Commit message | Author | Age | Files | Lines

* Uninstall scrypt-async | David Mehren | 2021-04-26 | 2 files | -6/+0
  Signed-off-by: David Mehren <git@herrmehren.de>

* Remove unneeded polyfill | Erik Michelson | 2021-04-26 | 1 file | -9/+0
  This polyfill was added because node versions less than 10.5.0 didn't include scrypt support. As we now raised the minimum required version to 12.0.0, this polyfill isn't needed anymore.
  Signed-off-by: Erik Michelson <opensource@erik.michelson.eu>

* Merge pull request #1193 from hedgedoc/fix/logo-in-readme | Yannick Bungers | 2021-04-25 | 1 file | -1/+1
  Fix logo link in README.md

* Fix logo link in README.md | Tilman Vatteroth | 2021-04-25 | 1 file | -1/+1
  Signed-off-by: Tilman Vatteroth <git@tilmanvatteroth.de>

* Merge pull request from GHSA-p528-555r-pf87 | David Mehren | 2021-04-25 | 1 file | -3/+3
  Fix Relative Path Traversal Attack on note creation

* Fix Relative Path Traversal Attack on note creation | Sheogorath | 2021-04-25 | 1 file | -3/+3
  Impact
  ---
  An attacker can read arbitrary `.md` files from the server's filesystem due to an [improper input validation](https://cwe.mitre.org/data/definitions/20.html), which results in the ability to perform a [relative path traversal](https://cwe.mitre.org/data/definitions/23.html).

  CVSSv3 string: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

  PoC / Quicktest
  ---
  To verify if you are affected, you can try to open the following URL: `http://localhost:3000/..%2F..%2FREADME#` (replace `http://localhost:3000` with your instance's base-URL, e.g. `https://demo.hedgedoc.org/..%2F..%2FREADME#`).

  - If you see a README page being rendered, you run an affected version.

  Analysis
  ---
  The attack works due to the fact that [the internal router passes the url-encoded alias](https://github.com/hedgedoc/hedgedoc/blob/master/lib/web/note/router.js#L26) to the `noteController.showNote` function. This function passes the input directly to the [`findNote()`](https://github.com/hedgedoc/hedgedoc/blob/78a732abe691b496fa3692aa2add37f7344db1fa/lib/web/note/util.js#L10) utility function, which passes it on to the [`parseNoteId()`](https://github.com/hedgedoc/hedgedoc/blob/78a732abe691b496fa3692aa2add37f7344db1fa/lib/models/note.js#L188-L258) function, which tries to make sense out of the noteId/alias and checks if a note already exists and, if so, if a corresponding file on disk was updated.

  If no note exists, the [note creation function is called](https://github.com/hedgedoc/hedgedoc/blob/78a732abe691b496fa3692aa2add37f7344db1fa/lib/models/note.js#L240-L245), which passes this unvalidated alias, with a `.md` appended, into a [`path.join()` function](https://github.com/hedgedoc/hedgedoc/blob/78a732abe691b496fa3692aa2add37f7344db1fa/lib/models/note.js#L99) whose result is read from the filesystem in the follow-up routine and provides the pre-filled content of the new note. This allows an attacker to not only read arbitrary `.md` files from the filesystem, but also observe changes to them.

  The usefulness of this attack can be considered limited, since mainly markdown files use the file-ending `.md` and all markdown files contained in the hedgedoc project, like the README, are public anyway. If other protections such as a chroot or container or proper file permissions are in place, this attack's usefulness is rather limited.

  Workarounds
  ---
  On a reverse-proxy level one can force a URL-decode, which will prevent this attack because the router will not accept such a path.

  For more information
  ---
  If you have any questions or comments about this advisory:
  * Open a topic on [our community forum](https://community.hedgedoc.org)
  * Join our [matrix room](https://chat.hedgedoc.org)

  Advisory link
  ---
  https://github.com/hedgedoc/hedgedoc/security/advisories/GHSA-p528-555r-pf87

  Signed-off-by: Christoph (Sheogorath) Kern <sheogorath@shivering-isles.com>
* Merge pull request #1176 from hedgedoc/renovate/master-mkdocs-material-7.x | David Mehren | 2021-04-25 | 1 file | -1/+1
  Update dependency mkdocs-material to v7.1.3 (master)

* Update dependency mkdocs-material to v7.1.3 | Renovate Bot | 2021-04-25 | 1 file | -1/+1
  Signed-off-by: Renovate Bot <bot@renovateapp.com>

* Merge pull request #1174 from hedgedoc/renovate/master-linters | David Mehren | 2021-04-25 | 2 files | -5/+5
  Update dependency eslint to v7.25.0 (master)

* Update dependency eslint to v7.25.0 | Renovate Bot | 2021-04-25 | 2 files | -5/+5
  Signed-off-by: Renovate Bot <bot@renovateapp.com>

* Merge pull request #1150 from hedgedoc/feature/prometheus_metrics | David Mehren | 2021-04-25 | 6 files | -10/+221

* Document new Prometheus endpoint | David Mehren | 2021-04-25 | 2 files | -4/+8
  Signed-off-by: David Mehren <git@herrmehren.de>

* Add custom prometheus metrics | David Mehren | 2021-04-25 | 2 files | -0/+51
  This reuses the `realtime.getStatus` method to get the application state on every prometheus scrape cycle.
  Signed-off-by: David Mehren <git@herrmehren.de>

* Add prometheus endpoint at /metrics | David Mehren | 2021-04-22 | 3 files | -6/+162
  This is currently just using the default metrics of prometheus-api-metrics.
  Signed-off-by: David Mehren <git@herrmehren.de>

* Merge pull request #1167 from hedgedoc/maintenance/master/remove_node_10 | David Mehren | 2021-04-25 | 5 files | -8/+11

* Fix version error wording in bin/setup | David Mehren | 2021-04-22 | 1 file | -2/+2
  The previous error message stated that the version of Node or Yarn is "outdated", which might be accurate coincidentally, but is not what the script checks. This commit changes the wording to use "not supported", which is more accurate to the true check in the script.
  Signed-off-by: David Mehren <git@herrmehren.de>

* CI: Stop running tests with Node.js 10 | David Mehren | 2021-04-22 | 1 file | -2/+2
  Signed-off-by: David Mehren <git@herrmehren.de>

* Raise minimum required Node.js version to 12 | David Mehren | 2021-04-22 | 4 files | -4/+7
  As Node 10 will be EOL on April 30th, we should stop supporting and/or promoting the usage of that version. See also https://endoflife.date/nodejs
  Signed-off-by: David Mehren <git@herrmehren.de>

* Merge pull request #1153 from hedgedoc/renovate/master-lock-file-maintenance | David Mehren | 2021-04-22 | 1 file | -50/+54
  Lock file maintenance (master)

* Lock file maintenance | Renovate Bot | 2021-04-22 | 1 file | -50/+54
  Signed-off-by: Renovate Bot <bot@renovateapp.com>

* Merge pull request #1117 from hedgedoc/improvement/use-upstream-imgur | Yannick Bungers | 2021-04-22 | 4 files | -50/+30

* Changelog: Mention removal of node-imgur | Philip Molares | 2021-04-22 | 1 file | -1/+4
  Signed-off-by: Philip Molares <philip.molares@udo.edu>

* ImageRouterImgur: Replace imgur library with note-fetch request | Philip Molares | 2021-04-22 | 1 file | -6/+24
  This kinda is a backport of https://github.com/hedgedoc/hedgedoc/pull/961
  Signed-off-by: Philip Molares <philip.molares@udo.edu>

* Dependency: Remove imgur | Philip Molares | 2021-04-19 | 2 files | -43/+2
  This dependency is outdated anyway (it still uses the old imgur api) and for our purposes we can substitute it with a simple POST request via note-fetch.
  Signed-off-by: Philip Molares <philip.molares@udo.edu>

* Merge pull request #1166 from hedgedoc/maintenance/master/node_16 | David Mehren | 2021-04-22 | 1 file | -2/+2
  CI: Run tests with Node.js 16 [master]

* CI: Run tests with Node.js 16 | David Mehren | 2021-04-22 | 1 file | -2/+2
  Signed-off-by: David Mehren <git@herrmehren.de>

* Merge pull request #1148 from hedgedoc/renovate/master-mkdocs-material-7.x | David Mehren | 2021-04-22 | 1 file | -1/+1
  Update dependency mkdocs-material to v7.1.2 (master)

* Update dependency mkdocs-material to v7.1.2 | Renovate Bot | 2021-04-22 | 1 file | -1/+1
  Signed-off-by: Renovate Bot <bot@renovateapp.com>

* Merge pull request #1163 from hedgedoc/revert/docs | David Mehren | 2021-04-22 | 1 file | -3/+7
  Docs: Revert changes to manual setup

* Docs: Revert changes to manual setup | Philip Molares | 2021-04-22 | 1 file | -3/+7
  This reverts the documentation changes of bf0a7ebee72404eb7bce918f41162126bca24bf0. This is necessary as the omitted remarks about `.sequlizerc` can't be omitted until 1.8 is released.
  Signed-off-by: Philip Molares <philip.molares@udo.edu>
* Merge pull request #1147 from hedgedoc/renovate/master-mini-css-extract-plugin-1.x | David Mehren | 2021-04-19 | 2 files | -5/+5
  Update dependency mini-css-extract-plugin to v1.5.0 (master)

* Update dependency mini-css-extract-plugin to v1.5.0 | Renovate Bot | 2021-04-19 | 2 files | -5/+5
  Signed-off-by: Renovate Bot <bot@renovateapp.com>

* Merge pull request #1157 from hedgedoc/renovate/master-helmet-4.x | David Mehren | 2021-04-19 | 2 files | -5/+5
  Update dependency helmet to ^4.5.0 (master)

* Update dependency helmet to ^4.5.0 | Renovate Bot | 2021-04-19 | 2 files | -5/+5
  Signed-off-by: Renovate Bot <bot@renovateapp.com>

* Merge pull request #1158 from hedgedoc/renovate/master-ws-7.x | David Mehren | 2021-04-19 | 2 files | -2/+7
  Update dependency ws to ^7.4.4 (master)

* Update dependency ws to ^7.4.4 | Renovate Bot | 2021-04-19 | 2 files | -2/+7
  Signed-off-by: Renovate Bot <bot@renovateapp.com>

* Merge pull request #1160 from hedgedoc/renovate/master-aws-sdk-2.x | David Mehren | 2021-04-19 | 2 files | -5/+5
  Update dependency aws-sdk to ^2.888.0 (master)

* Update dependency aws-sdk to ^2.888.0 | Renovate Bot | 2021-04-19 | 2 files | -5/+5
  Signed-off-by: Renovate Bot <bot@renovateapp.com>

* Merge pull request #1159 from hedgedoc/renovate/master-css-loader-5.x | David Mehren | 2021-04-19 | 2 files | -5/+5
  Update dependency css-loader to v5.2.4 (master)

* Update dependency css-loader to v5.2.4 | Renovate Bot | 2021-04-19 | 2 files | -5/+5
  Signed-off-by: Renovate Bot <bot@renovateapp.com>

* Merge pull request #1145 from hedgedoc/docs/darkTheme | David Mehren | 2021-04-18 | 7 files | -11/+65
  Documentation: Add toggleable dark theme

* Documentation: Add toggleable dark theme | Philip Molares | 2021-04-18 | 7 files | -11/+65
  The dark theme is mostly built on top of the mkdocs slate theme.
  Signed-off-by: Philip Molares <philip.molares@udo.edu>
  Co-Authored-by: Tilman Vatteroth <git@tilmanvatteroth.de>

* Merge pull request #984 from hedgedoc/docs/upgrade-instructions | Yannick Bungers | 2021-04-17 | 5 files | -104/+241

* Docs: Fixup some wording in manual setup guide | David Mehren | 2021-04-16 | 1 file | -4/+4
  Signed-off-by: David Mehren <git@herrmehren.de>

* Docs: Add hint about account creation | David Mehren | 2021-04-16 | 1 file | -0/+2
  Signed-off-by: David Mehren <git@herrmehren.de>

* Docs: Include minimal config on manual setup page | David Mehren | 2021-04-16 | 1 file | -2/+16
  To make it easier to get started, this commit adds a minimal `config.json` snippet to the manual setup instruction.
  Signed-off-by: David Mehren <git@herrmehren.de>

* Docs: Cleanup docker page | David Mehren | 2021-04-16 | 1 file | -20/+0
  Build instructions are not relevant for most users. Contact info can already be found on the 'Home' page.
  Signed-off-by: David Mehren <git@herrmehren.de>

* Docs: Move migration hints to getting started page | David Mehren | 2021-04-16 | 2 files | -17/+13
  These are relevant for all installation methods, so they should be placed at a 'global' place.
  Signed-off-by: David Mehren <git@herrmehren.de>

* Docs: Include docker-compose snippet | David Mehren | 2021-04-16 | 1 file | -15/+37
  Directing users to use the container repo to install HedgeDoc has caused upgrade-trouble in the past, after we made incompatible changes to the docker-compose.yml in the repo. This commit inserts a minimal docker-compose snippet in the docs, which can be used to get started. Upgrading can then be performed by just incrementing the referenced image version.
  Signed-off-by: David Mehren <git@herrmehren.de>

* Add an example systemd unit to installation docs | David Mehren | 2021-04-16 | 1 file | -1/+69
  Heavily inspired by the unit of Arch Linux: https://github.com/archlinux/svntogit-community/blob/packages/hedgedoc/trunk/hedgedoc.service
  Fixes https://github.com/hedgedoc/hedgedoc/issues/46
  Signed-off-by: David Mehren <git@herrmehren.de>