Diffstat (limited to 'lib/config')
-rw-r--r--lib/config/default.js8
-rw-r--r--lib/config/dockerSecret.js11
-rw-r--r--lib/config/environment.js9
-rw-r--r--lib/config/hackmdEnvironment.js5
-rw-r--r--lib/config/index.js26
-rw-r--r--lib/config/oldEnvironment.js2
6 files changed, 40 insertions, 21 deletions
diff --git a/lib/config/default.js b/lib/config/default.js
index 9e401f38..12254d47 100644
--- a/lib/config/default.js
+++ b/lib/config/default.js
@@ -56,10 +56,15 @@ module.exports = {
// socket.io
heartbeatInterval: 5000,
heartbeatTimeout: 10000,
+ // too busy timeout
+ tooBusyLag: 70,
// document
documentMaxLength: 100000,
- // image upload setting, available options are imgur/s3/filesystem/azure
+ // image upload setting, available options are imgur/s3/filesystem/azure/lutim
imageUploadType: 'filesystem',
+ lutim: {
+ url: 'https://framapic.org/'
+ },
imgur: {
clientID: undefined
},
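Review bot: The new `lutim.url` default in this hunk points at a third-party host (`https://framapic.org/`), so an operator who only switches `imageUploadType` to `lutim` sends every uploaded image off-site without having chosen the destination. Consider defaulting to `url: undefined` and rejecting `lutim` in the provider validation when no URL is configured, or at least extending the comment to `// lutim: uploads are sent to this external instance; set your own URL`. The value can also be set through `CMD_LUTIM_URL` in lib/config/environment.js, and no scheme or host check on it is visible in this diff.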
@@ -138,6 +143,7 @@ module.exports = {
idpCert: undefined,
issuer: undefined,
identifierFormat: 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',
+ disableRequestedAuthnContext: false,
groupAttribute: undefined,
externalGroups: [],
requiredGroups: [],
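Review bot: `disableRequestedAuthnContext` is added here without a comment, although it changes what the service provider asks of the IdP. If it is passed through to the SAML library unchanged (not visible in this diff), enabling it presumably drops the RequestedAuthnContext element from the request and leaves the authentication method to the IdP. A line such as `// when true, no RequestedAuthnContext is sent and the IdP decides how users authenticate` would make that trade-off visible. The same key is added in lib/config/environment.js and lib/config/hackmdEnvironment.js, where the note applies too.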
diff --git a/lib/config/dockerSecret.js b/lib/config/dockerSecret.js
index fd66ddfe..50bf7fe2 100644
--- a/lib/config/dockerSecret.js
+++ b/lib/config/dockerSecret.js
@@ -13,11 +13,12 @@ function getSecret (secret) {
if (fs.existsSync(basePath)) {
module.exports = {
- sessionsecret: getSecret('sessionsecret'),
- sslkeypath: getSecret('sslkeypath'),
- sslcertpath: getSecret('sslcertpath'),
- sslcapath: getSecret('sslcapath'),
- dhparampath: getSecret('dhparampath'),
+ dbURL: getSecret('dbURL'),
+ sessionSecret: getSecret('sessionsecret'),
+ sslKeyPath: getSecret('sslkeypath'),
+ sslCertPath: getSecret('sslcertpath'),
+ sslCAPath: getSecret('sslcapath'),
+ dhParamPath: getSecret('dhparampath'),
s3: {
accessKeyId: getSecret('s3_acccessKeyId'),
secretAccessKey: getSecret('s3_secretAccessKey')
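Review bot: The added `dbURL: getSecret('dbURL')` reads a mixed-case secret name, while every other top-level entry in this block reads a lower-case one (`sessionsecret`, `sslkeypath`), so on a case-sensitive filesystem the secret file must be named exactly `dbURL`. Either read `getSecret('dburl')` to match the others, or add a comment such as `// secret file name is case-sensitive: dbURL`. The body of getSecret is outside this hunk, so how a missing secret file is handled cannot be checked from here.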
diff --git a/lib/config/environment.js b/lib/config/environment.js
index cdf87871..716f8b75 100644
--- a/lib/config/environment.js
+++ b/lib/config/environment.js
@@ -1,6 +1,6 @@
'use strict'
-const {toBooleanConfig, toArrayConfig, toIntegerConfig} = require('./utils')
+const { toBooleanConfig, toArrayConfig, toIntegerConfig } = require('./utils')
module.exports = {
sourceURL: process.env.CMD_SOURCE_URL,
@@ -14,7 +14,7 @@ module.exports = {
useSSL: toBooleanConfig(process.env.CMD_USESSL),
hsts: {
enable: toBooleanConfig(process.env.CMD_HSTS_ENABLE),
- maxAgeSeconds: process.env.CMD_HSTS_MAX_AGE,
+ maxAgeSeconds: toIntegerConfig(process.env.CMD_HSTS_MAX_AGE),
includeSubdomains: toBooleanConfig(process.env.CMD_HSTS_INCLUDE_SUBDOMAINS),
preload: toBooleanConfig(process.env.CMD_HSTS_PRELOAD)
},
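Review bot: `maxAgeSeconds: toIntegerConfig(process.env.CMD_HSTS_MAX_AGE)` now parses the value, but what toIntegerConfig returns for a non-numeric string is not visible in this diff, since it is defined in ./utils. If it can return NaN, that value would replace the default when the configs are merged and the Strict-Transport-Security header would carry an invalid max-age. It would help to confirm that the helper yields `undefined` for unparsable input, and to say so in a comment on this line. The same applies to `tooBusyLag: toIntegerConfig(process.env.CMD_TOOBUSY_LAG)` further down and to `HMD_HSTS_MAX_AGE` in lib/config/hackmdEnvironment.js.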
@@ -33,6 +33,7 @@ module.exports = {
dbURL: process.env.CMD_DB_URL,
sessionSecret: process.env.CMD_SESSION_SECRET,
sessionLife: toIntegerConfig(process.env.CMD_SESSION_LIFE),
+ tooBusyLag: toIntegerConfig(process.env.CMD_TOOBUSY_LAG),
imageUploadType: process.env.CMD_IMAGE_UPLOAD_TYPE,
imgur: {
clientID: process.env.CMD_IMGUR_CLIENTID
@@ -50,6 +51,9 @@ module.exports = {
secure: toBooleanConfig(process.env.CMD_MINIO_SECURE),
port: toIntegerConfig(process.env.CMD_MINIO_PORT)
},
+ lutim: {
+ url: process.env.CMD_LUTIM_URL
+ },
s3bucket: process.env.CMD_S3_BUCKET,
azure: {
connectionString: process.env.CMD_AZURE_CONNECTION_STRING,
@@ -116,6 +120,7 @@ module.exports = {
idpCert: process.env.CMD_SAML_IDPCERT,
issuer: process.env.CMD_SAML_ISSUER,
identifierFormat: process.env.CMD_SAML_IDENTIFIERFORMAT,
+ disableRequestedAuthnContext: toBooleanConfig(process.env.CMD_SAML_DISABLEREQUESTEDAUTHNCONTEXT),
groupAttribute: process.env.CMD_SAML_GROUPATTRIBUTE,
externalGroups: toArrayConfig(process.env.CMD_SAML_EXTERNALGROUPS, '|', []),
requiredGroups: toArrayConfig(process.env.CMD_SAML_REQUIREDGROUPS, '|', []),
diff --git a/lib/config/hackmdEnvironment.js b/lib/config/hackmdEnvironment.js
index e1c11569..dcfda0bc 100644
--- a/lib/config/hackmdEnvironment.js
+++ b/lib/config/hackmdEnvironment.js
@@ -1,6 +1,6 @@
'use strict'
-const {toBooleanConfig, toArrayConfig, toIntegerConfig} = require('./utils')
+const { toBooleanConfig, toArrayConfig, toIntegerConfig } = require('./utils')
module.exports = {
domain: process.env.HMD_DOMAIN,
@@ -10,7 +10,7 @@ module.exports = {
useSSL: toBooleanConfig(process.env.HMD_USESSL),
hsts: {
enable: toBooleanConfig(process.env.HMD_HSTS_ENABLE),
- maxAgeSeconds: process.env.HMD_HSTS_MAX_AGE,
+ maxAgeSeconds: toIntegerConfig(process.env.HMD_HSTS_MAX_AGE),
includeSubdomains: toBooleanConfig(process.env.HMD_HSTS_INCLUDE_SUBDOMAINS),
preload: toBooleanConfig(process.env.HMD_HSTS_PRELOAD)
},
@@ -109,6 +109,7 @@ module.exports = {
idpCert: process.env.HMD_SAML_IDPCERT,
issuer: process.env.HMD_SAML_ISSUER,
identifierFormat: process.env.HMD_SAML_IDENTIFIERFORMAT,
+ disableRequestedAuthnContext: toBooleanConfig(process.env.HMD_SAML_DISABLEREQUESTEDAUTHNCONTEXT),
groupAttribute: process.env.HMD_SAML_GROUPATTRIBUTE,
externalGroups: toArrayConfig(process.env.HMD_SAML_EXTERNALGROUPS, '|', []),
requiredGroups: toArrayConfig(process.env.HMD_SAML_REQUIREDGROUPS, '|', []),
diff --git a/lib/config/index.js b/lib/config/index.js
index cbe6c39c..ee4817b3 100644
--- a/lib/config/index.js
+++ b/lib/config/index.js
@@ -4,11 +4,11 @@
const crypto = require('crypto')
const fs = require('fs')
const path = require('path')
-const {merge} = require('lodash')
+const { merge } = require('lodash')
const deepFreeze = require('deep-freeze')
-const {Environment, Permission} = require('./enum')
+const { Environment, Permission } = require('./enum')
const logger = require('../logger')
-const {getGitCommit, getGitHubURL} = require('./utils')
+const { getGitCommit, getGitHubURL } = require('./utils')
const appRootPath = path.resolve(__dirname, '../../')
const env = process.env.NODE_ENV || Environment.development
@@ -17,7 +17,7 @@ const debugConfig = {
}
// Get version string from package.json
-const {version, repository} = require(path.join(appRootPath, 'package.json'))
+const { version, repository } = require(path.join(appRootPath, 'package.json'))
const commitID = getGitCommit(appRootPath)
const sourceURL = getGitHubURL(repository.url, commitID || version)
@@ -128,7 +128,7 @@ if (config.gitlab && config.gitlab.version !== 'v4' && config.gitlab.version !==
config.gitlab.version = 'v4'
}
// If gitlab scope is api, enable snippets Export/import
-config.isGitlabSnippetsEnable = (!config.gitlab.scope || config.gitlab.scope === 'api')
+config.isGitlabSnippetsEnable = (!config.gitlab.scope || config.gitlab.scope === 'api') && config.isGitLabEnable
// Only update i18n files in development setups
config.updateI18nFiles = (env === Environment.development)
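Review bot: The rewritten `config.isGitlabSnippetsEnable` line still dereferences `config.gitlab.scope` before it consults `config.isGitLabEnable`, while the condition just above guards with `config.gitlab &&`, which suggests `config.gitlab` may be unset. Putting the enable flag first avoids the dereference in that case and keeps the result a boolean: `config.isGitlabSnippetsEnable = Boolean(config.isGitLabEnable && config.gitlab && (!config.gitlab.scope || config.gitlab.scope === 'api'))`. Where `config.isGitLabEnable` is assigned is outside this hunk, so it should be confirmed that it is set before this line runs.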
@@ -152,20 +152,20 @@ for (let i = keys.length; i--;) {
// Notify users about the prefix change and inform them they use legacy prefix for environment variables
if (Object.keys(process.env).toString().indexOf('HMD_') !== -1) {
- logger.warn('Using legacy HMD prefix for environment variables. Please change your variables in future. For details see: https://github.com/hackmdio/codimd#environment-variables-will-overwrite-other-server-configs')
+ logger.warn('Using legacy HMD prefix for environment variables. Please change your variables in future. For details see: https://github.com/codimd/server#environment-variables-will-overwrite-other-server-configs')
}
// Generate session secret if it stays on default values
if (config.sessionSecret === 'secret') {
logger.warn('Session secret not set. Using random generated one. Please set `sessionSecret` in your config.js file. All users will be logged out.')
config.sessionSecret = crypto.randomBytes(Math.ceil(config.sessionSecretLen / 2)) // generate crypto graphic random number
- .toString('hex') // convert to hexadecimal format
- .slice(0, config.sessionSecretLen) // return required number of characters
+ .toString('hex') // convert to hexadecimal format
+ .slice(0, config.sessionSecretLen) // return required number of characters
}
// Validate upload upload providers
-if (['filesystem', 's3', 'minio', 'imgur', 'azure'].indexOf(config.imageUploadType) === -1) {
- logger.error('"imageuploadtype" is not correctly set. Please use "filesystem", "s3", "minio", "azure" or "imgur". Defaulting to "filesystem"')
+if (['filesystem', 's3', 'minio', 'imgur', 'azure', 'lutim'].indexOf(config.imageUploadType) === -1) {
+ logger.error('"imageuploadtype" is not correctly set. Please use "filesystem", "s3", "minio", "azure", "lutim" or "imgur". Defaulting to "filesystem"')
config.imageUploadType = 'filesystem'
}
@@ -189,6 +189,12 @@ switch (config.imageUploadType) {
]
}
+// Disable PDF export due to security issue
+if (config.allowPDFExport) {
+ config.allowPDFExport = false
+ logger.warn('PDF export was disabled for this release to mitigate a critical security issue. This feature will hopefully become available again in future releases.')
+}
+
// generate correct path
config.sslCAPath.forEach(function (capath, i, array) {
array[i] = path.resolve(appRootPath, capath)
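Review bot: The new block forces `config.allowPDFExport` to false, but it only protects the deployment if every PDF code path consults that flag; the export handler is not part of this diff, so that should be confirmed. The comment and the warning do not say which issue is being mitigated, so a later maintainer cannot tell when the override is safe to remove. Something like `// Disable PDF export until <advisory-id placeholder> is fixed; the export route must also check this flag` would record that.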
diff --git a/lib/config/oldEnvironment.js b/lib/config/oldEnvironment.js
index a3b13cb9..06047553 100644
--- a/lib/config/oldEnvironment.js
+++ b/lib/config/oldEnvironment.js
@@ -1,6 +1,6 @@
'use strict'
-const {toBooleanConfig} = require('./utils')
+const { toBooleanConfig } = require('./utils')
module.exports = {
debug: toBooleanConfig(process.env.DEBUG),