hedgedoc/lib, branch cindy Hedgedoc with support for CindyScript Sanitize username and photo URL 2021-05-09T17:28:44+00:00 David Mehren 2021-05-09T13:35:06+00:00 f552b14e11761a73237b3b3834827dde151b8b28 HedgeDoc displays the username and user photo at various places by rendering the respective variables into an `ejs` template. As the values are user-provided or generated from user-provided data, it may be possible to inject unwanted HTML. This commit sanitizes the username and photo URL by passing them through the `xss` library. Co-authored-by: Christoph (Sheogorath) Kern <sheogorath@shivering-isles.com> Signed-off-by: David Mehren <git@herrmehren.de> 
HedgeDoc displays the username and user photo at various places
by rendering the respective variables into an `ejs` template.
As the values are user-provided or generated from user-provided data,
it may be possible to inject unwanted HTML.

This commit sanitizes the username and photo URL by passing them
through the `xss` library.

Co-authored-by: Christoph (Sheogorath) Kern <sheogorath@shivering-isles.com>
Signed-off-by: David Mehren <git@herrmehren.de>
Automatically enable protocolUseSSL when useSSL is set 2021-05-06T19:19:14+00:00 David Mehren 2021-05-04T09:51:06+00:00 aece96f53909c3945b66b1f2f726b07b5fb6489f This makes the behavior consistent with the docs and saves the user from having to both set `useSSL` and `protocolUseSSL`. Signed-off-by: David Mehren <git@herrmehren.de> 
 This makes the behavior consistent with the docs and
 saves the user from having to both set
 `useSSL` and `protocolUseSSL`.

Signed-off-by: David Mehren <git@herrmehren.de>
Fix upgradeInsecureRequests CSP directive 2021-05-04T09:10:53+00:00 David Mehren 2021-05-04T09:10:53+00:00 0b61f48129e666eed4c34dbbf759ab0013153022 The `upgradeInsecureRequests` option of Helmets CSP middleware was a boolean in Helmet 3, but with Helmet 4, everything changed to lists. This commit adjusts the addUpgradeUnsafeRequestsOptionTo function accordingly. Closes #1221 See also https://github.com/helmetjs/helmet/tree/v4.6.0/middlewares/content-security-policy Signed-off-by: David Mehren <git@herrmehren.de> 
The `upgradeInsecureRequests` option of Helmets CSP middleware
was a boolean in Helmet 3, but with Helmet 4,
everything changed to lists.
This commit adjusts the addUpgradeUnsafeRequestsOptionTo
function accordingly.

Closes #1221

See also https://github.com/helmetjs/helmet/tree/v4.6.0/middlewares/content-security-policy

Signed-off-by: David Mehren <git@herrmehren.de>
Remove unneeded polyfill 2021-04-26T15:05:20+00:00 Erik Michelson 2021-04-26T15:05:20+00:00 e54236d05715d952f030524df03b1d8c1f99e60e This polyfill was added because node versions less than 10.5.0 didn't include scrypt support. As we now raised the minimum required version to 12.0.0, this polyfill isn't needed anymore. Signed-off-by: Erik Michelson <opensource@erik.michelson.eu> 
This polyfill was added because node versions less than 10.5.0 didn't include scrypt support. As we now raised the minimum required version to 12.0.0, this polyfill isn't needed anymore.

Signed-off-by: Erik Michelson <opensource@erik.michelson.eu>
Merge pull request from GHSA-p528-555r-pf87 2021-04-25T19:28:18+00:00 David Mehren 2021-04-25T19:28:18+00:00 59f669e593bd408a9b5540a8002d7392d31849c4 Fix Relative Path Traversal Attack on note creation 
Fix Relative Path Traversal Attack on note creation
 Fix Relative Path Traversal Attack on note creation 2021-04-25T18:40:17+00:00 Sheogorath 2021-03-22T23:02:30+00:00 44b7f607a542abc2f47ac141f2fd6cd1d34ed1c5 Impact --- An attacker can read arbitrary `.md` files from the server's filesystem due to an [improper input validation](https://cwe.mitre.org/data/definitions/20.html), which results in the ability to perform a [relative path traversal](https://cwe.mitre.org/data/definitions/23.html). CVSSv3 string: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N PoC / Quicktest --- To verify if you are affected, you can try to open the following URL: `http://localhost:3000/..%2F..%2FREADME#` (replace `http://localhost:3000` with your instance's base-URL e.g. `https://demo.hedgedoc.org/..%2F..%2FREADME#`). - If you see a README page being rendered, you run an affected version. Analysis --- The attack works due the fact that [the internal router, passes the url-encoded alias](https://github.com/hedgedoc/hedgedoc/blob/master/lib/web/note/router.js#L26) to the `noteController.showNote`-function. This function passes the input directly to [`findNote()`](https://github.com/hedgedoc/hedgedoc/blob/78a732abe691b496fa3692aa2add37f7344db1fa/lib/web/note/util.js#L10) utility function, that will pass it on the the [`parseNoteId()`](https://github.com/hedgedoc/hedgedoc/blob/78a732abe691b496fa3692aa2add37f7344db1fa/lib/models/note.js#L188-L258)-function, that tries to make sense out of the noteId/alias and check if a note already exists and if so, if a corresponding file on disk was updated. If no note exists the [note creation-function is called](https://github.com/hedgedoc/hedgedoc/blob/78a732abe691b496fa3692aa2add37f7344db1fa/lib/models/note.js#L240-L245), which pass this unvalidated alias, with a `.md` appended, into a [`path.join()`-function](https://github.com/hedgedoc/hedgedoc/blob/78a732abe691b496fa3692aa2add37f7344db1fa/lib/models/note.js#L99) which is read from the filesystem in the follow up routine and provides the pre-filled content of the new note. This allows an attacker to not only read arbitrary `.md` files from the filesystem, but also observes changes to them. The usefulness of this attack can be considered limited, since mainly markdown files are use the file-ending `.md` and all markdown files contained in the hedgedoc project, like the README, are public anyway. If other protections such as a chroot or container or proper file permissions are in place, this attack's usefulness is rather limited. Workarounds --- On a reverse-proxy level one can force a URL-decode, which will prevent this attack because the router will not accept such a path. For more information --- If you have any questions or comments about this advisory: * Open an topic on [our community forum](https://community.hedgedoc.org) * Join our [matrix room](https://chat.hedgedoc.org) Advisory link --- https://github.com/hedgedoc/hedgedoc/security/advisories/GHSA-p528-555r-pf87 Signed-off-by: Christoph (Sheogorath) Kern <sheogorath@shivering-isles.com> 
Impact
---

An attacker can read arbitrary `.md` files from the server's filesystem due to an [improper input validation](https://cwe.mitre.org/data/definitions/20.html), which results in the ability to perform a [relative path traversal](https://cwe.mitre.org/data/definitions/23.html).

CVSSv3 string: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

PoC / Quicktest
---

To verify if you are affected, you can try to open the following URL: `http://localhost:3000/..%2F..%2FREADME#` (replace `http://localhost:3000` with your instance's base-URL e.g. `https://demo.hedgedoc.org/..%2F..%2FREADME#`).
- If you see a README page being rendered, you run an affected version.

Analysis
---

The attack works due the fact that [the internal router, passes the url-encoded alias](https://github.com/hedgedoc/hedgedoc/blob/master/lib/web/note/router.js#L26) to the `noteController.showNote`-function. This function passes the input directly to [`findNote()`](https://github.com/hedgedoc/hedgedoc/blob/78a732abe691b496fa3692aa2add37f7344db1fa/lib/web/note/util.js#L10) utility function, that will pass it on the the [`parseNoteId()`](https://github.com/hedgedoc/hedgedoc/blob/78a732abe691b496fa3692aa2add37f7344db1fa/lib/models/note.js#L188-L258)-function, that tries to make sense out of the noteId/alias and check if a note already exists and if so, if a corresponding file on disk was updated.

If no note exists the [note creation-function is called](https://github.com/hedgedoc/hedgedoc/blob/78a732abe691b496fa3692aa2add37f7344db1fa/lib/models/note.js#L240-L245), which pass this unvalidated alias, with a `.md` appended, into a [`path.join()`-function](https://github.com/hedgedoc/hedgedoc/blob/78a732abe691b496fa3692aa2add37f7344db1fa/lib/models/note.js#L99) which is read from the filesystem in the follow up routine and provides the pre-filled content of the new note.

This allows an attacker to not only read arbitrary `.md` files from the filesystem, but also  observes changes to them.

The usefulness of this attack can be considered limited, since mainly markdown files are use the file-ending `.md` and all markdown files contained in the hedgedoc project, like the README, are public anyway. If other protections such as a chroot or container or proper file permissions are in place, this attack's usefulness is rather limited.

Workarounds
---
On a reverse-proxy level one can force a URL-decode, which will prevent this attack because the router will not accept such a path.

For more information
---

If you have any questions or comments about this advisory:
* Open an topic on [our community forum](https://community.hedgedoc.org)
* Join our [matrix room](https://chat.hedgedoc.org)

Advisory link
---

https://github.com/hedgedoc/hedgedoc/security/advisories/GHSA-p528-555r-pf87

Signed-off-by: Christoph (Sheogorath) Kern <sheogorath@shivering-isles.com>
Add custom prometheus metrics 2021-04-25T18:06:56+00:00 David Mehren 2021-04-18T11:20:43+00:00 5c70cc021fb1b372e7a54b222e0524e3c6626e02 This reuses the `realtime.getStatus` method to get the state of the application state on every prometheus scrape cycle. Signed-off-by: David Mehren <git@herrmehren.de> 
This reuses the `realtime.getStatus` method to get the state of the
application state on every prometheus scrape cycle.

Signed-off-by: David Mehren <git@herrmehren.de>
ImageRouterImgur: Replace imgur library with note-fetch request 2021-04-22T19:23:27+00:00 Philip Molares 2021-04-19T10:31:14+00:00 f34d927e8cec45cf65ccee3197b46f4482b2b273 This kinda is a backport of https://github.com/hedgedoc/hedgedoc/pull/961 Signed-off-by: Philip Molares <philip.molares@udo.edu> 
This kinda is a backport of https://github.com/hedgedoc/hedgedoc/pull/961

Signed-off-by: Philip Molares <philip.molares@udo.edu>
Remove yahoo domain from default CSP rules 2021-03-29T21:35:12+00:00 Erik Michelson 2021-03-29T21:35:12+00:00 f948de1d48e9daa2181e23fc0f7136f75210acaf Signed-off-by: Erik Michelson <opensource@erik.michelson.eu> 
Signed-off-by: Erik Michelson <opensource@erik.michelson.eu>
Merge pull request #1079 from hedgedoc/fix/mimeTypes 2021-03-29T21:14:53+00:00 Yannick Bungers 2021-03-29T21:14:53+00:00 1534d7029bf82c74d5b927e8b179a763ccb1cae4