redmine_ckeditor
Uploaded images are not scoped by user; an uploaded image is visible to all users
I uploaded an image in CKEditor, switched to another user, and that user could see the uploaded image too.
I checked the source code of the rich gem and found it doesn't have an authority-checking system; it only uses params to scope the user, which means it only brings a frontend user authentication check.
Maybe you can find a better way to do this, or ask the rich author to create this function?
Maybe you can upload the image to the issue/wiki page?
Uploaded images are scoped by project for now. https://github.com/a-ono/redmine_ckeditor/blob/master/lib/redmine_ckeditor/wiki_formatting/helper.rb#L26 https://github.com/a-ono/redmine_ckeditor/blob/master/lib/redmine_ckeditor.rb#L88
It is technically possible to scope by issue or wiki, but it is not possible to upload an image on the new issue/wiki page. https://github.com/bastiaanterhorst/rich#user-content-scoping-filtering-in-the-file-manager
In the latter example (scoping to an object), it is up to you to determine if scoping is possible. For example, a new object has no id yet, so there is nothing to scope to (yet). You could hide Rich in that case, until the object has been saved. If you do enable Rich but there is no id to scope to, Rich will disable scoping until an id has been set. This will effectively hide any files previously uploaded (before the save), which is most likely not what you want.
@a-ono I've checked it; this scope is done at the frontend. If I edit the URL, I can see other projects' images. I will check whether or not it supports a backend scope check.
@a-ono I've checked; it won't check scope authorization, so image upload is not safe: everyone can see the uploaded files. For security concerns, I will not use image upload.
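A minimal Ruby model of the difference halida describes (scope taken from params alone versus scope checked against what the server knows about the user), added here as an example; it is not code from rich or redmine_ckeditor, and UPLOADS, User and the membership set are constructed assumptions standing in for Redmine's project membership check.

```ruby
require 'set'

# Constructed sample data: uploads stored under a per-project scope, as the
# plugin does today.
UPLOADS = {
  'project-1' => ['diagram.png'],
  'project-2' => ['payroll.png'],
}.freeze

# Hypothetical user record: the set of project scopes this user may view.
User = Struct.new(:name, :project_ids)

# The pattern reported in the thread: the scope comes straight from the
# request, so any logged-in user can list another project's images by
# editing the URL. The user argument is never consulted.
def list_uploads_trusting_params(user, params)
  UPLOADS.fetch(params[:scope], [])
end

# Server-side check: is this user allowed to see the requested scope?
# In Redmine this would be User.current.allowed_to?(:view_files, project);
# modelled here with a plain membership set (an assumption for this example).
def authorized_scope?(user, scope)
  user.project_ids.include?(scope)
end

# Hardened listing: the requested scope is still read from params, but the
# request is refused unless the server-side authorization check passes.
def list_uploads_authorized(user, params)
  scope = params[:scope]
  return :forbidden unless authorized_scope?(user, scope)
  UPLOADS.fetch(scope, [])
end

if __FILE__ == $PROGRAM_NAME
  alice = User.new('alice', Set['project-1'])
  p list_uploads_trusting_params(alice, scope: 'project-2')  # leaks payroll.png
  p list_uploads_authorized(alice, scope: 'project-2')       # :forbidden
end
```

Note that even the hardened listing does not help while the files themselves sit under public/ and are served by the web server directly, which is the point made in the following comment.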
halida is correct: because images are stored in redmine/public/system/..., these images can be scraped by bots or malicious actors. No images with sensitive information should be posted using the CKEditor at this time until this is resolved. I will be working on this this weekend to move saved images OUT of the publicly accessible folder and will submit a pull request so everyone can benefit from CKEditor securely storing/accessing images. If this has already been done, please point me to the code change so I can update my end.
I was worried about and noticed the same thing on my side. Any progress on that matter?
I have no plans to implement this feature at the moment. Pull requests are welcome. You can also use base64image instead of uploading images.
base64 encode and store in DB maybe, that way DB has an AUTH layer?
We've mitigated any potential issues by putting a couple of policies in place around using Redmine/CKEditor and monitoring for file changes in /public/ which are images :)
Still great for open projects or truly transparent companies that want Rich Text in the Redmine editor. Great job all around on the plug-in! Been busy with Android application for company but want to contribute some help towards a secure CKEditor image storage sometime in the future, if time ever allows.
Do you need to add the plugins 'pastebase64' and 'base64image'? In config.js add (both plugins in one comma-separated value, otherwise the second assignment overwrites the first):
config.extraPlugins = 'pastebase64,base64image';
And in init.rb add:
(Loofah::VERSION >= "2.3.0" ? Loofah::HTML5::SafeList : Loofah::HTML5::WhiteList)::ALLOWED_PROTOCOLS.add('data')
Working perfectly!