-rw-r--r--SECURITY.md32
-rw-r--r--app.js6
-rw-r--r--docs/configuration-config-file.md47
-rw-r--r--docs/configuration-env-vars.md2
-rw-r--r--lib/config/default.js2
-rw-r--r--package.json2
6 files changed, 82 insertions, 9 deletions
diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 00000000..3819d0af
--- /dev/null
+++ b/SECURITY.md
@@ -0,0 +1,32 @@
+# Security Policy
+
+## Supported Versions
+
+Only the latest release of CodiMD is supported. We don't have the
+ressources to maintain multiple versions.
+
+## Reporting a Vulnerability
+
+If you find a vulnerability for [this repository](https://github.com/codimd/server), please report it to
+[@SISheogorath](https://github.com/SISheogorath).
+
+Please report your findings OpenPGP encrypted. If you are not aware of
+how to use OpenPGP, please refer to [@SISheogorath's OpenPGP page](https://shivering-isles.com/pgpme),
+which will take care of the encryption for you.
+
+We'll get back to you as soon as possible. You can expect an answer within
+3 days, in rare cases within a month. If you don't get a reply within a month,
+please reach out for other contact addresses in the [community chat](https://riot.im/app/#/room/#codimd:matrix.org).
+
+When your findings are accepted as a security issue, we'll work an a fix or
+at least a workaround for the next release. With the release that contained
+the fix, we want to encurage you to publish your findings as you like.
+
+We'll also credit you in the release notes.
+
+When your findings are not accepted as a security issue, feel free to write
+a fix yourself and contribute it to CodiMD, as well as publish them as you
+like and allow people to make in informed decision about using CodiMD.
+
+If you have any further questions, feel free to reach out to the
+[community chat](https://riot.im/app/#/room/#codimd:matrix.org) or the mentioned contacts above.
diff --git a/app.js b/app.js
index 811696ec..f2db1815 100644
--- a/app.js
+++ b/app.js
@@ -126,9 +126,9 @@ app.use(i18n.init)
// routes without sessions
// static files
-app.use('/', express.static(path.join(__dirname, '/public'), { maxAge: config.staticCacheTime, index: false }))
-app.use('/docs', express.static(path.resolve(__dirname, config.docsPath), { maxAge: config.staticCacheTime }))
-app.use('/uploads', express.static(path.resolve(__dirname, config.uploadsPath), { maxAge: config.staticCacheTime }))
+app.use('/', express.static(path.join(__dirname, '/public'), { maxAge: config.staticCacheTime, index: false, redirect: false }))
+app.use('/docs', express.static(path.resolve(__dirname, config.docsPath), { maxAge: config.staticCacheTime, redirect: false }))
+app.use('/uploads', express.static(path.resolve(__dirname, config.uploadsPath), { maxAge: config.staticCacheTime, redirect: false }))
app.use('/default.md', express.static(path.resolve(__dirname, config.defaultNotePath), { maxAge: config.staticCacheTime }))
// session
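Review bot: The `redirect: false` added to the three mounts at the top of the hunk changes routing, not just headers: a request for a directory without a trailing slash (`/docs`, `/uploads`, or any directory under `public`) no longer receives a 301 to the slash-terminated form and instead falls through to whatever middleware or route comes later, and nothing in the hunk records why that is wanted. A one-line comment above the first mount would carry it, e.g. `// redirect: false — never 301 a bare directory request; let it fall through to later routes (the reserved names live in forbiddenNoteIDs, lib/config/default.js)`. The `/default.md` mount on the line after the change is the only one left with the default; its root is a file path rather than a directory, so the directory redirect presumably cannot fire there, but setting the option uniformly would make the intent unmistakable. The link between these mounts and `forbiddenNoteIDs` is inferred from the other hunks on this page, not stated in this one.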
diff --git a/docs/configuration-config-file.md b/docs/configuration-config-file.md
index 39c5c204..d24abce6 100644
--- a/docs/configuration-config-file.md
+++ b/docs/configuration-config-file.md
@@ -81,7 +81,7 @@ these are rarely used for various reasons.
| variables | example values | description |
| --------- | ------ | ----------- |
-| `allowGravatar` | `true` or `false` | set to `false` to disable Gravatar as profile picture source on your instance |
+| `allowGravatar` | `true` or `false` | set to `false` to disable [Libravatar](https://www.libravatar.org/) as profile picture source on your instance. Libravatar is a federated open-source alternative to Gravatar. |
| `useCDN` | `true` or `false` | set to use CDN resources or not (default is `true`) |
## Users and Privileges
@@ -99,8 +99,6 @@ these are rarely used for various reasons.
## Login methods
-Most of these have never been documented for the config.json, feel free to expand these
-
### Email (local account)
| variables | example values | description |
@@ -109,12 +107,47 @@ Most of these have never been documented for the config.json, feel free to expan
| `allowEmailRegister` | `true` or `false` | Set to allow registration of new accounts using an email address. If set to `false`, you can still create accounts using the command line - see `bin/manage_users` for details. This setting has no effect if `email` is `false`. The default for `allowEmailRegister` is `true`. |
### Dropbox Login
+
+| variables | example values | description |
+| --------- | ------ | ----------- |
+| `dropbox` | `{clientID: ..., clientSecret: ...}` | An object containing the client ID and the client secret obtained by the [Dropbox developer tools](https://www.dropbox.com/developers/apps) |
+
### Facebook Login
+
+| variables | example values | description |
+| --------- | ------ | ----------- |
+| `facebook` | `{clientID: ..., clientSecret: ...}` | An object containing the client ID and the client secret obtained by the [Facebook app console](https://developers.facebook.com/apps) |
+
### GitHub Login
+
+| variables | example values | description |
+| --------- | ------ | ----------- |
+| `github` | `{clientID: ..., clientSecret: ...}` | An object containing the client ID and the client secret obtained by the GitHub developer page. For more details have a look at the [GitHub auth guide](guides/auth/github.md). |
+
### GitLab Login
+
+| variables | example values | description |
+| --------- | ------ | ----------- |
+| `gitlab` | `{baseURL: ..., scope: ..., version: ..., clientID: ..., clientSecret: ...}` | An object containing your GitLab application data. Refer to the [GitLab guide](guides/auth/gitlab-self-hosted.md) for more details! |
+
### Google Login
+
+| variables | example values | description |
+| --------- | ------ | ----------- |
+| `google` | `{clientID: ..., clientSecret: ...}` | An object containing the client ID and the client secret obtained by the [Google API console](https://console.cloud.google.com/apis) |
+
### LDAP Login
+
+| variables | example values | description |
+| --------- | ------ | ----------- |
+| `ldap` | `{providerName: ..., url: ..., bindDn: ..., bindCredentials: ..., searchBase: ..., searchFilter: ..., searchAttributes: ..., usernameField: ..., useridField: ..., tlsca: ...}` | An object detailing the LDAP connection. Refer to the [LDAP-AD guide](guides/auth/ldap-AD.md) for more details! |
+
### Mattermost Login
+
+| variables | example values | description |
+| --------- | ------ | ----------- |
+| `mattermost` | `{baseURL: ..., clientID: ..., clientSecret: ...}` | An object containing the base URL of your Mattermost application data. Refer to the [Mattermost guide](guides/auth/mattermost-self-hosted.md) for more details! |
+
### OAuth2 Login
| variables | example values | description |
@@ -122,8 +155,16 @@ Most of these have never been documented for the config.json, feel free to expan
| `oauth2` | `{baseURL: ..., userProfileURL: ..., userProfileUsernameAttr: ..., userProfileDisplayNameAttr: ..., userProfileEmailAttr: ..., tokenURL: ..., authorizationURL: ..., clientID: ..., clientSecret: ...}` | An object detailing your OAuth2 provider. Refer to the [Mattermost](guides/auth/mattermost-self-hosted.md) or [Nextcloud](guides/auth/nextcloud.md) examples for more details!|
### SAML Login
+
+| variables | example values | description |
+| --------- | ------ | ----------- |
+| `saml` | `{idpSsoUrl: ..., idpCert: ..., issuer: ..., identifierFormat: ..., disableRequestedAuthnContext: ..., groupAttribute: ..., externalGroups: [], requiredGroups: [], attribute: {id: ..., username: ..., email: ...}}` | An object detailing your SAML provider. Refer to the [OneLogin](guides/auth/saml-onelogin.md) and [SAML](guides/auth/saml.md) guides for more details! |
+
### Twitter Login
+| variables | example values | description |
+| --------- | ------ | ----------- |
+| `twitter` | `{consumerKey: ..., consumerSecret: ...}` | An object containing the consumer key and secret obtained by the [Twitter developer tools](https://developer.twitter.com/apps). For more details have a look at the [Twitter auth guide](guides/auth/twitter.md) |
## Upload Storage
diff --git a/docs/configuration-env-vars.md b/docs/configuration-env-vars.md
index 1f44083e..84155847 100644
--- a/docs/configuration-env-vars.md
+++ b/docs/configuration-env-vars.md
@@ -68,7 +68,7 @@ defaultNotePath can't be set from env-vars
| variable | example value | description |
| -------- | ------------- | ----------- |
-| `CMD_ALLOW_GRAVATAR` | `true` or `false` | set to `false` to disable gravatar as profile picture source on your instance |
+| `CMD_ALLOW_GRAVATAR` | `true` or `false` | set to `false` to disable [Libravatar](https://www.libravatar.org/) as profile picture source on your instance. Libravatar is a federated open-source alternative to Gravatar. |
| `CMD_USECDN` | `true` or `false` | set to use CDN resources or not|
diff --git a/lib/config/default.js b/lib/config/default.js
index 12254d47..19bbeb21 100644
--- a/lib/config/default.js
+++ b/lib/config/default.js
@@ -32,7 +32,7 @@ module.exports = {
allowAnonymous: true,
allowAnonymousEdits: false,
allowFreeURL: false,
- forbiddenNoteIDs: ['robots.txt', 'favicon.ico', 'api'],
+ forbiddenNoteIDs: ['robots.txt', 'favicon.ico', 'api', 'build', 'css', 'docs', 'fonts', 'js', 'uploads', 'vendor', 'views'],
defaultPermission: 'editable',
dbURL: '',
db: {},
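Review bot: The extended `forbiddenNoteIDs` default looks like a path-reservation boundary that duplicates knowledge held elsewhere — `docs` and `uploads` match the `express.static` mount points in `app.js`, and the remaining names presumably match directories served from `public` — yet the line gives no hint that it must be kept in sync with those mounts. A comment such as `// names served statically by app.js; a note must never be able to claim one of these paths` would keep a future static mount from being added without extending this list. Whether the check is applied case-sensitively, or only when free URLs are enabled, is not visible in this hunk, so the comment should state the list's purpose and no more.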
diff --git a/package.json b/package.json
index 396f6f1f..9c456218 100644
--- a/package.json
+++ b/package.json
@@ -114,6 +114,7 @@
"scrypt-kdf": "^2.0.1",
"select2": "^3.5.2-browserify",
"sequelize": "^5.15.1",
+ "sequelize-cli": "^5.5.1",
"shortid": "2.2.8",
"socket.io": "~2.1.1",
"socket.io-client": "~2.1.1",
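Review bot: `sequelize-cli` is promoted from devDependencies to dependencies (the second hunk of this file removes the old entry) and bumped from `^5.4.0` to `^5.5.1`, but nothing on the page records why a migration CLI is now a runtime dependency; if it is needed to run migrations in production deployments, say so in the commit message or alongside the relevant `scripts` entry so the larger production install footprint is deliberate rather than accidental. The diffstat lists no lockfile, so if the project pins one it should be regenerated with this change.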
@@ -194,7 +195,6 @@
"mock-require": "^3.0.3",
"optimize-css-assets-webpack-plugin": "^5.0.0",
"script-loader": "^0.7.2",
- "sequelize-cli": "^5.4.0",
"string-loader": "^0.0.1",
"style-loader": "^0.21.0",
"uglifyjs-webpack-plugin": "^1.2.7",