hedgedoc/lib/models, branch cindy Hedgedoc with support for CindyScript Sanitize username and photo URL 2021-05-09T17:28:44+00:00 David Mehren 2021-05-09T13:35:06+00:00 f552b14e11761a73237b3b3834827dde151b8b28 HedgeDoc displays the username and user photo at various places by rendering the respective variables into an `ejs` template. As the values are user-provided or generated from user-provided data, it may be possible to inject unwanted HTML. This commit sanitizes the username and photo URL by passing them through the `xss` library. Co-authored-by: Christoph (Sheogorath) Kern <sheogorath@shivering-isles.com> Signed-off-by: David Mehren <git@herrmehren.de> 
HedgeDoc displays the username and user photo at various places
by rendering the respective variables into an `ejs` template.
As the values are user-provided or generated from user-provided data,
it may be possible to inject unwanted HTML.

This commit sanitizes the username and photo URL by passing them
through the `xss` library.

Co-authored-by: Christoph (Sheogorath) Kern <sheogorath@shivering-isles.com>
Signed-off-by: David Mehren <git@herrmehren.de>
Remove unneeded polyfill 2021-04-26T15:05:20+00:00 Erik Michelson 2021-04-26T15:05:20+00:00 e54236d05715d952f030524df03b1d8c1f99e60e This polyfill was added because node versions less than 10.5.0 didn't include scrypt support. As we now raised the minimum required version to 12.0.0, this polyfill isn't needed anymore. Signed-off-by: Erik Michelson <opensource@erik.michelson.eu> 
This polyfill was added because node versions less than 10.5.0 didn't include scrypt support. As we now raised the minimum required version to 12.0.0, this polyfill isn't needed anymore.

Signed-off-by: Erik Michelson <opensource@erik.michelson.eu>
Fix Relative Path Traversal Attack on note creation 2021-04-25T18:40:17+00:00 Sheogorath 2021-03-22T23:02:30+00:00 44b7f607a542abc2f47ac141f2fd6cd1d34ed1c5 Impact --- An attacker can read arbitrary `.md` files from the server's filesystem due to an [improper input validation](https://cwe.mitre.org/data/definitions/20.html), which results in the ability to perform a [relative path traversal](https://cwe.mitre.org/data/definitions/23.html). CVSSv3 string: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N PoC / Quicktest --- To verify if you are affected, you can try to open the following URL: `http://localhost:3000/..%2F..%2FREADME#` (replace `http://localhost:3000` with your instance's base-URL e.g. `https://demo.hedgedoc.org/..%2F..%2FREADME#`). - If you see a README page being rendered, you run an affected version. Analysis --- The attack works due the fact that [the internal router, passes the url-encoded alias](https://github.com/hedgedoc/hedgedoc/blob/master/lib/web/note/router.js#L26) to the `noteController.showNote`-function. This function passes the input directly to [`findNote()`](https://github.com/hedgedoc/hedgedoc/blob/78a732abe691b496fa3692aa2add37f7344db1fa/lib/web/note/util.js#L10) utility function, that will pass it on the the [`parseNoteId()`](https://github.com/hedgedoc/hedgedoc/blob/78a732abe691b496fa3692aa2add37f7344db1fa/lib/models/note.js#L188-L258)-function, that tries to make sense out of the noteId/alias and check if a note already exists and if so, if a corresponding file on disk was updated. If no note exists the [note creation-function is called](https://github.com/hedgedoc/hedgedoc/blob/78a732abe691b496fa3692aa2add37f7344db1fa/lib/models/note.js#L240-L245), which pass this unvalidated alias, with a `.md` appended, into a [`path.join()`-function](https://github.com/hedgedoc/hedgedoc/blob/78a732abe691b496fa3692aa2add37f7344db1fa/lib/models/note.js#L99) which is read from the filesystem in the follow up routine and provides the pre-filled content of the new note. This allows an attacker to not only read arbitrary `.md` files from the filesystem, but also observes changes to them. The usefulness of this attack can be considered limited, since mainly markdown files are use the file-ending `.md` and all markdown files contained in the hedgedoc project, like the README, are public anyway. If other protections such as a chroot or container or proper file permissions are in place, this attack's usefulness is rather limited. Workarounds --- On a reverse-proxy level one can force a URL-decode, which will prevent this attack because the router will not accept such a path. For more information --- If you have any questions or comments about this advisory: * Open an topic on [our community forum](https://community.hedgedoc.org) * Join our [matrix room](https://chat.hedgedoc.org) Advisory link --- https://github.com/hedgedoc/hedgedoc/security/advisories/GHSA-p528-555r-pf87 Signed-off-by: Christoph (Sheogorath) Kern <sheogorath@shivering-isles.com> 
Impact
---

An attacker can read arbitrary `.md` files from the server's filesystem due to an [improper input validation](https://cwe.mitre.org/data/definitions/20.html), which results in the ability to perform a [relative path traversal](https://cwe.mitre.org/data/definitions/23.html).

CVSSv3 string: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

PoC / Quicktest
---

To verify if you are affected, you can try to open the following URL: `http://localhost:3000/..%2F..%2FREADME#` (replace `http://localhost:3000` with your instance's base-URL e.g. `https://demo.hedgedoc.org/..%2F..%2FREADME#`).
- If you see a README page being rendered, you run an affected version.

Analysis
---

The attack works due the fact that [the internal router, passes the url-encoded alias](https://github.com/hedgedoc/hedgedoc/blob/master/lib/web/note/router.js#L26) to the `noteController.showNote`-function. This function passes the input directly to [`findNote()`](https://github.com/hedgedoc/hedgedoc/blob/78a732abe691b496fa3692aa2add37f7344db1fa/lib/web/note/util.js#L10) utility function, that will pass it on the the [`parseNoteId()`](https://github.com/hedgedoc/hedgedoc/blob/78a732abe691b496fa3692aa2add37f7344db1fa/lib/models/note.js#L188-L258)-function, that tries to make sense out of the noteId/alias and check if a note already exists and if so, if a corresponding file on disk was updated.

If no note exists the [note creation-function is called](https://github.com/hedgedoc/hedgedoc/blob/78a732abe691b496fa3692aa2add37f7344db1fa/lib/models/note.js#L240-L245), which pass this unvalidated alias, with a `.md` appended, into a [`path.join()`-function](https://github.com/hedgedoc/hedgedoc/blob/78a732abe691b496fa3692aa2add37f7344db1fa/lib/models/note.js#L99) which is read from the filesystem in the follow up routine and provides the pre-filled content of the new note.

This allows an attacker to not only read arbitrary `.md` files from the filesystem, but also  observes changes to them.

The usefulness of this attack can be considered limited, since mainly markdown files are use the file-ending `.md` and all markdown files contained in the hedgedoc project, like the README, are public anyway. If other protections such as a chroot or container or proper file permissions are in place, this attack's usefulness is rather limited.

Workarounds
---
On a reverse-proxy level one can force a URL-decode, which will prevent this attack because the router will not accept such a path.

For more information
---

If you have any questions or comments about this advisory:
* Open an topic on [our community forum](https://community.hedgedoc.org)
* Join our [matrix room](https://chat.hedgedoc.org)

Advisory link
---

https://github.com/hedgedoc/hedgedoc/security/advisories/GHSA-p528-555r-pf87

Signed-off-by: Christoph (Sheogorath) Kern <sheogorath@shivering-isles.com>
Run database migrations automatically on startup 2021-02-27T20:33:05+00:00 David Mehren 2021-02-27T20:33:05+00:00 0db862f3c9318f3e214d6b09604760a9844dcfd5 This commit removes the need for separate migrations with the sequelize-cli by running them with umzug on application startup. This is a port of #384 Co-authored-by: Sheogorath <sheogorath@shivering-isles.com> Signed-off-by: David Mehren <git@herrmehren.de> 
This commit removes the need for separate migrations with the sequelize-cli
by running them with umzug on application startup.

This is a port of #384

Co-authored-by: Sheogorath <sheogorath@shivering-isles.com>
Signed-off-by: David Mehren <git@herrmehren.de>
Linter: Fix all lint errors 2021-02-15T11:15:14+00:00 Philip Molares 2021-02-15T08:42:51+00:00 136d895d155f28c2e75b3af206549acaa2a354ed Signed-off-by: Philip Molares <philip.molares@udo.edu> 
Signed-off-by: Philip Molares <philip.molares@udo.edu>
Fix note creation in FreeURL mode not using template 2021-02-01T23:38:54+00:00 Erik Michelson 2021-02-01T23:38:54+00:00 3808c08c2db3641b0928f6dc743feb3a31bcbf43 As explained in #391, the previous note creation logic didn't handle the case "alias is set, but it's not a file on disk". The fix introduces a separate if-statement for this scenario at the cost of a doubled filesystem read access. Co-Authored-By: @evanlinde Signed-off-by: Erik Michelson <github@erik.michelson.eu> 
As explained in #391, the previous note creation logic didn't handle the case "alias is set, but it's not a file on disk". The fix introduces a separate if-statement for this scenario at the cost of a doubled filesystem read access.

Co-Authored-By: @evanlinde
Signed-off-by: Erik Michelson <github@erik.michelson.eu>
Replace CodiMD with HedgeDoc 2020-11-14T20:18:36+00:00 Erik Michelson 2020-07-02T15:22:52+00:00 b28839484d120c04c5a06e7f8318650c78ab195b Signed-off-by: Erik Michelson <github@erik.michelson.eu> Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de> Rename to HedgeDoc: References in public/views Signed-off-by: David Mehren <git@herrmehren.de> Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de> Rename to HedgeDoc: Update links in README Signed-off-by: David Mehren <git@herrmehren.de> Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de> Rename to HedgeDoc: Update links in SECURITY.md Signed-off-by: David Mehren <git@herrmehren.de> Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de> Rename to HedgeDoc: Update links in LICENSE Signed-off-by: David Mehren <git@herrmehren.de> Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de> Rename to HedgeDoc: Update links in docs/configuration.md Signed-off-by: David Mehren <git@herrmehren.de> Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de> Rename to HedgeDoc: Update links in bin/setup Signed-off-by: David Mehren <git@herrmehren.de> Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de> Rename to HedgeDoc: References in docs/guides Signed-off-by: David Mehren <git@herrmehren.de> Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de> Rename to HedgeDoc: References in docs/dev Signed-off-by: David Mehren <git@herrmehren.de> Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de> Rename to HedgeDoc: References in docs/guides/auth Signed-off-by: David Mehren <git@herrmehren.de> Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de> Rename to HedgeDoc: References in docs/setup Signed-off-by: David Mehren <git@herrmehren.de> Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de> Rename to HedgeDoc: Update various links in code to the new GitHub org. Signed-off-by: David Mehren <git@herrmehren.de> Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de> Rename to HedgeDoc: codiMDVersion.js is now hedgeDocVersion.js Signed-off-by: David Mehren <git@herrmehren.de> Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de> Rename to HedgeDoc: References in docs/setup/yunohost Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de> Rebrand to HedgeDoc: Add banner and logo Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de> Rename to HedgeDoc: Update links in docs/guides/migrate-etherpad Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de> Rename to HedgeDoc: Remove note in docs/guides/auth/github Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de> Rename to HedgeDoc: Replace links in public/docs/features Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de> Rename to HedgeDoc: Add todo placeholder in docs/history Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de> Rename to HedgeDoc: Replace github link in public/views/index/body Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de> Rename to HedgeDoc: Replace github link in README Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de> Rename to HedgeDoc: Add logo to README Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de> Rename to HedgeDoc: Add note about the renaming to the front page Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de> Removed Travis from README.md and change CodiMD to HedgeDoc in some places Signed-off-by: Yannick Bungers <git@innay.de> Some more renaming to HedgeDoc - Fixed capitalization of HedgeDoc - Added renaming for etherpad migration doc Signed-off-by: Yannick Bungers <git@innay.de> Changed Repo name to hedgedoc Signed-off-by: Yannick Bungers <git@innay.de> 
Signed-off-by: Erik Michelson <github@erik.michelson.eu>
Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>

Rename to HedgeDoc: References in public/views

Signed-off-by: David Mehren <git@herrmehren.de>
Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>

Rename to HedgeDoc: Update links in README

Signed-off-by: David Mehren <git@herrmehren.de>
Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>

Rename to HedgeDoc: Update links in SECURITY.md

Signed-off-by: David Mehren <git@herrmehren.de>
Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>

Rename to HedgeDoc: Update links in LICENSE

Signed-off-by: David Mehren <git@herrmehren.de>
Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>

Rename to HedgeDoc: Update links in docs/configuration.md

Signed-off-by: David Mehren <git@herrmehren.de>
Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>

Rename to HedgeDoc: Update links in bin/setup

Signed-off-by: David Mehren <git@herrmehren.de>
Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>

Rename to HedgeDoc: References in docs/guides

Signed-off-by: David Mehren <git@herrmehren.de>
Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>

Rename to HedgeDoc: References in docs/dev

Signed-off-by: David Mehren <git@herrmehren.de>
Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>

Rename to HedgeDoc: References in docs/guides/auth

Signed-off-by: David Mehren <git@herrmehren.de>
Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>

Rename to HedgeDoc: References in docs/setup

Signed-off-by: David Mehren <git@herrmehren.de>
Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>

Rename to HedgeDoc: Update various links in code to the new GitHub org.

Signed-off-by: David Mehren <git@herrmehren.de>
Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>

Rename to HedgeDoc: codiMDVersion.js is now hedgeDocVersion.js

Signed-off-by: David Mehren <git@herrmehren.de>
Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>

Rename to HedgeDoc: References in docs/setup/yunohost

Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>

Rebrand to HedgeDoc: Add banner and logo

Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>

Rename to HedgeDoc: Update links in docs/guides/migrate-etherpad

Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>

Rename to HedgeDoc: Remove note in docs/guides/auth/github

Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>

Rename to HedgeDoc: Replace links in public/docs/features

Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>

Rename to HedgeDoc: Add todo placeholder in docs/history

Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>

Rename to HedgeDoc: Replace github link in public/views/index/body

Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>

Rename to HedgeDoc: Replace github link in README

Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>

Rename to HedgeDoc: Add logo to README

Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>

Rename to HedgeDoc: Add note about the renaming to the front page

Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>

Removed Travis from README.md and change CodiMD to HedgeDoc in some places

Signed-off-by: Yannick Bungers <git@innay.de>

Some more renaming to HedgeDoc
- Fixed capitalization of HedgeDoc
- Added renaming for etherpad migration doc

Signed-off-by: Yannick Bungers <git@innay.de>

Changed Repo name to hedgedoc

Signed-off-by: Yannick Bungers <git@innay.de>
Fixed meta parsing of lang-attribute for using it in the published-view 2020-07-04T01:37:19+00:00 Erik Michelson 2020-07-04T01:37:19+00:00 e4214f32a043acf186b91126a7f9e5f5ab1e4b14 Signed-off-by: Erik Michelson <github@erik.michelson.eu> 
Signed-off-by: Erik Michelson <github@erik.michelson.eu>
Added customizable og-metadata to notes 2019-10-04T17:49:45+00:00 Erik Michelson 2019-10-04T17:49:45+00:00 2881f8211aaaa2def3f3cedabf635f03733ac82e Signed-off-by: Erik Michelson <erik@liltv.de> 
Signed-off-by: Erik Michelson <erik@liltv.de>
fix: upgrade sequelize to latest version to fix CVE 2019-06-10T22:41:50+00:00 BoHong Li 2019-04-12T04:05:32+00:00 63c96e7359fff1cbb6198ac0d684cff0cc675667 Signed-off-by: BoHong Li <a60814billy@gmail.com> 
Signed-off-by: BoHong Li <a60814billy@gmail.com>