Document Server Security

Posted: Wed Aug 19, 2015 9:15 pm
by ckinsey
I am using the OnlyOffice Document Server only (not community).

How can I provide security for documents uploaded to that server? I thought I might be able to take advantage of the vkey value in the API config, but it doesn't seem to get passed back to my server. There is nothing to stop someone from downloading other users' files if they can get the document's key.

Re: Document Server Security

Posted: Fri Aug 21, 2015 4:19 pm
by AnaMih
In the current version, if someone has the key of another document, he can access it.
This issue will be fixed soon, we are currently working on the solution.

Re: Document Server Security

Posted: Fri Jan 27, 2017 11:56 pm
by ckinsey
Was there ever an update to address this issue?

Re: Document Server Security

Posted: Wed Feb 15, 2017 6:58 am
by Maxim
Hello ckinsey!
> Was there ever an update to address this issue?

We have implemented the JSON Web Tokens standard into OnlyOffice (this feature is used in Document Server starting with version 4.2), which provides security for documents. Now this standard protects users against unauthorized access to their documents.

Re: Document Server Security

Posted: Mon May 08, 2017 2:21 am
by AndrewG
Hi Maxim,

Can you please provide some more clarification on the security, as currently it doesn't seem to work smoothly:

1) I am using Docker image of Document Editor v4.3.3 (latest available one as of today) and integrating it with our web-based system.
2) I have updated default.json (according to this guide: https://api.onlyoffice.com/editors/signature/) by replacing all "secret" values with my own secret and enabling the security features (by setting all three parameters to "true").
3) I have generated a JWT for the whole config (all values), signed it with the same secret, and added the resulting JWT to the "token" property of the "config" object which is passed to "new DocsAPI.DocEditor(ooEditorDivId, config);".
4) It looks like the "Document editing service" is able to verify the signature of the JWT: once I change the signature key on one end only, the "Document editing service" gives me an error about the token, and when both secret keys are the same, the document loads fine for editing.
5) The issue: it seems that the "Document editing service" doesn't use values from the signed JWT; it continues using values from the plain "config" object, which could easily be altered on the end-user side (in the end-user browser).


The issue can be reproduced as follows:

Our Server side (our "Document storage service" implementation):
1) "config" object is generated, and contains values like:
config.editorConfig.user.id = "properUserID";
config.editorConfig.user.name = "Proper User Name";
2) JWT for the config is generated (for the whole config object) and added to the "token" property:
config.token = getJWT(config);
3) config object is passed to the end-user browser side;

End-user side:
4) User loads page with documents available for editing
5) User opens Chrome Development Console -> Sources -> finds the JS which creates DocEditor JS Object:
Code:
var docEditor = new DocsAPI.DocEditor(ooEditorDivId, config);

[Image: OO_issue1_image1.jpg - Chrome console initial]

6) End-user alters this JS file to the following state:
Code:
...
config.editorConfig.user.id = "userID-ALTERED";
config.editorConfig.user.name = "User Name - ALTERED";
var docEditor = new DocsAPI.DocEditor(ooEditorDivId, config);


And instead of "Proper User Name" Document Editor gets "User Name - ALTERED" (ids got altered as well - just see the console log).

Result on the page:
[Image: OO_issue1_image2.jpg - Chrome console, JS altered]

Result on the "Document storage service" end, request to the callback URL:
[Image: OO_issue1_image3.jpg - callbackUrl request altered]


This page, https://api.onlyoffice.com/editors/security, states that:
> ONLYOFFICE Document Server validates the token. The data from the payload are considered valid and is used instead of the corresponding data from the main parameters. If the token is invalid, the command is not executed.

So how to achieve this behavior? Have I missed something?

Thank you in advance for your quick response!

Re: Document Server Security

Posted: Wed May 10, 2017 12:39 pm
by Maxim
Hello AndrewG!
Great thanks for the bug notification! We will fix it!

Re: Document Server Security

Posted: Thu May 11, 2017 1:56 am
by AndrewG
Hi Maxim,

Thank you for the reply!
Okay, then we will continue working on the integration, assuming that this security issue will be fixed really soon and the JWT functionality will work as described here: https://api.onlyoffice.com/editors/security

Thanks and looking forward to downloading the patched version soon!

Re: Document Server Security

Posted: Thu May 11, 2017 6:03 am
by Maxim
Hello AndrewG!
Be sure it will be fixed!