fix(imageview): Don't try to load unresolved images #5655

Merged
merged 1 commit into from
Apr 11, 2024

nickvergessen
Member

📝 Summary

Currently a lot of people on our instance get bruteforce protected in Talk regularly. After some log reading it seems to always happen when interactive widgets are involved.
After some trying the smallest possible test is:

  1. Create a test.md file with the following content: (on our instance it's .attachment links with wrong file ids)
    ![](C.png)
  2. Copy the /f/... link and post it into a chat
  3. Check the browser console for calls to index.php/call/undefined

After some debugging I found this trace. The problem is the "default" resolver responds:

    resolve(src) {
        logger.warn('No attachment resolver provided. Some attachment sources cannot be resolved.')
        return [src]
    },

This means that

    this.attachment = await this.$attachmentResolver.resolve(this.src)

makes this.attachment = [this.src].
In the Promise it sets img.src = this.attachment.previewUrl, but previewUrl is undefined as only 0 exists.
This will make the browser load undefined relative to the current page, which results in https://localhost/index.php/call/undefined
This however looks like you are trying to open a conversation with the token undefined, but you have no access to it => bruteforce registered.

By simply checking if previewUrl exists and otherwise jumping into the fail mode, it prevents the request to load index.php/call/undefined and so also no bruteforce attempt is registered.

🏁 Checklist

  • Code is properly formatted (npm run lint / npm run stylelint / composer run cs:check)
  • Sign-off message is added to all commits
  • Tests (unit, integration and/or end-to-end) passing and the changes are covered with tests
  • Documentation (README or documentation) has been updated or is not required
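
The failure described above and the guard against it, as an added example that is not part of the original PR description or the project's code. It mimics what a browser requests after `img.src = value` by stringifying the value and resolving it against the page URL. `PAGE_URL`, `workingResolver`, the function names and the preview path are constructed for illustration, and the string-type check is an assumed form of the "previewUrl exists" check.

```javascript
// Constructed page URL: a conversation page whose last path segment is the token.
const PAGE_URL = 'https://localhost/index.php/call/abc123'

// Default resolver as quoted in the PR description (logging omitted):
// it returns an array, so the result has index 0 but no previewUrl property.
const defaultResolver = { resolve(src) { return [src] } }

// Hypothetical resolver returning an object with previewUrl (constructed path).
const workingResolver = {
  resolve(src) { return { previewUrl: '/example-preview/' + encodeURIComponent(src) } },
}

// URL a browser would fetch after `img.src = value`: the value is converted
// to a string and resolved relative to the current page.
function requestedUrl(value) {
  return new URL(String(value), PAGE_URL).href
}

// Before the fix: previewUrl is assigned without checking it.
function loadUnguarded(attachment) {
  return { failed: false, request: requestedUrl(attachment.previewUrl) }
}

// After the fix: a missing previewUrl goes to the failure path, no request is made.
function loadGuarded(attachment) {
  const url = attachment?.previewUrl
  if (typeof url !== 'string' || url === '') {
    return { failed: true, request: null }
  }
  return { failed: false, request: requestedUrl(url) }
}

const unresolved = defaultResolver.resolve('C.png')
console.log(loadUnguarded(unresolved).request) // request with "undefined" as the token
console.log(loadGuarded(unresolved)) // fail mode, nothing requested
console.log(loadGuarded(workingResolver.resolve('C.png')).request)
```
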

@nickvergessen nickvergessen force-pushed the bugfix/noid/stop-loading-broken-images branch from 759b8d4 to 99e7a7a Compare April 11, 2024 07:56
Signed-off-by: Joas Schilling <coding@schilljs.com>
@nickvergessen nickvergessen force-pushed the bugfix/noid/stop-loading-broken-images branch from 99e7a7a to ec99e9f Compare April 11, 2024 08:00
@Antreesy Antreesy left a comment

Should be enough for a fix. Waiting for maintainers' input.

Collaborator

@max-nextcloud max-nextcloud left a comment

Thanks for looking into this. Code change looks good and matches the description. Let's get this in.

@max-nextcloud max-nextcloud merged commit 99bc6ff into main Apr 11, 2024
58 checks passed
@max-nextcloud max-nextcloud deleted the bugfix/noid/stop-loading-broken-images branch April 11, 2024 08:59
@nextcloud nextcloud deleted a comment from backportbot bot Apr 11, 2024
@nickvergessen
Member Author

/backport to stable29
