| Commit message (Collapse) | Author | Age | Files | Lines |
|\
| |
| | |
Update bootstrap from 3.3.7 to 3.4.0
|
|/
|
|
|
|
|
|
|
|
|
|
|
| |
Seems like finally there is a new bootstrap version for old version 3.
This patch implements this new version with CodiMD and this way fixes
some possible security issues in the frontend code.
See:
https://snyk.io/vuln/SNYK-JS-BOOTSTRAP-72889
https://snyk.io/vuln/SNYK-JS-BOOTSTRAP-72890
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
|
|\
| |
| | |
Update SAML to version 1.0.0
|
|/
|
|
|
|
|
|
|
|
| |
Seems like there was a security problem with the library.
This patch updates to version 1.0.0 which fixed the details.
Details: https://snyk.io/vuln/SNYK-JS-PASSPORTSAML-72411
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
|
|\
| |
| | |
Remove blueimp-md5 dependency
|
| |
| |
| |
| | |
Signed-off-by: Daan Sprenkels <hello@dsprenkels.com>
|
| |
| |
| |
| | |
Signed-off-by: Daan Sprenkels <hello@dsprenkels.com>
|
|\ \
| |/
|/| |
Fix some XSS issues
|
| |
| |
| |
| | |
Signed-off-by: Max Wu <jackymaxj@gmail.com>
|
|/
|
| |
Signed-off-by: Max Wu <jackymaxj@gmail.com>
|
|\
| |
| | |
Fix broken Gist embedding
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Looks like GitHub changed their asset system and our CSP prevented them
from getting loaded.
This patch should fix the Gist embedding with enabled CSP by replacing
the old URL `https://assets-cdn.github.com` with the new
`https://github.githubassets.com`.
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
|
|\ \
| | |
| | | |
Update upload provider error message
|
|/ /
| |
| |
| |
| |
| | |
Fixes #1107.
Signed-off-by: Daan Sprenkels <hello@dsprenkels.com>
|
|\ \
| | |
| | | |
Fix usage of new URL API
|
| |/
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Due to the deprecation of the old `url`-API provided by NodeJS we
replaced `url.resolve` with `url.URL.resolve`, which doesn't exist.
This patch fixes the local filesystem upload of CodiMD by using the new
API correctly. Creating an URL object and using its href.
Some more background:
https://nodejs.org/api/url.html#url_url_href
https://nodejs.org/api/url.html#url_url_resolve_from_to
Fixes https://github.com/hackmdio/codimd/issues/1102
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
|
| | |
|
|\ \
| | |
| | | |
Fix CSP for speaker notes
|
| |/
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Looks like I was wrong in my previous commit to update revealjs.[1]
The speaker notes broke again with the CSPs. So this patch updates the
hash and this way the speaker notes.
[1]: bcebf1e8d285184f8c905f00e0270621790e7b80
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
|
|\ \
| |/
|/| |
Fix disqus CSP
|
|/
|
|
|
|
|
|
|
|
|
|
| |
Disqus loads it's embed config.js from its root domain
(https://disqus.com). Our CSPs only allow subdomains (e.g.:
https://codimd.disqus.com). This causes the disqus embedding to fail.
This patch should fix this problem by adding https://disqus.com to the
CSP setting. From a security perspective there is no real change. Since
still the same parties are involved.
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
|
|
|
|
| |
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
|
|\
| |
| | |
Update socket.io
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Our socket.io version is 2.0.4 while the current socket.io version is
2.1.1.
This patch updates socket.io to version 2.1.1 and takes care of the CDN
client version.
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
|
|\ \
| | |
| | | |
Warn on missing serverURL
|
| |/
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
We see some issues that are based on not properly configured
`config.serverURL`.
This patch adds a warning when `config.serverURL` is an empty value.
This should provide users direct feedback about how to improve their
configs.
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
|
|\ \
| |/
|/|
| |
| |
| |
| | |
Fix wrong config options
In `./lib/web/auth/` some config includes still used `config.serverurl` instead of the correct `config.serverURL`. This causes wrong URL in worst case.
This patch should fix those problems and migrate the wrong statements to camelcase.
|
| |
| |
| |
| | |
Signed-off-by: CloudYu <cloudyu322@gmail.com>
|
|\ \
| |/
|/| |
Prevent subdirectories in user export
|
|/
|
|
|
|
|
|
|
| |
This commit also refactors the code a bit, and adds a '-' separator
between a filename and its duplicate index.
This commit fixes #1079.
Signed-off-by: Daan Sprenkels <hello@dsprenkels.com>
|
|\
| |
| | |
Update doctoc to version 1.4.0
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
When installing doctoc it throws some warnings about the markdown-to-ast
package that moved to an own namespace.
This patch updates to the version containing the new, namespaced,
package.
References:
https://github.com/thlorenz/doctoc/pull/151
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
|
|\ \
| | |
| | | |
Update from to-markdown to turndown
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
We got a security alert for a regular expression DoS attack on our used
library `to-markdown`.
After checking `to-markdown` to be maintained or not, it turned out they
renamed the library to `turndown`. So upgrading to `turndown` should fix
this vulnerbility.
References:
https://www.npmjs.com/package/to-markdown
https://github.com/domchristie/turndown/wiki/Migrating-from-to-markdown-to-Turndown
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
|
|\ \ \
| | | |
| | | | |
Remove node-uuid
|
| | |/
| |/|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
We currently install `uuid` and `node-uuid`. `node-uuid` is deprecated
in favor of `uuid`. It seems like we already switched a while ago, but
somehow missed to remove the dependency.
This patch does exactly that. It removes the dependency from
`package.json` and this way removes the warning during install about
`node-uuid` being deprecated.
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
|
| | | |
|
|/ / |
|
| |
| |
| |
| | |
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
|
|\ \
| |/
|/| |
Fix typo in config.json.example
|
|/
|
|
|
|
|
|
|
|
| |
We recently added the new logging option. As it turns out, the new
option was not added correctly, which points out that our current json
linting is **not working**. It throws an error but doesn't break.
This patch fixes the typo in the example. It does not fix the CI part.
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
|
|\
| |
| | |
After removing ws, node version 10 should work
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
In my local environment I switched to Fedora 29. Fedora 29 comes with
NodeJS version 10.
As far as I can say, it works, so let's try to remove the restriction to
"<10.x"
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
|
|\ \
| | |
| | | |
Switch scrypt library to a successor
|
|/ /
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Since our previous scrypt library is unmaintained since 3 years, it's
time to look for an alternative.
A refactoring towards another password algorithm was worked on and this
is probably still the way to go. But for now the successor of our
previous library should already be enough.
https://www.npmjs.com/package/scrypt (old library)
https://github.com/ml1nk/node-scrypt (new library)
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
|
|\ \
| | |
| | | |
Update reveal.js to version 3.7.0
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
There is a new reveal.js version out. As we try to keep up with
upstream, time to integreate it.
This patch updates reveal.js in for CDN-using instances as well as the
ones using the libraries.
Checked that speaker view in slide mode still works, so no CSP change
needed.
https://github.com/hakimel/reveal.js/releases/tag/3.7.0
https://github.com/hackmdio/codimd/blob/2d241b93002a3a23f81ffe8fab82f2c6c98feca4/lib/csp.js#L72-L74
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
|
|\ \ \
| |/ /
|/| | |
Fix wrong maxAgeSeconds multiplication
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
It seems like the inital work on the hsts module expected milliseconds.
This has either changed or was never true. Either way, it caused that
the current defaults resulted in theory in a 1000 year HSTS policy.
Luckily helmet was smart enough to not go higher than 1 year.
Anyway, this patch fixes the multiplication of the configured size with
1000 by removing this multiplication.
Also to simplify the reading of the defaults, we split them into their
components, 60 times 60 seconds so we get one hour. 24 of those hours so
we get a day and finally 365 days to get our original wanted default of
one year.
Reference:
https://github.com/hackmdio/CodiMD/commit/d69d65ea7434eee85db4b905f0852f4d8fa7ecce
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
|
|/ /
| |
| |
| | |
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
|