-rw-r--r-- | README.md | 5 | ||||
-rw-r--r-- | config.json.example | 4 | ||||
-rw-r--r-- | docs/guides/auth.md | 2 | ||||
-rw-r--r-- | lib/config/default.js | 5 | ||||
-rw-r--r-- | lib/config/environment.js | 11 | ||||
-rw-r--r-- | lib/config/utils.js | 7 | ||||
-rw-r--r-- | lib/csp.js | 7 | ||||
-rw-r--r-- | lib/migrations/20180306150303-fix-enum.js | 11 | ||||
-rw-r--r-- | lib/web/auth/ldap/index.js | 7 | ||||
-rw-r--r-- | package.json | 1 | ||||
-rw-r--r-- | public/css/markdown.css | 16 | ||||
-rw-r--r-- | public/js/render.js | 6 | ||||
-rw-r--r-- | webpackBaseConfig.js | 10 | ||||
-rw-r--r-- | yarn.lock | 77 |
14 files changed, 66 insertions, 103 deletions
@@ -171,11 +171,11 @@ There are some config settings you need to change in the files below.
 | `HMD_LDAP_URL` | `ldap://example.com` | URL of LDAP server |
 | `HMD_LDAP_BINDDN` | no example | bindDn for LDAP access |
 | `HMD_LDAP_BINDCREDENTIALS` | no example | bindCredentials for LDAP access |
-| `HMD_LDAP_TOKENSECRET` | `supersecretkey` | secret used for generating access/refresh tokens |
 | `HMD_LDAP_SEARCHBASE` | `o=users,dc=example,dc=com` | LDAP directory to begin search from |
 | `HMD_LDAP_SEARCHFILTER` | `(uid={{username}})` | LDAP filter to search with |
 | `HMD_LDAP_SEARCHATTRIBUTES` | `displayName, mail` | LDAP attributes to search with (use comma to separate) |
-| `HMD_LDAP_USERNAMEFIELD` | `uid` | The LDAP field which is used as the username on HackMD |
+| `HMD_LDAP_USERIDFIELD` | `uidNumber` or `uid` or `sAMAccountName` | The LDAP field which is used uniquely identify a user on HackMD |
+| `HMD_LDAP_USERNAMEFIELD` | Fallback to userid | The LDAP field which is used as the username on HackMD |
 | `HMD_LDAP_TLS_CA` | `server-cert.pem, root.pem` | Root CA for LDAP TLS in PEM format (use comma to separate) |
 | `HMD_LDAP_PROVIDERNAME` | `My institution` | Optional name to be displayed at login form indicating the LDAP provider |
 | `HMD_SAML_IDPSSOURL` | `https://idp.example.com/sso` | authentication endpoint of IdP. for details, see [guide](docs/guides/auth.md#saml-onelogin). |
@@ -207,6 +207,7 @@ There are some config settings you need to change in the files below. | `HMD_HSTS_MAX_AGE` | `31536000` | max duration in seconds to tell clients to keep HSTS status (default is a year) | | `HMD_HSTS_PRELOAD` | `true` | whether to allow preloading of the site's HSTS status (e.g. into browsers) | | `HMD_CSP_ENABLE` | `true` | whether to enable Content Security Policy (directives cannot be configured with environment variables) | +| `HMD_CSP_REPORTURI` | `https://<someid>.report-uri.com/r/d/csp/enforce` | Allows to add a URL for CSP reports in case of violations | ## Application settings `config.json` diff --git a/config.json.example b/config.json.example index 66a0227c..8d1b6abd 100644 --- a/config.json.example +++ b/config.json.example @@ -74,11 +74,11 @@ "url": "ldap://change_this", "bindDn": null, "bindCredentials": null, - "tokenSecret": "change this", "searchBase": "change this", "searchFilter": "change this", "searchAttributes": ["change this"], - "usernameField": "change this e.g. uid", + "usernameField": "change this e.g. cn", + "useridField": "change this e.g. uid", "tlsOptions": { "changeme": "See https://nodejs.org/api/tls.html#tls_tls_connect_options_callback" } diff --git a/docs/guides/auth.md b/docs/guides/auth.md index 4f9ce445..aa629489 100644 --- a/docs/guides/auth.md +++ b/docs/guides/auth.md @@ -161,7 +161,7 @@ The basic procedure is the same as the case of OneLogin which is mentioned above * `attribute.id`: A primary key of user table for your HackMD * `attribute.username`: Attribute name of displaying user name on HackMD * `attribute.email`: Attribute name of email address, which will be also used for Gravatar - * _Note: Default value of all attributes is NameID of SAML response, which is email address if `idfentifierFormat` is default._ + * _Note: Default value of all attributes is NameID of SAML response, which is email address if `identifierFormat` is default._ * config.json: ````javascript { 
diff --git a/lib/config/default.js b/lib/config/default.js index 38dc21a4..7407ec60 100644 --- a/lib/config/default.js +++ b/lib/config/default.js @@ -18,7 +18,8 @@ module.exports = { directives: { }, addDefaults: true, - upgradeInsecureRequests: 'auto' + upgradeInsecureRequests: 'auto', + reportURI: undefined }, protocolusessl: false, usecdn: true, @@ -110,11 +111,11 @@ module.exports = { url: undefined, bindDn: undefined, bindCredentials: undefined, - tokenSecret: undefined, searchBase: undefined, searchFilter: undefined, searchAttributes: undefined, usernameField: undefined, + useridField: undefined, tlsca: undefined }, saml: { diff --git a/lib/config/environment.js b/lib/config/environment.js index 640f9e07..ddc09e10 100644 --- a/lib/config/environment.js +++ b/lib/config/environment.js @@ -1,11 +1,11 @@ 'use strict' -const {toBooleanConfig, toArrayConfig} = require('./utils') +const {toBooleanConfig, toArrayConfig, toIntegerConfig} = require('./utils') module.exports = { domain: process.env.HMD_DOMAIN, urlpath: process.env.HMD_URL_PATH, - port: process.env.HMD_PORT, + port: toIntegerConfig(process.env.HMD_PORT), urladdport: toBooleanConfig(process.env.HMD_URL_ADDPORT), usessl: toBooleanConfig(process.env.HMD_USESSL), hsts: { @@ -15,7 +15,8 @@ module.exports = { preload: toBooleanConfig(process.env.HMD_HSTS_PRELOAD) }, csp: { - enable: toBooleanConfig(process.env.HMD_CSP_ENABLE) + enable: toBooleanConfig(process.env.HMD_CSP_ENABLE), + reportURI: process.env.HMD_CSP_REPORTURI }, protocolusessl: toBooleanConfig(process.env.HMD_PROTOCOL_USESSL), alloworigin: toArrayConfig(process.env.HMD_ALLOW_ORIGIN), @@ -39,7 +40,7 @@ module.exports = { secretKey: process.env.HMD_MINIO_SECRET_KEY, endPoint: process.env.HMD_MINIO_ENDPOINT, secure: toBooleanConfig(process.env.HMD_MINIO_SECURE), - port: process.env.HMD_MINIO_PORT + port: toIntegerConfig(process.env.HMD_MINIO_PORT) }, s3bucket: process.env.HMD_S3_BUCKET, facebook: { 
@@ -79,11 +80,11 @@ module.exports = { url: process.env.HMD_LDAP_URL, bindDn: process.env.HMD_LDAP_BINDDN, bindCredentials: process.env.HMD_LDAP_BINDCREDENTIALS, - tokenSecret: process.env.HMD_LDAP_TOKENSECRET, searchBase: process.env.HMD_LDAP_SEARCHBASE, searchFilter: process.env.HMD_LDAP_SEARCHFILTER, searchAttributes: toArrayConfig(process.env.HMD_LDAP_SEARCHATTRIBUTES), usernameField: process.env.HMD_LDAP_USERNAMEFIELD, + useridField: process.env.HMD_LDAP_USERIDFIELD, tlsca: process.env.HMD_LDAP_TLS_CA }, saml: { diff --git a/lib/config/utils.js b/lib/config/utils.js index 9ff2f96d..b2406cf1 100644 --- a/lib/config/utils.js +++ b/lib/config/utils.js @@ -13,3 +13,10 @@ exports.toArrayConfig = function toArrayConfig (configValue, separator = ',', fa } return fallback } + +exports.toIntegerConfig = function toIntegerConfig (configValue) { + if (configValue && typeof configValue === 'string') { + return parseInt(configValue) + } + return configValue +} @@ -30,6 +30,7 @@ CspStrategy.computeDirectives = function () { addInlineScriptExceptions(directives) } addUpgradeUnsafeRequestsOptionTo(directives) + addReportURI(directives) return directives } @@ -72,6 +73,12 @@ function addUpgradeUnsafeRequestsOptionTo (directives) { } } +function addReportURI (directives) { + if (config.csp.reportURI) { + directives.reportUri = config.csp.reportURI + } +} + CspStrategy.addNonceToLocals = function (req, res, next) { res.locals.nonce = uuid.v4() next() diff --git a/lib/migrations/20180306150303-fix-enum.js b/lib/migrations/20180306150303-fix-enum.js new file mode 100644 index 00000000..0ee58a94 --- /dev/null +++ b/lib/migrations/20180306150303-fix-enum.js 
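Review bot: `parseInt(configValue)` in the new toIntegerConfig has no radix and silently yields `NaN` for a non-numeric `HMD_PORT` or `HMD_MINIO_PORT`, so a typo in the environment propagates into the merged config as a falsy non-number instead of surfacing as a misconfiguration. Prefer `const parsed = Number.parseInt(configValue, 10)` followed by `return Number.isNaN(parsed) ? undefined : parsed`, so an unparsable value behaves like an unset variable — assuming the config merge treats `undefined` the same way it must already treat the unset entries in environment.js — or throw so startup fails loudly. Note that `parseInt` also accepts trailing garbage (`'8080abc'` → 8080); if that matters, `Number(configValue)` with an integer check is stricter.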
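Review bot: addReportURI copies `config.csp.reportURI` into the directive verbatim with no check that it is an absolute http(s) URL, and nothing in the code or the README row documents that browser violation reports carry the `document-uri` and `referrer` of the page; in HackMD that is presumably the note URL, which for notes shared by link is effectively the access secret, so pointing `HMD_CSP_REPORTURI` at a third-party collector (the README example is report-uri.com) discloses those URLs to that party. Suggest a comment above the assignment, e.g. `// Violation reports include document-uri (note URLs); only point this at a collector trusted with them.`, and optionally validating the value at startup with `new URL(config.csp.reportURI)` so a malformed value fails fast rather than producing a broken header. The enclosing computeDirectives function and the helper's callers lie partly outside the hunks.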
@@ -0,0 +1,11 @@
+'use strict'
+
+module.exports = {
+ up: function (queryInterface, Sequelize) {
+ queryInterface.changeColumn('Notes', 'permission', {type: Sequelize.ENUM('freely', 'editable', 'limited', 'locked', 'protected', 'private')})
+ },
+
+ down: function (queryInterface, Sequelize) {
+ queryInterface.changeColumn('Notes', 'permission', {type: Sequelize.ENUM('freely', 'editable', 'locked', 'private')})
+ }
+}
diff --git a/lib/web/auth/ldap/index.js b/lib/web/auth/ldap/index.js
index cc0d29ad..1a5c9938 100644
--- a/lib/web/auth/ldap/index.js
+++ b/lib/web/auth/ldap/index.js
@@ -24,8 +24,11 @@ passport.use(new LDAPStrategy({
 }
 }, function (user, done) {
 var uuid = user.uidNumber || user.uid || user.sAMAccountName
- var username = uuid
+ if (config.ldap.useridField && user[config.ldap.useridField]) {
+ uuid = user[config.ldap.useridField]
+ }
+ var username = uuid
 if (config.ldap.usernameField && user[config.ldap.usernameField]) {
 username = user[config.ldap.usernameField]
 }
@@ -34,7 +37,7 @@ passport.use(new LDAPStrategy({
 id: 'LDAP-' + uuid,
 username: username,
 displayName: user.displayName,
- emails: user.mail ? [user.mail] : [],
+ emails: user.mail ? Array.isArray(user.mail) ? user.mail : [user.mail] : [],
 avatarUrl: null,
 profileUrl: null,
 provider: 'ldap'
diff --git a/package.json b/package.json
index beb01122..58e2afff 100644
--- a/package.json
+++ b/package.json
@@ -35,7 +35,6 @@
 "diff-match-patch": "git+https://github.com/hackmdio/diff-match-patch.git",
 "ejs": "^2.5.5",
 "emojify.js": "~1.1.0",
- "engine.io-client": "^1.8.2",
 "express": ">=4.14",
 "express-session": "^1.14.2",
 "file-saver": "^1.3.3",
diff --git a/public/css/markdown.css b/public/css/markdown.css
index 36e45781..eaa9ab5c 100644
--- a/public/css/markdown.css
+++ b/public/css/markdown.css
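Review bot: Neither `up` nor `down` returns the promise from `queryInterface.changeColumn(...)`, so the migration runner (sequelize-cli / umzug, presumably) will record the migration as applied as soon as the function returns, before the ALTER has finished, and a failed ALTER surfaces as an unhandled rejection rather than a migration error. Prefix both calls with `return`, e.g. `return queryInterface.changeColumn('Notes', 'permission', {type: Sequelize.ENUM('freely', 'editable', 'limited', 'locked', 'protected', 'private')})`. Separately, `down` narrows the enum, so rows already holding `limited` or `protected` will make the reverse migration fail or be coerced depending on the dialect; a comment stating that, or an UPDATE remapping those rows first, would save the next operator a surprise.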
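Review bot: When `config.ldap.useridField` is configured but the attribute is missing from a particular entry, the new condition silently falls back to `user.uidNumber || user.uid || user.sAMAccountName`, so the stable account key `'LDAP-' + uuid` is derived from a different attribute for that user than for everyone else, and an operator who set the field precisely to guarantee uniqueness gets no signal; an LDAP-side value collision between the two attribute namespaces could then map two directory entries onto one HackMD account. Prefer failing closed: `if (config.ldap.useridField) { uuid = user[config.ldap.useridField]; if (!uuid) return done(null, false) }`. The attribute may also be multi-valued — the same hunk already handles that for `mail` — in which case `'LDAP-' + uuid` stringifies an array with commas; take `[0]` or reject when `Array.isArray(uuid)`. The verify callback's body continues past the hunk.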
@@ -190,10 +190,22 @@ } /* Make details boxes look like on GitHub */ +.markdown-body summary { + display: list-item; +} + +.markdown-body summary:focus { + outline: none; +} + .markdown-body details summary { cursor: pointer; } -.markdown-body summary { - display: list-item; +.markdown-body details:not([open]) > *:not(summary) { + display: none; +} + +.markdown-body figure { + margin: 1em 40px; } diff --git a/public/js/render.js b/public/js/render.js index 860f8272..23b8934e 100644 --- a/public/js/render.js +++ b/public/js/render.js @@ -19,12 +19,12 @@ whiteList['style'] = [] whiteList['kbd'] = [] // allow ifram tag with some safe attributes whiteList['iframe'] = ['allowfullscreen', 'name', 'referrerpolicy', 'sandbox', 'src', 'width', 'height'] -// allow details tag -whiteList['details'] = [] -// allow summary tag for details +// allow summary tag whiteList['summary'] = [] // allow ruby tag whiteList['ruby'] = [] +// allow rp tag for ruby +whiteList['rp'] = [] // allow rt tag for ruby whiteList['rt'] = [] // allow figure tag diff --git a/webpackBaseConfig.js b/webpackBaseConfig.js index 41a63e7d..e8630841 100644 --- a/webpackBaseConfig.js +++ b/webpackBaseConfig.js @@ -355,10 +355,7 @@ module.exports = { }, resolve: { - modulesDirectories: [ - path.resolve(__dirname, 'src'), - path.resolve(__dirname, 'node_modules') - ], + modulesDirectories: ['node_modules'], extensions: ['', '.js'], alias: { codemirror: path.join(__dirname, 'node_modules/codemirror/codemirror.min.js'), @@ -374,7 +371,8 @@ module.exports = { 'bootstrap-tooltip': path.join(__dirname, 'public/vendor/bootstrap/tooltip.min.js'), 'headjs': path.join(__dirname, 'node_modules/reveal.js/lib/js/head.min.js'), 'reveal-markdown': path.join(__dirname, 'public/js/reveal-markdown.js'), - abcjs: path.join(__dirname, 'public/vendor/abcjs_basic_3.1.1-min.js') + abcjs: path.join(__dirname, 'public/vendor/abcjs_basic_3.1.1-min.js'), + raphael: path.join(__dirname, 'node_modules/raphael/raphael.no-deps.js') } }, 
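Review bot: Dropping `whiteList['details'] = []` is not explained in render.js, and the reason matters for the sanitizer: assigning `[]` presumably overrode the filter's default entry for `details` and stripped its `open` attribute, which the new CSS rule `.markdown-body details:not([open]) > *:not(summary)` now relies on passing through. Without a comment the next contributor is likely to re-add the "allow details tag" line and silently break collapsed/expanded rendering again. Suggest replacing the removed comment with `// details (and its 'open' attribute) is already allowed by the sanitizer's default whitelist; do not override it with [] or 'open' is stripped`, and confirming against the installed filter library's default list that `details` and `summary` are indeed present by default.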
@@ -407,7 +405,7 @@ module.exports = { loader: ExtractTextPlugin.extract('style-loader', 'less-loader') }, { test: require.resolve('js-sequence-diagrams'), - loader: 'imports?_=lodash&Raphael=raphael' + loader: 'imports?_=lodash&Raphael=raphael&eve=eve' }, { test: /\.eot(\?v=\d+\.\d+\.\d+)?$/, loader: 'file' @@ -230,10 +230,6 @@ array.prototype.find@^2.0.1: define-properties "^1.1.2" es-abstract "^1.7.0" -arraybuffer.slice@0.0.6: - version "0.0.6" - resolved "https://registry.yarnpkg.com/arraybuffer.slice/-/arraybuffer.slice-0.0.6.tgz#f33b2159f0532a3f3107a272c0ccfbd1ad2979ca" - arraybuffer.slice@~0.0.7: version "0.0.7" resolved "https://registry.yarnpkg.com/arraybuffer.slice/-/arraybuffer.slice-0.0.7.tgz#3bbc4275dd584cc1b10809b89d4e8b63a69e7675" @@ -1720,12 +1716,6 @@ debug@2.2.0: dependencies: ms "0.7.1" -debug@2.3.3: - version "2.3.3" - resolved "https://registry.yarnpkg.com/debug/-/debug-2.3.3.tgz#40c453e67e6e13c901ddec317af8986cda9eff8c" - dependencies: - ms "0.7.2" - debug@2.6.7: version "2.6.7" resolved "https://registry.yarnpkg.com/debug/-/debug-2.6.7.tgz#92bad1f6d05bbb6bba22cca88bcd0ec894c2861e" @@ -2020,23 +2010,6 @@ end-of-stream@~0.1.5: dependencies: once "~1.3.0" -engine.io-client@^1.8.2: - version "1.8.4" - resolved "https://registry.yarnpkg.com/engine.io-client/-/engine.io-client-1.8.4.tgz#9fe85dee25853ca6babe25bd2ad68710863e91c2" - dependencies: - component-emitter "1.2.1" - component-inherit "0.0.3" - debug "2.3.3" - engine.io-parser "1.3.2" - has-cors "1.1.0" - indexof "0.0.1" - parsejson "0.0.3" - parseqs "0.0.5" - parseuri "0.0.5" - ws "1.1.2" - xmlhttprequest-ssl "1.5.3" - yeast "0.1.2" - engine.io-client@~3.1.0: version "3.1.4" resolved "https://registry.yarnpkg.com/engine.io-client/-/engine.io-client-3.1.4.tgz#4fcf1370b47163bd2ce9be2733972430350d4ea1" 
@@ -2053,17 +2026,6 @@ engine.io-client@~3.1.0: xmlhttprequest-ssl "~1.5.4" yeast "0.1.2" -engine.io-parser@1.3.2: - version "1.3.2" - resolved "https://registry.yarnpkg.com/engine.io-parser/-/engine.io-parser-1.3.2.tgz#937b079f0007d0893ec56d46cb220b8cb435220a" - dependencies: - after "0.8.2" - arraybuffer.slice "0.0.6" - base64-arraybuffer "0.1.5" - blob "0.0.4" - has-binary "0.1.7" - wtf-8 "1.0.0" - engine.io-parser@~2.1.0, engine.io-parser@~2.1.1: version "2.1.2" resolved "https://registry.yarnpkg.com/engine.io-parser/-/engine.io-parser-2.1.2.tgz#4c0f4cff79aaeecbbdcfdea66a823c6085409196" @@ -3149,12 +3111,6 @@ has-binary2@~1.0.2: dependencies: isarray "2.0.1" -has-binary@0.1.7: - version "0.1.7" - resolved "https://registry.yarnpkg.com/has-binary/-/has-binary-0.1.7.tgz#68e61eb16210c9545a0a5cce06a873912fe1e68c" - dependencies: - isarray "0.0.1" - has-color@~0.1.0: version "0.1.7" resolved "https://registry.yarnpkg.com/has-color/-/has-color-0.1.7.tgz#67144a5260c34fc3cca677d041daf52fe7b78b2f" @@ -4728,10 +4684,6 @@ ms@0.7.1: version "0.7.1" resolved "https://registry.yarnpkg.com/ms/-/ms-0.7.1.tgz#9cd13c03adbff25b65effde7ce864ee952017098" -ms@0.7.2: - version "0.7.2" - resolved "https://registry.yarnpkg.com/ms/-/ms-0.7.2.tgz#ae25cf2512b3885a1d95d7f037868d8431124765" - ms@2.0.0: version "2.0.0" resolved "https://registry.yarnpkg.com/ms/-/ms-2.0.0.tgz#5608aeadfc00be6c2901df5f9861788de0d597c8" @@ -5051,10 +5003,6 @@ optionator@^0.8.1, optionator@^0.8.2: type-check "~0.3.2" wordwrap "~1.0.0" -options@>=0.0.5: - version "0.0.6" - resolved "https://registry.yarnpkg.com/options/-/options-0.0.6.tgz#ec22d312806bb53e731773e7cdaefcf1c643128f" - orchestrator@^0.3.0: version "0.3.8" resolved "https://registry.yarnpkg.com/orchestrator/-/orchestrator-0.3.8.tgz#14e7e9e2764f7315fbac184e506c7aa6df94ad7e" 
@@ -5176,12 +5124,6 @@ parse5@^1.5.1: version "1.5.1" resolved "https://registry.yarnpkg.com/parse5/-/parse5-1.5.1.tgz#9b7f3b0de32be78dc2401b17573ccaf0f6f59d94" -parsejson@0.0.3: - version "0.0.3" - resolved "https://registry.yarnpkg.com/parsejson/-/parsejson-0.0.3.tgz#ab7e3759f209ece99437973f7d0f1f64ae0e64ab" - dependencies: - better-assert "~1.0.0" - parseqs@0.0.5: version "0.0.5" resolved "https://registry.yarnpkg.com/parseqs/-/parseqs-0.0.5.tgz#d5208a3738e46766e291ba2ea173684921a8b89d" @@ -7205,10 +7147,6 @@ uid2@0.0.x: version "0.0.3" resolved "https://registry.yarnpkg.com/uid2/-/uid2-0.0.3.tgz#483126e11774df2f71b8b639dcd799c376162b82" -ultron@1.0.x: - version "1.0.2" - resolved "https://registry.yarnpkg.com/ultron/-/ultron-1.0.2.tgz#ace116ab557cd197386a4e88f4685378c8b2e4fa" - ultron@~1.1.0: version "1.1.1" resolved "https://registry.yarnpkg.com/ultron/-/ultron-1.1.1.tgz#9fe1536a10a664a65266a1e3ccf85fd36302bc9c" @@ -7647,13 +7585,6 @@ write@^0.2.1: dependencies: mkdirp "^0.5.1" -ws@1.1.2: - version "1.1.2" - resolved "https://registry.yarnpkg.com/ws/-/ws-1.1.2.tgz#8a244fa052401e08c9886cf44a85189e1fd4067f" - dependencies: - options ">=0.0.5" - ultron "1.0.x" - ws@~3.3.1: version "3.3.3" resolved "https://registry.yarnpkg.com/ws/-/ws-3.3.3.tgz#f1cf84fe2d5e901ebce94efaece785f187a228f2" @@ -7662,10 +7593,6 @@ ws@~3.3.1: safe-buffer "~5.1.0" ultron "~1.1.0" -wtf-8@1.0.0: - version "1.0.0" - resolved "https://registry.yarnpkg.com/wtf-8/-/wtf-8-1.0.0.tgz#392d8ba2d0f1c34d1ee2d630f15d0efb68e1048a" - x-xss-protection@1.0.0: version "1.0.0" resolved "https://registry.yarnpkg.com/x-xss-protection/-/x-xss-protection-1.0.0.tgz#898afb93869b24661cf9c52f9ee8db8ed0764dd9" 
@@ -7731,10 +7658,6 @@ xmldom@=0.1.19: version "0.1.19" resolved "https://registry.yarnpkg.com/xmldom/-/xmldom-0.1.19.tgz#631fc07776efd84118bf25171b37ed4d075a0abc" -xmlhttprequest-ssl@1.5.3: - version "1.5.3" - resolved "https://registry.yarnpkg.com/xmlhttprequest-ssl/-/xmlhttprequest-ssl-1.5.3.tgz#185a888c04eca46c3e4070d99f7b49de3528992d" - xmlhttprequest-ssl@~1.5.4: version "1.5.5" resolved "https://registry.yarnpkg.com/xmlhttprequest-ssl/-/xmlhttprequest-ssl-1.5.5.tgz#c2876b06168aadc40e57d97e81191ac8f4398b3e" |