Skip to content

aio-interface: fix token history leak, streaming XSS and missing cache headers#8049

Draft
szaimen with Copilot wants to merge 9 commits into
mainfrom
copilot/security-analysis-suggestions
Draft

aio-interface: fix token history leak, streaming XSS and missing cache headers#8049
szaimen with Copilot wants to merge 9 commits into
mainfrom
copilot/security-analysis-suggestions

Conversation

Copilot AI commented May 4, 2026

Copy link
Copy Markdown
Contributor

No description provided.

Copilot AI and others added 6 commits May 4, 2026 09:56
…SS, borg password persistence, and missing cache headers

Agent-Logs-Url: https://github.com/nextcloud/all-in-one/sessions/f1016d36-0771-46e0-992c-95ce22594414

Co-authored-by: szaimen <42591237+szaimen@users.noreply.github.com>
…tighten URL validation

Agent-Logs-Url: https://github.com/nextcloud/all-in-one/sessions/f1016d36-0771-46e0-992c-95ce22594414

Co-authored-by: szaimen <42591237+szaimen@users.noreply.github.com>
…_fetch success param

Agent-Logs-Url: https://github.com/nextcloud/all-in-one/sessions/f1016d36-0771-46e0-992c-95ce22594414

Co-authored-by: szaimen <42591237+szaimen@users.noreply.github.com>
Comment thread php/src/Controller/DockerController.php Outdated
Comment thread php/src/Controller/LoginController.php Outdated
@szaimen szaimen added 2. developing Work in progress enhancement New feature or request labels May 4, 2026
@szaimen szaimen added this to the next milestone May 4, 2026
@szaimen szaimen changed the title security: fix brute-force protection, token history leak, streaming XSS, borg password persistence, and missing cache headers aio-interface: fix brute-force protection, token history leak, streaming XSS, borg password persistence, and missing cache headers May 4, 2026
@szaimen szaimen modified the milestones: v13.0.1, next May 4, 2026
@szaimen szaimen modified the milestones: v13.0.2, next May 6, 2026
@szaimen szaimen modified the milestones: v13.0.3, next May 7, 2026
…ing and GetTryLogin HTML redirect

Agent-Logs-Url: https://github.com/nextcloud/all-in-one/sessions/55bc79a5-dea6-4bcf-9d13-030209b54382

Co-authored-by: szaimen <42591237+szaimen@users.noreply.github.com>
Copilot AI requested a review from szaimen May 12, 2026 09:56
…rd clearing and GetTryLogin HTML redirect"

This reverts commit 68bb93a.
…addressed in separate PRs)

Agent-Logs-Url: https://github.com/nextcloud/all-in-one/sessions/d7eb7ba7-23d8-4082-8255-09f1338de24b

Co-authored-by: szaimen <42591237+szaimen@users.noreply.github.com>
@szaimen szaimen marked this pull request as ready for review May 12, 2026 10:04
@szaimen szaimen added 3. to review Waiting for reviews and removed 2. developing Work in progress labels May 12, 2026
@szaimen szaimen requested a review from pabzm May 12, 2026 10:04
@szaimen szaimen changed the title aio-interface: fix brute-force protection, token history leak, streaming XSS, borg password persistence, and missing cache headers aio-interface: fix token history leak, streaming XSS and missing cache headers May 12, 2026
@szaimen szaimen modified the milestones: v13.0.4, next May 15, 2026

@pabzm pabzm left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Without a description I can only comment on the technical implementation, not on the intention.

Comment thread php/public/index.php
'community_containers_enabled' => $configurationManager->aioCommunityContainers,
'bypass_container_update' => $bypass_container_update,
]);
])->withHeader('Cache-Control', 'no-store');

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Shouldn't these headers probably be added in more places?

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I've split this change up into a separate PR: #8161

@@ -0,0 +1,26 @@
// This script is loaded after a successful token-based login.

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this is a crutch for a problem that wouldn't exist if we'd use a POST-request for the indirect login, which is more appropriate for a login-request anyways. (Or replace it fully e.g. by a cookie as discussed in #7686).

I'd favour to change the login request method instead of this.

@szaimen szaimen May 19, 2026

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I fear a cross-site Post is possible but would probably require an adjusted CSP inside Nextcloud and IAO to make it work... Also not sure about CSRF...

// wanted markup or formatting.
$addToStreamingResponseBody = function (Container $container, string $message) use ($nonbufResp) : void {
$nonbufResp->getBody()->write("<div>{$container->displayName}: {$message}</div>");
$nonbufResp->getBody()->write('<div>' . htmlspecialchars($container->displayName, ENT_QUOTES | ENT_HTML5) . ': ' . htmlspecialchars($message, ENT_QUOTES | ENT_HTML5) . '</div>');

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

As far as I can tell this would result in the HTML-encoded entities being visible as text in the log view overlay.

Was there an actual XSS found? The JS code in log-view.js deliberately inserts the text in a way that should be safe, thus I'm wondering if this comes from a wild guess or from an actual vulnerability.

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No this does not come from a vulnerability found. Probably we don't need this then.

@szaimen szaimen added 2. developing Work in progress and removed 3. to review Waiting for reviews labels May 19, 2026
@szaimen szaimen removed this from the next milestone May 19, 2026
@szaimen

szaimen commented May 19, 2026

Copy link
Copy Markdown
Collaborator

This PR probably needs more discussions. Lets for now continue in #8161

@szaimen szaimen marked this pull request as draft June 17, 2026 13:18
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

2. developing Work in progress enhancement New feature or request

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants