Added BREACH attack mitigation, #4084

Ylian Saint-Hilaire 2022-06-08 10:47:23 -07:00
parent f5f4305841
commit ea7e98b3b4
24 changed files with 727 additions and 700 deletions


@ -613,6 +613,7 @@
<Content Include="views\messenger.handlebars" />
<Content Include="views\mstsc.handlebars" />
<Content Include="views\player.handlebars" />
<Content Include="views\sharing-mobile.handlebars" />
<Content Include="views\sharing.handlebars" />
<Content Include="views\ssh.handlebars" />
<Content Include="views\terms-mobile.handlebars" />


@ -120,6 +120,7 @@
"amtManager": { "type": "boolean", "default": true, "description": "When enabled, MeshCentral will automatically monitor and manage Intel AMT devices." },
"orphanAgentUser": { "type": "string", "default": null, "description": "If an agent attempts to connect to a unknown device group, automatically create a new device group and grant access to the specified user. Example: admin" },
"agentIdleTimeout": { "type": "integer", "minimum": 1, "default": 150 ,"description": "How much time in seconds with no traffic from an agent before dropping the agent connection." },
"webPageLengthRandomization": { "type": "boolean", "default": true, "description": "Adds a random length string to generated web pages to mitigate a BREACH attack." },
"compression": { "type": "boolean", "default": true, "description": "Enables GZIP compression for web requests." },
"wsCompression": { "type": "boolean", "default": false, "description": "Enables server-side, websocket per-message deflate compression." },
"agentWsCompression": { "type": "boolean", "default": true, "description": "Enables agent-side, websocket per-message deflate compression. wscompression must also be true for this to work." },


@ -1,7 +1,7 @@
@ECHO OFF
CD ..\translate
%LOCALAPPDATA%\..\Roaming\nvm\v12.13.0\node translate.js minifyall
%LOCALAPPDATA%\..\Roaming\nvm\v12.13.0\node translate.js translateall
%LOCALAPPDATA%\..\Roaming\nvm\v12.13.0\node translate.js extractall
REM %LOCALAPPDATA%\..\Roaming\nvm\v12.13.0\node translate.js translateall
REM %LOCALAPPDATA%\..\Roaming\nvm\v12.13.0\node translate.js extractall
DEL ..\emails\translations\*-min_*
Pause


@ -167,6 +167,8 @@
</div>
<script>
'use strict';
var random = '{{{randomlength}}}' // Random length string for BREACH mitigation
var uiMode = parseInt(getstore('uiMode', 1));
var webPageStackMenu = false;
var webPageFullScreen = true;
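Review bot: The added `var random = '{{{randomlength}}}'` line declares a page-global with a very generic name that nothing in the visible lines reads, and the same line is repeated in every other template section of this commit; such a global can collide with an existing or future `random` identifier in the page scripts. Since the value only has to occupy bytes in the response, an HTML comment outside the script, `<!-- {{{randomlength}}} -->`, or a more specific name such as `var breachPadding = '{{{randomlength}}}';` would avoid that. The triple-stash output is unescaped, which is safe here only because the server fills it with base64 text, so I would add a comment like `// randomlength is server-generated base64 only; never route request data into it`.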


@ -1192,6 +1192,7 @@
<iframe name="fileUploadFrame" style=display:none></iframe>
<script>
'use strict';
var random = '{{{randomlength}}}' // Random length string for BREACH mitigation
// Process server-side web state
var webState = '{{{webstate}}}';


@ -1402,6 +1402,7 @@
</div>
<script type="text/javascript">
'use strict';
var random = '{{{randomlength}}}' // Random length string for BREACH mitigation
// Process server-side web state
var webState = '{{{webstate}}}';


@ -43,6 +43,7 @@
</div>
</div>
<script>
var random = '{{{randomlength}}}' // Random length string for BREACH mitigation
var messageid = parseInt('{{{messageid}}}');
var fileurl = '{{{fileurl}}}';
var filename = '{{{filename}}}';


@ -57,6 +57,7 @@
</tr>
</table>
<script>
var random = '{{{randomlength}}}' // Random length string for BREACH mitigation
var messageid = parseInt('{{{messageid}}}');
var fileurl = '{{{fileurl}}}';
var filename = '{{{filename}}}';


@ -148,6 +148,7 @@
</div>
<script nonce="{{{cspNonce}}}">
'use strict';
var random = '{{{randomlength}}}' // Random length string for BREACH mitigation
var uiMode = parseInt(getstore('uiMode', 1));
var webPageStackMenu = false;
var webPageFullScreen = true;


@ -103,6 +103,7 @@
</div>
<script>
'use strict';
var random = '{{{randomlength}}}' // Random length string for BREACH mitigation
var urlargs = parseUriArgs();
if (urlargs.key && (isAlphaNumeric(urlargs.key) == false)) { delete urlargs.key; }
var uiMode = parseInt(getstore('uiMode', 1));


@ -311,6 +311,7 @@
</div>
<script>
'use strict';
var random = '{{{randomlength}}}' // Random length string for BREACH mitigation
var loginMode = '{{{loginmode}}}';
var newAccount = '{{{newAccount}}}';
var passhint = '{{{passhint}}}';


@ -305,6 +305,7 @@
</div>
<script>
'use strict';
var random = '{{{randomlength}}}' // Random length string for BREACH mitigation
var passlogin = '{{{passlogin}}}';
var passhint = '{{{passhint}}}';
var loginMode = '{{{loginmode}}}';


@ -361,6 +361,7 @@
</div>
<script>
'use strict';
var random = '{{{randomlength}}}' // Random length string for BREACH mitigation
var welcomePictureFullScreen = (decodeURIComponent('{{{welcomePictureFullScreen}}}') === 'true');
var passlogin = '{{{passlogin}}}';
var passhint = '{{{passhint}}}';


@ -43,6 +43,7 @@
</div>
</div>
<script>
var random = '{{{randomlength}}}' // Random length string for BREACH mitigation
var titleid = parseInt('{{{titleid}}}');
var msgid = parseInt('{{{msgid}}}');
var domainurl = decodeURIComponent('{{{domainurl}}}');


@ -44,6 +44,7 @@
</tr>
</table>
<script>
var random = '{{{randomlength}}}' // Random length string for BREACH mitigation
var titleid = parseInt('{{{titleid}}}');
var msgid = parseInt('{{{msgid}}}');
var domainurl = decodeURIComponent('{{{domainurl}}}');

File diff suppressed because it is too large Load Diff


@ -75,6 +75,7 @@
}
</style>
<script language="javascript">
var random = '{{{randomlength}}}' // Random length string for BREACH mitigation
var client = null;
var canvas = null;
var urlargs = parseUriArgs();


@ -96,6 +96,7 @@
</div>
</div>
<script>
var random = '{{{randomlength}}}' // Random length string for BREACH mitigation
var recFile = null;
var recFilePtr = 0;
var recFileStartTime = 0;


@ -737,6 +737,7 @@
<iframe name="fileUploadFrame" style=display:none></iframe>
<script>
'use strict';
var random = '{{{randomlength}}}' // Random length string for BREACH mitigation
var args = parseUriArgs();
var urlargs = args;
var sessionTime = parseInt('{{{sessiontime}}}');


@ -283,6 +283,7 @@
</div>
</div>
<script>
var random = '{{{randomlength}}}' // Random length string for BREACH mitigation
var sessionActivity = null;
var desktop = null;
var agentPresent = true;


@ -68,6 +68,7 @@
</div>
</div>
<script>
var random = '{{{randomlength}}}' // Random length string for BREACH mitigation
var term = null;
var termfit = null;
var resizeTimer = null;


@ -161,6 +161,7 @@
</div>
<script>
'use strict';
var random = '{{{randomlength}}}' // Random length string for BREACH mitigation
var uiMode = parseInt(getstore('uiMode', 1));
var webPageStackMenu = false;
var webPageFullScreen = true;


@ -80,6 +80,7 @@
</div>
</div>
<script>
var random = '{{{randomlength}}}' // Random length string for BREACH mitigation
var term = null;
var termfit = null;
var tunnel = null;


@ -7696,6 +7696,10 @@ module.exports.CreateWebServer = function (parent, db, args, certificates, doneF
xargs.domainurl = domain.url;
xargs.autocomplete = (domain.autocomplete === false)?'x':'autocomplete'; // This option allows autocomplete to be turned off on the login page.
if (typeof domain.hide == 'number') { xargs.hide = domain.hide; }
// To mitigate any possible BREACH attack, we generate a random length string here.
xargs.randomlength = (args.webpagelengthrandomization !== false) ? parent.crypto.randomBytes(parent.crypto.randomInt(0, 256)).toString('base64') : '';
return xargs;
}
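Review bot: The added `xargs.randomlength` line calls `parent.crypto.randomInt`, which (assuming `parent.crypto` is Node's crypto module) exists only from Node.js 12.19.0 / 14.10.0 onward, so on an older runtime, such as the v12.13.0 that the batch file in this same commit points at, it would throw while building the page arguments. `parent.crypto.randomBytes(1)[0]` gives the same uniform 0–255 length without the newer API: `xargs.randomlength = (args.webpagelengthrandomization !== false) ? parent.crypto.randomBytes(parent.crypto.randomBytes(1)[0]).toString('base64') : '';`. The comment above it should also say that length padding only adds noise to the compressed response size and does not remove the compression side channel, so pages reflecting secrets still depend on the `compression` setting or on how tokens are handled elsewhere. The enclosing function starts outside the hunk.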