CryptPad v4.14.0

« Changelog History

CryptPad v4.14.0 Release Notes

• Goals

  🚀 Our main goal for this release was to follow up on some of the findings of the Intigriti bug bounty program that was sponsored by the European Commission. We also aimed to deploy some features that we want to have in place before the deployment of our upcoming 5.0 release and a corresponding update to our project site (cryptpad.org). You can read more about all of this in our latest blog post.

  ⚡️ Update notes

  💥 This release includes BREAKING CHANGES, especially if you have not configured your instance correctly. We advise that you read the following section carefully and follow its recommendations as closely as possible if you operate your own CryptPad instance.

  🚀 First, some review: CryptPad is designed to be deployed using two domains. One is the primary domain which users enter into their address bar, while the second is a "sandbox" that is loaded indirectly. Sensitive operations like cryptographic key management are performed in the scope of the primary domain, while the sandbox is used to load the majority of the platform's UI. If there is a vulnerability in the sandbox, it is at least limited in scope because of measures we've taken to prevent it from accessing user accounts' keys. We initially introduced this system nearly five years ago, it is described in our admin installation guide, and we've done our best to make sure admins are aware of its importance. Even so, only a small number of our admins follow our recommendations.

  Since we've tried every other option we could think of to inform administrators of the risks of storing sensitive data on a misconfigured CryptPad instance, we are now adopting a more drastic policy where correct behaviour is enforced in the code itself. What that means for admins is that if you fail to implement configuration parameters which we consider essential, then various parts of the codebase will detect this and refuse to operate.

  If your instance is configured correctly, then this shouldn't impact you at all. If you're worried that you might be impacted, then the best course of action is to update to 4.13.0 (the previous release, if you aren't already running it) and to follow its recommendation to review the checkup page and ensure that your instance passes its self-diagnostic tests. 4.14.0 introduces a large number of new tests, but those that were already present in 4.13.0 should identify the major issues that will prevent your instance from loading after the update.

  Now, a bit about the situations in which CryptPad will fail to load:

  • 🔧 if CryptPad is loaded via any origin that does not match its configured httpUnsafeOrigin, then it will abort.
    • hint: for cryptpad.fr, this value is https://cryptpad.fr
  • if CryptPad's sandbox does not correctly block the use of eval, then it will abort.
    • the use of eval is blocked by the recommended Content-Security-Policy headers. These strict headers are applied to most resources loaded from the sandbox origin.
    • hint: for cryptpad.fr the httpSafeOrigin is https://sandbox.cryptpad.info, while our NGINX sets $sandbox_domain to sandbox.cryptpad.info.
  • 🔒 if CryptPad is loaded in a browser that does not enforce Content-Security-Policy (such as Internet Explorer or any other browser using a non-compliant configuration) then it will abort.
  • if CryptPad is embedded within an iframe and you have not explicitly enabled embedding via the admin panel (more on that later) it will abort.
  • if any CryptPad application that requires special permissions (drive, calendar, sheet, doc, presentation) is loaded in an iframe then it will abort.

  🔋 The reasons for blocking embedding will be described in the Features section below, so keep reading if you're curious.

  ⚡️ We're also recommending a few more updates, but we don't expect that these will stop the service from loading:

  • NodeJS v12.14.0 (which we have recommended for some time) will be considered End-Of-Life as of April 30th.
    • We recommend updating to NodeJS v16.14.2 via NVM.
    • The API server will check the version of its runtime when it launches. It will print a warning to your server logs and set a public flag in /api/config indicating that it should be updated. There is a corresponding test on the checkup page which checks for the presence of this flag for admins that aren't in the habit of reviewing their logs.
  • ✅ The recommended NGINX config file also includes some minor changes. You can compare the current version (in cryptpad/docs/example.nginx.conf) against your live config with a diff tool. There are also new tests on the checkup page which will identify whether the newly changed headers have been correctly applied.
  • ⚡️ There are updates to our dependencies using both npm and bower.
  • 🔧 There are a number of new configuration parameters that can be customized via application_config.js. Some are optional. A number of other parameters, such as URLs for a privacy policy and terms of service, will be expected if your instance permits registration. The checkup page will display warnings if these are absent. Configuration via application_config.js is described in our docs.

  We've also made a number of changes and additions to the instance admin panel:

  • 👉 controls for archiving and restoring documents can now be found under User storage, rather General.
    • Both sections now include an optional "note" field, allowing admins to specify the reason why a document was archived/restored. This value will be included in the server's logs.
  • 🐎 the Performance tab now includes two new settings which permit admins to enable a new API endpoint (/api/profiling) which exposes some live performance data as JSON endpoint. If you don't know what this means you probably don't need it.
  • 👍 The admin support ticket panel now responds somewhat more quickly thanks to some sorting optimizations.
  • The General tab now includes three new fields (instance name, instance description, hosting location).
    • These are primarily intended for admins who have opted in to inclusion in the directory of public instances which we plan to deploy along with our next release.
    • In the future we hope to use these values on the home page as well, making it easier to customize your instance.

  ⚡️ To update from 4.13.0 to 4.14.0:

  ⚡️ 0. Before updating, review your instance's checkup page to see whether you have any unresolved issues

  1. Install NodeJS v16.14.2 ⚡️ 2. Update your systemd service file (or whatever method you use to launch CryptPad) to use the newer NodeJS version ⚡️ 3. Update your NGINX configuration file to match the provided example
  2. Stop your server ✅ 5. Get the latest code with git ⚡️ 6. Install the latest dependencies with bower update and npm i
  3. Restart your server ✅ 8. Confirm that your instance is passing all the tests included on the /checkup/ page (on whatever devices you intend to support)

  🔋 Features

  • 0️⃣ Embedding of CryptPad in iframes on third-party websites is now disabled by default because doing so prevents a number of possible attacks in cases of overly permissive HTTP headers.
    • CryptPad's editors will only load properly if the instance is explicitly configured via the admin panel to permit this behaviour.
    • Even where embedding is enabled, the properties, share, access, and insert menus are disabled. Attempts to use them cause a dialog to open which prompts users to open the current document/page in a dedicated tab/window.
    • The embed tab of the share menu (which generates code for embedding CryptPad documents in third-party sites) is only shown if the instance administrators have enabled embedding.
  • More information about the host instance is included in the About CryptPad dialog which can be opened via the account administration menu in the top-right corner of the screen.
    • specifically: it now displays the same configurable instance description which is displayed on the home page, as well as links to the instance's terms of service and source code (if they are available).
  • 👍 The support page has a number of new features:
    • A new tab is accessible via the left sidebar which displays a preview of the metadata which is included along with support tickets.
    • We revised the ticket categories which are listed in the dropdown menu. Users are prompted to choose a category. Once a category is chosen, more specific information is automatically requested with links to the relevant documentation.
  • The login page now features a reminder that administrators cannot reset passwords or recover accounts.
  • 🚚 Tracking parameters are automatically removed from the address bar after the page loads for cases where a third-party tool automatically added them.
  • Calendars in the sidebar of the calendar app are now sorted according to their title.
  • ✅ The checkup page features many new tests and improvements:
    • Errors are now sorted above warnings.
    • Errors and warnings are each sorted according to their test number.
    • In cases where multiple tests need to inspect the HTTP headers of a common resource, the resource is only requested once and subsequent requests access it from a cache, speeding up loading time and reducing network usage.
    • The Server header is displayed in the page summary if it is available.
    • The tests for CSP headers now describe the failures of each misconfigured CSP directive, rather than just the first one to fail.
    • Warnings are displayed for each of several important resources (privacy policy, terms of service, etc) when the instance allows registration but has not provided this information for new users.
    • Our test runner catches synchronously thrown errors and tries to display helpful messages.
    • Tests will time out after 25 seconds to ensure that the set of tests eventually completes.
    • A new script is executed before CryptPad's bootloader which should detect and handle bootloader errors such as missing dependencies or unreachable API endpoints.

  🐛 Bug fixes

  • 📜 The checkup page now handles and error that occurred when trying to parse CSP headers that were not provided (trying to parse null as a string).
  • The form app allowed authors to specify links (via markdown) in questions' descriptions and the form's submit message, but none of these links used CryptPad's typical link click handler. As a result these links failed to open.
  • Links specified on users' profile pages are opened via the bounce app, which warns users when a link will navigate outside CryptPad and blocks links which are clearly malicious in nature (trying to execute code).
  • 🛠 We discovered and fixed a deadlock that occurred in cases where users tried to download a folder that contained multiple Office documents.
  • The drive's history mode now displays the appropriate document id in the properties menu in cases where an earlier version of a document had a different id (due to a password change).
  • During development of a new feature we discovered that the server could respond to HTTP requests with stack traces in cases where the request triggered an error. These responses could contain information about the server's directory structure, so we now handle these errors and send the client a page indicating that there was an internal server error.
  • Attempting to convert office documents could mistakenly trigger two concurrent downloads of the client-side conversion engine. Now it is only downloaded once, so conversion should be roughly twice as fast for cases where the WebAssembly blob was not already cached.
  • A number of users reported various actions which could cause documents in their team drives to be duplicated. These duplicated entries are references to the same document as the original, not complete copies, so care should be taken not to use the destroy option when removing them from your drive. If a user accidentally destroys a document then it should be possible for an administrator to restore its content via the admin panel if the user can provide a safe link that they can find using the drive's history mode.

• All Versions
• Previous v4.13.0
• Next v4.14.1
• Latest Version