Commit message  Author  Age  Files  Lines
* Merge pull request #730 from hedgedoc/maint/master-deps-upgradeYannick Bungers2021-01-151-479/+400
|\
| * Regenerate yarn.lockDavid Mehren2021-01-141-342/+319
| | | | | | | | Signed-off-by: David Mehren <git@herrmehren.de>
| * Upgrade to socket.io 2.4.1David Mehren2021-01-141-106/+21
| | | | | | | | Signed-off-by: David Mehren <git@herrmehren.de>
| * Update yarn.lockDavid Mehren2021-01-141-54/+83
|/ | | | | | archiver@5.2.0, aws-sdk@2.828.0, file-type@16.2.0, prismjs@1.23.0, socket.io-client@2.4.0, bufferutil@4.0.3, utf-8-validate@5.0.4 Signed-off-by: David Mehren <git@herrmehren.de>
* Merge pull request #727 from hedgedoc/fix/slideOptionsSanitationDavid Mehren2021-01-142-2/+52
|\
| * added theme to the sanitization of slideOptionsPhilip Molares2021-01-141-0/+1
| | | | | | | | Signed-off-by: Philip Molares <philip.molares@udo.edu>
| * changed the SCRIPT_END_PLACEHOLDER regex to case insensitivePhilip Molares2021-01-141-1/+1
| | This was suggested by @TobiasHoll in https://github.com/hackmdio/codimd/issues/1648 Signed-off-by: Philip Molares <philip.molares@udo.edu>
| * added sanitation to the slideMode in frontmatterPhilip Molares2021-01-141-1/+50
| | This should prevent the issue mentioned in https://github.com/hackmdio/codimd/issues/1648
| | Specifically left out are:
| | - dependency (user can't really include anything anyway, because CSP forbids most domains)
| | - autoSlideMethod (nothing our users should be able to change as they won't write JS to be affected by this)
| | - keyboard (this lets users write arbitrary code and seems therefore too problematic)
| | See: https://github.com/hakimel/reveal.js/blob/3.9.2/README.md#configuration
| | Signed-off-by: Philip Molares <philip.molares@udo.edu>
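The commit above describes an allow-list approach to reveal.js options coming from frontmatter: keys that can carry code (`dependencies`, `autoSlideMethod`, `keyboard`) are never copied, and `theme` is restricted as well. The following is an added example of such a sanitizer, not HedgeDoc's own code; the set of keys it permits, the accepted enum values and the theme names are assumptions taken from the reveal.js 3.9.x configuration table, not from the project's implementation.

```javascript
// Added example (not HedgeDoc's code): allow-list sanitizer for reveal.js
// options taken from a note's YAML frontmatter. Key names follow the
// reveal.js 3.9.x configuration table; which keys HedgeDoc itself permits
// is an assumption here, as are the accepted enum values and theme names.

// Enumerated values: a string not in the set is dropped, never passed through.
const TRANSITIONS = new Set(['none', 'fade', 'slide', 'convex', 'concave', 'zoom']);
const SPEEDS = new Set(['default', 'fast', 'slow']);
// reveal.js ships these as css/theme/<name>.css (assumed allowed set).
const THEMES = new Set(['black', 'white', 'league', 'beige', 'sky', 'night',
  'serif', 'simple', 'solarized', 'blood', 'moon']);

// Each allowed key maps to a validator returning the cleaned value or undefined.
const bool = v => (typeof v === 'boolean' ? v : undefined);
const nonNegInt = v => (Number.isInteger(v) && v >= 0 ? v : undefined);
const oneOf = set => v => (typeof v === 'string' && set.has(v) ? v : undefined);

const ALLOWED = {
  controls: bool, progress: bool, slideNumber: bool, history: bool,
  overview: bool, center: bool, touch: bool, loop: bool, rtl: bool,
  shuffle: bool, fragments: bool, embedded: bool, help: bool,
  showNotes: bool, autoPlayMedia: bool, autoSlide: nonNegInt,
  autoSlideStoppable: bool, mouseWheel: bool, hideAddressBar: bool,
  previewLinks: bool, viewDistance: nonNegInt,
  transition: oneOf(TRANSITIONS), transitionSpeed: oneOf(SPEEDS),
  backgroundTransition: oneOf(TRANSITIONS), theme: oneOf(THEMES),
};
// Deliberately absent from ALLOWED, mirroring the commit message:
// dependencies (loads scripts), autoSlideMethod (a function name),
// keyboard (maps key codes to functions). Anything not listed is dropped.

function sanitizeSlideOptions(raw) {
  const clean = {};
  if (raw === null || typeof raw !== 'object' || Array.isArray(raw)) return clean;
  for (const key of Object.keys(raw)) {
    // hasOwnProperty guard: keys such as "constructor" must not resolve to
    // Object.prototype members and be treated as validators.
    const check = Object.prototype.hasOwnProperty.call(ALLOWED, key) ? ALLOWED[key] : undefined;
    if (!check) continue;               // unknown or forbidden key
    const value = check(raw[key]);
    if (value !== undefined) clean[key] = value;   // wrong type or enum value: dropped
  }
  return clean;
}

// Constructed frontmatter as a user could submit it (not from the page).
const untrusted = {
  transition: 'zoom',
  theme: 'night',
  autoSlide: 5000,
  keyboard: { 13: 'alert(document.cookie)' },
  dependencies: [{ src: 'https://evil.example/plugin.js' }],
  autoSlideMethod: 'Reveal.navigateRight',
  backgroundTransition: '"><script>alert(1)</script>',
  controls: 'true',
};

console.log(sanitizeSlideOptions(untrusted));
```

Only `transition`, `theme` and `autoSlide` survive the constructed input: the code-carrying keys are not in the allow-list, the string `'true'` is not a boolean, and a transition value outside the enum is dropped rather than escaped, so nothing user-controlled is ever spliced into the options object verbatim.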
* | Merge pull request #722 from hedgedoc/docs/various-fixesYannick Bungers2021-01-1414-83/+106
|\ \
| * | Docs: Reorder navigation linksDavid Mehren2021-01-131-6/+6
| | | | | | | | | | | | Signed-off-by: David Mehren <git@herrmehren.de>
| * | Docs: Various formatting fixesDavid Mehren2021-01-135-8/+11
| | | | | | | | | | | | Signed-off-by: David Mehren <git@herrmehren.de>
| * | Docs: Use extensions to make markdown parsing more like GFMDavid Mehren2021-01-132-0/+3
| | | | | | | | | | | | Signed-off-by: David Mehren <git@herrmehren.de>
| * | GitLab Auth Guide: Fix indentationDavid Mehren2021-01-111-12/+13
| | | | | | | | | | | | Signed-off-by: David Mehren <git@herrmehren.de>
| * | GitHub Auth Guide: Fix indentationDavid Mehren2021-01-111-2/+2
| | | | | | | | | | | | Signed-off-by: David Mehren <git@herrmehren.de>
| * | SAML Auth Guide: Fix indentationDavid Mehren2021-01-111-10/+15
| | | | | | | | | | | | Signed-off-by: David Mehren <git@herrmehren.de>
| * | Docs: Unify code block languagesDavid Mehren2021-01-1110-20/+20
| | | | | | | | | | | | | | | | | | Use `yaml` for Dockerfiles, `shell` for environment variables and `json` for our config file. Signed-off-by: David Mehren <git@herrmehren.de>
| * | Docs: Replace `:smile` with actual 😃 emojiDavid Mehren2021-01-116-8/+9
| | | | | | | | | | | | Signed-off-by: David Mehren <git@herrmehren.de>
| * | Docs: Enable SuperFences extensionDavid Mehren2021-01-111-0/+1
| | | | | | | | | | | | | | | | | | This allows indented code blocks in lists Signed-off-by: David Mehren <git@herrmehren.de>
| * | docs: Fix indentation of codeSimon C2021-01-111-23/+32
| |/ | | | | | | | | (cherry picked from commit 4559d52d521939739b0d3aad0c84e39d2aa5c960) Signed-off-by: David Mehren <git@herrmehren.de>
* | Merge pull request #728 from hedgedoc/fix/statusBarCoverDavid Mehren2021-01-141-1/+1
|\ \ | |/ |/| fixed last line statusbar cover problem
| * fixed a problem that the last line of code becomes covered by status bar and can't be moved without changing the note.Philip Molares2021-01-141-1/+1
|/ Thanks to @mhdrone for reporting this and suggesting the fix. fixes #724 Signed-off-by: Philip Molares <philip.molares@udo.edu>
* Several theme changes (#659)Tilman Vatteroth2021-01-057-1/+35
| * Several theme changes
| - Add max width of 1440px
| - Rename css file
| - Fix edit button
| - Add local Roboto font
| Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>
* Merge pull request #656 from hedgedoc/docs/move-contentYannick Bungers2021-01-0594-56/+83
|\ | | | | Move docs into subdirectory to make structor work
| * Change history linkTilman Vatteroth2021-01-051-1/+1
| | | | | | | | Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>
| * Change links in READMETilman Vatteroth2021-01-051-10/+20
| | | | | | | | Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>
| * Use svg in readmeTilman Vatteroth2021-01-051-1/+1
| | | | | | | | Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>
| * Move docs into subdirectory to make mkdocs work in a subdirectoryTilman Vatteroth2021-01-0594-45/+62
|/ | | | Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>
* Merge pull request #655 from hedgedoc/remove-ie11Yannick Bungers2021-01-041-2/+4
|\ | | | | Remove IE11 support from README
| * Remove IE11 support from READMEDavid Mehren2021-01-041-2/+4
|/ | | | | | Apparently we have stopped supporting IE11. It shows a syntax error for our JS. I have spent half an hour trying to add IE11 to our Babel config, but that did not resolve the issue. It seems bigger changes to our Webpack config might be necessary to support IE11 again, which I don't think is worthwhile. It's probably reasonable to just remove IE from the list of supported browsers. Signed-off-by: David Mehren <git@herrmehren.de>
* Merge pull request #650 from hedgedoc/mkdocsDavid Mehren2021-01-048-1/+111
|\
| * added documentation about how to write, build and deploy thisPhilip Molares2021-01-044-2/+32
| | | | | | | | | | | | documentation. Signed-off-by: Philip Molares <philip.molares@udo.edu>
| * removed kubernetes from navigationPhilip Molares2021-01-041-1/+0
| | | | | | | | Signed-off-by: Philip Molares <philip.molares@udo.edu>
| * added all necessary configs to use structorPhilip Molares2021-01-036-9/+42
| | | | | | | | | | | | see https://github.com/traefik/structor Signed-off-by: Philip Molares <philip.molares@udo.edu>
| * started work on a mkdocs documentation for readthedocs.orgPhilip Molares2021-01-033-0/+48
| | | | | | | | Signed-off-by: Philip Molares <philip.molares@udo.edu>
* | Merge pull request #646 from hedgedoc/kubernetesDavid Mehren2021-01-042-3/+2
|\ \ | |/ |/|
| * removed kubernetes from READMEPhilip Molares2021-01-041-1/+0
| | | | | | | | Signed-off-by: Philip Molares <philip.molares@udo.edu>
| * remove old documentationPhilip Molares2021-01-031-4/+0
| | | | | | | | Signed-off-by: Philip Molares <philip.molares@udo.edu>
| * Update docs/setup/kubernetes.mdPhilip Molares2021-01-021-1/+1
| | | | | | | | | | Co-authored-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de> Signed-off-by: Philip Molares <philip.molares@udo.edu>
| * changed kubernetes setup docPhilip Molares2021-01-021-2/+6
| | Currently we don't provide our own and still linking to hackmd/codimd is not helpful. Signed-off-by: Philip Molares <philip.molares@udo.edu>
* | Fix typo in release notesDavid Mehren2020-12-271-1/+1
| | | | | | | | Signed-off-by: David Mehren <git@herrmehren.de>
* | Bump version to 1.7.1David Mehren2020-12-273-2/+10
| | | | | | | | Signed-off-by: David Mehren <git@herrmehren.de>
* | Update yarn.lockDavid Mehren2020-12-271-217/+40
| | | | | | | | Signed-off-by: David Mehren <git@herrmehren.de>
* | Merge pull request from GHSA-wcr3-xhv7-8gxcDavid Mehren2020-12-274-55/+333
|\ \ | | | | | | Fix arbitrary file upload
| * | Always save uploads to a tmpdir first and cleanup afterwardsDavid Mehren2020-12-273-9/+25
| | | | | | | | | | | | | | | | | | | | | This makes sure no unintended files are permanently saved. Co-authored-by: Yannick Bungers <git@innay.de> Signed-off-by: David Mehren <git@herrmehren.de>
| * | Improve MIME-type checks of uploaded filesDavid Mehren2020-12-273-49/+302
| | | | | | | | | | | | | | | | | | This commit adds a check if the MIME-type of the uploaded file (detected using the magic bytes) matches the file extension. Signed-off-by: David Mehren <git@herrmehren.de>
| * | Rework error messages for image uploadsSheogorath2020-12-271-4/+4
| | | This patch reworks the error messages for image uploads to make more sense. Instead of using the current `formidable error` for everything, all custom error detection now provides the (hopefully) more useful `Image Upload error` prefix for error messages. Signed-off-by: Christoph Kern <sheogorath@shivering-isles.com>
| * | Fix unauthenticated file uploadsSheogorath2020-12-271-0/+3
| | | This patch fixes the issue of unauthenticated users being able to upload files, even when anonymous edits are disabled. It's implemented by blocking uploads for all unauthenticated users when `allowAnonymous` is set to `false`, unless `allowAnonymousEdits` is set to true, to make sure anonymous editors still experience the full feature set. Signed-off-by: Christoph Kern <sheogorath@shivering-isles.com>
| * | Fix arbitrary file upload for uploadimage API endpointSheogorath2020-12-271-2/+8
|/ / This patch fixes a security issue with all existing CodiMD and HedgeDoc installations which allows arbitrary file uploads to instances that expose the `/uploadimage` API endpoint.

With the patch it imposes the same restrictions on the MIME-types as the frontend does. This means only images are allowed unless configured differently.

This issue was reported by Thomas Lambertz.

To verify if you are vulnerable or not, create two files `test.html` and `test.png` and try to upload them to your hedgedoc installation.

```
curl -X POST -F "image=@$(pwd)/test.html" http://localhost:3000/uploadimage
curl -X POST -F "image=@$(pwd)/test.png" http://localhost:3000/uploadimage
```

Note: Not all backends are affected. Imgur and lutim should prevent this by their own upload API. But S3, minio, filesystem and azure will be at risk.

Additional note: When using filesystem instead of an external upload provider, there is a higher risk of code injection as the default CSP does not block JS from the main domain.

References: https://github.com/hedgedoc/hedgedoc/security/advisories/GHSA-wcr3-xhv7-8gxc

Signed-off-by: Christoph Kern <sheogorath@shivering-isles.com>
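The three commits under GHSA-wcr3-xhv7-8gxc describe separate checks for `/uploadimage`: refuse unauthenticated uploads unless anonymous access or anonymous edits are enabled, sniff the real type from magic bytes instead of trusting the client, and reject files whose extension disagrees with the sniffed type. The block below is an added example that combines them into one gate, written for this page and not taken from HedgeDoc; the signature table, the extension map and the `config`/`user` shapes are assumptions, and the PNG header and HTML body are constructed inputs standing in for the `test.png` and `test.html` files from the commit's curl test.

```javascript
// Added example (not HedgeDoc's code): an upload gate that applies the checks
// described in the GHSA-wcr3-xhv7-8gxc commits before any backend is touched.
// Signature set, extension map and config/user shapes are assumptions.

// Magic-byte signatures as [offset, bytes] parts. The sniffed type never comes
// from the client-supplied Content-Type or filename.
const SIGNATURES = [
  { mime: 'image/png',  exts: ['png'],         parts: [[0, [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]]] },
  { mime: 'image/jpeg', exts: ['jpg', 'jpeg'], parts: [[0, [0xff, 0xd8, 0xff]]] },
  { mime: 'image/gif',  exts: ['gif'],         parts: [[0, Array.from(Buffer.from('GIF8'))]] },
  { mime: 'image/webp', exts: ['webp'],        parts: [[0, Array.from(Buffer.from('RIFF'))],
                                                       [8, Array.from(Buffer.from('WEBP'))]] },
];

function matchesAt(buf, offset, bytes) {
  if (buf.length < offset + bytes.length) return false;
  return bytes.every((b, i) => buf[offset + i] === b);
}

// Returns the matching signature entry, or null when no known image magic matches
// (an HTML or SVG body has no binary magic and therefore never passes).
function sniffImage(buf) {
  return SIGNATURES.find(sig => sig.parts.every(([off, bytes]) => matchesAt(buf, off, bytes))) || null;
}

// Policy from "Fix unauthenticated file uploads": an unauthenticated request may
// upload only if anonymous access is on, or anonymous edits are on.
function uploadAllowedForUser(config, user) {
  if (user) return true;
  return config.allowAnonymous === true || config.allowAnonymousEdits === true;
}

// Lower-cased extension after the last dot, '' when there is none.
function extOf(filename) {
  const m = /\.([^.\/\\]+)$/.exec(filename);
  return m ? m[1].toLowerCase() : '';
}

// Full gate. Returns { ok, mime } on success or { ok: false, reason } otherwise;
// a handler would run this before moving the temp file into the store.
function checkUpload({ config, user, filename, bytes }) {
  if (!uploadAllowedForUser(config, user)) {
    return { ok: false, reason: 'anonymous uploads disabled' };
  }
  const sig = sniffImage(bytes);
  if (!sig) {
    return { ok: false, reason: 'content is not a supported image' };
  }
  const ext = extOf(filename);
  if (!sig.exts.includes(ext)) {
    return { ok: false, reason: `extension .${ext} does not match sniffed ${sig.mime}` };
  }
  return { ok: true, mime: sig.mime };
}

// Constructed inputs standing in for the commit's test.png and test.html.
const PNG_HEADER = Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a,
  0x00, 0x00, 0x00, 0x0d, 0x49, 0x48, 0x44, 0x52]);
const HTML_BODY = Buffer.from('<html><script>alert(document.domain)</script></html>');
const strictConfig = { allowAnonymous: false, allowAnonymousEdits: false };

console.log(checkUpload({ config: strictConfig, user: { id: 'u1' }, filename: 'test.png', bytes: PNG_HEADER }));
console.log(checkUpload({ config: strictConfig, user: { id: 'u1' }, filename: 'test.html', bytes: HTML_BODY }));
console.log(checkUpload({ config: strictConfig, user: null, filename: 'test.png', bytes: PNG_HEADER }));
```

The extension check matters even after sniffing: a valid PNG uploaded as `test.html` would still be served by a filesystem backend under an `.html` name, and as the commit's additional note points out, same-origin script is not blocked by the default CSP there.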
* | Merge pull request from GHSA-g6w6-7xf9-m95pDavid Mehren2020-12-271-1/+1
|\ \ | | | | | | Don't store mermaid diagrams in innerHTML
| * | Don't store mermaid diagrams in innerHTMLDavid Mehren2020-12-271-1/+1
| | | | | | | | | | | | | | | | | | | | | Using jQuery's `.html()` method stores the given string as `innerHTML`, which enables injection of arbitrary DOM elements. Using `.text()` instead mitigates this issue. Signed-off-by: David Mehren <git@herrmehren.de>