hedgedoc/lib/web/imageRouter, branch cindy Hedgedoc with support for CindyScript ImageRouterImgur: Replace imgur library with note-fetch request 2021-04-22T19:23:27+00:00 Philip Molares 2021-04-19T10:31:14+00:00 f34d927e8cec45cf65ccee3197b46f4482b2b273 This kinda is a backport of https://github.com/hedgedoc/hedgedoc/pull/961 Signed-off-by: Philip Molares <philip.molares@udo.edu> 
This kinda is a backport of https://github.com/hedgedoc/hedgedoc/pull/961

Signed-off-by: Philip Molares <philip.molares@udo.edu>
ImageUpload: Fix errors with .jpeg and .svg 2021-03-29T20:38:42+00:00 Philip Molares 2021-03-28T20:37:01+00:00 5dbe99b4c7b8e136ebc6f05b6b618f044bfd4358 This checks all files that claim to be an svg (by their extension) that they really are and defines the typeFromMagic accordingly Files that got identified as jpg, but have the extension .jpeg get their extension fixed. The files extensions will work in all cases now. Signed-off-by: Philip Molares <philip.molares@udo.edu> 
This checks all files that claim to be an svg (by their extension) that they really are and defines the typeFromMagic accordingly
Files that got identified as jpg, but have the extension .jpeg get their extension fixed.
The files extensions will work in all cases now.

Signed-off-by: Philip Molares <philip.molares@udo.edu>
Linter: Fix all lint errors 2021-02-15T11:15:14+00:00 Philip Molares 2021-02-15T08:42:51+00:00 136d895d155f28c2e75b3af206549acaa2a354ed Signed-off-by: Philip Molares <philip.molares@udo.edu> 
Signed-off-by: Philip Molares <philip.molares@udo.edu>
Switch to minio v7 API 2021-02-12T22:11:37+00:00 David Mehren 2021-02-12T22:09:38+00:00 252141560f8ffcf88f18347f2161b5f3c78ffe12 The secure parameter is now called useSSL https://github.com/minio/minio-js/releases/tag/7.0.0 Signed-off-by: David Mehren <git@herrmehren.de> 
The secure parameter is now called useSSL
https://github.com/minio/minio-js/releases/tag/7.0.0

Signed-off-by: David Mehren <git@herrmehren.de>
Always save uploads to a tmpdir first and cleanup afterwards 2020-12-27T18:51:14+00:00 David Mehren 2020-12-27T14:52:26+00:00 6932cc4df7e0c2826e47b2d9ca2f0031f75b1b58 This makes sure no unintended files are permanently saved. Co-authored-by: Yannick Bungers <git@innay.de> Signed-off-by: David Mehren <git@herrmehren.de> 
This makes sure no unintended files are permanently saved.

Co-authored-by: Yannick Bungers <git@innay.de>
Signed-off-by: David Mehren <git@herrmehren.de>
Improve MIME-type checks of uploaded files 2020-12-27T18:51:12+00:00 David Mehren 2020-12-27T10:31:01+00:00 cf4344d9e031d2e0bf70b8d8f75ab27ecf8d29ad This commit adds a check if the MIME-type of the uploaded file (detected using the magic bytes) matches the file extension. Signed-off-by: David Mehren <git@herrmehren.de> 
This commit adds a check if the MIME-type of the uploaded file (detected using the magic bytes) matches the file extension.

Signed-off-by: David Mehren <git@herrmehren.de>
Rework error messages for image uploads 2020-12-27T18:51:02+00:00 Sheogorath 2020-11-23T12:59:50+00:00 f83e4d66ed2b6a7f7f8939e2eb63d262387e9374 This patch reworks the error messages for image uploads to make more sense. Instead of using the current `formidable error` for everything, all custom error detection now provide the (hopefully) more useful `Image Upload error` prefix for error messages. Signed-off-by: Christoph Kern <sheogorath@shivering-isles.com> 
This patch reworks the error messages for image uploads to make more
sense.

Instead of using the current `formidable error` for everything, all
custom error detection now provide the (hopefully) more useful `Image
Upload error` prefix for error messages.

Signed-off-by: Christoph Kern <sheogorath@shivering-isles.com>
Fix unauthenticated file uploads 2020-12-27T18:51:01+00:00 Sheogorath 2020-11-23T11:50:39+00:00 d097211c545118ac13626e1b0a01390b08880ad7 This patch fixes the issue of unauthenticated users, being able to upload files, even when anonymous edits are disabled. It's implemented by blocking uploads when either `allowAnonymous` is set to `false` for all unauthenticated users, unless `allowAnonymousEdits` is set to true, to make sure anonymous editors still experience the full feature set. Signed-off-by: Christoph Kern <sheogorath@shivering-isles.com> 
This patch fixes the issue of unauthenticated users, being able to
upload files, even when anonymous edits are disabled.

It's implemented by blocking uploads when either `allowAnonymous` is set
to `false` for all unauthenticated users, unless `allowAnonymousEdits`
is set to true, to make sure anonymous editors still experience the full
feature set.

Signed-off-by: Christoph Kern <sheogorath@shivering-isles.com>
Fix arbitary file upload for uploadimage API endpoint 2020-12-27T18:51:01+00:00 Sheogorath 2020-11-23T11:42:19+00:00 dc29a286e665555cccb92760908e50cd967fd2e7 This patch fixes a security issue with all existing CodiMD and HedgeDoc installation which allows arbitary file uploads to instances that expose the `/uploadimage` API endpoint. With the patch it implies the same restrictions on the MIME-types as the frontend does. Means only images are allowed unless configured differently. This issue was reported by Thomas Lambertz. To verify if you are vulnerable or not, create two files `test.html` and `test.png` and try to upload them to your hedgedoc installation. ``` curl -X POST -F "image=@$(pwd)/test.html" http://localhost:3000/uploadimage curl -X POST -F "image=@$(pwd)/test.png" http://localhost:3000/uploadimage ``` Note: Not all backends are affected. Imgur and lutim should prevent this by their own upload API. But S3, minio, filesystem and azure, will be at risk. Addition Note: When using filesystem instead of an external uploads providers, there is a higher risk of code injections as the default CSP do not block JS from the main domain. References: https://github.com/hedgedoc/hedgedoc/security/advisories/GHSA-wcr3-xhv7-8gxc Signed-off-by: Christoph Kern <sheogorath@shivering-isles.com> 
This patch fixes a security issue with all existing CodiMD and HedgeDoc
installation which allows arbitary file uploads to instances that expose
the `/uploadimage` API endpoint. With the patch it implies the same
restrictions on the MIME-types as the frontend does. Means only images
are allowed unless configured differently.

This issue was reported by Thomas Lambertz.

To verify if you are vulnerable or not, create two files `test.html` and
`test.png` and try to upload them to your hedgedoc installation.

```
curl -X POST -F "image=@$(pwd)/test.html" http://localhost:3000/uploadimage
curl -X POST -F "image=@$(pwd)/test.png" http://localhost:3000/uploadimage
```

Note: Not all backends are affected. Imgur and lutim should prevent this
by their own upload API. But S3, minio, filesystem and azure, will be at
risk.

Addition Note: When using filesystem instead of an external uploads
providers, there is a higher risk of code injections as the default CSP
do not block JS from the main domain.

References:
https://github.com/hedgedoc/hedgedoc/security/advisories/GHSA-wcr3-xhv7-8gxc

Signed-off-by: Christoph Kern <sheogorath@shivering-isles.com>
Merge pull request #213 from davidmehren/refactor_backend_notes 2019-11-20T19:07:35+00:00 Sheogorath 2019-11-20T19:07:35+00:00 689f5a0a9583fdd774a271a9e6265ee5356d72a0 First steps in refactoring the backend code 
First steps in refactoring the backend code