MyFavMirrors
/
MeshCentral
mirror of https://github.com/Ylianst/MeshCentral.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Guest sharing security improvements.

This commit is contained in:
Ylian Saint-Hilaire 2021-11-10 10:31:33 -08:00
parent 2ca10b3e58
commit 529fa04094
3 changed files with 19 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
meshagent.js
View File

@ -1670,16 +1670,16 @@ module.exports.CreateMeshAgent = function (parent, db, ws, req, args, domain) {
break; break;
} }
case 'guestShare': { case 'guestShare': {
if ((domain.agentselfguestsharing !== true) || (typeof command.flags != 'number')) return; // Check if agent self-sharing is allowed, this is off by default. if ((command.flags == null) || (command.flags == 0)) {
if (command.flags == 0) { // Stop any current self-share, this is allowed even if self guest sharing is not allows so to clear any old shares.
// Stop any current self-share
removeGuestSharing(function () { removeGuestSharing(function () {
delete obj.guestSharing; delete obj.guestSharing;
obj.send(JSON.stringify({ action: 'guestShare', flags: command.flags, url: null, viewOnly: false })); obj.send(JSON.stringify({ action: 'guestShare', flags: command.flags, url: null, viewOnly: false }));
}); });
} else { } else {
// Add a new self-share, this will replace any share for this device // Add a new self-share, this will replace any share for this device
if ((command.flags & 1) == 0) { command.viewOnly = false; } // Only allow "view only" if desktop is shared. if ((domain.agentselfguestsharing !== true) || (typeof command.flags != 'number')) return; // Check if agent self-sharing is allowed, this is off by default.
if ((command.flags & 2) == 0) { command.viewOnly = false; } // Only allow "view only" if desktop is shared.
addGuestSharing(command.flags, command.viewOnly, function (share) { addGuestSharing(command.flags, command.viewOnly, function (share) {
obj.guestSharing = true; obj.guestSharing = true;
obj.send(JSON.stringify({ action: 'guestShare', url: share.url, flags: share.flags, viewOnly: share.viewOnly })); obj.send(JSON.stringify({ action: 'guestShare', url: share.url, flags: share.flags, viewOnly: share.viewOnly }));

9
meshuser.js
View File

@ -402,6 +402,12 @@ module.exports.CreateMeshUser = function (parent, db, ws, req, args, domain, use
else if (event == 'resubscribe') { user.subscriptions = parent.subscribe(user._id, ws); } else if (event == 'resubscribe') { user.subscriptions = parent.subscribe(user._id, ws); }
else if (event == 'updatefiles') { updateUserFiles(user, ws, domain); } else if (event == 'updatefiles') { updateUserFiles(user, ws, domain); }
else { else {
// If updating guest device shares, if we are updating a user that is not creator of the share, remove the URL.
if (event.action == 'deviceShareUpdate') {
event = common.Clone(event);
for (var i in event.deviceShares) { if (event.deviceShares[i].userid != user._id) { delete event.deviceShares[i].url; } }
}
// Because of the device group "Show Self Events Only", we need to do more checks here. // Because of the device group "Show Self Events Only", we need to do more checks here.
if (id.startsWith('mesh/')) { if (id.startsWith('mesh/')) {
// Check if we have rights to get this message. If we have limited events on this mesh, don't send the event to the user. // Check if we have rights to get this message. If we have limited events on this mesh, don't send the event to the user.
@ -430,7 +436,7 @@ module.exports.CreateMeshUser = function (parent, db, ws, req, args, domain, use
ws.send(JSON.stringify({ action: 'event', event: event })); ws.send(JSON.stringify({ action: 'event', event: event }));
} }
} }
} catch (e) { } } catch (ex) { console.log(ex); }
} }
}; };
@ -4613,6 +4619,7 @@ module.exports.CreateMeshUser = function (parent, db, ws, req, args, domain, use
} else { } else {
// This share is ok, remove extra data we don't need to send. // This share is ok, remove extra data we don't need to send.
delete doc._id; delete doc.domain; delete doc.nodeid; delete doc.type; delete doc._id; delete doc.domain; delete doc.nodeid; delete doc.type;
if (doc.userid != user._id) { delete doc.url; } // If this is not the user who created this link, don't give the link.
okDocs.push(doc); okDocs.push(doc);
} }
} }

11
views/default.handlebars
View File

@ -7096,19 +7096,22 @@
x += '<br /><table style="color:black;background-color:#EEE;border-color:#AAA;border-width:1px;border-style:solid;border-collapse:collapse" border=0 cellpadding=2 cellspacing=0 width=100%><tbody><tr style=background-color:#AAAAAA;font-weight:bold><th scope=col style=text-align:left;width:430px>' + "Active Device Sharing" + '</th><th scope=col style=text-align:left></th></tr>'; x += '<br /><table style="color:black;background-color:#EEE;border-color:#AAA;border-width:1px;border-style:solid;border-collapse:collapse" border=0 cellpadding=2 cellspacing=0 width=100%><tbody><tr style=background-color:#AAAAAA;font-weight:bold><th scope=col style=text-align:left;width:430px>' + "Active Device Sharing" + '</th><th scope=col style=text-align:left></th></tr>';
count = 1; count = 1;
for (var i = 0; i < deviceShares.length; i++) { for (var i = 0; i < deviceShares.length; i++) {
var dshare = deviceShares[i]; var dshare = deviceShares[i], trash = '';
var trash = '<a href="' + dshare.url + '" rel="noreferrer noopener" target=_blank title="' + "Device Sharing Link" + '" style=cursor:pointer><img src=images/link2.png border=0 height=10 width=10></a> <a href=# onclick=\'return p30removeDeviceSharing(event,"' + encodeURIComponentEx(currentNode._id) + '","' + encodeURIComponentEx(dshare.publicid) + '","' + encodeURIComponentEx(dshare.guestName) + '")\' title="' + "Remove device sharing" + '" style=cursor:pointer><img src=images/trash.png border=0 height=10 width=10></a>'; if (dshare.url != null) { trash += '<a href="' + dshare.url + '" rel="noreferrer noopener" target=_blank title="' + "Device Sharing Link" + '" style=cursor:pointer><img src=images/link2.png border=0 height=10 width=10></a> '; }
trash += '<a href=# onclick=\'return p30removeDeviceSharing(event,"' + encodeURIComponentEx(currentNode._id) + '","' + encodeURIComponentEx(dshare.publicid) + '","' + encodeURIComponentEx(dshare.guestName) + '")\' title="' + "Remove device sharing" + '" style=cursor:pointer><img src=images/trash.png border=0 height=10 width=10></a>';
var type = ['', "Terminal", "Desktop", "Desktop + Terminal", "Files", "Terminal + Files", "Desktop + Files", "Desktop + Terminal + Files"][dshare.p]; var type = ['', "Terminal", "Desktop", "Desktop + Terminal", "Files", "Terminal + Files", "Desktop + Files", "Desktop + Terminal + Files"][dshare.p];
var details = type; var details = type;
if ((dshare.startTime != null) && (dshare.expireTime != null)) { details = format("{0}, {1} to {2}", type, printFlexDateTime(new Date(dshare.startTime)), printFlexDateTime(new Date(dshare.expireTime))); } if ((dshare.startTime != null) && (dshare.expireTime != null)) { details = format("{0}, {1} to {2}", type, printFlexDateTime(new Date(dshare.startTime)), printFlexDateTime(new Date(dshare.expireTime))); }
if (dshare.viewOnly === true) { details += ", View only"; } if (((dshare.p & 2) != 0) && (dshare.viewOnly === true)) { details += ", View only desktop"; }
if (dshare.consent != null) { if (dshare.consent != null) {
if (dshare.consent == 0) { details += ", No Consent"; } else { if (dshare.consent == 0) { details += ", No Consent"; } else {
if ((dshare.consent & 0x0038) != 0) { details += ", Prompt for consent"; } if ((dshare.consent & 0x0038) != 0) { details += ", Prompt for consent"; }
if ((dshare.consent & 0x0040) != 0) { details += ", Toolbar"; } if ((dshare.consent & 0x0040) != 0) { details += ", Toolbar"; }
} }
} }
x += '<tr ' + (((++count % 2) == 0) ? 'style=background-color:#DDD' : '') + '><td style=width:30%><div class=m' + 2 + '></div><div>&nbsp;' + dshare.guestName + '<div></div></div></td><td style=width:70%><div style=float:right>' + trash + '</div><div>' + details + '</div></td></tr>'; var guestName = EscapeHtml(dshare.guestName);
if (dshare.publicid.startsWith('AS:node/')) { guestName = '<i>' + "Agent Self-Share" + '</i>'; }
x += '<tr ' + (((++count % 2) == 0) ? 'style=background-color:#DDD' : '') + '><td style=width:30%><div class=m' + 2 + '></div><div>&nbsp;' + guestName + '<div></div></div></td><td style=width:70%><div style=float:right>' + trash + '</div><div>' + details + '</div></td></tr>';
} }
x += '</tbody></table>'; x += '</tbody></table>';
} }