Diffstat (limited to 'lib')
-rw-r--r-- | lib/config/default.js | 2 | ||||
-rw-r--r-- | lib/config/environment.js | 2 | ||||
-rw-r--r-- | lib/config/hackmdEnvironment.js | 2 | ||||
-rw-r--r-- | lib/config/index.js | 8 | ||||
-rw-r--r-- | lib/csp.js | 6 | ||||
-rw-r--r-- | lib/letter-avatars.js | 11 | ||||
-rw-r--r-- | lib/response.js | 4 | ||||
-rw-r--r-- | lib/web/auth/google/index.js | 3 | ||||
-rw-r--r-- | lib/web/auth/oauth2/index.js | 4 | ||||
-rw-r--r-- | lib/web/auth/openid/index.js | 4 | ||||
-rw-r--r-- | lib/web/imageRouter/filesystem.js | 4 | ||||
-rw-r--r-- | lib/web/userRouter.js | 20 |
12 files changed, 41 insertions, 29 deletions
diff --git a/lib/config/default.js b/lib/config/default.js
index 5a7ae0a0..9e401f38 100644
--- a/lib/config/default.js
+++ b/lib/config/default.js
@@ -151,5 +151,5 @@ module.exports = {
   allowEmailRegister: true,
   allowGravatar: true,
   allowPDFExport: true,
-  openID: true
+  openID: false
 }
diff --git a/lib/config/environment.js b/lib/config/environment.js
index a57fe0db..fc757cf1 100644
--- a/lib/config/environment.js
+++ b/lib/config/environment.js
@@ -14,7 +14,7 @@ module.exports = {
   useSSL: toBooleanConfig(process.env.CMD_USESSL),
   hsts: {
     enable: toBooleanConfig(process.env.CMD_HSTS_ENABLE),
-    maxAgeSeconds: process.env.CMD_HSTS_MAX_AGE,
+    maxAgeSeconds: toIntegerConfig(process.env.CMD_HSTS_MAX_AGE),
     includeSubdomains: toBooleanConfig(process.env.CMD_HSTS_INCLUDE_SUBDOMAINS),
     preload: toBooleanConfig(process.env.CMD_HSTS_PRELOAD)
   },
diff --git a/lib/config/hackmdEnvironment.js b/lib/config/hackmdEnvironment.js
index e1c11569..bc20e58a 100644
--- a/lib/config/hackmdEnvironment.js
+++ b/lib/config/hackmdEnvironment.js
@@ -10,7 +10,7 @@ module.exports = {
   useSSL: toBooleanConfig(process.env.HMD_USESSL),
   hsts: {
     enable: toBooleanConfig(process.env.HMD_HSTS_ENABLE),
-    maxAgeSeconds: process.env.HMD_HSTS_MAX_AGE,
+    maxAgeSeconds: toIntegerConfig(process.env.HMD_HSTS_MAX_AGE),
     includeSubdomains: toBooleanConfig(process.env.HMD_HSTS_INCLUDE_SUBDOMAINS),
     preload: toBooleanConfig(process.env.HMD_HSTS_PRELOAD)
   },
diff --git a/lib/config/index.js b/lib/config/index.js
index c1005b0b..e5d02dc1 100644
--- a/lib/config/index.js
+++ b/lib/config/index.js
@@ -101,6 +101,10 @@ config.serverURL = (function getserverurl () {
   return url
 })()
 
+if (config.serverURL === '') {
+  logger.warn('Neither \'domain\' nor \'CMD_DOMAIN\' is configured. This can cause issues with various components.\nHint: Make sure \'protocolUseSSL\' and \'urlAddPort\' or \'CMD_PROTOCOL_USESSL\' and \'CMD_URL_ADDPORT\' are configured properly.')
+}
+
 config.Environment = Environment
 
 // auth method
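Review bot: `toIntegerConfig(process.env.CMD_HSTS_MAX_AGE)` on the `maxAgeSeconds` line hands the header builder whatever the helper returns for an unset or non-numeric variable (the helper is not shown; presumably undefined or NaN), and a `Strict-Transport-Security: max-age=NaN` header is discarded by browsers, which silently turns HSTS off. Wherever the header is assembled (outside this hunk), fall back to the default.js value and log a warning when the parsed value is not a finite non-negative integer, e.g. `if (!Number.isInteger(maxAge) || maxAge < 0) { logger.warn('hsts.maxAgeSeconds is invalid, using default'); maxAge = defaultMaxAge }`. The same check applies to the parallel `HMD_HSTS_MAX_AGE` line in hackmdEnvironment.js. Also confirm `toIntegerConfig` is imported next to `toBooleanConfig` at the top of this file, which is outside the hunk.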
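Review bot: `if (config.serverURL === '')` fires only on the empty string; if `getserverurl` (its body begins above this hunk) can yield undefined or null, the warning is skipped in exactly the situation it exists for, so `if (!config.serverURL) {` is the safer guard. The message could also name the consequence that matters most: OAuth callback URLs, post-login redirects and upload links are all built from `serverURL` elsewhere in this commit, so append something like `Absolute URLs (OAuth callbacks, redirects, upload links) will be built from an empty base.` to the warning text.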
@@ -124,7 +128,7 @@ if (config.gitlab && config.gitlab.version !== 'v4' && config.gitlab.version !==
   config.gitlab.version = 'v4'
 }
 // If gitlab scope is api, enable snippets Export/import
-config.isGitlabSnippetsEnable = (!config.gitlab.scope || config.gitlab.scope === 'api')
+config.isGitlabSnippetsEnable = (!config.gitlab.scope || config.gitlab.scope === 'api') && config.isGitLabEnable
 
 // Only update i18n files in development setups
 config.updateI18nFiles = (env === Environment.development)
@@ -161,7 +165,7 @@ if (config.sessionSecret === 'secret') {
 
 // Validate upload upload providers
 if (['filesystem', 's3', 'minio', 'imgur', 'azure'].indexOf(config.imageUploadType) === -1) {
-  logger.error('"imageuploadtype" is not correctly set. Please use "filesystem", "s3", "minio", "azure" or "imgur". Defaulting to "imgur"')
+  logger.error('"imageuploadtype" is not correctly set. Please use "filesystem", "s3", "minio", "azure" or "imgur". Defaulting to "filesystem"')
   config.imageUploadType = 'filesystem'
 }
 
@@ -8,7 +8,7 @@ var defaultDirectives = {
   scriptSrc: ['\'self\'', 'vimeo.com', 'https://gist.github.com', 'www.slideshare.net', 'https://query.yahooapis.com', '\'unsafe-eval\''],
   // ^ TODO: Remove unsafe-eval - webpack script-loader issues https://github.com/hackmdio/codimd/issues/594
   imgSrc: ['*'],
-  styleSrc: ['\'self\'', '\'unsafe-inline\'', 'https://assets-cdn.github.com'], // unsafe-inline is required for some libs, plus used in views
+  styleSrc: ['\'self\'', '\'unsafe-inline\'', 'https://github.githubassets.com'], // unsafe-inline is required for some libs, plus used in views
   fontSrc: ['\'self\'', 'data:', 'https://public.slidesharecdn.com'],
   objectSrc: ['*'], // Chrome PDF viewer treats PDFs as objects :/
   mediaSrc: ['*'],
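Review bot: The new `'https://github.githubassets.com'` entry in `styleSrc` carries no comment saying what it is for, so the next person tightening this policy cannot tell whether it can go; add `// stylesheet pulled in by embedded gist.github.com content — confirm still needed on upgrade` beside it (the purpose is inferred from the adjacent gist.github.com script source, not stated in the hunk). If the stylesheet path is stable, narrow the source to a path prefix such as `'https://github.githubassets.com/assets/'`, which CSP Level 2 and later match, instead of allowing every stylesheet on the host. The `defaultDirectives` object continues past the end of the hunk.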
@@ -23,7 +23,7 @@ var cdnDirectives = {
 }
 
 var disqusDirectives = {
-  scriptSrc: ['https://*.disqus.com', 'https://*.disquscdn.com'],
+  scriptSrc: ['https://disqus.com', 'https://*.disqus.com', 'https://*.disquscdn.com'],
   styleSrc: ['https://*.disquscdn.com'],
   fontSrc: ['https://*.disquscdn.com']
 }
@@ -71,7 +71,7 @@ function addInlineScriptExceptions (directives) {
   directives.scriptSrc.push(getCspNonce)
   // TODO: This is the SHA-256 hash of the inline script in build/reveal.js/plugins/notes/notes.html
   // Any more clean solution appreciated.
-  directives.scriptSrc.push('\'sha256-L0TsyAQLAc0koby5DCbFAwFfRs9ZxesA+4xg0QDSrdI=\'')
+  directives.scriptSrc.push('\'sha256-Lc+VnBdinzYTTAkFrIoUqdoA9EQFeS1AF9ybmF+LLfM=\'')
 }
 
 function getCspNonce (req, res) {
diff --git a/lib/letter-avatars.js b/lib/letter-avatars.js
index 55cf9c3a..a5dd8207 100644
--- a/lib/letter-avatars.js
+++ b/lib/letter-avatars.js
@@ -1,6 +1,6 @@
 'use strict'
 // external modules
-const md5 = require('blueimp-md5')
+const crypto = require('crypto')
 const randomcolor = require('randomcolor')
 
 const config = require('./config')
@@ -30,16 +30,21 @@ exports.generateAvatarURL = function (name, email = '', big = true) {
   if (typeof email !== 'string') {
     email = '' + name + '@example.com'
   }
+  name=encodeURIComponent(name)
+
+  let hash = crypto.createHash('md5')
+  hash.update(email.toLowerCase())
+  let hexDigest = hash.digest('hex')
 
   if (email !== '' && config.allowGravatar) {
-    photo = 'https://www.gravatar.com/avatar/' + md5(email.toLowerCase())
+    photo = 'https://www.gravatar.com/avatar/' + hexDigest;
     if (big) {
       photo += '?s=400'
     } else {
       photo += '?s=96'
     }
   } else {
-    photo = config.serverURL + '/user/' + (name || email.substring(0, email.lastIndexOf('@')) || md5(email.toLowerCase())) + '/avatar.svg'
+    photo = config.serverURL + '/user/' + (name || email.substring(0, email.lastIndexOf('@')) || hexDigest) + '/avatar.svg'
   }
   return photo
 }
diff --git a/lib/response.js b/lib/response.js
index b94f473a..76793a46 100644
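Review bot: The added `'https://disqus.com'` entry needs a why-comment, because a reader will assume the existing `https://*.disqus.com` wildcard already covers it and remove it; a CSP host-source wildcard matches subdomains only, never the apex host. Suggest `scriptSrc: ['https://disqus.com', 'https://*.disqus.com', 'https://*.disquscdn.com'], // *.disqus.com does not match the apex host, which the embed also loads scripts from`.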
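Review bot: The replaced `'sha256-Lc+VnBdinzYTTAkFrIoUqdoA9EQFeS1AF9ybmF+LLfM='` value is hand-maintained and will silently go stale on the next reveal.js bump, at which point the speaker-notes inline script is blocked with nothing in the server logs pointing here; the TODO above it already concedes this. Until it is computed at build time, record how to regenerate it beside the value, e.g. `// regenerate after a reveal.js upgrade: hash the exact <script> body from build/reveal.js/plugins/notes/notes.html with: openssl dgst -sha256 -binary | openssl base64`. `addInlineScriptExceptions` begins above this hunk, on the header line.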
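Review bot: `name=encodeURIComponent(name)` encodes the name, but the else branch still splices the raw local part of `email` (`email.substring(0, email.lastIndexOf('@'))`) into the URL path, so an address containing `/`, `?` or `#` before the `@` yields a broken or mis-routed avatar URL; wrap that operand in `encodeURIComponent(...)` too. Note also that `encodeURIComponent(undefined)` returns the string `'undefined'`, which is truthy, so if callers can omit `name` (the `name ||` fallback suggests they can) the email and hash fallbacks never run; guard it with `if (name) name = encodeURIComponent(name)`. Style: `hash` and `hexDigest` are never reassigned and should be `const`, and the trailing `;` and missing spaces around `=` break the file's StandardJS formatting.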
--- a/lib/response.js
+++ b/lib/response.js
@@ -23,7 +23,7 @@ var response = {
       responseError(res, '403', 'Forbidden', 'oh no.')
     } else {
       req.flash('error', 'You are not allowed to access this page. Maybe try logging in?')
-      res.redirect(config.serverURL)
+      res.redirect(config.serverURL + '/')
     }
   },
   errorNotFound: function (res) {
@@ -320,7 +320,7 @@ function actionPDF (req, res, note) {
       res.setHeader('Content-Type', 'application/pdf; charset=UTF-8')
       res.setHeader('X-Robots-Tag', 'noindex, nofollow') // prevent crawling
       stream.pipe(res)
-      fs.unlink(path)
+      fs.unlinkSync(path)
     })
   }
 
diff --git a/lib/web/auth/google/index.js b/lib/web/auth/google/index.js
index 60282cf5..0a4fd55e 100644
--- a/lib/web/auth/google/index.js
+++ b/lib/web/auth/google/index.js
@@ -11,7 +11,8 @@ let googleAuth = module.exports = Router()
 passport.use(new GoogleStrategy({
   clientID: config.google.clientID,
   clientSecret: config.google.clientSecret,
-  callbackURL: config.serverURL + '/auth/google/callback'
+  callbackURL: config.serverURL + '/auth/google/callback',
+  userProfileURL: "https://www.googleapis.com/oauth2/v3/userinfo"
 }, passportGeneralCallback))
 
 googleAuth.get('/auth/google', function (req, res, next) {
diff --git a/lib/web/auth/oauth2/index.js b/lib/web/auth/oauth2/index.js
index b9160f6e..57ab9b9a 100644
--- a/lib/web/auth/oauth2/index.js
+++ b/lib/web/auth/oauth2/index.js
@@ -100,7 +100,7 @@ oauth2Auth.get('/auth/oauth2', function (req, res, next) {
 // github auth callback
 oauth2Auth.get('/auth/oauth2/callback',
   passport.authenticate('oauth2', {
-    successReturnToOrRedirect: config.serverurl + '/',
-    failureRedirect: config.serverurl + '/'
+    successReturnToOrRedirect: config.serverURL + '/',
+    failureRedirect: config.serverURL + '/'
   })
 )
diff --git a/lib/web/auth/openid/index.js b/lib/web/auth/openid/index.js
index 96f61807..c45c6d71 100644
--- a/lib/web/auth/openid/index.js
+++ b/lib/web/auth/openid/index.js
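Review bot: `fs.unlinkSync(path)` now runs synchronously right after `stream.pipe(res)`, before the piped stream is guaranteed to have opened the file; if `stream` is an `fs.createReadStream` created just above (outside this hunk) the asynchronous open can race the unlink and fail with ENOENT, and on Windows unlinking a file that is still open fails outright, turning the old silent leak into a synchronous throw inside the callback. Delete the file when the stream finishes instead: `stream.on('close', () => fs.unlink(path, (err) => { if (err) logger.error(err) }))`, assuming `logger` is in scope here as it is in the other files of this commit. `actionPDF` starts and ends outside the hunk.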
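Review bot: The added `userProfileURL: "https://www.googleapis.com/oauth2/v3/userinfo"` line uses double quotes while every other string in this hunk and the neighbouring auth modules uses single quotes (StandardJS), so write `userProfileURL: 'https://www.googleapis.com/oauth2/v3/userinfo'`. A why-comment would also help, because overriding the strategy's default endpoint is not self-explanatory; presumably the default profile endpoint is being retired, in which case `// use the OpenID Connect userinfo endpoint instead of the strategy's default profile URL` says enough.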
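Review bot: The `// github auth callback` comment immediately above the fixed lines is wrong for this file — this is the generic OAuth2 route, not GitHub's — and should read `// oauth2 auth callback`. Beyond the `serverurl` → `serverURL` typo fix, `successReturnToOrRedirect` sends the user to `req.session.returnTo` when that is set; wherever it is written (not visible here), confirm it is constrained to a relative path on this origin, otherwise a crafted login link becomes an open redirect after a successful login.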
@@ -55,7 +55,7 @@ openIDAuth.post('/auth/openid', urlencodedParser, function (req, res, next) {
 // openID auth callback
 openIDAuth.get('/auth/openid/callback',
   passport.authenticate('openid', {
-    successReturnToOrRedirect: config.serverurl + '/',
-    failureRedirect: config.serverurl + '/'
+    successReturnToOrRedirect: config.serverURL + '/',
+    failureRedirect: config.serverURL + '/'
   })
 )
diff --git a/lib/web/imageRouter/filesystem.js b/lib/web/imageRouter/filesystem.js
index a2f8700d..7c876d66 100644
--- a/lib/web/imageRouter/filesystem.js
+++ b/lib/web/imageRouter/filesystem.js
@@ -1,5 +1,5 @@
 'use strict'
-const url = require('url')
+const URL = require('url').URL
 const path = require('path')
 
 const config = require('../../config')
@@ -16,5 +16,5 @@ exports.uploadImage = function (imagePath, callback) {
     return
   }
 
-  callback(null, url.URL.resolve(config.serverURL + '/uploads/', path.basename(imagePath)))
+  callback(null, (new URL(path.basename(imagePath), config.serverURL + '/uploads/')).href)
 }
diff --git a/lib/web/userRouter.js b/lib/web/userRouter.js
index db786d53..ca364422 100644
--- a/lib/web/userRouter.js
+++ b/lib/web/userRouter.js
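Review bot: `new URL(path.basename(imagePath), config.serverURL + '/uploads/')` throws `TypeError: Invalid URL` when `config.serverURL` is empty, a configuration this same commit explicitly tolerates with only a warning in lib/config/index.js, and an uncaught throw in a callback-style function fails the upload request instead of reporting it. Wrap the call so the error reaches the caller: `try { callback(null, new URL(path.basename(imagePath), config.serverURL + '/uploads/').href) } catch (err) { callback(err) }`. The outer parentheses around `new URL(...)` are redundant and can go at the same time.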
@@ -90,18 +90,20 @@ UserRouter.get('/me/export', function (req, res) {
         ownerId: user.id
       }
     }).then(function (notes) {
-      let list = []
+      let filenames = {}
       async.each(notes, function (note, callback) {
-        let title
-        let extension = ''
+        let basename = note.title.replace(/\//g, '-') // Prevent subdirectories
+        let filename
+        let suffix = ''
         do {
-          title = note.title + extension
-          extension++
-        } while (list.indexOf(title) !== -1)
+          let seperator = typeof suffix === 'number' ? '-' : ''
+          filename = basename + seperator + suffix + '.md'
+          suffix++
+        } while (filenames[filename])
+        filenames[filename] = true
 
-        list.push(title)
-        logger.debug('Write: ' + title + '.md')
-        archive.append(Buffer.from(note.content), { name: title + '.md', date: note.lastchangeAt })
+        logger.debug('Write: ' + filename)
+        archive.append(Buffer.from(note.content), { name: filename, date: note.lastchangeAt })
         callback(null, null)
       }, function (err) {
         if (err) {
|
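Review bot: `note.title.replace(/\//g, '-')` only neutralises forward slashes, but `\` is also treated as a path separator by common zip extractors on Windows, and a title that is empty or only dots still yields entries such as `.md` or `...md`; use `let basename = note.title.replace(/[\\/\u0000-\u001f]/g, '-') || 'untitled'`, and if notes can exist without a title (not visible here) guard against `note.title` being null first. The `let suffix = ''` / `typeof suffix === 'number'` trick relies on `''++` becoming `1` and is hard to read; `let suffix = 0` with `filename = basename + (suffix === 0 ? '' : '-' + suffix) + '.md'` produces the same names plainly, and `seperator` is misspelled. The `then` callback and the `async.each` completion handler continue past the end of the hunk.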