diff options
| -rw-r--r-- | README.md | 1 | ||||
| -rw-r--r-- | lib/config/default.js | 3 | ||||
| -rw-r--r-- | lib/config/environment.js | 9 | ||||
| -rw-r--r-- | lib/config/utils.js | 7 | ||||
| -rw-r--r-- | lib/csp.js | 7 | ||||
| -rw-r--r-- | lib/web/auth/ldap/index.js | 2 | ||||
| -rw-r--r-- | package.json | 1 | ||||
| -rw-r--r-- | webpackBaseConfig.js | 10 | ||||
| -rw-r--r-- | yarn.lock | 77 |
9 files changed, 27 insertions, 90 deletions
@@ -207,6 +207,7 @@ There are some config settings you need to change in the files below. | `HMD_HSTS_MAX_AGE` | `31536000` | max duration in seconds to tell clients to keep HSTS status (default is a year) | | `HMD_HSTS_PRELOAD` | `true` | whether to allow preloading of the site's HSTS status (e.g. into browsers) | | `HMD_CSP_ENABLE` | `true` | whether to enable Content Security Policy (directives cannot be configured with environment variables) | +| `HMD_CSP_REPORTURI` | `https://<someid>.report-uri.com/r/d/csp/enforce` | Allows to add a URL for CSP reports in case of violations | ## Application settings `config.json` diff --git a/lib/config/default.js b/lib/config/default.js index 06e887f4..7407ec60 100644 --- a/lib/config/default.js +++ b/lib/config/default.js @@ -18,7 +18,8 @@ module.exports = { directives: { }, addDefaults: true, - upgradeInsecureRequests: 'auto' + upgradeInsecureRequests: 'auto', + reportURI: undefined }, protocolusessl: false, usecdn: true, diff --git a/lib/config/environment.js b/lib/config/environment.js index b83c67e5..ddc09e10 100644 --- a/lib/config/environment.js +++ b/lib/config/environment.js @@ -1,11 +1,11 @@ 'use strict' -const {toBooleanConfig, toArrayConfig} = require('./utils') +const {toBooleanConfig, toArrayConfig, toIntegerConfig} = require('./utils') module.exports = { domain: process.env.HMD_DOMAIN, urlpath: process.env.HMD_URL_PATH, - port: process.env.HMD_PORT, + port: toIntegerConfig(process.env.HMD_PORT), urladdport: toBooleanConfig(process.env.HMD_URL_ADDPORT), usessl: toBooleanConfig(process.env.HMD_USESSL), hsts: { @@ -15,7 +15,8 @@ module.exports = { preload: toBooleanConfig(process.env.HMD_HSTS_PRELOAD) }, csp: { - enable: toBooleanConfig(process.env.HMD_CSP_ENABLE) + enable: toBooleanConfig(process.env.HMD_CSP_ENABLE), + reportURI: process.env.HMD_CSP_REPORTURI }, protocolusessl: toBooleanConfig(process.env.HMD_PROTOCOL_USESSL), alloworigin: toArrayConfig(process.env.HMD_ALLOW_ORIGIN), @@ -39,7 +40,7 @@ module.exports = { secretKey: process.env.HMD_MINIO_SECRET_KEY, endPoint: process.env.HMD_MINIO_ENDPOINT, secure: toBooleanConfig(process.env.HMD_MINIO_SECURE), - port: process.env.HMD_MINIO_PORT + port: toIntegerConfig(process.env.HMD_MINIO_PORT) }, s3bucket: process.env.HMD_S3_BUCKET, facebook: { diff --git a/lib/config/utils.js b/lib/config/utils.js index 9ff2f96d..b2406cf1 100644 --- a/lib/config/utils.js +++ b/lib/config/utils.js @@ -13,3 +13,10 @@ exports.toArrayConfig = function toArrayConfig (configValue, separator = ',', fa } return fallback } + +exports.toIntegerConfig = function toIntegerConfig (configValue) { + if (configValue && typeof configValue === 'string') { + return parseInt(configValue) + } + return configValue +} @@ -30,6 +30,7 @@ CspStrategy.computeDirectives = function () { addInlineScriptExceptions(directives) } addUpgradeUnsafeRequestsOptionTo(directives) + addReportURI(directives) return directives } @@ -72,6 +73,12 @@ function addUpgradeUnsafeRequestsOptionTo (directives) { } } +function addReportURI (directives) { + if (config.csp.reportURI) { + directives.reportUri = config.csp.reportURI + } +} + CspStrategy.addNonceToLocals = function (req, res, next) { res.locals.nonce = uuid.v4() next() diff --git a/lib/web/auth/ldap/index.js b/lib/web/auth/ldap/index.js index c6746473..1a5c9938 100644 --- a/lib/web/auth/ldap/index.js +++ b/lib/web/auth/ldap/index.js @@ -37,7 +37,7 @@ passport.use(new LDAPStrategy({ id: 'LDAP-' + uuid, username: username, displayName: user.displayName, - emails: user.mail ? [user.mail] : [], + emails: user.mail ? Array.isArray(user.mail) ? user.mail : [user.mail] : [], avatarUrl: null, profileUrl: null, provider: 'ldap' diff --git a/package.json b/package.json index ba8b05d7..18c985b6 100644 --- a/package.json +++ b/package.json @@ -34,7 +34,6 @@ "diff-match-patch": "git+https://github.com/hackmdio/diff-match-patch.git", "ejs": "^2.5.5", "emojify.js": "~1.1.0", - "engine.io-client": "^1.8.2", "express": ">=4.14", "express-session": "^1.14.2", "file-saver": "^1.3.3", diff --git a/webpackBaseConfig.js b/webpackBaseConfig.js index 41a63e7d..e8630841 100644 --- a/webpackBaseConfig.js +++ b/webpackBaseConfig.js @@ -355,10 +355,7 @@ module.exports = { }, resolve: { - modulesDirectories: [ - path.resolve(__dirname, 'src'), - path.resolve(__dirname, 'node_modules') - ], + modulesDirectories: ['node_modules'], extensions: ['', '.js'], alias: { codemirror: path.join(__dirname, 'node_modules/codemirror/codemirror.min.js'), @@ -374,7 +371,8 @@ module.exports = { 'bootstrap-tooltip': path.join(__dirname, 'public/vendor/bootstrap/tooltip.min.js'), 'headjs': path.join(__dirname, 'node_modules/reveal.js/lib/js/head.min.js'), 'reveal-markdown': path.join(__dirname, 'public/js/reveal-markdown.js'), - abcjs: path.join(__dirname, 'public/vendor/abcjs_basic_3.1.1-min.js') + abcjs: path.join(__dirname, 'public/vendor/abcjs_basic_3.1.1-min.js'), + raphael: path.join(__dirname, 'node_modules/raphael/raphael.no-deps.js') } }, @@ -407,7 +405,7 @@ module.exports = { loader: ExtractTextPlugin.extract('style-loader', 'less-loader') }, { test: require.resolve('js-sequence-diagrams'), - loader: 'imports?_=lodash&Raphael=raphael' + loader: 'imports?_=lodash&Raphael=raphael&eve=eve' }, { test: /\.eot(\?v=\d+\.\d+\.\d+)?$/, loader: 'file' @@ -230,10 +230,6 @@ array.prototype.find@^2.0.1: define-properties "^1.1.2" es-abstract "^1.7.0" -arraybuffer.slice@0.0.6: - version "0.0.6" - resolved "https://registry.yarnpkg.com/arraybuffer.slice/-/arraybuffer.slice-0.0.6.tgz#f33b2159f0532a3f3107a272c0ccfbd1ad2979ca" - arraybuffer.slice@~0.0.7: version "0.0.7" resolved "https://registry.yarnpkg.com/arraybuffer.slice/-/arraybuffer.slice-0.0.7.tgz#3bbc4275dd584cc1b10809b89d4e8b63a69e7675" @@ -1720,12 +1716,6 @@ debug@2.2.0: dependencies: ms "0.7.1" -debug@2.3.3: - version "2.3.3" - resolved "https://registry.yarnpkg.com/debug/-/debug-2.3.3.tgz#40c453e67e6e13c901ddec317af8986cda9eff8c" - dependencies: - ms "0.7.2" - debug@2.6.7: version "2.6.7" resolved "https://registry.yarnpkg.com/debug/-/debug-2.6.7.tgz#92bad1f6d05bbb6bba22cca88bcd0ec894c2861e" @@ -2020,23 +2010,6 @@ end-of-stream@~0.1.5: dependencies: once "~1.3.0" -engine.io-client@^1.8.2: - version "1.8.4" - resolved "https://registry.yarnpkg.com/engine.io-client/-/engine.io-client-1.8.4.tgz#9fe85dee25853ca6babe25bd2ad68710863e91c2" - dependencies: - component-emitter "1.2.1" - component-inherit "0.0.3" - debug "2.3.3" - engine.io-parser "1.3.2" - has-cors "1.1.0" - indexof "0.0.1" - parsejson "0.0.3" - parseqs "0.0.5" - parseuri "0.0.5" - ws "1.1.2" - xmlhttprequest-ssl "1.5.3" - yeast "0.1.2" - engine.io-client@~3.1.0: version "3.1.4" resolved "https://registry.yarnpkg.com/engine.io-client/-/engine.io-client-3.1.4.tgz#4fcf1370b47163bd2ce9be2733972430350d4ea1" @@ -2053,17 +2026,6 @@ engine.io-client@~3.1.0: xmlhttprequest-ssl "~1.5.4" yeast "0.1.2" -engine.io-parser@1.3.2: - version "1.3.2" - resolved "https://registry.yarnpkg.com/engine.io-parser/-/engine.io-parser-1.3.2.tgz#937b079f0007d0893ec56d46cb220b8cb435220a" - dependencies: - after "0.8.2" - arraybuffer.slice "0.0.6" - base64-arraybuffer "0.1.5" - blob "0.0.4" - has-binary "0.1.7" - wtf-8 "1.0.0" - engine.io-parser@~2.1.0, engine.io-parser@~2.1.1: version "2.1.2" resolved "https://registry.yarnpkg.com/engine.io-parser/-/engine.io-parser-2.1.2.tgz#4c0f4cff79aaeecbbdcfdea66a823c6085409196" @@ -3149,12 +3111,6 @@ has-binary2@~1.0.2: dependencies: isarray "2.0.1" -has-binary@0.1.7: - version "0.1.7" - resolved "https://registry.yarnpkg.com/has-binary/-/has-binary-0.1.7.tgz#68e61eb16210c9545a0a5cce06a873912fe1e68c" - dependencies: - isarray "0.0.1" - has-color@~0.1.0: version "0.1.7" resolved "https://registry.yarnpkg.com/has-color/-/has-color-0.1.7.tgz#67144a5260c34fc3cca677d041daf52fe7b78b2f" @@ -4728,10 +4684,6 @@ ms@0.7.1: version "0.7.1" resolved "https://registry.yarnpkg.com/ms/-/ms-0.7.1.tgz#9cd13c03adbff25b65effde7ce864ee952017098" -ms@0.7.2: - version "0.7.2" - resolved "https://registry.yarnpkg.com/ms/-/ms-0.7.2.tgz#ae25cf2512b3885a1d95d7f037868d8431124765" - ms@2.0.0: version "2.0.0" resolved "https://registry.yarnpkg.com/ms/-/ms-2.0.0.tgz#5608aeadfc00be6c2901df5f9861788de0d597c8" @@ -5051,10 +5003,6 @@ optionator@^0.8.1, optionator@^0.8.2: type-check "~0.3.2" wordwrap "~1.0.0" -options@>=0.0.5: - version "0.0.6" - resolved "https://registry.yarnpkg.com/options/-/options-0.0.6.tgz#ec22d312806bb53e731773e7cdaefcf1c643128f" - orchestrator@^0.3.0: version "0.3.8" resolved "https://registry.yarnpkg.com/orchestrator/-/orchestrator-0.3.8.tgz#14e7e9e2764f7315fbac184e506c7aa6df94ad7e" @@ -5176,12 +5124,6 @@ parse5@^1.5.1: version "1.5.1" resolved "https://registry.yarnpkg.com/parse5/-/parse5-1.5.1.tgz#9b7f3b0de32be78dc2401b17573ccaf0f6f59d94" -parsejson@0.0.3: - version "0.0.3" - resolved "https://registry.yarnpkg.com/parsejson/-/parsejson-0.0.3.tgz#ab7e3759f209ece99437973f7d0f1f64ae0e64ab" - dependencies: - better-assert "~1.0.0" - parseqs@0.0.5: version "0.0.5" resolved "https://registry.yarnpkg.com/parseqs/-/parseqs-0.0.5.tgz#d5208a3738e46766e291ba2ea173684921a8b89d" @@ -7205,10 +7147,6 @@ uid2@0.0.x: version "0.0.3" resolved "https://registry.yarnpkg.com/uid2/-/uid2-0.0.3.tgz#483126e11774df2f71b8b639dcd799c376162b82" -ultron@1.0.x: - version "1.0.2" - resolved "https://registry.yarnpkg.com/ultron/-/ultron-1.0.2.tgz#ace116ab557cd197386a4e88f4685378c8b2e4fa" - ultron@~1.1.0: version "1.1.1" resolved "https://registry.yarnpkg.com/ultron/-/ultron-1.1.1.tgz#9fe1536a10a664a65266a1e3ccf85fd36302bc9c" @@ -7647,13 +7585,6 @@ write@^0.2.1: dependencies: mkdirp "^0.5.1" -ws@1.1.2: - version "1.1.2" - resolved "https://registry.yarnpkg.com/ws/-/ws-1.1.2.tgz#8a244fa052401e08c9886cf44a85189e1fd4067f" - dependencies: - options ">=0.0.5" - ultron "1.0.x" - ws@~3.3.1: version "3.3.3" resolved "https://registry.yarnpkg.com/ws/-/ws-3.3.3.tgz#f1cf84fe2d5e901ebce94efaece785f187a228f2" @@ -7662,10 +7593,6 @@ ws@~3.3.1: safe-buffer "~5.1.0" ultron "~1.1.0" -wtf-8@1.0.0: - version "1.0.0" - resolved "https://registry.yarnpkg.com/wtf-8/-/wtf-8-1.0.0.tgz#392d8ba2d0f1c34d1ee2d630f15d0efb68e1048a" - x-xss-protection@1.0.0: version "1.0.0" resolved "https://registry.yarnpkg.com/x-xss-protection/-/x-xss-protection-1.0.0.tgz#898afb93869b24661cf9c52f9ee8db8ed0764dd9" @@ -7731,10 +7658,6 @@ xmldom@=0.1.19: version "0.1.19" resolved "https://registry.yarnpkg.com/xmldom/-/xmldom-0.1.19.tgz#631fc07776efd84118bf25171b37ed4d075a0abc" -xmlhttprequest-ssl@1.5.3: - version "1.5.3" - resolved "https://registry.yarnpkg.com/xmlhttprequest-ssl/-/xmlhttprequest-ssl-1.5.3.tgz#185a888c04eca46c3e4070d99f7b49de3528992d" - xmlhttprequest-ssl@~1.5.4: version "1.5.5" resolved "https://registry.yarnpkg.com/xmlhttprequest-ssl/-/xmlhttprequest-ssl-1.5.5.tgz#c2876b06168aadc40e57d97e81191ac8f4398b3e" |