Commit log. Each entry gives the commit message, followed in brackets by author, date, files changed and lines removed/added; commits that belong to a merged pull request are listed indented under the merge commit.
* Add release notes for 1.8.1 [David Mehren, 2021-05-06, 1 file, -0/+17]
  Signed-off-by: David Mehren <git@herrmehren.de>

* Fix 1.8.0 changelog [David Mehren, 2021-05-06, 1 file, -1/+1]
  CVE-2021-29475 has been fixed since HedgeDoc 1.5.0, instead of 1.6.0
  Signed-off-by: David Mehren <git@herrmehren.de>

* Merge pull request #1240 from hedgedoc/renovate/master-pin-dependencies [David Mehren, 2021-05-06, 2 files, -67/+67]
  Pin dependencies (master)
  * Pin dependencies [Renovate Bot, 2021-05-06, 2 files, -67/+67]
    Signed-off-by: Renovate Bot <bot@renovateapp.com>

* Merge pull request #1227 from hedgedoc/enhancement/esbuild [David Mehren, 2021-05-06, 4 files, -11/+48]
  Use esbuild to minify frontend JS
  * Use esbuild to minify frontend JS [David Mehren, 2021-05-06, 4 files, -11/+48]
    This speeds up build times massively
    Signed-off-by: David Mehren <git@herrmehren.de>

* Merge pull request #1237 from hedgedoc/renovate/master-mkdocs-material-7.x [David Mehren, 2021-05-06, 1 file, -1/+1]
  Update dependency mkdocs-material to v7.1.4 (master)
  * Update dependency mkdocs-material to v7.1.4 [Renovate Bot, 2021-05-06, 1 file, -1/+1]
    Signed-off-by: Renovate Bot <bot@renovateapp.com>

* Merge pull request #1236 from hedgedoc/renovate/master-webpack-cli-4.x [David Mehren, 2021-05-06, 2 files, -22/+21]
  Update dependency webpack-cli to v4.7.0 (master)
  * Update dependency webpack-cli to v4.7.0 [Renovate Bot, 2021-05-06, 2 files, -22/+21]
    Signed-off-by: Renovate Bot <bot@renovateapp.com>

* Merge pull request #1223 from hedgedoc/fix/useSSL [David Mehren, 2021-05-06, 1 file, -4/+11]
  Automatically enable protocolUseSSL when useSSL is set
  * Automatically enable protocolUseSSL when useSSL is set [David Mehren, 2021-05-06, 1 file, -4/+11]
    This makes the behavior consistent with the docs and saves the user from having to both set `useSSL` and `protocolUseSSL`.
    Signed-off-by: David Mehren <git@herrmehren.de>

* Merge pull request #1222 from hedgedoc/fix/upgrade_insecure_requests [David Mehren, 2021-05-06, 1 file, -2/+2]
  Fix upgradeInsecureRequests CSP directive
  * Fix upgradeInsecureRequests CSP directive [David Mehren, 2021-05-04, 1 file, -2/+2]
    The `upgradeInsecureRequests` option of Helmet's CSP middleware was a boolean in Helmet 3, but with Helmet 4, everything changed to lists. This commit adjusts the addUpgradeUnsafeRequestsOptionTo function accordingly.
    Closes #1221
    See also https://github.com/helmetjs/helmet/tree/v4.6.0/middlewares/content-security-policy
    Signed-off-by: David Mehren <git@herrmehren.de>

* Merge pull request #1233 from hedgedoc/fix/insertOnStartOfLines [David Mehren, 2021-05-06, 1 file, -4/+7]
  Fix insertOnStartOfLines behaviour
  * Fix insertOnStartOfLines behaviour [David Mehren, 2021-05-05, 1 file, -4/+7]
    A bug in insertOnStartOfLines led to duplicated text if the cursor was not at the start of a line. This fixes the behaviour of insertOnStartOfLines to always use the complete first and last line of the selection, even if they were only partially selected.
    Fixes #1231
    Signed-off-by: David Mehren <git@herrmehren.de>
* Merge pull request #1226 from hedgedoc/enhancement/devDependencies [David Mehren, 2021-05-06, 2 files, -35/+34]
  * Only install production dependencies in bin/setup [David Mehren, 2021-05-05, 1 file, -2/+1]
    Signed-off-by: David Mehren <git@herrmehren.de>
  * Move frontend-only deps to devDependencies [David Mehren, 2021-05-05, 1 file, -33/+33]
    Signed-off-by: David Mehren <git@herrmehren.de>

* Merge pull request #1234 from hedgedoc/fix/numbered-task-lists [David Mehren, 2021-05-06, 1 file, -6/+6]
  Fix click handler for numbered task lists
  * Fix click handler for numbered task lists [Erik Michelson, 2021-05-05, 1 file, -6/+6]
    The regex for tasklists in 1.x didn't include upper-case x/X letters nor ordered lists (1. [ ] abc). This commit changes the regex to allow both.
    Signed-off-by: Erik Michelson <opensource@erik.michelson.eu>

* Merge pull request #1219 from hedgedoc/release/1.8.0 [David Mehren, 2021-05-03, 5 files, -14/+12]
  * Remove mention of .sequelizerc from docs [David Mehren, 2021-05-03, 1 file, -7/+3]
    Signed-off-by: David Mehren <git@herrmehren.de>
  * Bump version to 1.8.0 [David Mehren, 2021-05-03, 4 files, -5/+5]
    Signed-off-by: David Mehren <git@herrmehren.de>
  * Add release notes for 1.8.0 [David Mehren, 2021-05-03, 1 file, -2/+4]
    Signed-off-by: David Mehren <git@herrmehren.de>

* Merge pull request #1213 from hedgedoc/renovate/master-lock-file-maintenance [Yannick Bungers, 2021-05-03, 1 file, -46/+57]
  Lock file maintenance (master)
  * Lock file maintenance [Renovate Bot, 2021-05-03, 1 file, -46/+57]
    Signed-off-by: Renovate Bot <bot@renovateapp.com>

* Merge pull request #1218 from hedgedoc/maintenance/master/update_meta-marked [Yannick Bungers, 2021-05-03, 1 file, -14/+15]
  Update meta-marked
  * Update meta-marked in yarn.lock [David Mehren, 2021-05-03, 1 file, -14/+15]
    Signed-off-by: David Mehren <git@herrmehren.de>

* Merge pull request #1210 from hedgedoc/renovate/master-mini-css-extract-plugin-1.x [David Mehren, 2021-05-03, 2 files, -5/+5]
  Update dependency mini-css-extract-plugin to v1.6.0 (master)
  * Update dependency mini-css-extract-plugin to v1.6.0 [Renovate Bot, 2021-04-30, 2 files, -5/+5]
    Signed-off-by: Renovate Bot <bot@renovateapp.com>

* Merge pull request #1204 from hedgedoc/renovate/master-mini-css-extract-plugin-1.x [Yannick Bungers, 2021-04-29, 2 files, -5/+5]
  Update dependency mini-css-extract-plugin to v1.5.1 (master)
  * Update dependency mini-css-extract-plugin to v1.5.1 [Renovate Bot, 2021-04-28, 2 files, -5/+5]
    Signed-off-by: Renovate Bot <bot@renovateapp.com>
* Merge pull request #1191 from hedgedoc/release/1.8.0-rc1 [David Mehren, 2021-04-26, 25 files, -201/+1163]
  * Extract list of supported languages in separate file [Erik Michelson, 2021-04-26, 4 files, -45/+49]
    Signed-off-by: Erik Michelson <github@erik.michelson.eu>
  * Fix wrong placeholder in translations [David Mehren, 2021-04-26, 2 files, -6/+6]
    Signed-off-by: David Mehren <git@herrmehren.de>
  * Add changelog for 1.8.0-rc1 [David Mehren, 2021-04-26, 1 file, -5/+29]
    Signed-off-by: David Mehren <git@herrmehren.de>
  * Add support for freshly imported languages [David Mehren, 2021-04-26, 3 files, -2/+11]
    New languages: bg, fa, gl, he, hu, oc, pt-br
    Signed-off-by: David Mehren <git@herrmehren.de>
  * Add translators to the list of contributors for 1.8.0-rc1 [David Mehren, 2021-04-26, 1 file, -1/+15]
    Signed-off-by: David Mehren <git@herrmehren.de>
  * Update translations from POEditor.com [David Mehren, 2021-04-26, 18 files, -157/+1068]
    New languages: bg, fa, gl, he, hu, oc, pt-br
    Updated languages: ar, en, eo, es, hi, ja, ko, pl, pt, tr, zh-TW
    Signed-off-by: David Mehren <git@herrmehren.de>
  * Bump version to 1.8.0-rc1 [David Mehren, 2021-04-26, 2 files, -2/+2]
    Signed-off-by: David Mehren <git@herrmehren.de>

* Merge pull request #1196 from hedgedoc/renovate/master-lock-file-maintenance [David Mehren, 2021-04-26, 1 file, -42/+41]
  Lock file maintenance (master)
  * Lock file maintenance [Renovate Bot, 2021-04-26, 1 file, -42/+41]
    Signed-off-by: Renovate Bot <bot@renovateapp.com>

* Merge pull request #1201 from hedgedoc/remove-polyfill [David Mehren, 2021-04-26, 3 files, -15/+0]
  * Uninstall scrypt-async [David Mehren, 2021-04-26, 2 files, -6/+0]
    Signed-off-by: David Mehren <git@herrmehren.de>
  * Remove unneeded polyfill [Erik Michelson, 2021-04-26, 1 file, -9/+0]
    This polyfill was added because node versions less than 10.5.0 didn't include scrypt support. As we now raised the minimum required version to 12.0.0, this polyfill isn't needed anymore.
    Signed-off-by: Erik Michelson <opensource@erik.michelson.eu>

* Merge pull request #1193 from hedgedoc/fix/logo-in-readme [Yannick Bungers, 2021-04-25, 1 file, -1/+1]
  Fix logo link in README.md
  * Fix logo link in README.md [Tilman Vatteroth, 2021-04-25, 1 file, -1/+1]
    Signed-off-by: Tilman Vatteroth <git@tilmanvatteroth.de>

* Merge pull request from GHSA-p528-555r-pf87 [David Mehren, 2021-04-25, 1 file, -3/+3]
  Fix Relative Path Traversal Attack on note creation
  * Fix Relative Path Traversal Attack on note creation [Sheogorath, 2021-04-25, 1 file, -3/+3]

    Impact
    ---
    An attacker can read arbitrary `.md` files from the server's filesystem due to an [improper input validation](https://cwe.mitre.org/data/definitions/20.html), which results in the ability to perform a [relative path traversal](https://cwe.mitre.org/data/definitions/23.html).

    CVSSv3 string: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

    PoC / Quicktest
    ---
    To verify if you are affected, you can try to open the following URL: `http://localhost:3000/..%2F..%2FREADME#` (replace `http://localhost:3000` with your instance's base-URL e.g. `https://demo.hedgedoc.org/..%2F..%2FREADME#`).

    - If you see a README page being rendered, you run an affected version.

    Analysis
    ---
    The attack works due to the fact that [the internal router passes the url-encoded alias](https://github.com/hedgedoc/hedgedoc/blob/master/lib/web/note/router.js#L26) to the `noteController.showNote`-function. This function passes the input directly to the [`findNote()`](https://github.com/hedgedoc/hedgedoc/blob/78a732abe691b496fa3692aa2add37f7344db1fa/lib/web/note/util.js#L10) utility function, which will pass it on to the [`parseNoteId()`](https://github.com/hedgedoc/hedgedoc/blob/78a732abe691b496fa3692aa2add37f7344db1fa/lib/models/note.js#L188-L258)-function, which tries to make sense out of the noteId/alias and checks if a note already exists and, if so, if a corresponding file on disk was updated.

    If no note exists the [note creation-function is called](https://github.com/hedgedoc/hedgedoc/blob/78a732abe691b496fa3692aa2add37f7344db1fa/lib/models/note.js#L240-L245), which passes this unvalidated alias, with a `.md` appended, into a [`path.join()`-function](https://github.com/hedgedoc/hedgedoc/blob/78a732abe691b496fa3692aa2add37f7344db1fa/lib/models/note.js#L99); the result is read from the filesystem in the follow-up routine and provides the pre-filled content of the new note. This allows an attacker to not only read arbitrary `.md` files from the filesystem, but also observe changes to them.

    The usefulness of this attack can be considered limited, since mainly markdown files use the file ending `.md` and all markdown files contained in the hedgedoc project, like the README, are public anyway. If other protections such as a chroot or container or proper file permissions are in place, this attack's usefulness is rather limited.

    Workarounds
    ---
    On a reverse-proxy level one can force a URL-decode, which will prevent this attack because the router will not accept such a path.

    For more information
    ---
    If you have any questions or comments about this advisory:

    * Open a topic on [our community forum](https://community.hedgedoc.org)
    * Join our [matrix room](https://chat.hedgedoc.org)

    Advisory link
    ---
    https://github.com/hedgedoc/hedgedoc/security/advisories/GHSA-p528-555r-pf87

    Signed-off-by: Christoph (Sheogorath) Kern <sheogorath@shivering-isles.com>