Commit message  Author  Age  Files  Lines
* Merge pull request #176 from SISheogorath/docs/security  Sheogorath  2019-09-12  1  -0/+32
|\ | | | | Add security note to repository
| * Add security note to repository  Sheogorath  2019-09-10  1  -0/+32
|/
|   In order to simplify the communication with security researchers and allow reporting of issues, this document should provide a rough idea about:
|
|   1. What versions are supported
|   2. Who to contact
|   3. How to send findings properly secured
|   4. What to expect from an approved security issue
|   5. What if it's not considered a security issue
|
|   Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* Merge pull request #171 from soulchild/master  Sheogorath  2019-09-07  1  -1/+1
|\ | | | | Move sequelize-cli from devDependencies to dependencies, because it is needed to run migrations at run-time
| * Move sequelize-cli from devDependencies to dependencies, because it is ↵  Tobias Kremer  2019-09-06  1  -1/+1
|/ | | | | | needed to run migrations at run-time Signed-off-by: Tobias Kremer <tobias.kremer@gmail.com>
* Merge pull request #168 from dargmuesli/fix/docker-secret-buffer  Sheogorath  2019-09-03  1  -1/+1
|\ | | | | Config: Return String Instead Of Buffer For Docker Secrets
| * Docker Secrets: Use Encoding Parameter Directly  Jonas Thelemann  2019-09-03  1  -1/+1
| | | | | | | | Signed-off-by: Jonas Thelemann <e-mail@jonas-thelemann.de>
| * Config: Return String Instead Of Buffer For Docker Secrets  Jonas Thelemann  2019-09-03  1  -1/+1
| | | | | | | | | | | | Prevents "TypeError: Cannot freeze array buffer views with elements". Signed-off-by: Jonas Thelemann <e-mail@jonas-thelemann.de>
* | Merge pull request #167 from dargmuesli/fix/docker-secret-path  Sheogorath  2019-09-03  1  -1/+1
|\ \ | |/ |/| Docker Secrets: Correct Source Path
| * Docker Secrets: Correct Source Path  Jonas Thelemann  2019-09-02  1  -1/+1
|/ | | | Signed-off-by: Jonas Thelemann <e-mail@jonas-thelemann.de>
* Merge pull request #147 from codimd/snyk-fix-0aa72a9ec7fcf1d8b1832518c29b6f4c  Sheogorath  2019-09-02  1  -2/+2
|\ | | | | [Snyk] Fix for 2 vulnerable dependencies
| * fix: package.json to reduce vulnerabilities  snyk-test  2019-08-20  1  -2/+2
| |
| |   The following vulnerabilities are fixed with an upgrade:
| |   - https://snyk.io/vuln/SNYK-JS-AUTOLINKER-73494
| |   - https://snyk.io/vuln/SNYK-JS-SEQUELIZE-459751
* | Merge pull request #143 from Fonata/improve-docs  Sheogorath  2019-09-02  4  -30/+31
|\ \ | | | | | | Slightly improve documentation
| * | Documentation: improved 'Users and Privileges' section  Christian Bläul  2019-08-17  2  -5/+5
| | | | | | | | | | | | Signed-off-by: Christian Bläul <christian@blaeul.de>
| * | Documentation: improved English  Christian Bläul  2019-08-17  1  -2/+2
| | | | | | | | | | | | Signed-off-by: Christian Bläul <christian@blaeul.de>
| * | Not serverurl, but serverURL is used as a default for issuer  Christian Bläul  2019-08-17  2  -2/+2
| | | | | | | | | | | | Signed-off-by: Christian Bläul <christian@blaeul.de>
| * | Documentation: improved sessionLife description  Christian Bläul  2019-08-17  2  -2/+2
| | | | | | | | | | | | Signed-off-by: Christian Bläul <christian@blaeul.de>
| * | Documentation: improved 'Email (local account)' sections  Christian Bläul  2019-08-17  2  -4/+4
| | | | | | | | | | | | Signed-off-by: Christian Bläul <christian@blaeul.de>
| * | Documentation: improved dbURL description  Christian Bläul  2019-08-17  2  -2/+2
| | | | | | | | | | | | Signed-off-by: Christian Bläul <christian@blaeul.de>
| * | Documentation: Improved descriptions of 'Users and Privileges' section  Christian Bläul  2019-08-17  1  -3/+3
| | | | | | | | | | | | Signed-off-by: Christian Bläul <christian@blaeul.de>
| * | Documentation: converted descriptions to sentences to allow more details  Christian Bläul  2019-08-17  1  -7/+7
| | | | | | | | | | | | | | | | | | No content was added; this is just a formatting commit. Signed-off-by: Christian Bläul <christian@blaeul.de>
| * | Improved docs for YAML metadata  Christian Bläul  2019-08-17  1  -2/+3
| | | | | | | | | | | | Signed-off-by: Christian Bläul <christian@blaeul.de>
| * | Config documentation: Improved spelling and capitalization of services  Christian Bläul  2019-08-17  1  -6/+6
| | | | | | | | | | | | Signed-off-by: Christian Bläul <christian@blaeul.de>
| * | Documentation of config options: Improve loglevel  Christian Bläul  2019-08-17  1  -1/+1
| | | | | | | | | | | | Signed-off-by: Christian Bläul <christian@blaeul.de>
| * | Documentation of config options: Improve db  Christian Bläul  2019-08-17  1  -1/+1
| |/ | | | | | | Signed-off-by: Christian Bläul <christian@blaeul.de>
* | Merge pull request #32 from codimd/aws-endpoints  Sheogorath  2019-09-02  2  -2/+5
|\ \ | | | | | | make aws s3 endpoint configurable
| * | make aws s3 endpoint configurable  Mathias Merscher  2019-02-11  2  -2/+5
| | | | | | | | | | | | Signed-off-by: Mathias Merscher <Mathias.Merscher@dg-i.net>
* | | Merge pull request #165 from morpheus-87/imprint-docs  Sheogorath  2019-09-02  1  -0/+9
|\ \ \ | | | | | | | | Add documentation for the new imprint feature
| * | | Remove useless blank line  Matthias Lindinger  2019-09-02  1  -1/+0
| | | | | | | | | | | | | | | | Signed-off-by: Matthias Lindinger <m.lindinger@live.de>
| * | | Add documentation for the new imprint feature  Matthias Lindinger  2019-09-02  1  -0/+10
|/ / / | | | | | | | | | Signed-off-by: Matthias Lindinger <m.lindinger@live.de>
* | | Merge pull request #158 from morpheus-87/add-imprint-link  Sheogorath  2019-09-02  4  -1/+4
|\ \ \ | |_|/ |/| | Add link to imprint
| * | Add link to imprint  Matthias Lindinger  2019-08-26  4  -1/+4
|/ / | | | | | | Signed-off-by: Matthias Lindinger <m.lindinger@live.de>
* | Release version 1.5.0  Sheogorath  2019-08-15  2  -1/+48
| |
* | Update yarn.lock  Sheogorath  2019-08-15  1  -16/+49
| | | | | | | | Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* | Add arabian translation  Sheogorath  2019-08-15  3  -1/+123
| | | | | | | | | | | | | | Thanks to our great translators that made it to translate the major parts of CodiMD into Arabic! Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* | Disable PDF export due to security issue  Sheogorath  2019-08-15  1  -0/+6
| |
| |   As a temporary fix, to keep you and your users safe, this patch disables the PDF export feature. Details of the attack along with a fix for future versions of CodiMD will be released in future. I hope you can live with this solution for this release because I'm super short on time and the alternative would be to ship no fix at all. This appears to be the better solution for this release.
| |
| |   Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* | Switch mysql library to mysql2  Sheogorath  2019-08-15  1  -1/+1
| | | | | | | | | | | | | | The recent sequelize upgrade introduced some other dependencies, this is one of them. This patch replaces the old `mysql` library with `mysql2`. Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* | Fix variable names for docker secrets  Sheogorath  2019-08-15  1  -5/+5
| |
| |   It seems like since we switched to camelcase we missed updating some variable names in the config section. This patch fixes those.
| |
| |   Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* | Update meta-marked to latest version  Sheogorath  2019-08-15  2  -10/+10
| |
| |   Meta-marked 0.4.4 which we used from our git repository contains a RegexDOS attack in the marked dependency. The dependency was already updated in our meta-marked repository, but not updated in yarn. This made us still vulnerable to this ReDOS which was able to cause a DOS attack on the server when updating a note.
| |
| |   For Details:
| |   https://github.com/markedjs/marked/releases/tag/v0.7.0
| |   https://github.com/markedjs/marked/pull/1515
| |
| |   What is a ReDOS?
| |
| |   A ReDOS attack is a DOS attack where an attacker targets a not-well-written Regular Expression. Regular expressions try to build a tree of all possibilities they can match in order to figure out if the given statement is valid or not. A ReDOS attack abuses this concept by providing a statement that doesn't match but causes extremely huge trees that simply lead to exhausting CPU usage.
| |
| |   For more details see:
| |   https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS
| |
| |   Credit:
| |
| |   Huge thanks to @bitinerant for finding this and handling it with a responsible disclosure. Also thanks to the `marked`-team for fixing things already.
| |
| |   Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* | Update id.json (POEditor.com)  Sheogorath  2019-08-15  1  -1/+3
| |
* | Merge pull request #141 from alangecker/fix/migration-should-return-promise  Sheogorath  2019-08-12  3  -18/+18
|\ \ | | | | | | fix: migration should return promise
| * | fix: migration should return promise  chandi  2019-08-12  3  -18/+18
|/ / | | | | | | Signed-off-by: chandi <git@chandi.it>
* | Merge pull request #140 from SISheogorath/docs/updateIcons  Sheogorath  2019-08-08  1  -2/+2
|\ \ | | | | | | Update badge icons
| * | Update badge icons  Sheogorath  2019-08-03  1  -2/+2
| | | | | | | | | | | | | | | | | | | | | | | | I just noticed that shields.io provides some nice new badges including one explicitly for Matrix and one for Mastodon. Since those are really our platforms, let's get them into our README. Just a cosmetic change. Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* | | Update de.json (POEditor.com)  Sheogorath  2019-08-03  1  -14/+14
|/ /
* | Update yarn.lock  Sheogorath  2019-08-01  1  -74/+2744
| |
* | Slightly improve docker-linux-server.md  Salim B  2019-08-01  1  -4/+4
| |
| |   - fix typo
| |   - add link to PhantomJS
| |   - improve formatting
| |
| |   Signed-off-by: Salim B <salim@posteo.de>
* | Merge pull request #114 from SISheogorath/fix/linuxServerDocs  Sheogorath  2019-08-01  2  -7/+7
|\ \ | | | | | | Fix some minor quirks in the LinuxServer.io docs
| * | Fix some minor quirks in the LinuxServer.io docs  Sheogorath  2019-08-01  2  -7/+7
| | |
| | |   The current documents might end up confusing people and are not completely accessible. These minor fixes should clear up the situation and add alt texts to all badges, explain the links at the end of the docs, and list LinuxServer.io in the supported provider section of the README.
| | |
| | |   Some reasoning on the change in the listing:
| | |
| | |   Since we maintain an own container image which is for sure kept updated on release, this is our first listing, as well as general solutions that are built on that image, like the K8s integration.
| | |
| | |   The next listings are integrated providers which allow self-hosting, like Cloudron and I also consider LinuxServer.io as this kind of providers. Which try to enable people to run CodiMD on their own hardware or rented servers in a very easy way, but by using their own images.
| | |
| | |   As third category I would look at hosted offers, like Heroku, which are not completely SaaS but far enough away from the self-hostability that I consider them as an own category. PaaS-based solutions are not as FOSS-style as we want our setups to be, but of course still supported.
| | |
| | |   Finally the manual setup. We keep it down here, because we support it, but don't recommend it in general. It's hard to upgrade and can cause problems when dependencies are not correctly updated or people don't run the db migrations.
| | |
| | |   Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* | | Merge pull request #137 from codimd/snyk-fix-90a963f5d1c4d3e15b1c30f372c2f444  Sheogorath  2019-08-01  1  -1/+1
|\ \ \ | | | | | | | | [Snyk] Fix for 1 vulnerable dependencies
| * | | fix: package.json to reduce vulnerabilities  snyk-test  2019-07-24  1  -1/+1
|/ / /
| | |   The following vulnerabilities are fixed with an upgrade:
| | |   - https://snyk.io/vuln/SNYK-JS-MERMAID-174698