Commit message (Author, Date, Files changed, Lines -/+)
* Fix possible MathJax XSS issue [Security Issue] (Max Wu, 2019-03-03, 3 files, -0/+6)
  see more at: http://docs.mathjax.org/en/latest/safe-mode.html
  Signed-off-by: Max Wu <jackymaxj@gmail.com>
* Force upgrade of some outdated dependencies (Sheogorath, 2019-03-02, 2 files, -180/+12)
  I don't really like the way to go here, but I guess having those forcefully upgraded is better than staying around with vulnerable dependencies. This patch fixes some vulnerabilities in dependencies that were categorized as high severity.
  Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* Update yarn.lock (Sheogorath, 2019-03-02, 1 file, -377/+360)
  Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* Fix wrong domain in app.json (Sheogorath, 2019-03-02, 1 file, -1/+1)
  Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* Merge pull request #1150 from SISheogorath/fix/speakerdeck (Christoph (Sheogorath) Kern, 2019-02-21, 3 files, -34/+9)
  Remove broken speakerdeck embedding
  * Fix CI errors for unused variables (Sheogorath, 2019-02-21, 1 file, -3/+2)
    Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
  * Remove broken speakerdeck embedding (Sheogorath, 2019-02-21, 2 files, -31/+7)
    The current speakerdeck implementation is broken. An alternative implementation using oembed doesn't work due to CORS, which could be solved by proxying the speakerdeck API, but we decided to not do this. This patch provides the link to the speakerdeck presentation instead, and this way doesn't break existing notes. This is right now the best solution we could come up with.
    Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* Update yarn.lock (Sheogorath, 2019-02-15, 1 file, -390/+379)
* Update handlebar to version 4.0.13 (Sheogorath, 2019-02-15, 1 file, -1/+1)
  Snyk found a security vulnerability in the version we provide, that in theory can provide an RCE.
  Details: https://snyk.io/vuln/SNYK-JS-HANDLEBARS-173692
* Merge pull request #1148 from felixonmars/patch-1 (Claudius Coenen, 2019-02-14, 1 file, -3/+3)
  Fix several typos in auth/saml.md
  * Fix several typos in auth/saml.md (Felix Yan, 2019-02-15, 1 file, -3/+3)
    Signed-off-by: Felix Yan <felixonmars@archlinux.org>
* Update ja.json (POEditor.com) (Christoph (Sheogorath) Kern, 2019-01-31, 1 file, -1/+3)
* Disable OpenID by default (Sheogorath, 2019-01-25, 1 file, -1/+1)
  We talked about that during a community call. It turned out that not everyone likes to have OpenID on their instance. This patch disables OpenID by default.
  Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* Merge pull request #1127 from SISheogorath/fix/unlinkFix (Christoph (Sheogorath) Kern, 2019-01-25, 1 file, -1/+1)
  Fix broken PDF export by wrong unlink call
  * Fix broken PDF export by wrong unlink call (Sheogorath, 2019-01-24, 1 file, -1/+1)
    We used `fs.unlink()` to remove the pdf file after we sent it out to the client. This breaks in Node 10, when no function as second parameter is supplied. This patch changes it to the `fs.unlinkSync` function that doesn't have this requirement and this way doesn't crash.
    Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* Update yarn.lock (Sheogorath, 2019-01-24, 1 file, -135/+96)
  Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* Merge pull request #1125 from hackmdio/dependency-node-6-fix (Claudius Coenen, 2019-01-24, 1 file, -0/+3)
  Fixing deep dependency problem with node 6.x
  * Fixing deep dependency problem with node 6.x (Claudius Coenen, 2019-01-23, 1 file, -0/+3)
    This commit has been blatantly stolen from @samselikoff in ember-cli-addon-docs. It prevents an issue introduced via a deep dependency that no longer supports node 6 (which we still would like to support).
    see: https://github.com/ember-learn/ember-cli-addon-docs/commit/231275b5a4bed59bbac798ddaa1bde94319047cb
    see: https://github.com/salesforce/tough-cookie/pull/141
    Signed-off-by: Claudius Coenen <opensource@amenthes.de>
* Merge pull request #1124 from phrix32/patch-1 (Christoph (Sheogorath) Kern, 2019-01-22, 1 file, -1/+1)
  Fix reference to SAML guide in README
  * Fix reference to SAML guide in README (Jonathan, 2019-01-22, 1 file, -1/+1)
    Signed-off-by: Jonathan Klauck <jonathan.klauck@aoe.com>
* Merge pull request #1123 from SISheogorath/fix/lintingTests (Christoph (Sheogorath) Kern, 2019-01-21, 2 files, -8/+10)
  Add linting for tests
  * Add linting for tests (Sheogorath, 2019-01-21, 2 files, -8/+10)
    The tests are currently not linted. This causes a different coding style than the rest of the sources. This patch adds the `./test` directory to the eslint testing and fixes linting for existing tests.
    Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* Merge pull request #1121 from SISheogorath/test/CSP (Christoph (Sheogorath) Kern, 2019-01-21, 2 files, -0/+125)
  Add tests for csp.js
  * Add tests for csp.js (Sheogorath, 2019-01-19, 2 files, -0/+125)
    Since we lack tests but got a great point to start, let's write more tests. This patch provides some basic tests for our CSP library. It's more an integration than a unit test, but gets the job done.
    Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* Update yarn.lock (Sheogorath, 2019-01-18, 1 file, -504/+561)
  Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* Merge pull request #1116 from dsprenkels/manage_users (Christoph (Sheogorath) Kern, 2019-01-12, 1 file, -1/+1)
  Fix broken manage_users after Winston upgrade
  * Fix broken manage_users after Winston upgrade (Daan Sprenkels, 2019-01-10, 1 file, -1/+1)
    Commit c3584770 upgrades Winston and with that version `logger.transports.console` becomes undefined. This commit updates the code to prevent the crash.
    Signed-off-by: Daan Sprenkels <hello@dsprenkels.com>
* Merge pull request #1117 from SISheogorath/upgrade/bootstrap (Christoph (Sheogorath) Kern, 2019-01-12, 7 files, -9/+9)
  Update bootstrap from 3.3.7 to 3.4.0
  * Update bootstrap from 3.3.7 to 3.4.0 (Sheogorath, 2019-01-11, 7 files, -9/+9)
    Seems like finally there is a new bootstrap version for old version 3. This patch implements this new version with CodiMD and this way fixes some possible security issues in the frontend code.
    See: https://snyk.io/vuln/SNYK-JS-BOOTSTRAP-72889
    https://snyk.io/vuln/SNYK-JS-BOOTSTRAP-72890
    Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* Merge pull request #1114 from SISheogorath/fix/samlVersion (Christoph (Sheogorath) Kern, 2019-01-09, 1 file, -1/+1)
  Update SAML to version 1.0.0
  * Update SAML to version 1.0.0 (Sheogorath, 2019-01-09, 1 file, -1/+1)
    Seems like there was a security problem with the library. This patch updates to version 1.0.0 which fixed the details.
    Details: https://snyk.io/vuln/SNYK-JS-PASSPORTSAML-72411
    Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* Merge pull request #1110 from dsprenkels/issue_1106 (Christoph (Sheogorath) Kern, 2019-01-05, 3 files, -5/+20)
  Remove blueimp-md5 dependency
  * Remove blueimp-md5 dependency (Daan Sprenkels, 2018-12-22, 2 files, -4/+7)
    Signed-off-by: Daan Sprenkels <hello@dsprenkels.com>
  * Add a test for gravatar urls (Daan Sprenkels, 2018-12-22, 2 files, -1/+13)
    Signed-off-by: Daan Sprenkels <hello@dsprenkels.com>
* Merge pull request #1112 from hackmdio/fix-XSS-issues (Christoph (Sheogorath) Kern, 2018-12-29, 2 files, -2/+2)
  Fix some XSS issues
  * Fix to escape html comment tag [Security Issue] (Max Wu, 2018-12-28, 1 file, -1/+1)
    Signed-off-by: Max Wu <jackymaxj@gmail.com>
  * Fix to sanitize disqus shortnames to remove slashes [Security Issue] (Max Wu, 2018-12-28, 1 file, -1/+1)
    Signed-off-by: Max Wu <jackymaxj@gmail.com>
* Merge pull request #1105 from SISheogorath/fix/gistCSP (Christoph (Sheogorath) Kern, 2018-12-21, 1 file, -1/+1)
  Fix broken Gist embedding
  * Fix broken Gist embedding (Sheogorath, 2018-12-20, 1 file, -1/+1)
    Looks like GitHub changed their asset system and our CSP prevented them from getting loaded. This patch should fix the Gist embedding with enabled CSP by replacing the old URL `https://assets-cdn.github.com` with the new `https://github.githubassets.com`.
    Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* Merge pull request #1108 from dsprenkels/patch-1 (Christoph (Sheogorath) Kern, 2018-12-21, 1 file, -1/+1)
  Update upload provider error message
  * Update upload provider error message (Daan Sprenkels, 2018-12-21, 1 file, -1/+1)
    Fixes #1107.
    Signed-off-by: Daan Sprenkels <hello@dsprenkels.com>
* Merge pull request #1103 from SISheogorath/fix/localImageUpload (Christoph (Sheogorath) Kern, 2018-12-20, 1 file, -2/+2)
  Fix usage of new URL API
  * Fix usage of new URL API (Sheogorath, 2018-12-18, 1 file, -2/+2)
    Due to the deprecation of the old `url`-API provided by NodeJS we replaced `url.resolve` with `url.URL.resolve`, which doesn't exist. This patch fixes the local filesystem upload of CodiMD by using the new API correctly: creating a URL object and using its href.
    Some more background:
    https://nodejs.org/api/url.html#url_url_href
    https://nodejs.org/api/url.html#url_url_resolve_from_to
    Fixes https://github.com/hackmdio/codimd/issues/1102
    Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* Update ru.json (POEditor.com) (Christoph (Sheogorath) Kern, 2018-12-13, 1 file, -103/+116)
* Merge pull request #1091 from SISheogorath/fix/speakerNotesCSP (Christoph (Sheogorath) Kern, 2018-12-06, 1 file, -1/+1)
  Fix CSP for speaker notes
  * Fix CSP for speaker notes (Sheogorath, 2018-12-05, 1 file, -1/+1)
    Looks like I was wrong in my previous commit to update revealjs.[1] The speaker notes broke again with the CSPs. So this patch updates the hash and this way the speaker notes.
    [1]: bcebf1e8d285184f8c905f00e0270621790e7b80
    Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* Merge pull request #1092 from SISheogorath/fix/disqusCSP (Christoph (Sheogorath) Kern, 2018-12-06, 1 file, -1/+1)
  Fix disqus CSP
  * Fix disqus CSP (Sheogorath, 2018-12-05, 1 file, -1/+1)
    Disqus loads its embed config.js from its root domain (https://disqus.com). Our CSPs only allow subdomains (e.g.: https://codimd.disqus.com). This causes the disqus embedding to fail. This patch should fix this problem by adding https://disqus.com to the CSP setting. From a security perspective there is no real change, since still the same parties are involved.
    Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* Update yarn.lock (Sheogorath, 2018-12-04, 1 file, -362/+499)
  Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* Merge pull request #1085 from SISheogorath/update/socket.io (Christoph (Sheogorath) Kern, 2018-12-01, 2 files, -3/+3)
  Update socket.io