Commit message  (Author, Age, Files, Lines)
* Fix Relative Path Traversal Attack on note creation  (Sheogorath, 2021-04-25, 1 file, -3/+3)
    Impact
    ---
    An attacker can read arbitrary `.md` files from the server's filesystem due to an [improper input validation](https://cwe.mitre.org/data/definitions/20.html), which results in the ability to perform a [relative path traversal](https://cwe.mitre.org/data/definitions/23.html).

    CVSSv3 string: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

    PoC / Quicktest
    ---
    To verify if you are affected, you can try to open the following URL: `http://localhost:3000/..%2F..%2FREADME#` (replace `http://localhost:3000` with your instance's base URL, e.g. `https://demo.hedgedoc.org/..%2F..%2FREADME#`).

    - If you see a README page being rendered, you are running an affected version.

    Analysis
    ---
    The attack works due to the fact that [the internal router passes the url-encoded alias](https://github.com/hedgedoc/hedgedoc/blob/master/lib/web/note/router.js#L26) to the `noteController.showNote` function. This function passes the input directly to the [`findNote()`](https://github.com/hedgedoc/hedgedoc/blob/78a732abe691b496fa3692aa2add37f7344db1fa/lib/web/note/util.js#L10) utility function, which passes it on to the [`parseNoteId()`](https://github.com/hedgedoc/hedgedoc/blob/78a732abe691b496fa3692aa2add37f7344db1fa/lib/models/note.js#L188-L258) function, which tries to make sense of the noteId/alias and checks whether a note already exists and, if so, whether a corresponding file on disk was updated. If no note exists, the [note creation function is called](https://github.com/hedgedoc/hedgedoc/blob/78a732abe691b496fa3692aa2add37f7344db1fa/lib/models/note.js#L240-L245), which passes this unvalidated alias, with `.md` appended, into a [`path.join()` call](https://github.com/hedgedoc/hedgedoc/blob/78a732abe691b496fa3692aa2add37f7344db1fa/lib/models/note.js#L99); the resulting path is read from the filesystem in the follow-up routine and provides the pre-filled content of the new note.

    This allows an attacker not only to read arbitrary `.md` files from the filesystem, but also to observe changes to them. The usefulness of this attack can be considered limited, since mainly markdown files use the file ending `.md` and all markdown files contained in the hedgedoc project, like the README, are public anyway. If other protections such as a chroot or container or proper file permissions are in place, this attack's usefulness is rather limited.

    Workarounds
    ---
    On a reverse-proxy level one can force a URL-decode, which will prevent this attack because the router will not accept such a path.

    For more information
    ---
    If you have any questions or comments about this advisory:
    * Open a topic on [our community forum](https://community.hedgedoc.org)
    * Join our [matrix room](https://chat.hedgedoc.org)

    Advisory link
    ---
    https://github.com/hedgedoc/hedgedoc/security/advisories/GHSA-p528-555r-pf87

    Signed-off-by: Christoph (Sheogorath) Kern <sheogorath@shivering-isles.com>
* Merge pull request #1022 from hedgedoc/fix/translate  (David Mehren, 2021-03-18, 5 files, -9/+9)
    [1.x] Templates: Remove lang and add translation parameter
  * Templates: Remove lang and add translation parameter  (Philip Molares, 2021-03-16, 5 files, -9/+9)
    Since the interface is not always in English, we mostly removed the lang attribute from all html tags. Since the error messages in error.ejs are not translated, but always in English, there the global lang="en" should be kept. Also in the slide and editor template the div, which contains the user generated text, has the attribute translate="no" now, to avoid unwanted translations. Since on the publish view (pretty.ejs) only the user generated content is shown, we set the lang to the language defined in yaml (or 'en') as a default, but that was also moved to the corresponding markdown div instead of html.

    Fixes #881
    See also #437

    Signed-off-by: Philip Molares <philip.molares@udo.edu>
* Merge pull request #1034 from hedgedoc/renovate/master-css-loader-5.x  (David Mehren, 2021-03-17, 2 files, -5/+5)
    Update dependency css-loader to v5.1.3 (master)
  * Update dependency css-loader to v5.1.3  (Renovate Bot, 2021-03-15, 2 files, -5/+5)
    Signed-off-by: Renovate Bot <bot@renovateapp.com>
* Merge pull request #1025 from hedgedoc/1.x/replace-request  (David Mehren, 2021-03-15, 3 files, -55/+64)
    [1.x] Dependencies: Replace deprecated request library with node-fetch
  * Replace request library with node-fetch  (Erik Michelson, 2021-03-12, 3 files, -55/+64)
    Signed-off-by: Erik Michelson <github@erik.michelson.eu>
* Merge pull request #1013 from hedgedoc/renovate/master-lock-file-maintenance  (David Mehren, 2021-03-15, 1 file, -38/+48)
    Lock file maintenance (master)
  * Lock file maintenance  (Renovate Bot, 2021-03-14, 1 file, -38/+48)
    Signed-off-by: Renovate Bot <bot@renovateapp.com>
* Merge pull request #1028 from hedgedoc/renovate/master-linters  (David Mehren, 2021-03-14, 2 files, -8/+20)
    Update dependency eslint to v7.22.0 (master)
  * Update dependency eslint to v7.22.0  (Renovate Bot, 2021-03-14, 2 files, -8/+20)
    Signed-off-by: Renovate Bot <bot@renovateapp.com>
* Merge pull request #1027 from hedgedoc/renovate/master-test-packages  (David Mehren, 2021-03-14, 2 files, -5/+5)
    Update dependency mocha to v8.3.2 (master)
  * Update dependency mocha to v8.3.2  (Renovate Bot, 2021-03-14, 2 files, -5/+5)
    Signed-off-by: Renovate Bot <bot@renovateapp.com>
* Merge pull request #1020 from hedgedoc/renovate/master-css-loader-5.x  (David Mehren, 2021-03-14, 2 files, -10/+10)
    Update dependency css-loader to v5.1.2 (master)
  * Update dependency css-loader to v5.1.2  (Renovate Bot, 2021-03-14, 2 files, -10/+10)
    Signed-off-by: Renovate Bot <bot@renovateapp.com>
* Merge pull request #1029 from hedgedoc/renovate/master-mkdocs-material-7.x  (David Mehren, 2021-03-14, 1 file, -1/+1)
    Update dependency mkdocs-material to v7.0.6 (master)
  * Update dependency mkdocs-material to v7.0.6  (Renovate Bot, 2021-03-14, 1 file, -1/+1)
    Signed-off-by: Renovate Bot <bot@renovateapp.com>
* Merge pull request #976 from hedgedoc/renovate/master-lock-file-maintenance  (David Mehren, 2021-03-07, 1 file, -195/+197)
    Lock file maintenance (master)
  * Lock file maintenance  (Renovate Bot, 2021-03-07, 1 file, -195/+197)
    Signed-off-by: Renovate Bot <bot@renovateapp.com>
* Merge pull request #996 from hedgedoc/renovate/master-test-packages  (David Mehren, 2021-03-07, 2 files, -5/+5)
    Update dependency mocha to v8.3.1 (master)
  * Update dependency mocha to v8.3.1  (Renovate Bot, 2021-03-07, 2 files, -5/+5)
    Signed-off-by: Renovate Bot <bot@renovateapp.com>
* Merge pull request #1010 from hedgedoc/renovate/master-mkdocs-material-7.x  (David Mehren, 2021-03-07, 1 file, -1/+1)
    Update dependency mkdocs-material to v7.0.5 (master)
  * Update dependency mkdocs-material to v7.0.5  (Renovate Bot, 2021-03-07, 1 file, -1/+1)
    Signed-off-by: Renovate Bot <bot@renovateapp.com>
* Merge pull request #997 from hedgedoc/docs/remove_sequelizerc  (David Mehren, 2021-03-06, 5 files, -32/+8)
  * Update link to config docs in setup script  (David Mehren, 2021-03-06, 1 file, -1/+1)
    Signed-off-by: David Mehren <git@herrmehren.de>
  * Add release notes entry for #969  (David Mehren, 2021-03-06, 1 file, -0/+5)
    Signed-off-by: David Mehren <git@herrmehren.de>
  * Remove .sequelizerc  (David Mehren, 2021-03-06, 4 files, -31/+2)
    After https://github.com/hedgedoc/hedgedoc/pull/969 was merged, a separate configuration file for the sequelize-cli is no longer required.

    Signed-off-by: David Mehren <git@herrmehren.de>
* Merge pull request #973 from hedgedoc/renovate/master-linters  (David Mehren, 2021-03-05, 2 files, -16/+15)
    Update dependency eslint to v7.21.0 (master)
  * Update dependency eslint to v7.21.0  (Renovate Bot, 2021-03-05, 2 files, -16/+15)
    Signed-off-by: Renovate Bot <bot@renovateapp.com>
* Merge pull request #985 from hedgedoc/renovate/master-mkdocs-material-7.x  (David Mehren, 2021-03-05, 1 file, -1/+1)
    Update dependency mkdocs-material to v7.0.4 (master)
  * Update dependency mkdocs-material to v7.0.4  (Renovate Bot, 2021-03-04, 1 file, -1/+1)
    Signed-off-by: Renovate Bot <bot@renovateapp.com>
* Merge pull request #979 from hedgedoc/renovate/master-css-loader-5.x  (David Mehren, 2021-03-05, 2 files, -5/+5)
    Update dependency css-loader to v5.1.1 (master)
  * Update dependency css-loader to v5.1.1  (Renovate Bot, 2021-03-04, 2 files, -5/+5)
    Signed-off-by: Renovate Bot <bot@renovateapp.com>
* Merge pull request #969 from hedgedoc/feature/port_automated_migrations  (David Mehren, 2021-03-04, 6 files, -315/+80)
  * Add docs about troubleshooting migrations  (David Mehren, 2021-03-03, 2 files, -0/+26)
    Signed-off-by: David Mehren <git@herrmehren.de>
  * Run database migrations automatically on startup  (David Mehren, 2021-02-27, 4 files, -315/+54)
    This commit removes the need for separate migrations with the sequelize-cli by running them with umzug on application startup.

    This is a port of #384

    Co-authored-by: Sheogorath <sheogorath@shivering-isles.com>
    Signed-off-by: David Mehren <git@herrmehren.de>
* Merge pull request #962 from hedgedoc/renovate/master-mkdocs-material-7.x  (David Mehren, 2021-02-26, 1 file, -1/+1)
    Update dependency mkdocs-material to v7.0.3 (master)
  * Update dependency mkdocs-material to v7.0.3  (Renovate Bot, 2021-02-26, 1 file, -1/+1)
    Signed-off-by: Renovate Bot <bot@renovateapp.com>
* Merge pull request #889 from hedgedoc/renovate/master-uuid-8.x  (David Mehren, 2021-02-25, 3 files, -3/+8)
  * Use new uuid export  (David Mehren, 2021-02-16, 1 file, -2/+2)
    Signed-off-by: David Mehren <git@herrmehren.de>
  * Update dependency uuid to v8  (Renovate Bot, 2021-02-16, 2 files, -1/+6)
    Signed-off-by: Renovate Bot <bot@renovateapp.com>
* Merge pull request #945 from hedgedoc/renovate/master-mkdocs-material-7.x  (David Mehren, 2021-02-25, 1 file, -1/+1)
    Update dependency mkdocs-material to v7 (master)
  * Update dependency mkdocs-material to v7  (Renovate Bot, 2021-02-25, 1 file, -1/+1)
    Signed-off-by: Renovate Bot <bot@renovateapp.com>
* Merge pull request #955 from hedgedoc/renovate/master-mini-css-extract-plugin-1.x  (David Mehren, 2021-02-25, 2 files, -5/+5)
    Update dependency mini-css-extract-plugin to v1.3.9 (master)
  * Update dependency mini-css-extract-plugin to v1.3.9  (Renovate Bot, 2021-02-25, 2 files, -5/+5)
    Signed-off-by: Renovate Bot <bot@renovateapp.com>
* Merge pull request #954 from hedgedoc/renovate/master-css-loader-5.x  (David Mehren, 2021-02-25, 2 files, -7/+7)
    Update dependency css-loader to v5.1.0 (master)
  * Update dependency css-loader to v5.1.0  (Renovate Bot, 2021-02-25, 2 files, -7/+7)
    Signed-off-by: Renovate Bot <bot@renovateapp.com>
* Merge pull request #926 from hedgedoc/1.x/note-nonexistent-404  (David Mehren, 2021-02-19, 2 files, -3/+6)
    Add HTTP 404 error on actions for non-existent notes
  * Add HTTP 404 error on non-existent note downloads  (Erik Michelson, 2021-02-17, 2 files, -3/+6)
    When FreeURL mode is enabled and you called the /download route, the note was created and the user redirected to the blank note. This is caused because the findNote method automatically creates a note when no existing one is found.

    This commit adds a new parameter to the findNote method which allows disabling this behaviour. In that case an HTTP 404 error will be returned.

    Signed-off-by: Erik Michelson <github@erik.michelson.eu>
* Merge pull request #930 from hedgedoc/renovate/master-mini-css-extract-plugin-1.x  (David Mehren, 2021-02-18, 2 files, -5/+5)
    Update dependency mini-css-extract-plugin to v1.3.8 (master)