Added BREACH attack mittigation, #4084

2022-06-08 10:47:23 -07:00 · 2022-06-08 10:47:23 -07:00 · ea7e98b3b4
parent f5f4305841
commit ea7e98b3b4
24 changed files with 727 additions and 700 deletions
--- a/MeshCentralServer.njsproj
+++ b/MeshCentralServer.njsproj
@ -613,6 +613,7 @@
    <Content Include="views\messenger.handlebars" />
    <Content Include="views\mstsc.handlebars" />
    <Content Include="views\player.handlebars" />
+    <Content Include="views\sharing-mobile.handlebars" />
    <Content Include="views\sharing.handlebars" />
    <Content Include="views\ssh.handlebars" />
    <Content Include="views\terms-mobile.handlebars" />
--- a/meshcentral-config-schema.json
+++ b/meshcentral-config-schema.json
@ -120,6 +120,7 @@
        "amtManager": { "type": "boolean", "default": true, "description": "When enabled, MeshCentral will automatically monitor and manage Intel AMT devices." },
        "orphanAgentUser": { "type": "string", "default": null, "description": "If an agent attempts to connect to a unknown device group, automatically create a new device group and grant access to the specified user. Example: admin" },
        "agentIdleTimeout": { "type": "integer", "minimum": 1, "default": 150 ,"description": "How much time in seconds with no traffic from an agent before dropping the agent connection." },
+        "webPageLengthRandomization": { "type": "boolean", "default": true, "description": "Adds a random length string to generated web pages to mitigate a BREACH attack." },
        "compression": { "type": "boolean", "default": true, "description": "Enables GZIP compression for web requests." },
        "wsCompression": { "type": "boolean", "default": false, "description": "Enables server-side, websocket per-message deflate compression." },
        "agentWsCompression": { "type": "boolean", "default": true, "description": "Enables agent-side, websocket per-message deflate compression. wscompression must also be true for this to work." },
--- a/public/translate.bat
+++ b/public/translate.bat
@ -1,7 +1,7 @@
@ECHO OFF
 CD ..\translate
 %LOCALAPPDATA%\..\Roaming\nvm\v12.13.0\node translate.js minifyall
-%LOCALAPPDATA%\..\Roaming\nvm\v12.13.0\node translate.js translateall
-%LOCALAPPDATA%\..\Roaming\nvm\v12.13.0\node translate.js extractall
+REM %LOCALAPPDATA%\..\Roaming\nvm\v12.13.0\node translate.js translateall
+REM %LOCALAPPDATA%\..\Roaming\nvm\v12.13.0\node translate.js extractall
 DEL ..\emails\translations\*-min_*
 Pause
--- a/views/agentinvite.handlebars
+++ b/views/agentinvite.handlebars
@ -167,6 +167,8 @@
    </div>
    <script>
        'use strict';
+
+        var random = '{{{randomlength}}}' // Random length string for BREACH mitigation
        var uiMode = parseInt(getstore('uiMode', 1));
        var webPageStackMenu = false;
        var webPageFullScreen = true;
--- a/views/default-mobile.handlebars
+++ b/views/default-mobile.handlebars
@ -1192,6 +1192,7 @@
    <iframe name="fileUploadFrame" style=display:none></iframe>
    <script>
        'use strict';
+        var random = '{{{randomlength}}}' // Random length string for BREACH mitigation

        // Process server-side web state
        var webState = '{{{webstate}}}';
--- a/views/default.handlebars
+++ b/views/default.handlebars
@ -1402,6 +1402,7 @@
    </div>
    <script type="text/javascript">
        'use strict';
+        var random = '{{{randomlength}}}' // Random length string for BREACH mitigation

        // Process server-side web state
        var webState = '{{{webstate}}}';
--- a/views/download.handlebars
+++ b/views/download.handlebars
@ -43,6 +43,7 @@
        </div>
    </div>
    <script>
+        var random = '{{{randomlength}}}' // Random length string for BREACH mitigation
        var messageid = parseInt('{{{messageid}}}');
        var fileurl = '{{{fileurl}}}';
        var filename = '{{{filename}}}';
--- a/views/download2.handlebars
+++ b/views/download2.handlebars
@ -57,6 +57,7 @@
        </tr>
    </table>
    <script>
+        var random = '{{{randomlength}}}' // Random length string for BREACH mitigation
        var messageid = parseInt('{{{messageid}}}');
        var fileurl = '{{{fileurl}}}';
        var filename = '{{{filename}}}';
--- a/views/error404.handlebars
+++ b/views/error404.handlebars
@ -148,6 +148,7 @@
    </div>
    <script nonce="{{{cspNonce}}}">
        'use strict';
+        var random = '{{{randomlength}}}' // Random length string for BREACH mitigation
        var uiMode = parseInt(getstore('uiMode', 1));
        var webPageStackMenu = false;
        var webPageFullScreen = true;
--- a/views/invite.handlebars
+++ b/views/invite.handlebars
@ -103,6 +103,7 @@
    </div>
    <script>
        'use strict';
+        var random = '{{{randomlength}}}' // Random length string for BREACH mitigation
        var urlargs = parseUriArgs();
        if (urlargs.key && (isAlphaNumeric(urlargs.key) == false)) { delete urlargs.key; }
        var uiMode = parseInt(getstore('uiMode', 1));
--- a/views/login-mobile.handlebars
+++ b/views/login-mobile.handlebars
@ -311,6 +311,7 @@
    </div>
    <script>
        'use strict';
+        var random = '{{{randomlength}}}' // Random length string for BREACH mitigation
        var loginMode = '{{{loginmode}}}';
        var newAccount = '{{{newAccount}}}';
        var passhint = '{{{passhint}}}';
--- a/views/login.handlebars
+++ b/views/login.handlebars
@ -305,6 +305,7 @@
    </div>
    <script>
        'use strict';
+        var random = '{{{randomlength}}}' // Random length string for BREACH mitigation
        var passlogin = '{{{passlogin}}}';
        var passhint = '{{{passhint}}}';
        var loginMode = '{{{loginmode}}}';
--- a/views/login2.handlebars
+++ b/views/login2.handlebars
@ -361,6 +361,7 @@
    </div>
    <script>
        'use strict';
+        var random = '{{{randomlength}}}' // Random length string for BREACH mitigation
        var welcomePictureFullScreen = (decodeURIComponent('{{{welcomePictureFullScreen}}}') === 'true');
        var passlogin = '{{{passlogin}}}';
        var passhint = '{{{passhint}}}';
--- a/views/message.handlebars
+++ b/views/message.handlebars
@ -43,6 +43,7 @@
        </div>
    </div>
    <script>
+        var random = '{{{randomlength}}}' // Random length string for BREACH mitigation
        var titleid = parseInt('{{{titleid}}}');
        var msgid = parseInt('{{{msgid}}}');
        var domainurl = decodeURIComponent('{{{domainurl}}}');
--- a/views/message2.handlebars
+++ b/views/message2.handlebars
@ -44,6 +44,7 @@
        </tr>
    </table>
    <script>
+        var random = '{{{randomlength}}}' // Random length string for BREACH mitigation
        var titleid = parseInt('{{{titleid}}}');
        var msgid = parseInt('{{{msgid}}}');
        var domainurl = decodeURIComponent('{{{domainurl}}}');
--- a/views/messenger.handlebars
+++ b/views/messenger.handlebars
--- a/views/mstsc.handlebars
+++ b/views/mstsc.handlebars
@ -75,6 +75,7 @@
        }
    </style>
    <script language="javascript">
+        var random = '{{{randomlength}}}' // Random length string for BREACH mitigation
        var client = null;
        var canvas = null;
        var urlargs = parseUriArgs();
--- a/views/player.handlebars
+++ b/views/player.handlebars
@ -96,6 +96,7 @@
        </div>
    </div>
    <script>
+        var random = '{{{randomlength}}}' // Random length string for BREACH mitigation
        var recFile = null;
        var recFilePtr = 0;
        var recFileStartTime = 0;
--- a/views/sharing-mobile.handlebars
+++ b/views/sharing-mobile.handlebars
@ -737,6 +737,7 @@
    <iframe name="fileUploadFrame" style=display:none></iframe>
    <script>
        'use strict';
+        var random = '{{{randomlength}}}' // Random length string for BREACH mitigation
        var args = parseUriArgs();
        var urlargs = args;
        var sessionTime = parseInt('{{{sessiontime}}}');
--- a/views/sharing.handlebars
+++ b/views/sharing.handlebars
@ -283,6 +283,7 @@
        </div>
    </div>
    <script>
+        var random = '{{{randomlength}}}' // Random length string for BREACH mitigation
        var sessionActivity = null;
        var desktop = null;
        var agentPresent = true;
--- a/views/ssh.handlebars
+++ b/views/ssh.handlebars
@ -68,6 +68,7 @@
        </div>
    </div>
    <script>
+        var random = '{{{randomlength}}}' // Random length string for BREACH mitigation
        var term = null;
        var termfit = null;
        var resizeTimer = null;
--- a/views/terms.handlebars
+++ b/views/terms.handlebars
@ -161,6 +161,7 @@
    </div>
    <script>
        'use strict';
+        var random = '{{{randomlength}}}' // Random length string for BREACH mitigation
        var uiMode = parseInt(getstore('uiMode', 1));
        var webPageStackMenu = false;
        var webPageFullScreen = true;
--- a/views/xterm.handlebars
+++ b/views/xterm.handlebars
@ -80,6 +80,7 @@
        </div>
    </div>
    <script>
+        var random = '{{{randomlength}}}' // Random length string for BREACH mitigation
        var term = null;
        var termfit = null;
        var tunnel = null;
--- a/webserver.js
+++ b/webserver.js
@ -7696,6 +7696,10 @@ module.exports.CreateWebServer = function (parent, db, args, certificates, doneF
        xargs.domainurl = domain.url;
        xargs.autocomplete = (domain.autocomplete === false)?'x':'autocomplete'; // This option allows autocomplete to be turned off on the login page.
        if (typeof domain.hide == 'number') { xargs.hide = domain.hide; }
+
+        // To mitigate any possible BREACH attack, we generate a random length string here.
+        xargs.randomlength = (args.webpagelengthrandomization !== false) ? parent.crypto.randomBytes(parent.crypto.randomInt(0, 256)).toString('base64') : '';
+
        return xargs;
    }