Added v22.02.3 post

2022-03-07 15:05:41 +00:00 · 2022-03-07 15:05:41 +00:00 · 4fe7dfe038
commit 4fe7dfe038
parent 7c5ac37f01
4 changed files with 92 additions and 4 deletions
--- a/content/blog/security-release-v22-02-3.md
+++ b/content/blog/security-release-v22-02-3.md
@ -0,0 +1,48 @@
+++ 
+categories = ["Releases"] 
+tags = ["Releases"] 
+title = "BookStack Security Release v22.02.3" 
+date = 2022-03-07T15:00:00Z 
+author = "Dan Brown" 
+image = "/images/blog-cover-images/fence-birds-yudi-m.jpg" 
+slug = "bookstack-release-v22-02-3" 
+draft = false 
+++ 
+  
+BookStack v22.02.3 has been released. 
+This is a security release that adds better protections against embedded content 
+that could be used in malicious ways. This effectively restricts embedded iframe 
+content in an allow-list approach.  
+  
+A new `ALLOWED_IFRAME_SOURCES` option has been added to provide configuration of  
+allowed embed/iframe sources within BookStack pages, and this defaults to a couple 
+of popular services such as YouTube and Vimeo. 
+  
+Please see this link for more detail regarding this option: 
+- https://www.bookstackapp.com/docs/admin/security/#iframe-src-control 
+ - ("Iframe Source Control" section) 
+  
+It's advised to upgrade as soon as possible if untrusted users can create or update  
+pages within your BookStack instance. 
+  
+* [Update instructions](https://www.bookstackapp.com/docs/admin/updates) 
+* [GitHub release page](https://github.com/BookStackApp/BookStack/releases/tag/v22.02.3) 
+  
+Thanks to @416e6e61 (Anna) for discovering and reporting this vulnerability via huntr.dev. 
+  
+### Full List of Changes 
+  
+* Added iframe allow-list control to prevent a range of malicious uses of untrusted iframe sources. ([#3314](https://github.com/BookStackApp/BookStack/issues/3314)) 
+* Updated translations with latest Crowdin changes. ([#3312](https://github.com/BookStackApp/BookStack/pull/3312)) 
+  
+  
+### For More Information 
+  
+If you have any questions or comments about this advisory: 
+* Open an issue in [the BookStack GitHub repository](BookStackApp/BookStack/issues). 
+* Ask on the [BookStack Discord chat](https://discord.gg/ztkBqR2). 
+* Follow the [BookStack security policy](https://github.com/BookStackApp/BookStack/blob/development/.github/SECURITY.md) to contact someone privately. 
+  
+---- 
+  
+<span style="font-size: 0.8em;opacity:0.9;">Header Image Credits: <span>Photo by <a href="https://unsplash.com/@yudi_m?utm_source=unsplash&utm_medium=referral&utm_content=creditCopyText">Yudi M</a> on <a href="https://unsplash.com/s/photos/fence?utm_source=unsplash&utm_medium=referral&utm_content=creditCopyText">Unsplash</a></span></span> 
--- a/content/docs/admin/security.md
+++ b/content/docs/admin/security.md
@ -21,7 +21,8 @@ If you'd like to be notified of new potential security concerns you can sign-up
 <li><a href="#javascript-in-page-content">JavaScript in Page Content</a></li> 
 <li><a href="#web-crawler-control">Web Crawler Control</a></li> 
 <li><a href="#secure-cookies">Secure Cookies</a></li> 
- <li><a href="#iframe-control">Host IFrame Control</a></li> 
+ <li><a href="#iframe-control">Host Iframe Control</a></li> 
+ <li><a href="#iframe-src-control">Iframe Source Control</a></li> 
 <li><a href="#failed-access-logging">Failed Access Logging</a></li> 
 <li><a href="#server-side-requests">Untrusted Server Side Requests</a></li> 
 <li><a href="#csp">Content Security Policy (CSP)</a></li> 
@ -174,7 +175,7 @@ By default BookStack will only allow itself to be embedded within iframes on the
 # Adding a single host 
 ALLOWED_IFRAME_HOSTS="https://example.com" 
  
-# Mulitple hosts can be separated with a space 
+# Multiple hosts can be separated with a space 
 ALLOWED_IFRAME_HOSTS="https://a.example.com https://b.example.com" 
 ``` 
  
@ -183,6 +184,34 @@ a user session can persist within the iframe.
  
 --- 
  
+<a name="iframe-src-control"></a> 
+  
+### Iframe Source Control 
+  
+By default BookStack will only allow certain other hosts to be used as `src` values for embededd iframe/frame content within the application. This is done through a [CSP: frame-src](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-src) header. You can configure the list of trusted sources by setting a `ALLOWED_IFRAME_SOURCES` option in your `.env` file like the examples below: 
+  
+```bash 
+# Adding a single host 
+ALLOWED_IFRAME_SOURCES="https://example.com" 
+  
+# Multiple hosts can be separated with a space 
+ALLOWED_IFRAME_SOURCES="https://a.example.com https://b.example.com" 
+  
+# Allow all sources 
+# This opens vulnerability risk and should only be done in secure & trusted environments. 
+ALLOWED_IFRAME_SOURCES="*" 
+``` 
+  
+By default this option is configured as follows: 
+  
+```bash 
+ALLOWED_IFRAME_SOURCES="https://*.draw.io https://*.youtube.com https://*.youtube-nocookie.com https://*.vimeo.com" 
+``` 
+  
+Note: The source of 'self' will always be automatically added to this CSP rule. In addition, the host used for the diagrams.net integration (If enabled) will be automatically appended to the lists of hosts. 
+  
+--- 
+  
 <a name="failed-access-logging"></a> 
  
 ### Failed Access Logging 
@ -222,14 +251,18 @@ ALLOW_UNTRUSTED_SERVER_FETCHING=true
  
 ### Content Security Policy (CSP) 
  
-BookStack serves responses with multiple CSP headers to increase protection again malicious content. 
+BookStack serves responses with a CSP header to increase protection again malicious content. 
 This is especially important in a system such as BookStack where users can create a variety of HTML content,  
 especially so if you allow untrusted users to create content in your instance. 
-The CSP headers set by BookStack are as follows: 
+The CSP rules set by BookStack are as follows: 
  
 - `frame-ancestors 'self'` 
 - Restricts what websites can embed BookStack pages via iframes. 
 - See the "[Host Iframe Control](#iframe-control)" section above for details on expanding this rule to other hosts. 
+- `frame-source 'self' https://*.diagrams.net https://*.draw.io https://*.youtube.com https://*.youtube-nocookie.com https://*.vimeo.com https://embed.diagrams.net` 
+ - Restricts what sources are allowed to load for frames/iframes. 
+ - Can be configured via a `ALLOWED_IFRAME_SOURCES` .env option. 
+ - May be different depending on other configuration set. 
 - `script-src http: https: 'nonce-abc123' 'strict-dynamic'` 
 - Restricts what scripts can be ran on a BookStack-served page. 
 - Will not be set if the `ALLOW_CONTENT_SCRIPTS` .env option is active. 
--- a/content/docs/admin/updates.md
+++ b/content/docs/admin/updates.md
@ -37,6 +37,10 @@ This is primarily a list of breaking changes & security notices.
 Details of updates can be found on [our blog](https://www.bookstackapp.com/blog/) or via  
 the [GitHub releases page](https://github.com/BookStackApp/BookStack/releases). 
  
+#### Updating to v22.02.3 or higher 
+  
+**Security** - v22.02.3 adds controls to limit external/iframe content on BookStack pages to prevent potential malicious sources being used. See [the added "Iframe Source Control" section on our security page](/docs/admin/security/#iframe-src-control) for more detail regarding the added controls. 
+  
 #### Updating to v22.02 or higher 
  
 **PHP Version Requirement Change** - The minimum required version of PHP has changed from 7.3 to 7.4. This should not be a concern for those that are using common containers or for those that have installed using our install scripts. 
--- a/static/images/blog-cover-images/fence-birds-yudi-m.jpg
+++ b/static/images/blog-cover-images/fence-birds-yudi-m.jpg