mirror of
https://github.com/Ylianst/MeshCentral.git
synced 2024-12-25 06:35:54 -05:00
Added option to remove clipboard get/set support.
This commit is contained in:
parent
914d3ba82b
commit
dffafae46e
@ -643,6 +643,8 @@
|
||||
},
|
||||
"httpHeaders": { "type": "object", "additionalProperties": { "type": "string" } },
|
||||
"agentConfig": { "type": "array", "uniqueItems": true, "items": { "type": "string" } },
|
||||
"clipboardGet": { "type": "boolean", "default": true, "description": "When false, users can't set the clipboard of a remove device." },
|
||||
"clipboardSet": { "type": "boolean", "default": true, "description": "When false, users can't get the clipboard of a remove device." },
|
||||
"localSessionRecording": { "type": "boolean", "default": true, "description": "When false, removes the local recording feature on remote desktop." },
|
||||
"sessionRecording": {
|
||||
"type": "object",
|
||||
|
@ -481,7 +481,8 @@ module.exports.CreateMeshUser = function (parent, db, ws, req, args, domain, use
|
||||
var httpport = ((args.aliasport != null) ? args.aliasport : args.port);
|
||||
|
||||
// Build server information object
|
||||
var serverinfo = { domain: domain.id, name: domain.dns ? domain.dns : parent.certificates.CommonName, mpsname: parent.certificates.AmtMpsName, mpsport: mpsport, mpspass: args.mpspass, port: httpport, emailcheck: ((domain.mailserver != null) && (domain.auth != 'sspi') && (domain.auth != 'ldap') && (args.lanonly != true) && (parent.certificates.CommonName != null) && (parent.certificates.CommonName.indexOf('.') != -1) && (user._id.split('/')[2].startsWith('~') == false)), domainauth: (domain.auth == 'sspi'), serverTime: Date.now() };
|
||||
const allFeatures = parent.getDomainUserFeatures(domain, user, req);
|
||||
var serverinfo = { domain: domain.id, name: domain.dns ? domain.dns : parent.certificates.CommonName, mpsname: parent.certificates.AmtMpsName, mpsport: mpsport, mpspass: args.mpspass, port: httpport, emailcheck: ((domain.mailserver != null) && (domain.auth != 'sspi') && (domain.auth != 'ldap') && (args.lanonly != true) && (parent.certificates.CommonName != null) && (parent.certificates.CommonName.indexOf('.') != -1) && (user._id.split('/')[2].startsWith('~') == false)), domainauth: (domain.auth == 'sspi'), serverTime: Date.now(), features: allFeatures.features, features2: allFeatures.features2 };
|
||||
serverinfo.languages = parent.renderLanguages;
|
||||
serverinfo.tlshash = Buffer.from(parent.webCertificateFullHashs[domain.id], 'binary').toString('hex').toUpperCase(); // SHA384 of server HTTPS certificate
|
||||
serverinfo.agentCertHash = parent.agentCertificateHashBase64;
|
||||
@ -891,6 +892,10 @@ module.exports.CreateMeshUser = function (parent, db, ws, req, args, domain, use
|
||||
// Complete the nodeid if needed
|
||||
if (command.nodeid.indexOf('/') == -1) { command.nodeid = 'node/' + domain.id + '/' + command.nodeid; }
|
||||
|
||||
// Check if getting / setting clipboard data is allowed
|
||||
if ((command.type == 'getclip') && (domain.clipboardget == false)) { console.log('CG-EXIT'); break; }
|
||||
if ((command.type == 'setclip') && (domain.clipboardset == false)) { console.log('CS-EXIT'); break; }
|
||||
|
||||
// Before routing this command, let's do some security checking.
|
||||
// If this is a tunnel request, we need to make sure the NodeID in the URL matches the NodeID in the command.
|
||||
if (command.type == 'tunnel') {
|
||||
|
@ -7707,7 +7707,7 @@
|
||||
QE('connectbutton1h', hwonline);
|
||||
QV('deskFocusBtn', (desktop != null) && (desktop.contype == 2) && (deskState != 0) && (desktopsettings.showfocus));
|
||||
QE('DeskClip', deskState == 3);
|
||||
QV('DeskClip', (inputAllowed) && (currentNode.agent) && (currentNode.agent.id != 11) && (currentNode.agent.id != 16) && ((desktop == null) || (desktop.contype != 2)) && ((desktopsettings.autoclipboard != true) || (navigator.clipboard == null) || (navigator.clipboard.readText == null))); // Clipboard not supported on macOS
|
||||
QV('DeskClip', (inputAllowed) && (currentNode.agent) && ((features2 & 0x1800) != 0x1800) && (currentNode.agent.id != 11) && (currentNode.agent.id != 16) && ((desktop == null) || (desktop.contype != 2)) && ((desktopsettings.autoclipboard != true) || (navigator.clipboard == null) || (navigator.clipboard.readText == null))); // Clipboard not supported on macOS
|
||||
QE('DeskESC', deskState == 3);
|
||||
QV('DeskESC', browserfullscreen && inputAllowed);
|
||||
QE('DeskType', deskState == 3);
|
||||
@ -7718,9 +7718,9 @@
|
||||
QV('DeskTimer', deskState == 3);
|
||||
|
||||
// Enable browser clipboard read if supported
|
||||
QV('DeskClipboardOutButton', online && inputAllowed && (navigator.clipboard != null) && (navigator.clipboard.readText != null) && ((desktopsettings.autoclipboard != true) || (navigator.clipboard == null) || (navigator.clipboard.readText == null)));
|
||||
QV('d7deskAutoClipboardLabel', navigator.clipboard.readText != null);
|
||||
QV('DeskClipboardInButton', online && inputAllowed && (navigator.clipboard != null) && (navigator.clipboard.writeText != null) && ((desktopsettings.autoclipboard != true) || (navigator.clipboard == null) || (navigator.clipboard.readText == null)));
|
||||
QV('DeskClipboardOutButton', online && inputAllowed && ((features2 & 0x1000) == 0) && (navigator.clipboard != null) && (navigator.clipboard.readText != null) && ((desktopsettings.autoclipboard != true) || (navigator.clipboard == null) || (navigator.clipboard.readText == null)));
|
||||
QV('d7deskAutoClipboardLabel', (navigator.clipboard.readText != null) && ((features2 & 0x1000) == 0));
|
||||
QV('DeskClipboardInButton', online && inputAllowed && ((features2 & 0x0800) == 0) && (navigator.clipboard != null) && (navigator.clipboard.writeText != null) && ((desktopsettings.autoclipboard != true) || (navigator.clipboard == null) || (navigator.clipboard.readText == null)));
|
||||
|
||||
if (deskState != 3) { QV('DeskInputLockedButton', false); QV('DeskInputUnLockedButton', false); }
|
||||
|
||||
@ -8482,8 +8482,8 @@
|
||||
if (xxdialogMode || desktop == null || desktop.State != 3) return;
|
||||
Q('DeskClip').blur();
|
||||
var x = '';
|
||||
x += '<input id=dlgClipGet type=button value="Get Clipboard" style=width:120px onclick=showDeskClipGet()>';
|
||||
x += '<input id=dlgClipSet type=button value="Set Clipboard" style=width:120px onclick=showDeskClipSet()>';
|
||||
if ((features2 & 0x0800) == 0) x += '<input id=dlgClipGet type=button value="Get Clipboard" style=width:120px onclick=showDeskClipGet()>';
|
||||
if ((features2 & 0x1000) == 0) x += '<input id=dlgClipSet type=button value="Set Clipboard" style=width:120px onclick=showDeskClipSet()>';
|
||||
x += '<div id=dlgClipStatus style="display:inline-block;margin-left:8px" ></div>';
|
||||
x += '<textarea id=d2clipText style="width:100%;height:184px;resize:none" maxlength=65535></textarea>';
|
||||
x += '<input type=button value="Close" style=width:80px;float:right onclick=dialogclose(0)><div style=height:26px;margin-top:3px><span id=linuxClipWarn style=display:none>' + "Remote clipboard is valid for 60 seconds." + '</span> </div><div></div>';
|
||||
|
124
webserver.js
124
webserver.js
@ -2468,7 +2468,7 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) {
|
||||
}
|
||||
|
||||
function handleRootRequestEx(req, res, domain, direct) {
|
||||
var nologout = false, user = null, features = 0, features2 = 0;
|
||||
var nologout = false, user = null;
|
||||
res.set({ 'Cache-Control': 'no-store' });
|
||||
|
||||
// Check if we have an incomplete domain name in the path
|
||||
@ -2640,61 +2640,8 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) {
|
||||
var logoutcontrols = {};
|
||||
if (obj.args.nousers != true) { logoutcontrols.name = user.name; }
|
||||
|
||||
// Give the web page a list of supported server features
|
||||
features = 0;
|
||||
features2 = 0;
|
||||
if (obj.args.wanonly == true) { features += 0x00000001; } // WAN-only mode
|
||||
if (obj.args.lanonly == true) { features += 0x00000002; } // LAN-only mode
|
||||
if (obj.args.nousers == true) { features += 0x00000004; } // Single user mode
|
||||
if (domain.userQuota == -1) { features += 0x00000008; } // No server files mode
|
||||
if (obj.args.mpstlsoffload) { features += 0x00000010; } // No mutual-auth CIRA
|
||||
if ((parent.config.settings.allowframing != null) || (domain.allowframing != null)) { features += 0x00000020; } // Allow site within iframe
|
||||
if ((domain.mailserver != null) && (obj.parent.certificates.CommonName != null) && (obj.parent.certificates.CommonName.indexOf('.') != -1) && (obj.args.lanonly != true)) { features += 0x00000040; } // Email invites
|
||||
if (obj.args.webrtc == true) { features += 0x00000080; } // Enable WebRTC (Default false for now)
|
||||
// 0x00000100 --> This feature flag is free for future use.
|
||||
if (obj.args.allowhighqualitydesktop !== false) { features += 0x00000200; } // Enable AllowHighQualityDesktop (Default true)
|
||||
if ((obj.args.lanonly == true) || (obj.args.mpsport == 0)) { features += 0x00000400; } // No CIRA
|
||||
if ((obj.parent.serverSelfWriteAllowed == true) && (dbGetFunc.user != null) && (dbGetFunc.user.siteadmin == 0xFFFFFFFF)) { features += 0x00000800; } // Server can self-write (Allows self-update)
|
||||
if ((parent.config.settings.no2factorauth !== true) && (domain.auth != 'sspi') && (obj.parent.certificates.CommonName.indexOf('.') != -1) && (obj.args.nousers !== true) && (dbGetFunc.user._id.split('/')[2][0] != '~')) { features += 0x00001000; } // 2FA login supported
|
||||
if (domain.agentnoproxy === true) { features += 0x00002000; } // Indicates that agents should be installed without using a HTTP proxy
|
||||
if ((parent.config.settings.no2factorauth !== true) && domain.yubikey && domain.yubikey.id && domain.yubikey.secret && (dbGetFunc.user._id.split('/')[2][0] != '~')) { features += 0x00004000; } // Indicates Yubikey support
|
||||
if (domain.geolocation == true) { features += 0x00008000; } // Enable geo-location features
|
||||
if ((domain.passwordrequirements != null) && (domain.passwordrequirements.hint === true)) { features += 0x00010000; } // Enable password hints
|
||||
if (parent.config.settings.no2factorauth !== true) { features += 0x00020000; } // Enable WebAuthn/FIDO2 support
|
||||
if ((obj.args.nousers != true) && (domain.passwordrequirements != null) && (domain.passwordrequirements.force2factor === true) && (dbGetFunc.user._id.split('/')[2][0] != '~')) {
|
||||
// Check if we can skip 2nd factor auth because of the source IP address
|
||||
var skip2factor = false;
|
||||
if ((dbGetFunc.req != null) && (dbGetFunc.req.clientIp != null) && (domain.passwordrequirements != null) && (domain.passwordrequirements.skip2factor != null)) {
|
||||
for (var i in domain.passwordrequirements.skip2factor) {
|
||||
if (require('ipcheck').match(dbGetFunc.req.clientIp, domain.passwordrequirements.skip2factor[i]) === true) { skip2factor = true; }
|
||||
}
|
||||
}
|
||||
if (skip2factor == false) { features += 0x00040000; } // Force 2-factor auth
|
||||
}
|
||||
if ((domain.auth == 'sspi') || (domain.auth == 'ldap')) { features += 0x00080000; } // LDAP or SSPI in use, warn that users must login first before adding a user to a group.
|
||||
if (domain.amtacmactivation) { features += 0x00100000; } // Intel AMT ACM activation/upgrade is possible
|
||||
if (domain.usernameisemail) { features += 0x00200000; } // Username is email address
|
||||
if (parent.mqttbroker != null) { features += 0x00400000; } // This server supports MQTT channels
|
||||
if (((typeof domain.passwordrequirements != 'object') || (domain.passwordrequirements.email2factor != false)) && (domain.mailserver != null)) { features += 0x00800000; } // using email for 2FA is allowed
|
||||
if (domain.agentinvitecodes == true) { features += 0x01000000; } // Support for agent invite codes
|
||||
if (parent.smsserver != null) { features += 0x02000000; } // SMS messaging is supported
|
||||
if ((parent.smsserver != null) && ((typeof domain.passwordrequirements != 'object') || (domain.passwordrequirements.sms2factor != false))) { features += 0x04000000; } // SMS 2FA is allowed
|
||||
if (domain.sessionrecording != null) { features += 0x08000000; } // Server recordings enabled
|
||||
if (domain.urlswitching === false) { features += 0x10000000; } // Disables the URL switching feature
|
||||
if (domain.novnc === false) { features += 0x20000000; } // Disables noVNC
|
||||
if (domain.mstsc !== true) { features += 0x40000000; } // Disables MSTSC.js
|
||||
if (obj.isTrustedCert(domain) == false) { features += 0x80000000; } // Indicate we are not using a trusted certificate
|
||||
if (obj.parent.amtManager != null) { features2 += 0x00000001; } // Indicates that the Intel AMT manager is active
|
||||
if (obj.parent.firebase != null) { features2 += 0x00000002; } // Indicates the server supports Firebase push messaging
|
||||
if ((obj.parent.firebase != null) && (obj.parent.firebase.pushOnly != true)) { features2 += 0x00000004; } // Indicates the server supports Firebase two-way push messaging
|
||||
if (obj.parent.webpush != null) { features2 += 0x00000008; } // Indicates web push is enabled
|
||||
if (((obj.args.noagentupdate == 1) || (obj.args.noagentupdate == true))) { features2 += 0x00000010; } // No agent update
|
||||
if (parent.amtProvisioningServer != null) { features2 += 0x00000020; } // Intel AMT LAN provisioning server
|
||||
if (((typeof domain.passwordrequirements != 'object') || (domain.passwordrequirements.push2factor != false)) && (obj.parent.firebase != null)) { features2 += 0x00000040; } // Indicates device push notification 2FA is enabled
|
||||
if ((typeof domain.passwordrequirements != 'object') || (domain.passwordrequirements.logintokens != false)) { features2 += 0x00000080; } // Indicates login tokens are allowed
|
||||
if (req.session.loginToken != null) { features2 += 0x00000100; } // LoginToken mode, no account changes.
|
||||
if (domain.ssh == true) { features2 += 0x00000200; } // SSH is enabled
|
||||
if (domain.localsessionrecording === false) { features2 += 0x00000400; } // Disable local recording feature
|
||||
// Give the web page a list of supported server features for this domain and user
|
||||
const allFeatures = obj.getDomainUserFeatures(domain, dbGetFunc.user, dbGetFunc.req);
|
||||
|
||||
// Create a authentication cookie
|
||||
const authCookie = obj.parent.encodeCookie({ userid: dbGetFunc.user._id, domainid: domain.id, ip: req.clientIp }, obj.parent.loginCookieEncryptionKey);
|
||||
@ -2759,8 +2706,8 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) {
|
||||
serverRedirPort: args.redirport,
|
||||
serverPublicPort: httpsPort,
|
||||
serverfeatures: serverFeatures,
|
||||
features: features,
|
||||
features2: features2,
|
||||
features: allFeatures.features,
|
||||
features2: allFeatures.features2,
|
||||
sessiontime: (args.sessiontime) ? args.sessiontime : 60,
|
||||
mpspass: args.mpspass,
|
||||
passRequirements: passRequirements,
|
||||
@ -2813,6 +2760,67 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) {
|
||||
}
|
||||
}
|
||||
|
||||
// Return a list of server supported features for a given domain and user
|
||||
obj.getDomainUserFeatures = function(domain, user, req) {
|
||||
var features = 0;
|
||||
var features2 = 0;
|
||||
if (obj.args.wanonly == true) { features += 0x00000001; } // WAN-only mode
|
||||
if (obj.args.lanonly == true) { features += 0x00000002; } // LAN-only mode
|
||||
if (obj.args.nousers == true) { features += 0x00000004; } // Single user mode
|
||||
if (domain.userQuota == -1) { features += 0x00000008; } // No server files mode
|
||||
if (obj.args.mpstlsoffload) { features += 0x00000010; } // No mutual-auth CIRA
|
||||
if ((parent.config.settings.allowframing != null) || (domain.allowframing != null)) { features += 0x00000020; } // Allow site within iframe
|
||||
if ((domain.mailserver != null) && (obj.parent.certificates.CommonName != null) && (obj.parent.certificates.CommonName.indexOf('.') != -1) && (obj.args.lanonly != true)) { features += 0x00000040; } // Email invites
|
||||
if (obj.args.webrtc == true) { features += 0x00000080; } // Enable WebRTC (Default false for now)
|
||||
// 0x00000100 --> This feature flag is free for future use.
|
||||
if (obj.args.allowhighqualitydesktop !== false) { features += 0x00000200; } // Enable AllowHighQualityDesktop (Default true)
|
||||
if ((obj.args.lanonly == true) || (obj.args.mpsport == 0)) { features += 0x00000400; } // No CIRA
|
||||
if ((obj.parent.serverSelfWriteAllowed == true) && (user != null) && (user.siteadmin == 0xFFFFFFFF)) { features += 0x00000800; } // Server can self-write (Allows self-update)
|
||||
if ((parent.config.settings.no2factorauth !== true) && (domain.auth != 'sspi') && (obj.parent.certificates.CommonName.indexOf('.') != -1) && (obj.args.nousers !== true) && (user._id.split('/')[2][0] != '~')) { features += 0x00001000; } // 2FA login supported
|
||||
if (domain.agentnoproxy === true) { features += 0x00002000; } // Indicates that agents should be installed without using a HTTP proxy
|
||||
if ((parent.config.settings.no2factorauth !== true) && domain.yubikey && domain.yubikey.id && domain.yubikey.secret && (user._id.split('/')[2][0] != '~')) { features += 0x00004000; } // Indicates Yubikey support
|
||||
if (domain.geolocation == true) { features += 0x00008000; } // Enable geo-location features
|
||||
if ((domain.passwordrequirements != null) && (domain.passwordrequirements.hint === true)) { features += 0x00010000; } // Enable password hints
|
||||
if (parent.config.settings.no2factorauth !== true) { features += 0x00020000; } // Enable WebAuthn/FIDO2 support
|
||||
if ((obj.args.nousers != true) && (domain.passwordrequirements != null) && (domain.passwordrequirements.force2factor === true) && (user._id.split('/')[2][0] != '~')) {
|
||||
// Check if we can skip 2nd factor auth because of the source IP address
|
||||
var skip2factor = false;
|
||||
if ((req != null) && (req.clientIp != null) && (domain.passwordrequirements != null) && (domain.passwordrequirements.skip2factor != null)) {
|
||||
for (var i in domain.passwordrequirements.skip2factor) {
|
||||
if (require('ipcheck').match(req.clientIp, domain.passwordrequirements.skip2factor[i]) === true) { skip2factor = true; }
|
||||
}
|
||||
}
|
||||
if (skip2factor == false) { features += 0x00040000; } // Force 2-factor auth
|
||||
}
|
||||
if ((domain.auth == 'sspi') || (domain.auth == 'ldap')) { features += 0x00080000; } // LDAP or SSPI in use, warn that users must login first before adding a user to a group.
|
||||
if (domain.amtacmactivation) { features += 0x00100000; } // Intel AMT ACM activation/upgrade is possible
|
||||
if (domain.usernameisemail) { features += 0x00200000; } // Username is email address
|
||||
if (parent.mqttbroker != null) { features += 0x00400000; } // This server supports MQTT channels
|
||||
if (((typeof domain.passwordrequirements != 'object') || (domain.passwordrequirements.email2factor != false)) && (domain.mailserver != null)) { features += 0x00800000; } // using email for 2FA is allowed
|
||||
if (domain.agentinvitecodes == true) { features += 0x01000000; } // Support for agent invite codes
|
||||
if (parent.smsserver != null) { features += 0x02000000; } // SMS messaging is supported
|
||||
if ((parent.smsserver != null) && ((typeof domain.passwordrequirements != 'object') || (domain.passwordrequirements.sms2factor != false))) { features += 0x04000000; } // SMS 2FA is allowed
|
||||
if (domain.sessionrecording != null) { features += 0x08000000; } // Server recordings enabled
|
||||
if (domain.urlswitching === false) { features += 0x10000000; } // Disables the URL switching feature
|
||||
if (domain.novnc === false) { features += 0x20000000; } // Disables noVNC
|
||||
if (domain.mstsc !== true) { features += 0x40000000; } // Disables MSTSC.js
|
||||
if (obj.isTrustedCert(domain) == false) { features += 0x80000000; } // Indicate we are not using a trusted certificate
|
||||
if (obj.parent.amtManager != null) { features2 += 0x00000001; } // Indicates that the Intel AMT manager is active
|
||||
if (obj.parent.firebase != null) { features2 += 0x00000002; } // Indicates the server supports Firebase push messaging
|
||||
if ((obj.parent.firebase != null) && (obj.parent.firebase.pushOnly != true)) { features2 += 0x00000004; } // Indicates the server supports Firebase two-way push messaging
|
||||
if (obj.parent.webpush != null) { features2 += 0x00000008; } // Indicates web push is enabled
|
||||
if (((obj.args.noagentupdate == 1) || (obj.args.noagentupdate == true))) { features2 += 0x00000010; } // No agent update
|
||||
if (parent.amtProvisioningServer != null) { features2 += 0x00000020; } // Intel AMT LAN provisioning server
|
||||
if (((typeof domain.passwordrequirements != 'object') || (domain.passwordrequirements.push2factor != false)) && (obj.parent.firebase != null)) { features2 += 0x00000040; } // Indicates device push notification 2FA is enabled
|
||||
if ((typeof domain.passwordrequirements != 'object') || (domain.passwordrequirements.logintokens != false)) { features2 += 0x00000080; } // Indicates login tokens are allowed
|
||||
if (req.session.loginToken != null) { features2 += 0x00000100; } // LoginToken mode, no account changes.
|
||||
if (domain.ssh == true) { features2 += 0x00000200; } // SSH is enabled
|
||||
if (domain.localsessionrecording === false) { features2 += 0x00000400; } // Disable local recording feature
|
||||
if (domain.clipboardget == false) { features2 += 0x00000800; } // Disable clipboard get
|
||||
if (domain.clipboardset == false) { features2 += 0x00001000; } // Disable clipboard set
|
||||
return { features: features, features2: features2 };
|
||||
}
|
||||
|
||||
function handleRootRequestLogin(req, res, domain, hardwareKeyChallenge, passRequirements) {
|
||||
parent.debug('web', 'handleRootRequestLogin()');
|
||||
var features = 0;
|
||||
|
Loading…
Reference in New Issue
Block a user