Document Server Security and setHistoryData()

Integration questions/issues
Document Server Security and setHistoryData()

Post by AndrewG » Sat May 13, 2017 9:10 am

Hi OnlyOffice Team,

So we have implemented document change history tracking according to the documentation, and have run into the following security issue with the setHistoryData() method:
1) Please recall this doc: https://api.onlyoffice.com/editors/meth ... istoryData
2) The main concern is the property: "changesUrl": "http://example.com/url-to-changes.zip"

It looks like the request to the given URL ("http://example.com/url-to-changes.zip" in the example above) is sent without any authorization or tokens, on behalf of the end user's browser.
This means that the "Document Storage Server" implementation has to allow file downloads via this URL without any authentication, and if the end user is smart enough, he could guess the URLs of other files and download them as well.

Can you please clarify the mentioned issue and guide us in case we missed something!

Thank you in advance for quick response!
--
Best regards,
Andrew


Re: Document Server Security and setHistoryData()

Post by Maxim » Mon May 15, 2017 12:26 pm

Hello AndrewG!
We plan to use JWT in future releases, but for now you can perform your own authentication, because the request to changesUrl is executed from the browser.


Re: Document Server Security and setHistoryData()

Post by AndrewG » Mon May 15, 2017 2:39 pm

Hi Maxim,

Okay, thank you! ...just wanted to make sure that we didn't miss some details here.

Indeed, we have implemented tokens for signing the URL used to get the changes document, so the URL to the changes doc is signed with a secret and a TTL (time-to-live) key, and the signature is added as a GET param to the original URL.

Works like a charm!
--
Best regards,
Andrew


Re: Document Server Security and setHistoryData()

Post by Maxim » Tue May 16, 2017 7:22 am

Hello AndrewG!
It looks OK!


Re: Document Server Security and setHistoryData()

Post by Oouser » Sat Jun 09, 2018 8:14 am

Hi Maxim,

Does the OnlyOffice Document Server support the RS256 algorithm for signing?
In the documentation I see examples only for HS256, but none with RS256.


Another thing: wouldn't it be better to take a hash (MD5, SHA-256) of the JSON and use that in the JWT as a claim, instead of putting the whole JSON in as a claim, which duplicates data?
Also, downloading the files provided in the callback URL is not secure at all. The JWT is provided in the headers, but without any information about the content of the file. You should provide a digest (MD5, SHA-256) of the file inside the JWT as a claim so I can verify the file itself.
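What the digest-claim suggestion above would look like in practice, as an added example (not OnlyOffice code, and not a documented Document Server claim): a minimal HS256 JWT whose payload carries a SHA-256 of the file, so the receiver can reject a token that is valid but was not issued for the bytes it actually downloaded. The claim name `sha256`, the shared secret and the file contents are all constructed for the example; the JWT encoding is written out by hand so the block runs without a JWT library.

```python
"""HS256 JWT carrying a file digest claim (added example, not OnlyOffice code)."""
import base64
import hashlib
import hmac
import json

# Constructed shared secret for this example only.
SECRET = b"constructed-example-secret-do-not-reuse"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def file_digest(content: bytes) -> str:
    return hashlib.sha256(content).hexdigest()


def issue_download_token(file_content: bytes, secret: bytes = SECRET, **claims) -> str:
    """Sender side: sign the caller's claims plus a digest of the file being sent."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = dict(claims, sha256=file_digest(file_content))   # 'sha256' is an assumed claim name
    compact = lambda obj: _b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = f"{compact(header)}.{compact(payload)}"
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_download(token: str, file_content: bytes, secret: bytes = SECRET):
    """Receiver side: return the claims if signature AND file digest check out, else None."""
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        if header.get("alg") != "HS256":        # refuse 'none' and any other algorithm
            return None
        expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            return None                          # signature does not match
        payload = json.loads(_b64url_decode(p))
    except ValueError:                           # bad base64, bad JSON, wrong part count
        return None
    # The token is authentic; now bind it to the bytes actually received.
    if not hmac.compare_digest(str(payload.get("sha256", "")), file_digest(file_content)):
        return None                              # file was swapped or corrupted
    return payload


if __name__ == "__main__":
    body = b"constructed changes archive bytes"   # stands in for changes.zip
    tok = issue_download_token(body, key="doc-123")
    print(verify_download(tok, body))
    print(verify_download(tok, body + b"tampered"))
```

Checking the algorithm before verifying, and comparing both the signature and the digest in constant time, are the two checks worth keeping even if a library replaces the hand-rolled encoding.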
