aug 25, 2014 10:15 am

Re: Document Server Security

Postby ckinsey » Fri Jan 27, 2017 11:56 pm

Was there ever an update to address this issue?
ckinsey
 
Posts: 6
Joined: Wed Aug 19, 2015 9:10 pm

Re: Document Server Security

Postby Maxim » Wed Feb 15, 2017 6:58 am

Hello ckinsey!
Was there ever an update to address this issue?

We have implemented the JSON Web Tokens standard in OnlyOffice (this feature is used in Document Server starting with version 4.2); it provides security for documents. Now this standard protects users against unauthorized access to their documents.
Maxim
 
Posts: 1229
Joined: Tue Oct 11, 2016 2:34 pm

Re: Document Server Security

Postby AndrewG » Mon May 08, 2017 2:21 am

Hi Maxim,

Can you please provide some more clarification on the security, as currently it doesn't seem to work smoothly:

1) I am using the Docker image of Document Editor v4.3.3 (the latest available one as of today) and integrating it with our web-based system.
2) I have updated default.json (according to this guide: https://api.onlyoffice.com/editors/signature/) by replacing all "secret" values with my own secret and enabling the security features (by setting all three parameters to "true").
3) I have generated a JWT for the whole config (all values), signed it with the same secret, and added the resulting JWT to the "token" property of the "config" object which is passed to "new DocsAPI.DocEditor(ooEditorDivId, config);".
4) It looks like the "Document editing service" is able to verify the signature of the JWT: once I change the signature key on one end only, the "Document editing service" gives me an error about the token, and when both secret keys are the same, the document loads fine for editing.
5) The issue: it seems that the "Document editing service" doesn't use the values from the signed JWT; it continues using the values from the plain "config" object, which could easily be altered on the end-user side (in the end-user browser).


The issue can be reproduced as follows:

Our Server side (our "Document storage service" implementation):
1) "config" object is generated, and contains values like:
config.editorConfig.user.id = "properUserID";
config.editorConfig.user.name = "Proper User Name";
2) JWT for the config is generated (for the whole config object) and added to the "token" property:
config.token = getJWT(config);
3) config object is passed to the end-user browser side;

End-user side:
4) User loads page with documents available for editing
5) User opens Chrome Development Console -> Sources -> finds the JS which creates DocEditor JS Object:
var docEditor = new DocsAPI.DocEditor(ooEditorDivId, config);

Example print screen:
[Screenshot OO_issue1_image1.jpg: Chrome console initial]

6) End-user alters this JS file to the following state:
...
config.editorConfig.user.id = "userID-ALTERED";
config.editorConfig.user.name = "User Name - ALTERED";
var docEditor = new DocsAPI.DocEditor(ooEditorDivId, config);


And instead of "Proper User Name" Document Editor gets "User Name - ALTERED" (ids got altered as well - just see the console log).

Print screen with altered pages
Result on the page:
[Screenshot OO_issue1_image2.jpg: Chrome console JS altered]


Result in the "Document storage service" end, request to the callBack url:
[Screenshot OO_issue1_image3.jpg: CallbackUrl request altered]


This page: https://api.onlyoffice.com/editors/security states that:
ONLYOFFICE Document Server validates the token. The data from the payload are considered valid and are used instead of the corresponding data from the main parameters. If the token is invalid, the command is not executed.

So how to achieve this behavior? Have I missed something?

Thank you in advance for your quick response!
--
Best regards,
Andrew
AndrewG
 
Posts: 18
Joined: Sat May 06, 2017 3:09 am

Re: Document Server Security

Postby Maxim » Wed May 10, 2017 12:39 pm

Hello AndrewG!
Great thanks for the bug notification! We will fix it!
Maxim
 
Posts: 1229
Joined: Tue Oct 11, 2016 2:34 pm

Re: Document Server Security

Postby AndrewG » Thu May 11, 2017 1:56 am

Hi Maxim,

thank you for the reply!
Okay, then we continue working on integration, assuming that this security issue will be fixed really soon and the JWT functionality will work as described here: https://api.onlyoffice.com/editors/security

Thanks and looking forward to downloading the patched version soon!
--
Best regards,
Andrew
AndrewG
 
Posts: 18
Joined: Sat May 06, 2017 3:09 am

Re: Document Server Security

Postby Maxim » Thu May 11, 2017 6:03 am

Hello AndrewG!
Be sure it will be fixed!
Maxim
 
Posts: 1229
Joined: Tue Oct 11, 2016 2:34 pm
