
Overview
ONLYOFFICE Desktop Editors is a cross-platform office suite that utilizes a native C++ core wrapped in a web-based interface. It operates under the AGPL v3 license, providing offline capabilities for DOCX, XLSX, and PPTX formats while offering optional cloud integration. This audit examines the source code—specifically the networking, file system, and cryptographic utility modules—to verify data handling, security posture, and privacy claims.
Privacy & Security Audit
This audit is based on the analysis of the following source code files (FileTransporter_private.cpp, SystemUtils.cpp, Base64.cpp, Directory.cpp, Path.cpp, File.cpp).
Telemetry & Network Control
The application includes a programmable mechanism to completely disable network activity, ensuring suitability for air-gapped environments.
- **Technical Evidence (Network Kill Switch):** The file `FileTransporter_private.h` defines the thread execution logic. Before initiating any connection, it checks an environment variable.

```cpp
// FileTransporter_private.h
bool bIsCanUseNetwork = true;
if (NSProcessEnv::IsPresent(NSProcessEnv::Converter::gc_allowNetworkRequest))
    bIsCanUseNetwork = NSProcessEnv::GetBoolValue(NSProcessEnv::Converter::gc_allowNetworkRequest);
if (bIsCanUseNetwork) {
    // Perform network operation
}
```

Finding: The presence of `gc_allowNetworkRequest` allows administrators to force the application into a strictly offline mode by toggling an environment variable, effectively neutralizing telemetry or update checks.
- **Network Implementation & Fallback:** The primary download mechanism uses the Windows `WinINet` API. However, a fallback mechanism exists which invokes PowerShell.

```cpp
// FileTransporter_private.cpp
// Fallback to PowerShell if standard download fails
std::wstring sApp = L"powershell.exe -c \"(new-object System.Net.WebClient).DownloadFile('" + sFileURL + L"','" + sFileDst + L"')\"";
CreateProcessW(NULL, pCommandLine, ...);
```

Finding: While the code attempts to sanitize input via `EscapeQuotesPS`, relying on `CreateProcessW` to spawn a shell for downloads is a significant security surface. It ensures download reliability in restricted networks but increases the risk of command injection if URL sanitization fails.
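The defensive pattern the finding calls for, as an added example and not ONLYOFFICE code: the URL is checked against a character allowlist before any command string exists, and single quotes are escaped the way PowerShell single-quoted literals require (doubling). Function names are hypothetical and `EscapeQuotesPS` from the project is not reproduced here.

```cpp
#include <cctype>
#include <string>

// Characters accepted in a download URL: RFC 3986 unreserved and reserved
// characters, minus quotes, whitespace, backtick and backslash, which are the
// ones that could break out of the quoted PowerShell literal.
static bool isAllowedUrlChar(unsigned char c) {
    if (std::isalnum(c)) return true;
    static const std::string kExtra = "-._~:/?#[]@!$&()*+,;=%";
    return kExtra.find(static_cast<char>(c)) != std::string::npos;
}

// Accepts only http(s) URLs consisting solely of allowed characters.
bool isSafeDownloadUrl(const std::string& url) {
    if (url.rfind("http://", 0) != 0 && url.rfind("https://", 0) != 0) return false;
    for (unsigned char c : url) {
        if (!isAllowedUrlChar(c)) return false;
    }
    return true;
}

// Inside a PowerShell single-quoted literal the only special character is the
// single quote itself, which is escaped by doubling it.
std::string escapeForPsSingleQuotes(const std::string& s) {
    std::string out;
    for (char c : s) {
        if (c == '\'') out += "''"; else out += c;
    }
    return out;
}

// Builds the fallback command only after the URL passes validation; returns an
// empty string (so the caller spawns nothing) when it does not.
std::string buildFallbackCommand(const std::string& url, const std::string& dst) {
    if (!isSafeDownloadUrl(url)) return "";
    return "powershell.exe -c \"(new-object System.Net.WebClient).DownloadFile('" +
           escapeForPsSingleQuotes(url) + "','" + escapeForPsSingleQuotes(dst) + "')\"";
}
```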
Cryptography
The application relies on standard encoding schemes to handle encrypted data structures internally.
- **Technical Evidence (Base64 Implementation):** The `Base64.cpp` file implements a manual, dependency-free encoding algorithm using lookup tables.

```cpp
// Base64.cpp
static const char s_chBase64EncodingTable[64] = {
    'A', 'B', 'C', ... 'Z', 'a', 'b', ... 'z', '0', ... '9', '+', '/'
};
```

Finding: The manual implementation of Base64 (and Base32) confirms the application can process the binary blobs resulting from AES encryption (found in password-protected files) without relying on external crypto libraries for the encoding step.
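A complete table-driven encoder of the kind the snippet above elides, paired with a strict decoder, as an added example that is not the project's code: the decoder rejects wrong lengths, non-alphabet characters and misplaced padding rather than skipping them, which is the behaviour a parser of encrypted-file blobs should have. Function names are hypothetical.

```cpp
#include <cstdint>
#include <cstring>
#include <string>

// Full 64-entry alphabet that the audited snippet elides.
static const char kTable[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

// Three input bytes become four symbols; a trailing one- or two-byte group is padded with '='.
std::string base64Encode(const std::string& in) {
    std::string out;
    size_t i = 0;
    for (; i + 2 < in.size(); i += 3) {
        uint32_t v = ((unsigned char)in[i] << 16) | ((unsigned char)in[i + 1] << 8) | (unsigned char)in[i + 2];
        out += kTable[(v >> 18) & 63]; out += kTable[(v >> 12) & 63];
        out += kTable[(v >> 6) & 63];  out += kTable[v & 63];
    }
    size_t rem = in.size() - i;
    if (rem > 0) {
        uint32_t v = (unsigned char)in[i] << 16;
        if (rem == 2) v |= (unsigned char)in[i + 1] << 8;
        out += kTable[(v >> 18) & 63]; out += kTable[(v >> 12) & 63];
        out += (rem == 2) ? kTable[(v >> 6) & 63] : '=';
        out += '=';
    }
    return out;
}

// Strict decoder: returns false on bad length, non-alphabet characters or misplaced padding.
bool base64Decode(const std::string& in, std::string& out) {
    out.clear();
    if (in.size() % 4 != 0) return false;
    for (size_t i = 0; i < in.size(); i += 4) {
        uint32_t v = 0; int pad = 0;
        for (int k = 0; k < 4; ++k) {
            char c = in[i + k];
            if (c == '=') {  // padding only in the last two positions of the last group
                if (i + 4 != in.size() || k < 2) return false;
                ++pad; v <<= 6; continue;
            }
            if (pad) return false;  // data after padding
            const char* p = std::strchr(kTable, c);
            if (c == '\0' || !p) return false;
            v = (v << 6) | (uint32_t)(p - kTable);
        }
        out += (char)((v >> 16) & 255);
        if (pad < 2) out += (char)((v >> 8) & 255);
        if (pad < 1) out += (char)(v & 255);
    }
    return true;
}

// Bytes on success, empty string on rejection (for callers that need one value).
std::string base64DecodeOrEmpty(const std::string& in) {
    std::string out;
    return base64Decode(in, out) ? out : std::string();
}
```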
File System Security
The Directory.cpp and Path.cpp modules enforce security boundaries to prevent unauthorized file access.
- **Technical Evidence (Hidden File Exclusion):** On Linux/macOS, the file scanner explicitly skips hidden directories.

```cpp
// Directory.cpp
if(dirp->d_name[0] != '.')
{
    // Process file
}
```

Finding: This prevents the application from inadvertently scanning system configuration folders (like `.ssh` or `.config`), limiting data access to user-visible files.
- **Technical Evidence (Path Traversal Protection):** The `Path.cpp` module contains a custom path normalizer to resolve `..` sequences.

```cpp
// Path.cpp
if (pData[nStart] == (CHAR)'.' && pData[nStart + 1] == (CHAR)'.')
{
    if (nCurrentSlash > 0)
    {
        --nCurrentSlash; // Move back one directory
        nCurrentW = pSlashPoints[nCurrentSlash];
    }
}
```

Finding: By tracking directory slashes and adjusting the write pointer backward when encountering `..`, the code prevents path traversal attacks that could escape the intended working directory.
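The same normalization in segment-stack form, as an added example that is not the project's code, going slightly beyond the snippet: `.` and repeated separators are collapsed, a `..` with nothing left to pop is clamped at the root, and a separate containment check confirms the normalized result still lies under the base directory. POSIX-style paths are assumed and the function names are hypothetical.

```cpp
#include <string>
#include <vector>

// Collapses "." and ".." segments the way a slash-tracking normalizer does:
// ".." discards the previous segment, and a ".." with nothing left to discard
// is dropped (clamped at the root) instead of leaking above it. Both '/' and
// '\\' are treated as separators; drive letters are out of scope here.
std::string normalizePath(const std::string& path) {
    std::vector<std::string> segments;
    std::string current;
    const bool absolute = !path.empty() && (path[0] == '/' || path[0] == '\\');
    auto flush = [&]() {
        if (current == "..") {
            if (!segments.empty()) segments.pop_back();
        } else if (!current.empty() && current != ".") {
            segments.push_back(current);
        }
        current.clear();
    };
    for (char c : path) {
        if (c == '/' || c == '\\') flush(); else current += c;
    }
    flush();
    std::string out = absolute ? "/" : "";
    for (size_t i = 0; i < segments.size(); ++i) {
        if (i) out += '/';
        out += segments[i];
    }
    return out.empty() ? std::string(".") : out;
}

// Normalizing alone is not a boundary: the check a caller needs is that the
// joined, normalized path is the base directory itself or lies beneath it.
bool isWithinBase(const std::string& base, const std::string& candidate) {
    const std::string nb = normalizePath(base);
    const std::string full = normalizePath(base + "/" + candidate);
    const std::string prefix = (nb == "/") ? nb : nb + "/";
    return full == nb || full.compare(0, prefix.size(), prefix) == 0;
}
```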
- **Technical Evidence (Secure Temp Files):** The `File.cpp` module uses OS-secure APIs for temporary files.

```cpp
// File.cpp (Linux)
int res = mkstemp(pcRes); // Creates file with mode 0600
```

Finding: The use of `mkstemp` (Unix) and `GetTempFileNameW` (Windows) ensures temporary files are created with restrictive permissions, preventing other local users from reading sensitive document fragments.
Source Code & Auditing
- License: All provided modules are licensed under AGPL v3, ensuring the source remains open for independent verification.
- Data Storage: `SystemUtils.cpp` confirms that configuration data is stored in standard OS locations (`%LOCALAPPDATA%` on Windows, `~/.local/share` on Linux), respecting multi-user isolation.
Usability
The application uses standard XDG and Windows Shell APIs to determine user directories, ensuring files are saved where users expect them. The modular design separates networking (NSNetwork) from file I/O (NSFile), making the codebase maintainable and auditable.
Pros & Cons
Pros:
- Offline Capability: The `gc_allowNetworkRequest` toggle provides a definitive method to block all internet traffic.
- Local Processing: Core file operations (encoding, path normalization) happen locally via native C++.
- Security Boundaries: Explicit exclusion of hidden files and path normalization prevent basic system access exploits.
Cons:
- PowerShell Fallback: Using `powershell.exe` to download files is a high-risk strategy that increases the attack surface for command injection.
- Legacy User Agent: The network client identifies itself as “MSIE 5.0”, which can bypass security filters but amounts to a form of obfuscation.
Verdict
ONLYOFFICE Desktop Editors provides a robust local editing environment. The source code audit confirms strong file system isolation and the availability of a network kill-switch for privacy. However, the reliance on a PowerShell fallback for downloads represents a notable security trade-off for reliability. For privacy-focused users, deploying the application with the gc_allowNetworkRequest environment variable disabled is the recommended configuration.