setupchecks.js 16 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428
  1. /*
  2. * Copyright (c) 2014
  3. *
  4. * This file is licensed under the Affero General Public License version 3
  5. * or later.
  6. *
  7. * See the COPYING-README file.
  8. *
  9. */
  10. (function() {
  11. OC.SetupChecks = {
  12. /* Message types */
  13. MESSAGE_TYPE_INFO:0,
  14. MESSAGE_TYPE_WARNING:1,
  15. MESSAGE_TYPE_ERROR:2,
  16. /**
  17. * Check whether the WebDAV connection works.
  18. *
  19. * @return $.Deferred object resolved with an array of error messages
  20. */
  21. checkWebDAV: function() {
  22. var deferred = $.Deferred();
  23. var afterCall = function(xhr) {
  24. var messages = [];
  25. if (xhr.status !== 207 && xhr.status !== 401) {
  26. messages.push({
  27. msg: t('core', 'Your web server is not yet properly set up to allow file synchronization, because the WebDAV interface seems to be broken.'),
  28. type: OC.SetupChecks.MESSAGE_TYPE_ERROR
  29. });
  30. }
  31. deferred.resolve(messages);
  32. };
  33. $.ajax({
  34. type: 'PROPFIND',
  35. url: OC.linkToRemoteBase('webdav'),
  36. data: '<?xml version="1.0"?>' +
  37. '<d:propfind xmlns:d="DAV:">' +
  38. '<d:prop><d:resourcetype/></d:prop>' +
  39. '</d:propfind>',
  40. contentType: 'application/xml; charset=utf-8',
  41. complete: afterCall,
  42. allowAuthErrors: true
  43. });
  44. return deferred.promise();
  45. },
  46. /**
  47. * Check whether the .well-known URLs works.
  48. *
  49. * @param url the URL to test
  50. * @param placeholderUrl the placeholder URL - can be found at OC.theme.docPlaceholderUrl
  51. * @param {boolean} runCheck if this is set to false the check is skipped and no error is returned
  52. * @param {int|int[]} expectedStatus the expected HTTP status to be returned by the URL, 207 by default
  53. * @return $.Deferred object resolved with an array of error messages
  54. */
  55. checkWellKnownUrl: function(verb, url, placeholderUrl, runCheck, expectedStatus, checkCustomHeader) {
  56. if (expectedStatus === undefined) {
  57. expectedStatus = [207];
  58. }
  59. if (!Array.isArray(expectedStatus)) {
  60. expectedStatus = [expectedStatus];
  61. }
  62. var deferred = $.Deferred();
  63. if(runCheck === false) {
  64. deferred.resolve([]);
  65. return deferred.promise();
  66. }
  67. var afterCall = function(xhr) {
  68. var messages = [];
  69. var customWellKnown = xhr.getResponseHeader('X-NEXTCLOUD-WELL-KNOWN')
  70. if (expectedStatus.indexOf(xhr.status) === -1 || (checkCustomHeader && !customWellKnown)) {
  71. var docUrl = placeholderUrl.replace('PLACEHOLDER', 'admin-setup-well-known-URL');
  72. messages.push({
  73. msg: t('core', 'Your web server is not properly set up to resolve "{url}". Further information can be found in the {linkstart}documentation ↗{linkend}.', { url: url })
  74. .replace('{linkstart}', '<a target="_blank" rel="noreferrer noopener" class="external" href="' + docUrl + '">')
  75. .replace('{linkend}', '</a>'),
  76. type: OC.SetupChecks.MESSAGE_TYPE_INFO
  77. });
  78. }
  79. deferred.resolve(messages);
  80. };
  81. $.ajax({
  82. type: verb,
  83. url: url,
  84. complete: afterCall,
  85. allowAuthErrors: true
  86. });
  87. return deferred.promise();
  88. },
  89. /**
  90. * Check whether the .well-known URLs works.
  91. *
  92. * @param url the URL to test
  93. * @param placeholderUrl the placeholder URL - can be found at OC.theme.docPlaceholderUrl
  94. * @param {boolean} runCheck if this is set to false the check is skipped and no error is returned
  95. *
  96. * @return $.Deferred object resolved with an array of error messages
  97. */
  98. checkProviderUrl: function(url, placeholderUrl, runCheck) {
  99. var expectedStatus = [200];
  100. var deferred = $.Deferred();
  101. if(runCheck === false) {
  102. deferred.resolve([]);
  103. return deferred.promise();
  104. }
  105. var afterCall = function(xhr) {
  106. var messages = [];
  107. if (expectedStatus.indexOf(xhr.status) === -1) {
  108. var docUrl = placeholderUrl.replace('PLACEHOLDER', 'admin-nginx');
  109. messages.push({
  110. msg: t('core', 'Your web server is not properly set up to resolve "{url}". This is most likely related to a web server configuration that was not updated to deliver this folder directly. Please compare your configuration against the shipped rewrite rules in ".htaccess" for Apache or the provided one in the documentation for Nginx at it\'s {linkstart}documentation page ↗{linkend}. On Nginx those are typically the lines starting with "location ~" that need an update.', { docLink: docUrl, url: url })
  111. .replace('{linkstart}', '<a target="_blank" rel="noreferrer noopener" class="external" href="' + docUrl + '">')
  112. .replace('{linkend}', '</a>'),
  113. type: OC.SetupChecks.MESSAGE_TYPE_WARNING
  114. });
  115. }
  116. deferred.resolve(messages);
  117. };
  118. $.ajax({
  119. type: 'GET',
  120. url: url,
  121. complete: afterCall,
  122. allowAuthErrors: true
  123. });
  124. return deferred.promise();
  125. },
  126. /**
  127. * Runs setup checks on the server side
  128. *
  129. * @return $.Deferred object resolved with an array of error messages
  130. */
  131. checkSetup: function() {
  132. var deferred = $.Deferred();
  133. var afterCall = function(data, statusText, xhr) {
  134. var messages = [];
  135. if (xhr.status === 200 && data) {
  136. if (window.location.protocol === 'https:' && data.reverseProxyGeneratedURL.split('/')[0] !== 'https:') {
  137. messages.push({
  138. msg: t('core', 'You are accessing your instance over a secure connection, however your instance is generating insecure URLs. This most likely means that you are behind a reverse proxy and the overwrite config variables are not set correctly. Please read {linkstart}the documentation page about this ↗{linkend}.')
  139. .replace('{linkstart}', '<a target="_blank" rel="noreferrer noopener" class="external" href="' + data.reverseProxyDocs + '">')
  140. .replace('{linkend}', '</a>'),
  141. type: OC.SetupChecks.MESSAGE_TYPE_WARNING
  142. })
  143. }
  144. if (Object.keys(data.generic).length > 0) {
  145. Object.keys(data.generic).forEach(function(key){
  146. Object.keys(data.generic[key]).forEach(function(title){
  147. if (data.generic[key][title].severity != 'success') {
  148. data.generic[key][title].pass = false;
  149. OC.SetupChecks.addGenericSetupCheck(data.generic[key], title, messages);
  150. }
  151. });
  152. });
  153. }
  154. } else {
  155. messages.push({
  156. msg: t('core', 'Error occurred while checking server setup'),
  157. type: OC.SetupChecks.MESSAGE_TYPE_ERROR
  158. });
  159. }
  160. deferred.resolve(messages);
  161. };
  162. $.ajax({
  163. type: 'GET',
  164. url: OC.generateUrl('settings/ajax/checksetup'),
  165. allowAuthErrors: true
  166. }).then(afterCall, afterCall);
  167. return deferred.promise();
  168. },
  169. escapeHTML: function(text) {
  170. return text.toString()
  171. .split('&').join('&amp;')
  172. .split('<').join('&lt;')
  173. .split('>').join('&gt;')
  174. .split('"').join('&quot;')
  175. .split('\'').join('&#039;')
  176. },
  177. /**
  178. * @param message The message string containing placeholders.
  179. * @param parameters An object with keys as placeholders and values as their replacements.
  180. *
  181. * @return The message with placeholders replaced by values.
  182. */
  183. richToParsed: function (message, parameters) {
  184. for (var [placeholder, parameter] of Object.entries(parameters)) {
  185. var replacement;
  186. if (parameter.type === 'user') {
  187. replacement = '@' + this.escapeHTML(parameter.name);
  188. } else if (parameter.type === 'file') {
  189. replacement = this.escapeHTML(parameter.path) || this.escapeHTML(parameter.name);
  190. } else if (parameter.type === 'highlight') {
  191. replacement = '<a href="' + encodeURI(parameter.link) + '">' + this.escapeHTML(parameter.name) + '</a>';
  192. } else {
  193. replacement = this.escapeHTML(parameter.name);
  194. }
  195. message = message.replace('{' + placeholder + '}', replacement);
  196. }
  197. return message;
  198. },
  199. addGenericSetupCheck: function(data, check, messages) {
  200. var setupCheck = data[check] || { pass: true, description: '', severity: 'info', linkToDoc: null}
  201. var type = OC.SetupChecks.MESSAGE_TYPE_INFO
  202. if (setupCheck.severity === 'warning') {
  203. type = OC.SetupChecks.MESSAGE_TYPE_WARNING
  204. } else if (setupCheck.severity === 'error') {
  205. type = OC.SetupChecks.MESSAGE_TYPE_ERROR
  206. }
  207. var message = setupCheck.description;
  208. if (message) {
  209. message = this.escapeHTML(message)
  210. }
  211. if (setupCheck.descriptionParameters) {
  212. message = this.richToParsed(message, setupCheck.descriptionParameters);
  213. }
  214. if (setupCheck.linkToDoc) {
  215. message += ' ' + t('core', 'For more details see the {linkstart}documentation ↗{linkend}.')
  216. .replace('{linkstart}', '<a target="_blank" rel="noreferrer noopener" class="external" href="' + setupCheck.linkToDoc + '">')
  217. .replace('{linkend}', '</a>');
  218. }
  219. if (setupCheck.elements) {
  220. message += '<br><ul>'
  221. setupCheck.elements.forEach(function(element){
  222. message += '<li>';
  223. message += element
  224. message += '</li>';
  225. });
  226. message += '</ul>'
  227. }
  228. if (!setupCheck.pass) {
  229. messages.push({
  230. msg: message,
  231. type: type,
  232. })
  233. }
  234. },
  235. /**
  236. * Runs generic checks on the server side, the difference to dedicated
  237. * methods is that we use the same XHR object for all checks to save
  238. * requests.
  239. *
  240. * @return $.Deferred object resolved with an array of error messages
  241. */
  242. checkGeneric: function() {
  243. var self = this;
  244. var deferred = $.Deferred();
  245. var afterCall = function(data, statusText, xhr) {
  246. var messages = [];
  247. messages = messages.concat(self._checkSecurityHeaders(xhr));
  248. messages = messages.concat(self._checkSSL(xhr));
  249. deferred.resolve(messages);
  250. };
  251. $.ajax({
  252. type: 'GET',
  253. url: OC.generateUrl('heartbeat'),
  254. allowAuthErrors: true
  255. }).then(afterCall, afterCall);
  256. return deferred.promise();
  257. },
  258. checkDataProtected: function() {
  259. var deferred = $.Deferred();
  260. if(oc_dataURL === false){
  261. return deferred.resolve([]);
  262. }
  263. var afterCall = function(xhr) {
  264. var messages = [];
  265. // .ocdata is an empty file in the data directory - if this is readable then the data dir is not protected
  266. if (xhr.status === 200 && xhr.responseText === '') {
  267. messages.push({
  268. msg: t('core', 'Your data directory and files are probably accessible from the internet. The .htaccess file is not working. It is strongly recommended that you configure your web server so that the data directory is no longer accessible, or move the data directory outside the web server document root.'),
  269. type: OC.SetupChecks.MESSAGE_TYPE_ERROR
  270. });
  271. }
  272. deferred.resolve(messages);
  273. };
  274. $.ajax({
  275. type: 'GET',
  276. url: OC.linkTo('', oc_dataURL+'/.ocdata?t=' + (new Date()).getTime()),
  277. complete: afterCall,
  278. allowAuthErrors: true
  279. });
  280. return deferred.promise();
  281. },
  282. /**
  283. * Runs check for some generic security headers on the server side
  284. *
  285. * @param {Object} xhr
  286. * @return {Array} Array with error messages
  287. */
  288. _checkSecurityHeaders: function(xhr) {
  289. var messages = [];
  290. if (xhr.status === 200) {
  291. var securityHeaders = {
  292. 'X-Content-Type-Options': ['nosniff'],
  293. 'X-Robots-Tag': ['noindex, nofollow'],
  294. 'X-Frame-Options': ['SAMEORIGIN', 'DENY'],
  295. 'X-Permitted-Cross-Domain-Policies': ['none'],
  296. };
  297. for (var header in securityHeaders) {
  298. var option = securityHeaders[header][0];
  299. if(!xhr.getResponseHeader(header) || xhr.getResponseHeader(header).replace(/, /, ',').toLowerCase() !== option.replace(/, /, ',').toLowerCase()) {
  300. var msg = t('core', 'The "{header}" HTTP header is not set to "{expected}". This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.', {header: header, expected: option});
  301. if(xhr.getResponseHeader(header) && securityHeaders[header].length > 1 && xhr.getResponseHeader(header).toLowerCase() === securityHeaders[header][1].toLowerCase()) {
  302. msg = t('core', 'The "{header}" HTTP header is not set to "{expected}". Some features might not work correctly, as it is recommended to adjust this setting accordingly.', {header: header, expected: option});
  303. }
  304. messages.push({
  305. msg: msg,
  306. type: OC.SetupChecks.MESSAGE_TYPE_WARNING
  307. });
  308. }
  309. }
  310. var xssfields = xhr.getResponseHeader('X-XSS-Protection') ? xhr.getResponseHeader('X-XSS-Protection').split(';').map(function(item) { return item.trim(); }) : [];
  311. if (xssfields.length === 0 || xssfields.indexOf('1') === -1 || xssfields.indexOf('mode=block') === -1) {
  312. messages.push({
  313. msg: t('core', 'The "{header}" HTTP header does not contain "{expected}". This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.',
  314. {
  315. header: 'X-XSS-Protection',
  316. expected: '1; mode=block'
  317. }),
  318. type: OC.SetupChecks.MESSAGE_TYPE_WARNING
  319. });
  320. }
  321. const referrerPolicy = xhr.getResponseHeader('Referrer-Policy')
  322. if (referrerPolicy === null || !/(no-referrer(-when-downgrade)?|strict-origin(-when-cross-origin)?|same-origin)(,|$)/.test(referrerPolicy)) {
  323. messages.push({
  324. msg: t('core', 'The "{header}" HTTP header is not set to "{val1}", "{val2}", "{val3}", "{val4}" or "{val5}". This can leak referer information. See the {linkstart}W3C Recommendation ↗{linkend}.',
  325. {
  326. header: 'Referrer-Policy',
  327. val1: 'no-referrer',
  328. val2: 'no-referrer-when-downgrade',
  329. val3: 'strict-origin',
  330. val4: 'strict-origin-when-cross-origin',
  331. val5: 'same-origin'
  332. })
  333. .replace('{linkstart}', '<a target="_blank" rel="noreferrer noopener" class="external" href="https://www.w3.org/TR/referrer-policy/">')
  334. .replace('{linkend}', '</a>'),
  335. type: OC.SetupChecks.MESSAGE_TYPE_INFO
  336. })
  337. }
  338. } else {
  339. messages.push({
  340. msg: t('core', 'Error occurred while checking server setup'),
  341. type: OC.SetupChecks.MESSAGE_TYPE_ERROR
  342. });
  343. }
  344. return messages;
  345. },
  346. /**
  347. * Runs check for some SSL configuration issues on the server side
  348. *
  349. * @param {Object} xhr
  350. * @return {Array} Array with error messages
  351. */
  352. _checkSSL: function(xhr) {
  353. var messages = [];
  354. if (xhr.status === 200) {
  355. var tipsUrl = OC.theme.docPlaceholderUrl.replace('PLACEHOLDER', 'admin-security');
  356. if(OC.getProtocol() === 'https') {
  357. // Extract the value of 'Strict-Transport-Security'
  358. var transportSecurityValidity = xhr.getResponseHeader('Strict-Transport-Security');
  359. if(transportSecurityValidity !== null && transportSecurityValidity.length > 8) {
  360. var firstComma = transportSecurityValidity.indexOf(";");
  361. if(firstComma !== -1) {
  362. transportSecurityValidity = transportSecurityValidity.substring(8, firstComma);
  363. } else {
  364. transportSecurityValidity = transportSecurityValidity.substring(8);
  365. }
  366. }
  367. var minimumSeconds = 15552000;
  368. if(isNaN(transportSecurityValidity) || transportSecurityValidity <= (minimumSeconds - 1)) {
  369. messages.push({
  370. msg: t('core', 'The "Strict-Transport-Security" HTTP header is not set to at least "{seconds}" seconds. For enhanced security, it is recommended to enable HSTS as described in the {linkstart}security tips ↗{linkend}.', {'seconds': minimumSeconds})
  371. .replace('{linkstart}', '<a target="_blank" rel="noreferrer noopener" class="external" href="' + tipsUrl + '">')
  372. .replace('{linkend}', '</a>'),
  373. type: OC.SetupChecks.MESSAGE_TYPE_WARNING
  374. });
  375. }
  376. } else if (!/(?:^(?:localhost|127\.0\.0\.1|::1)|\.onion)$/.exec(window.location.hostname)) {
  377. messages.push({
  378. msg: t('core', 'Accessing site insecurely via HTTP. You are strongly advised to set up your server to require HTTPS instead, as described in the {linkstart}security tips ↗{linkend}. Without it some important web functionality like "copy to clipboard" or "service workers" will not work!')
  379. .replace('{linkstart}', '<a target="_blank" rel="noreferrer noopener" class="external" href="' + tipsUrl + '">')
  380. .replace('{linkend}', '</a>'),
  381. type: OC.SetupChecks.MESSAGE_TYPE_ERROR
  382. });
  383. }
  384. } else {
  385. messages.push({
  386. msg: t('core', 'Error occurred while checking server setup'),
  387. type: OC.SetupChecks.MESSAGE_TYPE_ERROR
  388. });
  389. }
  390. return messages;
  391. }
  392. };
  393. })();