Commit log (each entry lists the commit message, author, date, files changed and lines removed/added)
* Automatically enable protocolUseSSL when useSSL is set (David Mehren, 2021-05-06, 1 file, -4/+11)
  This makes the behavior consistent with the docs and saves the user from having to both set `useSSL` and `protocolUseSSL`.
  Signed-off-by: David Mehren <git@herrmehren.de>
* Merge pull request #1222 from hedgedoc/fix/upgrade_insecure_requests (David Mehren, 2021-05-06, 1 file, -2/+2)
  Fix upgradeInsecureRequests CSP directive
  * Fix upgradeInsecureRequests CSP directive (David Mehren, 2021-05-04, 1 file, -2/+2)
    The `upgradeInsecureRequests` option of Helmet's CSP middleware was a boolean in Helmet 3, but with Helmet 4, everything changed to lists. This commit adjusts the addUpgradeUnsafeRequestsOptionTo function accordingly.
    Closes #1221
    See also https://github.com/helmetjs/helmet/tree/v4.6.0/middlewares/content-security-policy
    Signed-off-by: David Mehren <git@herrmehren.de>
* Merge pull request #1233 from hedgedoc/fix/insertOnStartOfLines (David Mehren, 2021-05-06, 1 file, -4/+7)
  Fix insertOnStartOfLines behaviour
  * Fix insertOnStartOfLines behaviour (David Mehren, 2021-05-05, 1 file, -4/+7)
    A bug in insertOnStartOfLines led to duplicated text if the cursor was not at the start of a line. This fixes the behaviour of insertOnStartOfLines to always use the complete first and last line of the selection, even if they were only partially selected.
    Fixes #1231
    Signed-off-by: David Mehren <git@herrmehren.de>
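As an added illustration of the behaviour this commit message describes (example code written for this page, not HedgeDoc's editor code; the function name and the offset-based selection model are assumptions), the following expands a selection to whole lines before prefixing each of them, so a selection that starts or ends mid-line never produces duplicated text:

```javascript
// Added example, not HedgeDoc's code. `text` is the whole document, `from` and
// `to` are character offsets of the selection (in either order), and `prefix`
// is inserted at the start of every line the selection touches.
function insertOnStartOfLines(text, from, to, prefix) {
  const start = Math.min(from, to);
  const end = Math.max(from, to);

  // Expand backwards to the start of the first selected line. A selection
  // starting at offset 0 is already at a line start.
  const lineStart = start === 0 ? 0 : text.lastIndexOf('\n', start - 1) + 1;

  // Expand forwards to the end of the last selected line. If the selection
  // ends at column 0 of a line, that line still counts as selected.
  let lineEnd = text.indexOf('\n', end);
  if (lineEnd === -1) lineEnd = text.length;

  // Work on the complete lines only, then splice them back into the document
  // unchanged outside [lineStart, lineEnd), so nothing is duplicated.
  const block = text.slice(lineStart, lineEnd);
  const prefixed = block.split('\n').map((line) => prefix + line).join('\n');
  return text.slice(0, lineStart) + prefixed + text.slice(lineEnd);
}
```

The key point is that the cursor position inside a line is discarded once the line boundaries are known; the replacement covers exactly the expanded range, so partially selected first and last lines are rewritten as whole lines rather than having their selected fragment re-inserted next to the original.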
* Merge pull request #1226 from hedgedoc/enhancement/devDependencies (David Mehren, 2021-05-06, 2 files, -35/+34)
  * Only install production dependencies in bin/setup (David Mehren, 2021-05-05, 1 file, -2/+1)
    Signed-off-by: David Mehren <git@herrmehren.de>
  * Move frontend-only deps to devDependencies (David Mehren, 2021-05-05, 1 file, -33/+33)
    Signed-off-by: David Mehren <git@herrmehren.de>
* Merge pull request #1234 from hedgedoc/fix/numbered-task-lists (David Mehren, 2021-05-06, 1 file, -6/+6)
  Fix click handler for numbered task lists
  * Fix click handler for numbered task lists (Erik Michelson, 2021-05-05, 1 file, -6/+6)
    The regex for tasklists in 1.x didn't include upper-case x/X letters or ordered lists (1. [ ] abc). This commit changes the regex to allow both.
    Signed-off-by: Erik Michelson <opensource@erik.michelson.eu>
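An added example, not the project's own regex, of recognising task-list items in both bullet and ordered lists with either case of `x`, which is the gap the commit describes; the function names and the returned object shape are assumptions made for this page:

```javascript
// Added example, not HedgeDoc's code. Matches a markdown task-list line:
//   optional indent, a bullet (-, *, +) or an ordered marker (1. / 1)),
//   whitespace, a checkbox that is empty, x or X, whitespace, then the text.
const TASK_ITEM = /^(\s*)(?:[-*+]|\d+[.)])\s+\[( |x|X)\]\s+(.*)$/;

// Returns { indent, checked, text } for a task-list line, or null when the
// line is not a task item (e.g. a plain list item or an unknown mark like [y]).
function parseTaskItem(line) {
  const m = TASK_ITEM.exec(line);
  if (!m) return null;
  return { indent: m[1].length, checked: m[2] !== ' ', text: m[3] };
}

// Flips the checkbox of a task-list line, keeping marker, indent and text.
// Non-task lines are returned unchanged, which is what a click handler wants.
function toggleTaskItem(line) {
  if (parseTaskItem(line) === null) return line;
  // The first "[ ]" / "[x]" / "[X]" on the line is the checkbox; the regex above
  // guarantees it sits directly after the list marker.
  return line.replace(/\[( |x|X)\]/, (_, mark) => (mark === ' ' ? '[x]' : '[ ]'));
}
```

The anchored `^...$` form matters: without it a bracket pair later in the text, such as a link label, could be mistaken for the checkbox.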
* Merge pull request #1219 from hedgedoc/release/1.8.0 (David Mehren, 2021-05-03, 5 files, -14/+12)
  * Remove mention of .sequelizerc from docs (David Mehren, 2021-05-03, 1 file, -7/+3)
    Signed-off-by: David Mehren <git@herrmehren.de>
  * Bump version to 1.8.0 (David Mehren, 2021-05-03, 4 files, -5/+5)
    Signed-off-by: David Mehren <git@herrmehren.de>
  * Add release notes for 1.8.0 (David Mehren, 2021-05-03, 1 file, -2/+4)
    Signed-off-by: David Mehren <git@herrmehren.de>
* Merge pull request #1213 from hedgedoc/renovate/master-lock-file-maintenance (Yannick Bungers, 2021-05-03, 1 file, -46/+57)
  Lock file maintenance (master)
  * Lock file maintenance (Renovate Bot, 2021-05-03, 1 file, -46/+57)
    Signed-off-by: Renovate Bot <bot@renovateapp.com>
* Merge pull request #1218 from hedgedoc/maintenance/master/update_meta-marked (Yannick Bungers, 2021-05-03, 1 file, -14/+15)
  Update meta-marked
  * Update meta-marked in yarn.lock (David Mehren, 2021-05-03, 1 file, -14/+15)
    Signed-off-by: David Mehren <git@herrmehren.de>
* Merge pull request #1210 from hedgedoc/renovate/master-mini-css-extract-plugin-1.x (David Mehren, 2021-05-03, 2 files, -5/+5)
  Update dependency mini-css-extract-plugin to v1.6.0 (master)
  * Update dependency mini-css-extract-plugin to v1.6.0 (Renovate Bot, 2021-04-30, 2 files, -5/+5)
    Signed-off-by: Renovate Bot <bot@renovateapp.com>
* Merge pull request #1204 from hedgedoc/renovate/master-mini-css-extract-plugin-1.x (Yannick Bungers, 2021-04-29, 2 files, -5/+5)
  Update dependency mini-css-extract-plugin to v1.5.1 (master)
  * Update dependency mini-css-extract-plugin to v1.5.1 (Renovate Bot, 2021-04-28, 2 files, -5/+5)
    Signed-off-by: Renovate Bot <bot@renovateapp.com>
* Merge pull request #1191 from hedgedoc/release/1.8.0-rc1 (David Mehren, 2021-04-26, 25 files, -201/+1163)
  * Extract list of supported languages in separate file (Erik Michelson, 2021-04-26, 4 files, -45/+49)
    Signed-off-by: Erik Michelson <github@erik.michelson.eu>
  * Fix wrong placeholder in translations (David Mehren, 2021-04-26, 2 files, -6/+6)
    Signed-off-by: David Mehren <git@herrmehren.de>
  * Add changelog for 1.8.0-rc1 (David Mehren, 2021-04-26, 1 file, -5/+29)
    Signed-off-by: David Mehren <git@herrmehren.de>
  * Add support for freshly imported languages (David Mehren, 2021-04-26, 3 files, -2/+11)
    New languages: bg, fa, gl, he, hu, oc, pt-br
    Signed-off-by: David Mehren <git@herrmehren.de>
  * Add translators to the list of contributors for 1.8.0-rc1 (David Mehren, 2021-04-26, 1 file, -1/+15)
    Signed-off-by: David Mehren <git@herrmehren.de>
  * Update translations from POEditor.com (David Mehren, 2021-04-26, 18 files, -157/+1068)
    New languages: bg, fa, gl, he, hu, oc, pt-br
    Updated languages: ar, en, eo, es, hi, ja, ko, pl, pt, tr, zh-TW
    Signed-off-by: David Mehren <git@herrmehren.de>
  * Bump version to 1.8.0-rc1 (David Mehren, 2021-04-26, 2 files, -2/+2)
    Signed-off-by: David Mehren <git@herrmehren.de>
* Merge pull request #1196 from hedgedoc/renovate/master-lock-file-maintenance (David Mehren, 2021-04-26, 1 file, -42/+41)
  Lock file maintenance (master)
  * Lock file maintenance (Renovate Bot, 2021-04-26, 1 file, -42/+41)
    Signed-off-by: Renovate Bot <bot@renovateapp.com>
* Merge pull request #1201 from hedgedoc/remove-polyfill (David Mehren, 2021-04-26, 3 files, -15/+0)
  * Uninstall scrypt-async (David Mehren, 2021-04-26, 2 files, -6/+0)
    Signed-off-by: David Mehren <git@herrmehren.de>
  * Remove unneeded polyfill (Erik Michelson, 2021-04-26, 1 file, -9/+0)
    This polyfill was added because node versions less than 10.5.0 didn't include scrypt support. As we now raised the minimum required version to 12.0.0, this polyfill isn't needed anymore.
    Signed-off-by: Erik Michelson <opensource@erik.michelson.eu>
* Merge pull request #1193 from hedgedoc/fix/logo-in-readme (Yannick Bungers, 2021-04-25, 1 file, -1/+1)
  Fix logo link in README.md
  * Fix logo link in README.md (Tilman Vatteroth, 2021-04-25, 1 file, -1/+1)
    Signed-off-by: Tilman Vatteroth <git@tilmanvatteroth.de>
* Merge pull request from GHSA-p528-555r-pf87 (David Mehren, 2021-04-25, 1 file, -3/+3)
  Fix Relative Path Traversal Attack on note creation
  * Fix Relative Path Traversal Attack on note creation (Sheogorath, 2021-04-25, 1 file, -3/+3)

    Impact
    ---
    An attacker can read arbitrary `.md` files from the server's filesystem due to an [improper input validation](https://cwe.mitre.org/data/definitions/20.html), which results in the ability to perform a [relative path traversal](https://cwe.mitre.org/data/definitions/23.html).

    CVSSv3 string: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

    PoC / Quicktest
    ---
    To verify if you are affected, you can try to open the following URL: `http://localhost:3000/..%2F..%2FREADME#` (replace `http://localhost:3000` with your instance's base-URL, e.g. `https://demo.hedgedoc.org/..%2F..%2FREADME#`).
    - If you see a README page being rendered, you run an affected version.

    Analysis
    ---
    The attack works due to the fact that [the internal router passes the url-encoded alias](https://github.com/hedgedoc/hedgedoc/blob/master/lib/web/note/router.js#L26) to the `noteController.showNote` function. This function passes the input directly to the [`findNote()`](https://github.com/hedgedoc/hedgedoc/blob/78a732abe691b496fa3692aa2add37f7344db1fa/lib/web/note/util.js#L10) utility function, which passes it on to the [`parseNoteId()`](https://github.com/hedgedoc/hedgedoc/blob/78a732abe691b496fa3692aa2add37f7344db1fa/lib/models/note.js#L188-L258) function, which tries to make sense out of the noteId/alias and checks if a note already exists and, if so, whether a corresponding file on disk was updated.

    If no note exists, the [note creation function is called](https://github.com/hedgedoc/hedgedoc/blob/78a732abe691b496fa3692aa2add37f7344db1fa/lib/models/note.js#L240-L245), which passes this unvalidated alias, with `.md` appended, into a [`path.join()`-function](https://github.com/hedgedoc/hedgedoc/blob/78a732abe691b496fa3692aa2add37f7344db1fa/lib/models/note.js#L99), whose result is read from the filesystem in the follow-up routine and provides the pre-filled content of the new note. This allows an attacker not only to read arbitrary `.md` files from the filesystem, but also to observe changes to them.

    The usefulness of this attack can be considered limited, since mainly markdown files use the file ending `.md` and all markdown files contained in the hedgedoc project, like the README, are public anyway. If other protections such as a chroot or container or proper file permissions are in place, this attack's usefulness is rather limited.

    Workarounds
    ---
    On a reverse-proxy level one can force a URL-decode, which will prevent this attack because the router will not accept such a path.

    For more information
    ---
    If you have any questions or comments about this advisory:
    * Open a topic on [our community forum](https://community.hedgedoc.org)
    * Join our [matrix room](https://chat.hedgedoc.org)

    Advisory link
    ---
    https://github.com/hedgedoc/hedgedoc/security/advisories/GHSA-p528-555r-pf87

    Signed-off-by: Christoph (Sheogorath) Kern <sheogorath@shivering-isles.com>
* Merge pull request #1176 from hedgedoc/renovate/master-mkdocs-material-7.x (David Mehren, 2021-04-25, 1 file, -1/+1)
  Update dependency mkdocs-material to v7.1.3 (master)
  * Update dependency mkdocs-material to v7.1.3 (Renovate Bot, 2021-04-25, 1 file, -1/+1)
    Signed-off-by: Renovate Bot <bot@renovateapp.com>
* Merge pull request #1174 from hedgedoc/renovate/master-linters (David Mehren, 2021-04-25, 2 files, -5/+5)
  Update dependency eslint to v7.25.0 (master)
  * Update dependency eslint to v7.25.0 (Renovate Bot, 2021-04-25, 2 files, -5/+5)
    Signed-off-by: Renovate Bot <bot@renovateapp.com>
* Merge pull request #1150 from hedgedoc/feature/prometheus_metrics (David Mehren, 2021-04-25, 6 files, -10/+221)
  * Document new Prometheus endpoint (David Mehren, 2021-04-25, 2 files, -4/+8)
    Signed-off-by: David Mehren <git@herrmehren.de>
  * Add custom prometheus metrics (David Mehren, 2021-04-25, 2 files, -0/+51)
    This reuses the `realtime.getStatus` method to get the state of the application on every prometheus scrape cycle.
    Signed-off-by: David Mehren <git@herrmehren.de>
  * Add prometheus endpoint at /metrics (David Mehren, 2021-04-22, 3 files, -6/+162)
    This is currently just using the default metrics of prometheus-api-metrics.
    Signed-off-by: David Mehren <git@herrmehren.de>
* Merge pull request #1167 from hedgedoc/maintenance/master/remove_node_10 (David Mehren, 2021-04-25, 5 files, -8/+11)
  * Fix version error wording in bin/setup (David Mehren, 2021-04-22, 1 file, -2/+2)
    The previous error message stated that the version of Node or Yarn is "outdated", which might be accurate coincidentally, but is not what the script checks. This commit changes the wording to use "not supported", which is more accurate to the true check in the script.
    Signed-off-by: David Mehren <git@herrmehren.de>
  * CI: Stop running tests with Node.js 10 (David Mehren, 2021-04-22, 1 file, -2/+2)
    Signed-off-by: David Mehren <git@herrmehren.de>