setupchecks.js 17 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462
  1. /*
  2. * Copyright (c) 2014
  3. *
  4. * This file is licensed under the Affero General Public License version 3
  5. * or later.
  6. *
  7. * See the COPYING-README file.
  8. *
  9. */
  10. (function() {
  11. OC.SetupChecks = {
  12. /* Message types */
  13. MESSAGE_TYPE_INFO:0,
  14. MESSAGE_TYPE_WARNING:1,
  15. MESSAGE_TYPE_ERROR:2,
  16. /**
  17. * Check whether the WebDAV connection works.
  18. *
  19. * @return $.Deferred object resolved with an array of error messages
  20. */
  21. checkWebDAV: function() {
  22. var deferred = $.Deferred();
  23. var afterCall = function(xhr) {
  24. var messages = [];
  25. if (xhr.status !== 207 && xhr.status !== 401) {
  26. messages.push({
  27. msg: t('core', 'Your web server is not yet properly set up to allow file synchronization, because the WebDAV interface seems to be broken.'),
  28. type: OC.SetupChecks.MESSAGE_TYPE_ERROR
  29. });
  30. }
  31. deferred.resolve(messages);
  32. };
  33. $.ajax({
  34. type: 'PROPFIND',
  35. url: OC.linkToRemoteBase('webdav'),
  36. data: '<?xml version="1.0"?>' +
  37. '<d:propfind xmlns:d="DAV:">' +
  38. '<d:prop><d:resourcetype/></d:prop>' +
  39. '</d:propfind>',
  40. contentType: 'application/xml; charset=utf-8',
  41. complete: afterCall,
  42. allowAuthErrors: true
  43. });
  44. return deferred.promise();
  45. },
  46. /**
  47. * Check whether the .well-known URLs works.
  48. *
  49. * @param url the URL to test
  50. * @param placeholderUrl the placeholder URL - can be found at OC.theme.docPlaceholderUrl
  51. * @param {boolean} runCheck if this is set to false the check is skipped and no error is returned
  52. * @param {int|int[]} expectedStatus the expected HTTP status to be returned by the URL, 207 by default
  53. * @return $.Deferred object resolved with an array of error messages
  54. */
  55. checkWellKnownUrl: function(verb, url, placeholderUrl, runCheck, expectedStatus, checkCustomHeader) {
  56. if (expectedStatus === undefined) {
  57. expectedStatus = [207];
  58. }
  59. if (!Array.isArray(expectedStatus)) {
  60. expectedStatus = [expectedStatus];
  61. }
  62. var deferred = $.Deferred();
  63. if(runCheck === false) {
  64. deferred.resolve([]);
  65. return deferred.promise();
  66. }
  67. var afterCall = function(xhr) {
  68. var messages = [];
  69. var customWellKnown = xhr.getResponseHeader('X-NEXTCLOUD-WELL-KNOWN')
  70. if (expectedStatus.indexOf(xhr.status) === -1 || (checkCustomHeader && !customWellKnown)) {
  71. var docUrl = placeholderUrl.replace('PLACEHOLDER', 'admin-setup-well-known-URL');
  72. messages.push({
  73. msg: t('core', 'Your web server is not properly set up to resolve "{url}". Further information can be found in the {linkstart}documentation ↗{linkend}.', { url: url })
  74. .replace('{linkstart}', '<a target="_blank" rel="noreferrer noopener" class="external" href="' + docUrl + '">')
  75. .replace('{linkend}', '</a>'),
  76. type: OC.SetupChecks.MESSAGE_TYPE_INFO
  77. });
  78. }
  79. deferred.resolve(messages);
  80. };
  81. $.ajax({
  82. type: verb,
  83. url: url,
  84. complete: afterCall,
  85. allowAuthErrors: true
  86. });
  87. return deferred.promise();
  88. },
  89. /**
  90. * Check whether the .well-known URLs works.
  91. *
  92. * @param url the URL to test
  93. * @param placeholderUrl the placeholder URL - can be found at OC.theme.docPlaceholderUrl
  94. * @param {boolean} runCheck if this is set to false the check is skipped and no error is returned
  95. *
  96. * @return $.Deferred object resolved with an array of error messages
  97. */
  98. checkProviderUrl: function(url, placeholderUrl, runCheck) {
  99. var expectedStatus = [200];
  100. var deferred = $.Deferred();
  101. if(runCheck === false) {
  102. deferred.resolve([]);
  103. return deferred.promise();
  104. }
  105. var afterCall = function(xhr) {
  106. var messages = [];
  107. if (expectedStatus.indexOf(xhr.status) === -1) {
  108. var docUrl = placeholderUrl.replace('PLACEHOLDER', 'admin-nginx');
  109. messages.push({
  110. msg: t('core', 'Your web server is not properly set up to resolve "{url}". This is most likely related to a web server configuration that was not updated to deliver this folder directly. Please compare your configuration against the shipped rewrite rules in ".htaccess" for Apache or the provided one in the documentation for Nginx at it\'s {linkstart}documentation page ↗{linkend}. On Nginx those are typically the lines starting with "location ~" that need an update.', { docLink: docUrl, url: url })
  111. .replace('{linkstart}', '<a target="_blank" rel="noreferrer noopener" class="external" href="' + docUrl + '">')
  112. .replace('{linkend}', '</a>'),
  113. type: OC.SetupChecks.MESSAGE_TYPE_WARNING
  114. });
  115. }
  116. deferred.resolve(messages);
  117. };
  118. $.ajax({
  119. type: 'GET',
  120. url: url,
  121. complete: afterCall,
  122. allowAuthErrors: true
  123. });
  124. return deferred.promise();
  125. },
  126. /**
  127. * Check whether the WOFF2 URLs works.
  128. *
  129. * @param url the URL to test
  130. * @param placeholderUrl the placeholder URL - can be found at OC.theme.docPlaceholderUrl
  131. * @return $.Deferred object resolved with an array of error messages
  132. */
  133. checkWOFF2Loading: function(url, placeholderUrl) {
  134. var deferred = $.Deferred();
  135. var afterCall = function(xhr) {
  136. var messages = [];
  137. if (xhr.status !== 200) {
  138. var docUrl = placeholderUrl.replace('PLACEHOLDER', 'admin-nginx');
  139. messages.push({
  140. msg: t('core', 'Your web server is not properly set up to deliver .woff2 files. This is typically an issue with the Nginx configuration. For Nextcloud 15 it needs an adjustement to also deliver .woff2 files. Compare your Nginx configuration to the recommended configuration in our {linkstart}documentation ↗{linkend}.', { docLink: docUrl, url: url })
  141. .replace('{linkstart}', '<a target="_blank" rel="noreferrer noopener" class="external" href="' + docUrl + '">')
  142. .replace('{linkend}', '</a>'),
  143. type: OC.SetupChecks.MESSAGE_TYPE_WARNING
  144. });
  145. }
  146. deferred.resolve(messages);
  147. };
  148. $.ajax({
  149. type: 'GET',
  150. url: url,
  151. complete: afterCall,
  152. allowAuthErrors: true
  153. });
  154. return deferred.promise();
  155. },
  156. /**
  157. * Runs setup checks on the server side
  158. *
  159. * @return $.Deferred object resolved with an array of error messages
  160. */
  161. checkSetup: function() {
  162. var deferred = $.Deferred();
  163. var afterCall = function(data, statusText, xhr) {
  164. var messages = [];
  165. if (xhr.status === 200 && data) {
  166. if (window.location.protocol === 'https:' && data.reverseProxyGeneratedURL.split('/')[0] !== 'https:') {
  167. messages.push({
  168. msg: t('core', 'You are accessing your instance over a secure connection, however your instance is generating insecure URLs. This most likely means that you are behind a reverse proxy and the overwrite config variables are not set correctly. Please read {linkstart}the documentation page about this ↗{linkend}.')
  169. .replace('{linkstart}', '<a target="_blank" rel="noreferrer noopener" class="external" href="' + data.reverseProxyDocs + '">')
  170. .replace('{linkend}', '</a>'),
  171. type: OC.SetupChecks.MESSAGE_TYPE_WARNING
  172. })
  173. }
  174. if (Object.keys(data.generic).length > 0) {
  175. Object.keys(data.generic).forEach(function(key){
  176. Object.keys(data.generic[key]).forEach(function(title){
  177. if (data.generic[key][title].severity != 'success') {
  178. data.generic[key][title].pass = false;
  179. OC.SetupChecks.addGenericSetupCheck(data.generic[key], title, messages);
  180. }
  181. });
  182. });
  183. }
  184. } else {
  185. messages.push({
  186. msg: t('core', 'Error occurred while checking server setup'),
  187. type: OC.SetupChecks.MESSAGE_TYPE_ERROR
  188. });
  189. }
  190. deferred.resolve(messages);
  191. };
  192. $.ajax({
  193. type: 'GET',
  194. url: OC.generateUrl('settings/ajax/checksetup'),
  195. allowAuthErrors: true
  196. }).then(afterCall, afterCall);
  197. return deferred.promise();
  198. },
  199. escapeHTML: function(text) {
  200. return text.toString()
  201. .split('&').join('&amp;')
  202. .split('<').join('&lt;')
  203. .split('>').join('&gt;')
  204. .split('"').join('&quot;')
  205. .split('\'').join('&#039;')
  206. },
  207. /**
  208. * @param message The message string containing placeholders.
  209. * @param parameters An object with keys as placeholders and values as their replacements.
  210. *
  211. * @return The message with placeholders replaced by values.
  212. */
  213. richToParsed: function (message, parameters) {
  214. for (var [placeholder, parameter] of Object.entries(parameters)) {
  215. var replacement;
  216. if (parameter.type === 'user') {
  217. replacement = '@' + this.escapeHTML(parameter.name);
  218. } else if (parameter.type === 'file') {
  219. replacement = this.escapeHTML(parameter.path) || this.escapeHTML(parameter.name);
  220. } else if (parameter.type === 'highlight') {
  221. replacement = '<a href="' + encodeURI(parameter.link) + '">' + this.escapeHTML(parameter.name) + '</a>';
  222. } else {
  223. replacement = this.escapeHTML(parameter.name);
  224. }
  225. message = message.replace('{' + placeholder + '}', replacement);
  226. }
  227. return message;
  228. },
  229. addGenericSetupCheck: function(data, check, messages) {
  230. var setupCheck = data[check] || { pass: true, description: '', severity: 'info', linkToDoc: null}
  231. var type = OC.SetupChecks.MESSAGE_TYPE_INFO
  232. if (setupCheck.severity === 'warning') {
  233. type = OC.SetupChecks.MESSAGE_TYPE_WARNING
  234. } else if (setupCheck.severity === 'error') {
  235. type = OC.SetupChecks.MESSAGE_TYPE_ERROR
  236. }
  237. var message = setupCheck.description;
  238. if (message) {
  239. message = this.escapeHTML(message)
  240. }
  241. if (setupCheck.descriptionParameters) {
  242. message = this.richToParsed(message, setupCheck.descriptionParameters);
  243. }
  244. if (setupCheck.linkToDoc) {
  245. message += ' ' + t('core', 'For more details see the {linkstart}documentation ↗{linkend}.')
  246. .replace('{linkstart}', '<a target="_blank" rel="noreferrer noopener" class="external" href="' + setupCheck.linkToDoc + '">')
  247. .replace('{linkend}', '</a>');
  248. }
  249. if (setupCheck.elements) {
  250. message += '<br><ul>'
  251. setupCheck.elements.forEach(function(element){
  252. message += '<li>';
  253. message += element
  254. message += '</li>';
  255. });
  256. message += '</ul>'
  257. }
  258. if (!setupCheck.pass) {
  259. messages.push({
  260. msg: message,
  261. type: type,
  262. })
  263. }
  264. },
  265. /**
  266. * Runs generic checks on the server side, the difference to dedicated
  267. * methods is that we use the same XHR object for all checks to save
  268. * requests.
  269. *
  270. * @return $.Deferred object resolved with an array of error messages
  271. */
  272. checkGeneric: function() {
  273. var self = this;
  274. var deferred = $.Deferred();
  275. var afterCall = function(data, statusText, xhr) {
  276. var messages = [];
  277. messages = messages.concat(self._checkSecurityHeaders(xhr));
  278. messages = messages.concat(self._checkSSL(xhr));
  279. deferred.resolve(messages);
  280. };
  281. $.ajax({
  282. type: 'GET',
  283. url: OC.generateUrl('heartbeat'),
  284. allowAuthErrors: true
  285. }).then(afterCall, afterCall);
  286. return deferred.promise();
  287. },
  288. checkDataProtected: function() {
  289. var deferred = $.Deferred();
  290. if(oc_dataURL === false){
  291. return deferred.resolve([]);
  292. }
  293. var afterCall = function(xhr) {
  294. var messages = [];
  295. // .ocdata is an empty file in the data directory - if this is readable then the data dir is not protected
  296. if (xhr.status === 200 && xhr.responseText === '') {
  297. messages.push({
  298. msg: t('core', 'Your data directory and files are probably accessible from the internet. The .htaccess file is not working. It is strongly recommended that you configure your web server so that the data directory is no longer accessible, or move the data directory outside the web server document root.'),
  299. type: OC.SetupChecks.MESSAGE_TYPE_ERROR
  300. });
  301. }
  302. deferred.resolve(messages);
  303. };
  304. $.ajax({
  305. type: 'GET',
  306. url: OC.linkTo('', oc_dataURL+'/.ocdata?t=' + (new Date()).getTime()),
  307. complete: afterCall,
  308. allowAuthErrors: true
  309. });
  310. return deferred.promise();
  311. },
  312. /**
  313. * Runs check for some generic security headers on the server side
  314. *
  315. * @param {Object} xhr
  316. * @return {Array} Array with error messages
  317. */
  318. _checkSecurityHeaders: function(xhr) {
  319. var messages = [];
  320. if (xhr.status === 200) {
  321. var securityHeaders = {
  322. 'X-Content-Type-Options': ['nosniff'],
  323. 'X-Robots-Tag': ['noindex, nofollow'],
  324. 'X-Frame-Options': ['SAMEORIGIN', 'DENY'],
  325. 'X-Permitted-Cross-Domain-Policies': ['none'],
  326. };
  327. for (var header in securityHeaders) {
  328. var option = securityHeaders[header][0];
  329. if(!xhr.getResponseHeader(header) || xhr.getResponseHeader(header).replace(/, /, ',').toLowerCase() !== option.replace(/, /, ',').toLowerCase()) {
  330. var msg = t('core', 'The "{header}" HTTP header is not set to "{expected}". This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.', {header: header, expected: option});
  331. if(xhr.getResponseHeader(header) && securityHeaders[header].length > 1 && xhr.getResponseHeader(header).toLowerCase() === securityHeaders[header][1].toLowerCase()) {
  332. msg = t('core', 'The "{header}" HTTP header is not set to "{expected}". Some features might not work correctly, as it is recommended to adjust this setting accordingly.', {header: header, expected: option});
  333. }
  334. messages.push({
  335. msg: msg,
  336. type: OC.SetupChecks.MESSAGE_TYPE_WARNING
  337. });
  338. }
  339. }
  340. var xssfields = xhr.getResponseHeader('X-XSS-Protection') ? xhr.getResponseHeader('X-XSS-Protection').split(';').map(function(item) { return item.trim(); }) : [];
  341. if (xssfields.length === 0 || xssfields.indexOf('1') === -1 || xssfields.indexOf('mode=block') === -1) {
  342. messages.push({
  343. msg: t('core', 'The "{header}" HTTP header does not contain "{expected}". This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.',
  344. {
  345. header: 'X-XSS-Protection',
  346. expected: '1; mode=block'
  347. }),
  348. type: OC.SetupChecks.MESSAGE_TYPE_WARNING
  349. });
  350. }
  351. const referrerPolicy = xhr.getResponseHeader('Referrer-Policy')
  352. if (referrerPolicy === null || !/(no-referrer(-when-downgrade)?|strict-origin(-when-cross-origin)?|same-origin)(,|$)/.test(referrerPolicy)) {
  353. messages.push({
  354. msg: t('core', 'The "{header}" HTTP header is not set to "{val1}", "{val2}", "{val3}", "{val4}" or "{val5}". This can leak referer information. See the {linkstart}W3C Recommendation ↗{linkend}.',
  355. {
  356. header: 'Referrer-Policy',
  357. val1: 'no-referrer',
  358. val2: 'no-referrer-when-downgrade',
  359. val3: 'strict-origin',
  360. val4: 'strict-origin-when-cross-origin',
  361. val5: 'same-origin'
  362. })
  363. .replace('{linkstart}', '<a target="_blank" rel="noreferrer noopener" class="external" href="https://www.w3.org/TR/referrer-policy/">')
  364. .replace('{linkend}', '</a>'),
  365. type: OC.SetupChecks.MESSAGE_TYPE_INFO
  366. })
  367. }
  368. } else {
  369. messages.push({
  370. msg: t('core', 'Error occurred while checking server setup'),
  371. type: OC.SetupChecks.MESSAGE_TYPE_ERROR
  372. });
  373. }
  374. return messages;
  375. },
  376. /**
  377. * Runs check for some SSL configuration issues on the server side
  378. *
  379. * @param {Object} xhr
  380. * @return {Array} Array with error messages
  381. */
  382. _checkSSL: function(xhr) {
  383. var messages = [];
  384. if (xhr.status === 200) {
  385. var tipsUrl = OC.theme.docPlaceholderUrl.replace('PLACEHOLDER', 'admin-security');
  386. if(OC.getProtocol() === 'https') {
  387. // Extract the value of 'Strict-Transport-Security'
  388. var transportSecurityValidity = xhr.getResponseHeader('Strict-Transport-Security');
  389. if(transportSecurityValidity !== null && transportSecurityValidity.length > 8) {
  390. var firstComma = transportSecurityValidity.indexOf(";");
  391. if(firstComma !== -1) {
  392. transportSecurityValidity = transportSecurityValidity.substring(8, firstComma);
  393. } else {
  394. transportSecurityValidity = transportSecurityValidity.substring(8);
  395. }
  396. }
  397. var minimumSeconds = 15552000;
  398. if(isNaN(transportSecurityValidity) || transportSecurityValidity <= (minimumSeconds - 1)) {
  399. messages.push({
  400. msg: t('core', 'The "Strict-Transport-Security" HTTP header is not set to at least "{seconds}" seconds. For enhanced security, it is recommended to enable HSTS as described in the {linkstart}security tips ↗{linkend}.', {'seconds': minimumSeconds})
  401. .replace('{linkstart}', '<a target="_blank" rel="noreferrer noopener" class="external" href="' + tipsUrl + '">')
  402. .replace('{linkend}', '</a>'),
  403. type: OC.SetupChecks.MESSAGE_TYPE_WARNING
  404. });
  405. }
  406. } else if (!/(?:^(?:localhost|127\.0\.0\.1|::1)|\.onion)$/.exec(window.location.hostname)) {
  407. messages.push({
  408. msg: t('core', 'Accessing site insecurely via HTTP. You are strongly advised to set up your server to require HTTPS instead, as described in the {linkstart}security tips ↗{linkend}. Without it some important web functionality like "copy to clipboard" or "service workers" will not work!')
  409. .replace('{linkstart}', '<a target="_blank" rel="noreferrer noopener" class="external" href="' + tipsUrl + '">')
  410. .replace('{linkend}', '</a>'),
  411. type: OC.SetupChecks.MESSAGE_TYPE_ERROR
  412. });
  413. }
  414. } else {
  415. messages.push({
  416. msg: t('core', 'Error occurred while checking server setup'),
  417. type: OC.SetupChecks.MESSAGE_TYPE_ERROR
  418. });
  419. }
  420. return messages;
  421. }
  422. };
  423. })();