Merge pull request #55 from manyfold3d/0.69.0

0.69.0 release and security docs to go with it

_posts/2024-05-12-release-v0-66-0.md

@@ -1,11 +1,11 @@
----
-title: Release v0.66.0
-date: 2024-05-12 16:03:50 UTC
-layout: post
-excerpt_separator: "
-
-"
----
+---
+title: Release v0.66.0
+date: 2024-05-12 16:03:50 UTC
+layout: post
+excerpt_separator: "
+
+"
+---
 On the surface, this release is mostly about more accessibility - keyboard controls for rotating 3d models, correctly-tagged languages, and colour contrast. But in order to do that, behind the scenes the 3d renderer has had a *massive* rewrite, and I hope you'll find it a lot faster and smoother to use!
 
 ## What's Changed
@@ -27,6 +27,6 @@ On the surface, this release is mostly about more accessibility - keyboard contr
 ## New Contributors
 * [@matthewbadeau](https://github.com/matthewbadeau) made their first contribution in [#2164](https://github.com/manyfold3d/manyfold/pull/2164)
 
-**Full Changelog**: [v0.65.0...v0.66.0](https://github.com/manyfold3d/manyfold/compare/v0.65.0...v0.66.0)
-
-See the original release on GitHub: [v0.66.0](https://github.com/manyfold3d/manyfold/releases/tag/v0.66.0)
+**Full Changelog**: [v0.65.0...v0.66.0](https://github.com/manyfold3d/manyfold/compare/v0.65.0...v0.66.0)
+
+See the original release on GitHub: [v0.66.0](https://github.com/manyfold3d/manyfold/releases/tag/v0.66.0)

_posts/2024-06-20-release-v0-69-0.md

@@ -0,0 +1,49 @@
+---
+title: Release v0.69.0
+date: 2024-06-20 08:53:01 UTC
+layout: post
+excerpt_separator: "
+
+"
+---
+We had a security audit recently, thanks to NLNet / NGI Zero and Radically Open Security. This release fixes a load of security issues that were found in the audit, many of which fix other bugs at the same time.
+
+The biggest obvious change is that you should now set `PUID` and `PGID` environment variables to specify which user and group Manyfold should run as - before, it would run as root because that's what Docker does by default, and that's obviously a security risk. If you don't set those variables, it will continue to run as root, but it will warn you loudly until you change it! Don't forget to make sure that your libraries are writable by the user you choose!
+
+Visit our new [Security](https://manyfold.app/sysadmin/security) page for more details on these and other new options to make your instances more secure!
+
+<!-- Release notes generated using configuration in .github/release.yml at main -->
+
+## What's Changed
+### ✨ New Features ✨
+* Show admins a security alert if container is being run as root by [@Floppy](https://github.com/Floppy) in [#2252](https://github.com/manyfold3d/manyfold/pull/2252)
+* Add PUID and PGID env vars to control which user the app runs as by [@Floppy](https://github.com/Floppy) in [#2253](https://github.com/manyfold3d/manyfold/pull/2253)
+* Lock accounts temporarily after too many failed login attempts by [@Floppy](https://github.com/Floppy) in [#2254](https://github.com/manyfold3d/manyfold/pull/2254)
+* Show free space in upload selector and library details (for admins only) by [@Floppy](https://github.com/Floppy) in [#2260](https://github.com/manyfold3d/manyfold/pull/2260)
+* Limit file upload size by [@Floppy](https://github.com/Floppy) in [#2266](https://github.com/manyfold3d/manyfold/pull/2266)
+* Add HTTPS_ONLY env option to force secure-only connections by [@Floppy](https://github.com/Floppy) in [#2275](https://github.com/manyfold3d/manyfold/pull/2275)
+* Limit size of extracted files on upload by [@Floppy](https://github.com/Floppy) in [#2281](https://github.com/manyfold3d/manyfold/pull/2281)
+### 🐛 Bug Fixes 🐛
+* Restrict problem viewing to contributors, not viewers by [@Floppy](https://github.com/Floppy) in [#2257](https://github.com/manyfold3d/manyfold/pull/2257)
+* Set secure flags on libarchive extraction to avoid "Zip Slip" exploits by [@Floppy](https://github.com/Floppy) in [#2258](https://github.com/manyfold3d/manyfold/pull/2258)
+* Fix upload file filter on Windows machines by [@Floppy](https://github.com/Floppy) in [#2261](https://github.com/manyfold3d/manyfold/pull/2261)
+* Fix translation linter error by [@Floppy](https://github.com/Floppy) in [#2262](https://github.com/manyfold3d/manyfold/pull/2262)
+* Avoid naming race condition on upload by [@Floppy](https://github.com/Floppy) in [#2268](https://github.com/manyfold3d/manyfold/pull/2268)
+* Stop username enumeration through password reset form by [@Floppy](https://github.com/Floppy) in [#2283](https://github.com/manyfold3d/manyfold/pull/2283)
+* Check problematic item exists when rendering problem list by [@Floppy](https://github.com/Floppy) in [#2289](https://github.com/manyfold3d/manyfold/pull/2289)
+* Allow inline style attributes in Content-Security-Policy by [@Floppy](https://github.com/Floppy) in [#2290](https://github.com/manyfold3d/manyfold/pull/2290)
+### 🛠️ Other Improvements 🛠️
+* Check file extension before unzipping uploads by [@Floppy](https://github.com/Floppy) in [#2267](https://github.com/manyfold3d/manyfold/pull/2267)
+* Make the "remember me" cookie HTTPS-only if appropriate by [@Floppy](https://github.com/Floppy) in [#2276](https://github.com/manyfold3d/manyfold/pull/2276)
+* Completely reset user session on logout by [@Floppy](https://github.com/Floppy) in [#2279](https://github.com/manyfold3d/manyfold/pull/2279)
+* Add session timeouts to reduce session fixation/hijacking by [@Floppy](https://github.com/Floppy) in [#2280](https://github.com/manyfold3d/manyfold/pull/2280)
+* Mitigate timing attacks on user lookups by [@Floppy](https://github.com/Floppy) in [#2282](https://github.com/manyfold3d/manyfold/pull/2282)
+* Change from cocoon to cocooned by [@Floppy](https://github.com/Floppy) in [#2259](https://github.com/manyfold3d/manyfold/pull/2259)
+* Remove external jQuery and selectize scripts by [@Floppy](https://github.com/Floppy) in [#2285](https://github.com/manyfold3d/manyfold/pull/2285)
+* Reduce javascript payload with tree-shaking by [@Floppy](https://github.com/Floppy) in [#2286](https://github.com/manyfold3d/manyfold/pull/2286)
+* Add Content-Security-Policy to increase security by [@Floppy](https://github.com/Floppy) in [#2287](https://github.com/manyfold3d/manyfold/pull/2287)
+
+
+**Full Changelog**: [v0.68.0...v0.69.0](https://github.com/manyfold3d/manyfold/compare/v0.68.0...v0.69.0)
+
+See the original release on GitHub: [v0.69.0](https://github.com/manyfold3d/manyfold/releases/tag/v0.69.0)

get-started/docker-compose.md

@@ -38,8 +38,18 @@ services:
       DATABASE_URL: postgresql://manyfold:password@db/manyfold?pool=5
       SECRET_KEY_BASE: a_nice_long_random_string
       REDIS_URL: redis://redis:6379/1
+      PUID: 1000
+      PGID: 1000
       # For details of other optional environment variables, including features such
       # as multiuser mode, visit https://manyfold.app/sysadmin/configuration.html
+    security_opt:
+      - no-new-privileges:true
+    cap_drop:
+      - ALL
+    cap_add:
+      - CHOWN
+      - SETUID
+      - SETGID
     depends_on:
       - db
       - redis

sysadmin/configuration.md

@@ -28,6 +28,16 @@ A string that includes all the information necessary to connect to a Redis serve
 
 A secret key used to sign browser cookies; normally a 128-digit hexadecimal number, but any long random string will do. If you have the code checked out, you can generate one with `rake secret`. Changing this will invalidate all user cookies and sessions.
 
+### `PUID` and `PGID`
+<small>Version 0.69.0+</small>
+
+Set the user and group IDs that the Manyfold application should run as. Works the same as it does in [Linuxserver containers](https://docs.linuxserver.io/general/understanding-puid-and-pgid/).
+
+For example: `PUID=1000` and `PGID=1000`
+
+To get your user and group IDs, run `id` and look at the `uid` and `gid` values. Read our [security guide](security) for more details.
+
+
 ## Features
 
 ### `DEMO_MODE`
@@ -50,6 +60,14 @@ You should set a secure administrator password before turning on multiuser mode.
 
 ## Network
 
+### `HTTPS_ONLY`
+<small>Version 0.69.0+</small>
+
+Put the application into HTTPS-only mode, including automatic HTTPS redirection, Strict-Transport-Security, and secure cookies. Read the [security](security) page for important details.
+
+{:.important}
+The HSTS header has a long expiry time, so this is effectively a one-way switch! By turning it on you will lose unencrypted access to your instance for a long time, so make sure HTTPS is working first!
+
 ### `RAILS_RELATIVE_URL_ROOT`
 
 If you are mapping Manyfold to a non-root path via a reverse proxy like nginx, use this option to tell Manyfold what the root path is; for instance `/manyfold`.
@@ -118,6 +136,16 @@ If your public service is on a non-standard port, set it here (e.g. `3214`).
 
 ## Miscellaneous
 
+### `MAX_FILE_EXTRACT_SIZE`
+<small>Version 0.69.0+</small>
+
+The maximum individual file size (in bytes) that will be extracted from uploaded archives. 1GiB by default.
+
+### `MAX_FILE_UPLOAD_SIZE`
+<small>Version 0.69.0+</small>
+
+The maximum individual file size (in bytes) that can be uploaded. 256MiB by default.
+
 ### `USAGE_REPORTING_URL`
 <small>Version 0.67.0+</small>
 

sysadmin/proxies.md

@@ -2,7 +2,7 @@
 title: Proxies
 parent: Running Manyfold
 layout: page
-nav_order: 5
+nav_order: 6
 ---
 
 You may want to run Manyfold behind a reverse proxy, in order to provide HTTPS termination, or run it on a path. This page lists some considerations you'll need to take into account.
@@ -21,6 +21,7 @@ In order for Manyfold to correctly realise it's running behind an HTTPS proxy, y
 
 ```
 http-request set-header X-Forwarded-Ssl on
+http-request set-header X-Forwarded-Proto https
 http-request set-header X-Forwarded-Port 443
 http-request set-header X-Forwarded-Host "YOUR_DOMAIN"
 ```

sysadmin/security.md

@@ -0,0 +1,111 @@
+---
+title: Security
+parent: Running Manyfold
+layout: page
+nav_order: 3
+---
+
+This page describes how to configure your Manyfold instance to run securely. Some things are built-in options, and some are changes to your Docker configuration that you'll need to apply yourself.
+
+## `PUID` and `PGID`
+
+By default, Docker containers run as root. This is a security concern, especially for an application that manipulates files on disk!
+
+In order to increase security, and so that all the created files aren't owned by root, Manyfold should be run as a less-privileged user. In line with the [Linuxserver approach](https://docs.linuxserver.io/general/understanding-puid-and-pgid/), this is done by setting the user and group ID to run as using the `PUID` and `PGID` environment variables.
+
+ `docker create -e PUID=1000 -e PGID=1000 ghcr.io/manyfold3d/manyfold:latest`
+
+If these are set, the container will start and set up as root, but then drop to this less privileged user when actually running the app.
+
+If not set, the application will run as root, but will continuously warn admins to fix it, and will fail to start in a future release, probably v1.0.0.
+
+To get your user and group IDs, run `id` and look at the `uid` and `gid` values.
+
+{:.note}
+Make sure that your libraries and files are readable and writable by the user you run as!
+
+## Enforcing secure connections
+
+If you're running an instance anywhere except your own private network, it should be using HTTPS. Manyfold itself doesn't (yet) provide SSL termination, but if you're [running behind a proxy](proxies.md), you can put the app into secure-only mode using the following environment variable:
+
+`HTTPS_ONLY=enabled`
+
+This will do three things:
+
+1. Automatically redirects any HTTP requests to HTTPS. The proxy is probably already doing this, but just in case, the application will as well. Make sure your proxy is setting `X-Forwarded-Proto` appropriately so you don't get infinite loops!
+2. Set the `Strict-Transport-Security` header (aka [HSTS](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security)).
+3. Set all cookies to `secure`, meaning they will only be sent over HTTPS connections.
+
+{:.important}
+The HSTS header has a long expiry time, so this is effectively a one-way switch! By turning it on you will lose unencrypted access to your instance for a long time, so make sure HTTPS is working first!
+
+
+## File uploads
+
+An attacker with upload capability could upload a file that's too big for your server, or even a [zip bomb](https://en.wikipedia.org/wiki/Zip_bomb) in order to cause problems. To avoid that, there are two environment variables to control uploads:
+
+* `MAX_FILE_UPLOAD_SIZE`: sets the maximum size of any individual uploaded file. 256MiB by default.
+* `MAX_FILE_EXTRACT_SIZE`: sets the maximum size of any extracted file. 1GiB by default.
+
+To change these sizes, set a number _in bytes_ in the environment variable. For instance, to allow up to 512MiB uploads, set `MAX_FILE_UPLOAD_SIZE=536870912`.
+
+## Container permissions
+
+You should always make sure that you're running Docker containers securely. After all, can you *really* trust a downloaded image without going through every line of code? This is a very [big topic](https://docs.docker.com/engine/security/) that we can't explain fully here, but we can recommend some basic security options that you can set on the command line or in your compose file.
+
+### Privileges
+
+The container runs as root, and then drops to a different user once initialized, as described about in the `PUID` documentation. To minimise what the container can do as much as possible, you can set some privilege options.
+
+First, you should forbid privilege escalation, using the `no-new-privileges` security option.
+
+Then, you can set the container's capabilities by dropping all default capabilities, then adding back only the ones Manyfold really needs. Manyfold uses `CHOWN` permission to make sure temp and log files are writable by the `PUID` user, then uses `SETUID` and `SETGID` to actually change to that user. No others are required.
+
+On the docker command line, you can set these options using the following arguments:
+
+`--security-opt=no-new-privileges:true --cap-drop=ALL --cap-add=CHOWN,SETUID,SETGID`
+
+Or, if you're using docker-compose:
+
+```yaml
+security_opt:
+  - no-new-privileges:true
+cap_drop:
+  - ALL
+cap_add:
+  - CHOWN
+	- SETUID
+	- SETGID
+```
+
+### Read-only filesystem
+
+By setting `read-only` on your container, you can prevent the application from writing to the image filesystem, thus preventing attackers from (for instance) changing the running code.
+
+On the docker command line:
+
+`--read-only`
+
+In docker-compose:
+
+```yaml
+read_only: true
+```
+
+{:.important}
+If you set this option, you will need to map some extra volumes, because Manyfold does need to write to some temporary files.
+
+The required paths are:
+
+* `/tmp`
+* `/usr/src/app/tmp`
+* `/usr/src/app/log`
+
+For example, you might map these to a specific place on your host. In docker-compose:
+
+```yaml
+volumes:
+  - /var/manyfold/sys_tmp:/tmp
+  - /var/manyfold/app_tmp:/usr/src/app/tmp
+  - /var/manyfold/log:/usr/src/app/log
+```

sysadmin/tracking.md

@@ -2,7 +2,7 @@
 title: Tracking
 parent: Running Manyfold
 layout: page
-nav_order: 3
+nav_order: 4
 ---
 
 Since v0.67.0, Manyfold includes an opt-in anonymous usage tracking option. This has been designed to let the developers answer one single question; how many people are running Manyfold instances?