| Commit message (Collapse) | Author | Age | Files | Lines |
|\
| |
| | |
Pin dependencies (master)
|
|/
|
|
| |
Signed-off-by: Renovate Bot <bot@renovateapp.com>
|
|\
| |
| | |
Use esbuild to minify frontend JS
|
| |
| |
| |
| |
| |
| | |
This speeds up build times massively
Signed-off-by: David Mehren <git@herrmehren.de>
|
|\ \
| | |
| | | |
Update dependency mkdocs-material to v7.1.4 (master)
|
| |/
| |
| |
| | |
Signed-off-by: Renovate Bot <bot@renovateapp.com>
|
|\ \
| | |
| | | |
Update dependency webpack-cli to v4.7.0 (master)
|
| |/
| |
| |
| | |
Signed-off-by: Renovate Bot <bot@renovateapp.com>
|
|\ \
| | |
| | | |
Automatically enable protocolUseSSL when useSSL is set
|
|/ /
| |
| |
| |
| |
| |
| |
| | |
This makes the behavior consistent with the docs and
saves the user from having to both set
`useSSL` and `protocolUseSSL`.
Signed-off-by: David Mehren <git@herrmehren.de>
|
|\ \
| | |
| | | |
Fix upgradeInsecureRequests CSP directive
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
The `upgradeInsecureRequests` option of Helmets CSP middleware
was a boolean in Helmet 3, but with Helmet 4,
everything changed to lists.
This commit adjusts the addUpgradeUnsafeRequestsOptionTo
function accordingly.
Closes #1221
See also https://github.com/helmetjs/helmet/tree/v4.6.0/middlewares/content-security-policy
Signed-off-by: David Mehren <git@herrmehren.de>
|
|\ \ \
| |_|/
|/| | |
Fix insertOnStartOfLines behaviour
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
A bug in insertOnStartOfLines lead to duplicated text,
if the cursor was not at the start of a line.
This fixes the behaviour of insertOnStartOfLines to always use
the complete first and last line of the selection,
even if they were only partially selected.
Fixes #1231
Signed-off-by: David Mehren <git@herrmehren.de>
|
|\ \ \ |
|
| | | |
| | | |
| | | |
| | | | |
Signed-off-by: David Mehren <git@herrmehren.de>
|
| |/ /
| | |
| | |
| | | |
Signed-off-by: David Mehren <git@herrmehren.de>
|
|\ \ \
| |/ /
|/| | |
Fix click handler for numbered task lists
|
|/ /
| |
| |
| |
| |
| |
| | |
The regex for tasklists in 1.x didn't include upper-case x/X letters nor ordered lists (1. [ ] abc).
This commit changes the regex to allow both.
Signed-off-by: Erik Michelson <opensource@erik.michelson.eu>
|
|\| |
|
| |
| |
| |
| | |
Signed-off-by: David Mehren <git@herrmehren.de>
|
| |
| |
| |
| | |
Signed-off-by: David Mehren <git@herrmehren.de>
|
|/
|
|
| |
Signed-off-by: David Mehren <git@herrmehren.de>
|
|\
| |
| | |
Lock file maintenance (master)
|
|/
|
|
| |
Signed-off-by: Renovate Bot <bot@renovateapp.com>
|
|\
| |
| | |
Update meta-marked
|
| |
| |
| |
| | |
Signed-off-by: David Mehren <git@herrmehren.de>
|
|\ \
| |/
|/|
| |
| | |
hedgedoc/renovate/master-mini-css-extract-plugin-1.x
Update dependency mini-css-extract-plugin to v1.6.0 (master)
|
|/
|
|
| |
Signed-off-by: Renovate Bot <bot@renovateapp.com>
|
|\
| |
| |
| |
| | |
hedgedoc/renovate/master-mini-css-extract-plugin-1.x
Update dependency mini-css-extract-plugin to v1.5.1 (master)
|
|/
|
|
| |
Signed-off-by: Renovate Bot <bot@renovateapp.com>
|
|\ |
|
| |
| |
| |
| | |
Signed-off-by: Erik Michelson <github@erik.michelson.eu>
|
| |
| |
| |
| | |
Signed-off-by: David Mehren <git@herrmehren.de>
|
| |
| |
| |
| | |
Signed-off-by: David Mehren <git@herrmehren.de>
|
| |
| |
| |
| |
| |
| | |
New languages: bg, fa, gl, he, hu, oc, pt-br
Signed-off-by: David Mehren <git@herrmehren.de>
|
| |
| |
| |
| | |
Signed-off-by: David Mehren <git@herrmehren.de>
|
| |
| |
| |
| |
| |
| |
| | |
New languages: bg, fa, gl, he, hu, oc, pt-br
Updated languages: ar, en, eo, es, hi, ja, ko, pl, pt, tr, zh-TW
Signed-off-by: David Mehren <git@herrmehren.de>
|
|/
|
|
| |
Signed-off-by: David Mehren <git@herrmehren.de>
|
|\
| |
| | |
Lock file maintenance (master)
|
|/
|
|
| |
Signed-off-by: Renovate Bot <bot@renovateapp.com>
|
|\ |
|
| |
| |
| |
| | |
Signed-off-by: David Mehren <git@herrmehren.de>
|
|/
|
|
|
|
| |
This polyfill was added because node versions less than 10.5.0 didn't include scrypt support. As we now raised the minimum required version to 12.0.0, this polyfill isn't needed anymore.
Signed-off-by: Erik Michelson <opensource@erik.michelson.eu>
|
|\
| |
| | |
Fix logo link in README.md
|
|/
|
|
| |
Signed-off-by: Tilman Vatteroth <git@tilmanvatteroth.de>
|
|\
| |
| | |
Fix Relative Path Traversal Attack on note creation
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Impact
---
An attacker can read arbitrary `.md` files from the server's filesystem due to an [improper input validation](https://cwe.mitre.org/data/definitions/20.html), which results in the ability to perform a [relative path traversal](https://cwe.mitre.org/data/definitions/23.html).
CVSSv3 string: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
PoC / Quicktest
---
To verify if you are affected, you can try to open the following URL: `http://localhost:3000/..%2F..%2FREADME#` (replace `http://localhost:3000` with your instance's base-URL e.g. `https://demo.hedgedoc.org/..%2F..%2FREADME#`).
- If you see a README page being rendered, you run an affected version.
Analysis
---
The attack works due the fact that [the internal router, passes the url-encoded alias](https://github.com/hedgedoc/hedgedoc/blob/master/lib/web/note/router.js#L26) to the `noteController.showNote`-function. This function passes the input directly to [`findNote()`](https://github.com/hedgedoc/hedgedoc/blob/78a732abe691b496fa3692aa2add37f7344db1fa/lib/web/note/util.js#L10) utility function, that will pass it on the the [`parseNoteId()`](https://github.com/hedgedoc/hedgedoc/blob/78a732abe691b496fa3692aa2add37f7344db1fa/lib/models/note.js#L188-L258)-function, that tries to make sense out of the noteId/alias and check if a note already exists and if so, if a corresponding file on disk was updated.
If no note exists the [note creation-function is called](https://github.com/hedgedoc/hedgedoc/blob/78a732abe691b496fa3692aa2add37f7344db1fa/lib/models/note.js#L240-L245), which pass this unvalidated alias, with a `.md` appended, into a [`path.join()`-function](https://github.com/hedgedoc/hedgedoc/blob/78a732abe691b496fa3692aa2add37f7344db1fa/lib/models/note.js#L99) which is read from the filesystem in the follow up routine and provides the pre-filled content of the new note.
This allows an attacker to not only read arbitrary `.md` files from the filesystem, but also observes changes to them.
The usefulness of this attack can be considered limited, since mainly markdown files are use the file-ending `.md` and all markdown files contained in the hedgedoc project, like the README, are public anyway. If other protections such as a chroot or container or proper file permissions are in place, this attack's usefulness is rather limited.
Workarounds
---
On a reverse-proxy level one can force a URL-decode, which will prevent this attack because the router will not accept such a path.
For more information
---
If you have any questions or comments about this advisory:
* Open an topic on [our community forum](https://community.hedgedoc.org)
* Join our [matrix room](https://chat.hedgedoc.org)
Advisory link
---
https://github.com/hedgedoc/hedgedoc/security/advisories/GHSA-p528-555r-pf87
Signed-off-by: Christoph (Sheogorath) Kern <sheogorath@shivering-isles.com>
|
|\ \
| | |
| | | |
Update dependency mkdocs-material to v7.1.3 (master)
|
| | |
| | |
| | |
| | | |
Signed-off-by: Renovate Bot <bot@renovateapp.com>
|