summaryrefslogtreecommitdiff
Commit message (Collapse)AuthorAgeFilesLines
* Merge pull request #1114 from SISheogorath/fix/samlVersionChristoph (Sheogorath) Kern2019-01-091-1/+1
|\ | | | | Update SAML to version 1.0.0
| * Update SAML to version 1.0.0Sheogorath2019-01-091-1/+1
|/ | | | | | | | | | Seems like there was a security problem with the library. This patch updates to version 1.0.0 which fixed the details. Details: https://snyk.io/vuln/SNYK-JS-PASSPORTSAML-72411 Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* Merge pull request #1110 from dsprenkels/issue_1106Christoph (Sheogorath) Kern2019-01-053-5/+20
|\ | | | | Remove blueimp-md5 dependency
| * Remove blueimp-md5 dependencyDaan Sprenkels2018-12-222-4/+7
| | | | | | | | Signed-off-by: Daan Sprenkels <hello@dsprenkels.com>
| * Add a test for gravatar urlsDaan Sprenkels2018-12-222-1/+13
| | | | | | | | Signed-off-by: Daan Sprenkels <hello@dsprenkels.com>
* | Merge pull request #1112 from hackmdio/fix-XSS-issuesChristoph (Sheogorath) Kern2018-12-292-2/+2
|\ \ | |/ |/| Fix some XSS issues
| * Fix to escape html comment tag [Security Issue]Max Wu2018-12-281-1/+1
| | | | | | | | Signed-off-by: Max Wu <jackymaxj@gmail.com>
| * Fix to sanitize disqus shortnames to remove slashes [Security Issue]Max Wu2018-12-281-1/+1
|/ | | Signed-off-by: Max Wu <jackymaxj@gmail.com>
* Merge pull request #1105 from SISheogorath/fix/gistCSPChristoph (Sheogorath) Kern2018-12-211-1/+1
|\ | | | | Fix broken Gist embedding
| * Fix broken Gist embeddingSheogorath2018-12-201-1/+1
| | | | | | | | | | | | | | | | | | | | | | Looks like GitHub changed their asset system and our CSP prevented them from getting loaded. This patch should fix the Gist embedding with enabled CSP by replacing the old URL `https://assets-cdn.github.com` with the new `https://github.githubassets.com`. Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* | Merge pull request #1108 from dsprenkels/patch-1Christoph (Sheogorath) Kern2018-12-211-1/+1
|\ \ | | | | | | Update upload provider error message
| * | Update upload provider error messageDaan Sprenkels2018-12-211-1/+1
|/ / | | | | | | | | | | Fixes #1107. Signed-off-by: Daan Sprenkels <hello@dsprenkels.com>
* | Merge pull request #1103 from SISheogorath/fix/localImageUploadChristoph (Sheogorath) Kern2018-12-201-2/+2
|\ \ | | | | | | Fix usage of new URL API
| * | Fix usage of new URL APISheogorath2018-12-181-2/+2
| |/ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Due to the deprecation of the old `url`-API provided by NodeJS we replaced `url.resolve` with `url.URL.resolve`, which doesn't exist. This patch fixes the local filesystem upload of CodiMD by using the new API correctly. Creating an URL object and using its href. Some more background: https://nodejs.org/api/url.html#url_url_href https://nodejs.org/api/url.html#url_url_resolve_from_to Fixes https://github.com/hackmdio/codimd/issues/1102 Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* | Update ru.json (POEditor.com)Christoph (Sheogorath) Kern2018-12-131-103/+116
| |
* | Merge pull request #1091 from SISheogorath/fix/speakerNotesCSPChristoph (Sheogorath) Kern2018-12-061-1/+1
|\ \ | | | | | | Fix CSP for speaker notes
| * | Fix CSP for speaker notesSheogorath2018-12-051-1/+1
| |/ | | | | | | | | | | | | | | | | | | | | Looks like I was wrong in my previous commit to update revealjs.[1] The speaker notes broke again with the CSPs. So this patch updates the hash and this way the speaker notes. [1]: bcebf1e8d285184f8c905f00e0270621790e7b80 Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* | Merge pull request #1092 from SISheogorath/fix/disqusCSPChristoph (Sheogorath) Kern2018-12-061-1/+1
|\ \ | |/ |/| Fix disqus CSP
| * Fix disqus CSPSheogorath2018-12-051-1/+1
|/ | | | | | | | | | | | Disqus loads it's embed config.js from its root domain (https://disqus.com). Our CSPs only allow subdomains (e.g.: https://codimd.disqus.com). This causes the disqus embedding to fail. This patch should fix this problem by adding https://disqus.com to the CSP setting. From a security perspective there is no real change. Since still the same parties are involved. Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* Update yarn.lockSheogorath2018-12-041-362/+499
| | | | Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* Merge pull request #1085 from SISheogorath/update/socket.ioChristoph (Sheogorath) Kern2018-12-012-3/+3
|\ | | | | Update socket.io
| * Update socket.ioSheogorath2018-11-282-3/+3
| | | | | | | | | | | | | | | | | | | | Our socket.io version is 2.0.4 while the current socket.io version is 2.1.1. This patch updates socket.io to version 2.1.1 and takes care of the CDN client version. Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* | Merge pull request #1086 from SISheogorath/feature/urlWarningChristoph (Sheogorath) Kern2018-12-011-0/+4
|\ \ | | | | | | Warn on missing serverURL
| * | Warn on missing serverURLSheogorath2018-11-281-0/+4
| |/ | | | | | | | | | | | | | | | | | | | | We see some issues that are based on not properly configured `config.serverURL`. This patch adds a warning when `config.serverURL` is an empty value. This should provide users direct feedback about how to improve their configs. Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* | Merge pull request #1082 from cloudyu/pullChristoph (Sheogorath) Kern2018-11-282-4/+4
|\ \ | |/ |/| | | | | | | | | Fix wrong config options In `./lib/web/auth/` some config includes still used `config.serverurl` instead of the correct `config.serverURL`. This causes wrong URL in worst case. This patch should fix those problems and migrate the wrong statements to camelcase.
| * Fix typoCloudYu2018-11-272-4/+4
| | | | | | | | Signed-off-by: CloudYu <cloudyu322@gmail.com>
* | Merge pull request #1084 from dsprenkels/export-subdirsChristoph (Sheogorath) Kern2018-11-281-9/+11
|\ \ | |/ |/| Prevent subdirectories in user export
| * Prevent subdirectories in user exportDaan Sprenkels2018-11-281-9/+11
|/ | | | | | | | | This commit also refactors the code a bit, and adds a '-' separator between a filename and its duplicate index. This commit fixes #1079. Signed-off-by: Daan Sprenkels <hello@dsprenkels.com>
* Merge pull request #1072 from SISheogorath/update/doctocChristoph (Sheogorath) Kern2018-11-241-1/+1
|\ | | | | Update doctoc to version 1.4.0
| * Update doctoc to version 1.4.0Sheogorath2018-11-211-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | When installing doctoc it throws some warnings about the markdown-to-ast package that moved to an own namespace. This patch updates to the version containing the new, namespaced, package. References: https://github.com/thlorenz/doctoc/pull/151 Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* | Merge pull request #1069 from SISheogorath/fix/to-markdownChristoph (Sheogorath) Kern2018-11-242-3/+8
|\ \ | | | | | | Update from to-markdown to turndown
| * | Update from to-markdown to turndownSheogorath2018-11-212-3/+8
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | We got a security alert for a regular expression DoS attack on our used library `to-markdown`. After checking `to-markdown` to be maintained or not, it turned out they renamed the library to `turndown`. So upgrading to `turndown` should fix this vulnerbility. References: https://www.npmjs.com/package/to-markdown https://github.com/domchristie/turndown/wiki/Migrating-from-to-markdown-to-Turndown Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* | | Merge pull request #1071 from SISheogorath/fix/node-uuidChristoph (Sheogorath) Kern2018-11-241-1/+0
|\ \ \ | | | | | | | | Remove node-uuid
| * | | Remove node-uuidSheogorath2018-11-211-1/+0
| | |/ | |/| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | We currently install `uuid` and `node-uuid`. `node-uuid` is deprecated in favor of `uuid`. It seems like we already switched a while ago, but somehow missed to remove the dependency. This patch does exactly that. It removes the dependency from `package.json` and this way removes the warning during install about `node-uuid` being deprecated. Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* | | Update ko.json (POEditor.com)Christoph (Sheogorath) Kern2018-11-231-3/+11
| | |
* | | Update it.json (POEditor.com)Christoph (Sheogorath) Kern2018-11-231-1/+2
|/ /
* | Update yarn.lockSheogorath2018-11-211-1760/+1657
| | | | | | | | Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* | Merge pull request #1070 from SISheogorath/fix/configExampleChristoph (Sheogorath) Kern2018-11-211-1/+1
|\ \ | |/ |/| Fix typo in config.json.example
| * Fix typo in config.json.exampleSheogorath2018-11-211-1/+1
|/ | | | | | | | | | We recently added the new logging option. As it turns out, the new option was not added correctly, which points out that our current json linting is **not working**. It throws an error but doesn't break. This patch fixes the typo in the example. It does not fix the CI part. Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* Merge pull request #1063 from SISheogorath/fix/nodeVersionChristoph (Sheogorath) Kern2018-11-212-1/+7
|\ | | | | After removing ws, node version 10 should work
| * After removing ws, node version 10 should workSheogorath2018-11-192-1/+7
| | | | | | | | | | | | | | | | | | | | In my local environment I switched to Fedora 29. Fedora 29 comes with NodeJS version 10. As far as I can say, it works, so let's try to remove the restriction to "<10.x" Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* | Merge pull request #1066 from SISheogorath/update/scryptChristoph (Sheogorath) Kern2018-11-212-2/+2
|\ \ | | | | | | Switch scrypt library to a successor
| * | Switch scrypt library to a successorSheogorath2018-11-212-2/+2
|/ / | | | | | | | | | | | | | | | | | | | | | | | | Since our previous scrypt library is unmaintained since 3 years, it's time to look for an alternative. A refactoring towards another password algorithm was worked on and this is probably still the way to go. But for now the successor of our previous library should already be enough. https://www.npmjs.com/package/scrypt (old library) https://github.com/ml1nk/node-scrypt (new library) Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* | Merge pull request #1065 from SISheogorath/update/reveal.jsChristoph (Sheogorath) Kern2018-11-212-4/+4
|\ \ | | | | | | Update reveal.js to version 3.7.0
| * | Update reveal.js to version 3.7.0Sheogorath2018-11-192-4/+4
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | There is a new reveal.js version out. As we try to keep up with upstream, time to integreate it. This patch updates reveal.js in for CDN-using instances as well as the ones using the libraries. Checked that speaker view in slide mode still works, so no CSP change needed. https://github.com/hakimel/reveal.js/releases/tag/3.7.0 https://github.com/hackmdio/codimd/blob/2d241b93002a3a23f81ffe8fab82f2c6c98feca4/lib/csp.js#L72-L74 Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* | | Merge pull request #1064 from SISheogorath/fix/hstsSecondsChristoph (Sheogorath) Kern2018-11-212-2/+2
|\ \ \ | |/ / |/| | Fix wrong maxAgeSeconds multiplication
| * | Fix wrong maxAgeSeconds multiplicationSheogorath2018-11-192-2/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | It seems like the inital work on the hsts module expected milliseconds. This has either changed or was never true. Either way, it caused that the current defaults resulted in theory in a 1000 year HSTS policy. Luckily helmet was smart enough to not go higher than 1 year. Anyway, this patch fixes the multiplication of the configured size with 1000 by removing this multiplication. Also to simplify the reading of the defaults, we split them into their components, 60 times 60 seconds so we get one hour. 24 of those hours so we get a day and finally 365 days to get our original wanted default of one year. Reference: https://github.com/hackmdio/CodiMD/commit/d69d65ea7434eee85db4b905f0852f4d8fa7ecce Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* | | Update yarn.lockSheogorath2018-11-191-397/+383
|/ / | | | | | | Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* | Merge pull request #1043 from SISheogorath/fix/tocEmptyHeadChristoph (Sheogorath) Kern2018-11-193-6/+9
|\ \ | | | | | | Fix ToC breaking documents with empty h* elements
| * | Fix wrong anchorsSheogorath2018-11-192-2/+5
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | While experimenting with the ToC changes, it became obvious that anchors for those unnamed headers don't work. This patch fixes those links by running the autolinkify twice and make sure linkify only adds links to non-empty ids. Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>