diff options
Diffstat (limited to 'lib')
| -rw-r--r-- | lib/config/default.js | 15 | ||||
| -rw-r--r-- | lib/config/environment.js | 11 | ||||
| -rw-r--r-- | lib/config/index.js | 2 | ||||
| -rw-r--r-- | lib/csp.js | 80 | ||||
| -rw-r--r-- | lib/realtime.js | 2 | ||||
| -rw-r--r-- | lib/response.js | 8 | ||||
| -rw-r--r-- | lib/web/imageRouter.js | 34 | ||||
| -rw-r--r-- | lib/web/noteRouter.js | 4 | ||||
| -rw-r--r-- | lib/web/utils.js | 7 |
9 files changed, 159 insertions, 4 deletions
diff --git a/lib/config/default.js b/lib/config/default.js index 40803476..28f4490c 100644 --- a/lib/config/default.js +++ b/lib/config/default.js @@ -13,9 +13,17 @@ module.exports = { includeSubdomains: true, preload: true }, + csp: { + enable: true, + directives: { + }, + addDefaults: true, + upgradeInsecureRequests: 'auto' + }, protocolusessl: false, usecdn: true, allowanonymous: true, + allowanonymousedits: false, allowfreeurl: false, defaultpermission: 'editable', dburl: '', @@ -54,6 +62,13 @@ module.exports = { secretAccessKey: undefined, region: undefined }, + minio: { + accessKey: undefined, + secretKey: undefined, + endPoint: undefined, + secure: true, + port: 9000 + }, s3bucket: undefined, // authentication facebook: { diff --git a/lib/config/environment.js b/lib/config/environment.js index 5a297382..e2112b6a 100644 --- a/lib/config/environment.js +++ b/lib/config/environment.js @@ -14,10 +14,14 @@ module.exports = { includeSubdomains: toBooleanConfig(process.env.HMD_HSTS_INCLUDE_SUBDOMAINS), preload: toBooleanConfig(process.env.HMD_HSTS_PRELOAD) }, + csp: { + enable: toBooleanConfig(process.env.HMD_CSP_ENABLE) + }, protocolusessl: toBooleanConfig(process.env.HMD_PROTOCOL_USESSL), alloworigin: toArrayConfig(process.env.HMD_ALLOW_ORIGIN), usecdn: toBooleanConfig(process.env.HMD_USECDN), allowanonymous: toBooleanConfig(process.env.HMD_ALLOW_ANONYMOUS), + allowanonymousedits: toBooleanConfig(process.env.HMD_ALLOW_ANONYMOUS_EDITS), allowfreeurl: toBooleanConfig(process.env.HMD_ALLOW_FREEURL), defaultpermission: process.env.HMD_DEFAULT_PERMISSION, dburl: process.env.HMD_DB_URL, @@ -30,6 +34,13 @@ module.exports = { secretAccessKey: process.env.HMD_S3_SECRET_ACCESS_KEY, region: process.env.HMD_S3_REGION }, + minio: { + accessKey: process.env.HMD_MINIO_ACCESS_KEY, + secretKey: process.env.HMD_MINIO_SECRET_KEY, + endPoint: process.env.HMD_MINIO_ENDPOINT, + secure: toBooleanConfig(process.env.HMD_MINIO_SECURE), + port: process.env.HMD_MINIO_PORT + }, s3bucket: process.env.HMD_S3_BUCKET, facebook: { clientID: process.env.HMD_FACEBOOK_CLIENTID, diff --git a/lib/config/index.js b/lib/config/index.js index 13c4692c..4f6b4b6a 100644 --- a/lib/config/index.js +++ b/lib/config/index.js @@ -49,7 +49,7 @@ if (config.ldap.tlsca) { // Permission config.permission = Permission -if (!config.allowanonymous) { +if (!config.allowanonymous && !config.allowanonymousedits) { delete config.permission.freely } if (!(config.defaultpermission in config.permission)) { diff --git a/lib/csp.js b/lib/csp.js new file mode 100644 index 00000000..509bc530 --- /dev/null +++ b/lib/csp.js @@ -0,0 +1,80 @@ +var config = require('./config') +var uuid = require('uuid') + +var CspStrategy = {} + +var defaultDirectives = { + defaultSrc: ['\'self\''], + scriptSrc: ['\'self\'', 'vimeo.com', 'https://gist.github.com', 'www.slideshare.net', 'https://query.yahooapis.com', 'https://*.disqus.com', '\'unsafe-eval\''], + // ^ TODO: Remove unsafe-eval - webpack script-loader issues https://github.com/hackmdio/hackmd/issues/594 + imgSrc: ['*'], + styleSrc: ['\'self\'', '\'unsafe-inline\'', 'https://assets-cdn.github.com'], // unsafe-inline is required for some libs, plus used in views + fontSrc: ['\'self\'', 'https://public.slidesharecdn.com'], + objectSrc: ['*'], // Chrome PDF viewer treats PDFs as objects :/ + childSrc: ['*'], + connectSrc: ['*'] +} + +var cdnDirectives = { + scriptSrc: ['https://cdnjs.cloudflare.com', 'https://cdn.mathjax.org'], + styleSrc: ['https://cdnjs.cloudflare.com', 'https://fonts.googleapis.com'], + fontSrc: ['https://cdnjs.cloudflare.com', 'https://fonts.gstatic.com'] +} + +CspStrategy.computeDirectives = function () { + var directives = {} + mergeDirectives(directives, config.csp.directives) + mergeDirectivesIf(config.csp.addDefaults, directives, defaultDirectives) + mergeDirectivesIf(config.usecdn, directives, cdnDirectives) + if (!areAllInlineScriptsAllowed(directives)) { + addInlineScriptExceptions(directives) + } + addUpgradeUnsafeRequestsOptionTo(directives) + return directives +} + +function mergeDirectives (existingDirectives, newDirectives) { + for (var propertyName in newDirectives) { + var newDirective = newDirectives[propertyName] + if (newDirective) { + var existingDirective = existingDirectives[propertyName] || [] + existingDirectives[propertyName] = existingDirective.concat(newDirective) + } + } +} + +function mergeDirectivesIf (condition, existingDirectives, newDirectives) { + if (condition) { + mergeDirectives(existingDirectives, newDirectives) + } +} + +function areAllInlineScriptsAllowed (directives) { + return directives.scriptSrc.indexOf('\'unsafe-inline\'') !== -1 +} + +function addInlineScriptExceptions (directives) { + directives.scriptSrc.push(getCspNonce) + // TODO: This is the SHA-256 hash of the inline script in build/reveal.js/plugins/notes/notes.html + // Any more clean solution appreciated. + directives.scriptSrc.push('\'sha256-EtvSSxRwce5cLeFBZbvZvDrTiRoyoXbWWwvEVciM5Ag=\'') +} + +function getCspNonce (req, res) { + return "'nonce-" + res.locals.nonce + "'" +} + +function addUpgradeUnsafeRequestsOptionTo (directives) { + if (config.csp.upgradeInsecureRequests === 'auto' && config.usessl) { + directives.upgradeInsecureRequests = true + } else if (config.csp.upgradeInsecureRequests === true) { + directives.upgradeInsecureRequests = true + } +} + +CspStrategy.addNonceToLocals = function (req, res, next) { + res.locals.nonce = uuid.v4() + next() +} + +module.exports = CspStrategy diff --git a/lib/realtime.js b/lib/realtime.js index e03e2d0b..c731e5b0 100644 --- a/lib/realtime.js +++ b/lib/realtime.js @@ -781,7 +781,7 @@ function connection (socket) { var note = notes[noteId] // Only owner can change permission if (note.owner && note.owner === socket.request.user.id) { - if (permission === 'freely' && !config.allowanonymous) return + if (permission === 'freely' && !config.allowanonymous && !config.allowanonymousedits) return note.permission = permission models.Note.update({ permission: permission diff --git a/lib/response.js b/lib/response.js index 9f3d5a44..445aa0d7 100644 --- a/lib/response.js +++ b/lib/response.js @@ -60,6 +60,7 @@ function showIndex (req, res, next) { url: config.serverurl, useCDN: config.usecdn, allowAnonymous: config.allowanonymous, + allowAnonymousEdits: config.allowanonymousedits, facebook: config.isFacebookEnable, twitter: config.isTwitterEnable, github: config.isGitHubEnable, @@ -93,6 +94,7 @@ function responseHackMD (res, note) { title: title, useCDN: config.usecdn, allowAnonymous: config.allowanonymous, + allowAnonymousEdits: config.allowanonymousedits, facebook: config.isFacebookEnable, twitter: config.isTwitterEnable, github: config.isGitHubEnable, @@ -117,7 +119,8 @@ function newNote (req, res, next) { } models.Note.create({ ownerId: owner, - alias: req.alias ? req.alias : null + alias: req.alias ? req.alias : null, + content: req.body ? req.body : '' }).then(function (note) { return res.redirect(config.serverurl + '/' + LZString.compressToBase64(note.id)) }).catch(function (err) { @@ -595,7 +598,8 @@ function showPublishSlide (req, res, next) { lastchangeuserprofile: note.lastchangeuser ? models.User.getProfile(note.lastchangeuser) : null, robots: meta.robots || false, // default allow robots GA: meta.GA, - disqus: meta.disqus + disqus: meta.disqus, + cspNonce: res.locals.nonce } return renderPublishSlide(data, res) }).catch(function (err) { diff --git a/lib/web/imageRouter.js b/lib/web/imageRouter.js index bebab302..b17cccbd 100644 --- a/lib/web/imageRouter.js +++ b/lib/web/imageRouter.js @@ -73,6 +73,40 @@ imageRouter.post('/uploadimage', function (req, res) { }) }) break + + case 'minio': + var utils = require('../utils') + var Minio = require('minio') + var minioClient = new Minio.Client({ + endPoint: config.minio.endPoint, + port: config.minio.port, + secure: config.minio.secure, + accessKey: config.minio.accessKey, + secretKey: config.minio.secretKey + }) + fs.readFile(files.image.path, function (err, buffer) { + if (err) { + logger.error(err) + res.status(500).end('upload image error') + return + } + + var key = path.join('uploads', path.basename(files.image.path)) + var protocol = config.minio.secure ? 'https' : 'http' + + minioClient.putObject(config.s3bucket, key, buffer, buffer.size, utils.getImageMimeType(files.image.path), function (err, data) { + if (err) { + logger.error(err) + res.status(500).end('upload image error') + return + } + res.send({ + link: `${protocol}://${config.minio.endPoint}:${config.minio.port}/${config.s3bucket}/${key}` + }) + }) + }) + break + case 'imgur': default: imgur.setClientId(config.imgur.clientID) diff --git a/lib/web/noteRouter.js b/lib/web/noteRouter.js index 007c02c2..41bf5f73 100644 --- a/lib/web/noteRouter.js +++ b/lib/web/noteRouter.js @@ -4,10 +4,14 @@ const Router = require('express').Router const response = require('../response') +const {markdownParser} = require('./utils') + const noteRouter = module.exports = Router() // get new note noteRouter.get('/new', response.newNote) +// post new note with content +noteRouter.post('/new', markdownParser, response.newNote) // get publish note noteRouter.get('/s/:shortid', response.showPublishNote) // publish note actions diff --git a/lib/web/utils.js b/lib/web/utils.js index c9016523..d58294ad 100644 --- a/lib/web/utils.js +++ b/lib/web/utils.js @@ -7,3 +7,10 @@ exports.urlencodedParser = bodyParser.urlencoded({ extended: false, limit: 1024 * 1024 * 10 // 10 mb }) + +// create text/markdown parser +exports.markdownParser = bodyParser.text({ + inflate: true, + type: ['text/plain', 'text/markdown'], + limit: 1024 * 1024 * 10 // 10 mb +}) |