path: root/lib/models/note.js

Date | Commit message | Author | Files | Lines
2021-04-25 | Fix Relative Path Traversal Attack on note creation | Sheogorath | 1 | -3/+3
Impact
---
An attacker can read arbitrary `.md` files from the server's filesystem due to an [improper input validation](https://cwe.mitre.org/data/definitions/20.html), which results in the ability to perform a [relative path traversal](https://cwe.mitre.org/data/definitions/23.html).

CVSSv3 string: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

PoC / Quicktest
---
To verify if you are affected, you can try to open the following URL: `http://localhost:3000/..%2F..%2FREADME#` (replace `http://localhost:3000` with your instance's base-URL e.g. `https://demo.hedgedoc.org/..%2F..%2FREADME#`).

- If you see a README page being rendered, you run an affected version.

Analysis
---
The attack works due to the fact that [the internal router passes the url-encoded alias](https://github.com/hedgedoc/hedgedoc/blob/master/lib/web/note/router.js#L26) to the `noteController.showNote`-function. This function passes the input directly to the [`findNote()`](https://github.com/hedgedoc/hedgedoc/blob/78a732abe691b496fa3692aa2add37f7344db1fa/lib/web/note/util.js#L10) utility function, which passes it on to the [`parseNoteId()`](https://github.com/hedgedoc/hedgedoc/blob/78a732abe691b496fa3692aa2add37f7344db1fa/lib/models/note.js#L188-L258)-function, which tries to make sense out of the noteId/alias and checks if a note already exists and, if so, if a corresponding file on disk was updated. If no note exists the [note creation-function is called](https://github.com/hedgedoc/hedgedoc/blob/78a732abe691b496fa3692aa2add37f7344db1fa/lib/models/note.js#L240-L245), which passes this unvalidated alias, with a `.md` appended, into a [`path.join()`-function](https://github.com/hedgedoc/hedgedoc/blob/78a732abe691b496fa3692aa2add37f7344db1fa/lib/models/note.js#L99); the resulting path is read from the filesystem in the follow-up routine and provides the pre-filled content of the new note. This allows an attacker to not only read arbitrary `.md` files from the filesystem, but also to observe changes to them.

The usefulness of this attack can be considered limited, since mainly markdown files use the file-ending `.md` and all markdown files contained in the hedgedoc project, like the README, are public anyway. If other protections such as a chroot or container or proper file permissions are in place, this attack's usefulness is rather limited.

Workarounds
---
On a reverse-proxy level one can force a URL-decode, which will prevent this attack because the router will not accept such a path.

For more information
---
If you have any questions or comments about this advisory:

* Open a topic on [our community forum](https://community.hedgedoc.org)
* Join our [matrix room](https://chat.hedgedoc.org)

Advisory link
---
https://github.com/hedgedoc/hedgedoc/security/advisories/GHSA-p528-555r-pf87

Signed-off-by: Christoph (Sheogorath) Kern <sheogorath@shivering-isles.com>
2021-02-15 | Linter: Fix all lint errors | Philip Molares | 1 | -83/+83
Signed-off-by: Philip Molares <philip.molares@udo.edu>
2021-02-02 | Fix note creation in FreeURL mode not using template | Erik Michelson | 1 | -3/+4
As explained in #391, the previous note creation logic didn't handle the case "alias is set, but it's not a file on disk". The fix introduces a separate if-statement for this scenario at the cost of a doubled filesystem read access.
Co-Authored-By: @evanlinde
Signed-off-by: Erik Michelson <github@erik.michelson.eu>
2020-11-14 | Replace CodiMD with HedgeDoc | Erik Michelson | 1 | -1/+1
Signed-off-by: Erik Michelson <github@erik.michelson.eu>
Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>

Rename to HedgeDoc: References in public/views
Signed-off-by: David Mehren <git@herrmehren.de>
Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>

Rename to HedgeDoc: Update links in README
Signed-off-by: David Mehren <git@herrmehren.de>
Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>

Rename to HedgeDoc: Update links in SECURITY.md
Signed-off-by: David Mehren <git@herrmehren.de>
Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>

Rename to HedgeDoc: Update links in LICENSE
Signed-off-by: David Mehren <git@herrmehren.de>
Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>

Rename to HedgeDoc: Update links in docs/configuration.md
Signed-off-by: David Mehren <git@herrmehren.de>
Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>

Rename to HedgeDoc: Update links in bin/setup
Signed-off-by: David Mehren <git@herrmehren.de>
Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>

Rename to HedgeDoc: References in docs/guides
Signed-off-by: David Mehren <git@herrmehren.de>
Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>

Rename to HedgeDoc: References in docs/dev
Signed-off-by: David Mehren <git@herrmehren.de>
Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>

Rename to HedgeDoc: References in docs/guides/auth
Signed-off-by: David Mehren <git@herrmehren.de>
Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>

Rename to HedgeDoc: References in docs/setup
Signed-off-by: David Mehren <git@herrmehren.de>
Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>

Rename to HedgeDoc: Update various links in code to the new GitHub org.
Signed-off-by: David Mehren <git@herrmehren.de>
Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>

Rename to HedgeDoc: codiMDVersion.js is now hedgeDocVersion.js
Signed-off-by: David Mehren <git@herrmehren.de>
Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>

Rename to HedgeDoc: References in docs/setup/yunohost
Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>

Rebrand to HedgeDoc: Add banner and logo
Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>

Rename to HedgeDoc: Update links in docs/guides/migrate-etherpad
Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>

Rename to HedgeDoc: Remove note in docs/guides/auth/github
Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>

Rename to HedgeDoc: Replace links in public/docs/features
Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>

Rename to HedgeDoc: Add todo placeholder in docs/history
Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>

Rename to HedgeDoc: Replace github link in public/views/index/body
Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>

Rename to HedgeDoc: Replace github link in README
Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>

Rename to HedgeDoc: Add logo to README
Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>

Rename to HedgeDoc: Add note about the renaming to the front page
Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>

Removed Travis from README.md and change CodiMD to HedgeDoc in some places
Signed-off-by: Yannick Bungers <git@innay.de>

Some more renaming to HedgeDoc
- Fixed capitalization of HedgeDoc
- Added renaming for etherpad migration doc
Signed-off-by: Yannick Bungers <git@innay.de>

Changed Repo name to hedgedoc
Signed-off-by: Yannick Bungers <git@innay.de>
2020-07-04 | Fixed meta parsing of lang-attribute for using it in the published-view | Erik Michelson | 1 | -0/+1
Signed-off-by: Erik Michelson <github@erik.michelson.eu>
2019-10-04 | Added customizable og-metadata to notes | Erik Michelson | 1 | -0/+9
Signed-off-by: Erik Michelson <erik@liltv.de>
2019-06-11 | fix: upgrade sequelize to latest version to fix CVE | BoHong Li | 1 | -434/+440
Signed-off-by: BoHong Li <a60814billy@gmail.com>
2018-07-27 | Further improvement of error handling for LZString | Sheogorath | 1 | -1/+5
This does some more in-depth checks on the error message and minimizes the log noise that is caused by LZString.
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-06-24 | Rebrand HackMD to CodiMD | Sheogorath | 1 | -1/+1
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-05-25 | Use cascaded deletes | Sheogorath | 1 | -1/+3
When we delete a user we should delete all the notes that belong to this user including the revisions of these notes.
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-05-25 | Use hard delete instead of soft delete | Sheogorath | 1 | -1/+1
Right now we only flag notes as deleted. This is no longer allowed under GDPR. Make sure you do regular backups!
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-04-10 | Add check for noteId length | Sheogorath | 1 | -0/+9
As we know the length of a UUID we can check if the base64 string of the provided UUID is long enough for a legacy base64 encoded noteId and stop processing it in legacy mode if that's not the case. This should make the ugly warning way less common.
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-03-25 | Change config to camel case with backwards compatibility | Sheogorath | 1 | -6/+6
This refactors the configs a bit to now use camel case everywhere. This change should help to clean up the config interface and make it more understandable.
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-03-11 | Fix to log instead of throwing error on parse note id | Max Wu | 1 | -2/+4
Signed-off-by: Max Wu <jackymaxj@gmail.com>
2018-03-10 | Fix parseNoteId order to fix some edge case | Max Wu | 1 | -7/+7
that LZString note url could be parsed by base64url note url and thus return wrong note id
Signed-off-by: Max Wu <jackymaxj@gmail.com>
2018-02-27 | Update to use buffer in encode/decode note id | Max Wu | 1 | -2/+4
Signed-off-by: Max Wu <jackymaxj@gmail.com>
2018-02-26 | Remove and replace all note id compression in LZString with base64url | Max Wu | 1 | -0/+27
Signed-off-by: Max Wu <jackymaxj@gmail.com>
2018-02-09 | Fix field type to prevent data truncation of authorship (#721) | Max Wu | 1 | -1/+1
* Fix field type to prevent data truncation of authorship
2017-10-16 | Fix #521 by converting content fields to LONGTEXT in MySQL, to prevent truncation of data. | Claudius Coenen | 1 | -1/+1
2017-05-08 | refactor: Remove `require` extension filename | BoHong Li | 1 | -3/+3
2017-03-14 | Fix update doc from filesystem cause redundant authorship stringify | Wu Cheng-Han | 1 | -1/+1
2017-03-14 | Use strict mode in all backend files | BoHong Li | 1 | -0/+1
add 'use strict' in all backend files
2017-03-08 | Use JavaScript Standard Style | BoHong Li | 1 | -511/+500
Introduce JavaScript Standard Style as project style rule, and fixed all failures on backend code.
2017-02-10 | Add default permission config | NV | 1 | -2/+2
2017-01-12 | Fix permission order and keep wording consistency | Wu Cheng-Han | 1 | -1/+1
2017-01-10 | Adjust permission order to more clearly | 蒼時弦也 | 1 | -1/+1
2017-01-10 | Add limited and protected permission | 蒼時弦也 | 1 | -3/+3
2017-01-04 | Fix and refactor extracting content using metaMarked directly might lead in invalid object | Wu Cheng-Han | 1 | -23/+20
2017-01-02 | Refactor data processing to model definition | Wu Cheng-Han | 1 | -0/+9
2017-01-02 | Update to remove null byte before saving to DB and remove null byte on changes | Wu Cheng-Han | 1 | -3/+12
2017-01-02 | Remove LZString compression for data storage | Wu Cheng-Han | 1 | -11/+6
2016-11-26 | Update to auto generate meta description based on content in publish note and slide | Wu Cheng-Han | 1 | -0/+3
2016-10-12 | Fix note extract tags might get encoded HTML entity | Wu Cheng-Han | 1 | -1/+1
2016-10-11 | Fix doc updating revision not stringify and compress authorship before save | Wu Cheng-Han | 1 | -1/+1
2016-10-10 | Update to support delete note | Wu Cheng-Han | 1 | -0/+1
2016-10-10 | Update to make note history count in server-side when user logged | Wu Cheng-Han | 1 | -2/+55
2016-10-10 | Workaround cheerio text method shouldn't preserve html tags on fetching note title | Wu Cheng-Han | 1 | -1/+2
2016-10-10 | Update to move authorship calculation code to note model and support update authorship after making revision of docs | Wu Cheng-Han | 1 | -1/+176
2016-08-15 | Update slide mode to show extra info and support url actions and support disqus via yaml-metadata | Wu Cheng-Han | 1 | -0/+2
2016-08-15 | Fix meta might be null issue | Wu Cheng-Han | 1 | -1/+2
2016-08-14 | Update to make doc only update while the filesystem content not equals db content | Wu Cheng-Han | 1 | -4/+7
2016-08-01 | Update to support slideOptions in the YAML metadata | Wu Cheng-Han | 1 | -0/+2
2016-07-30 | Add support of saving authors and authorship | Wu Cheng-Han | 1 | -0/+8
2016-07-02 | Update to change server-side pre-rendering engine from marked to markdown-it | Wu Cheng-Han | 1 | -2/+2
2016-06-21 | Update to support new metadata: title, description, tags and google-analytics (GA) and refactor render publish slide response function | Cheng-Han, Wu | 1 | -6/+32
2016-06-17 | Fix create new note should not use default note created time | Cheng-Han, Wu | 1 | -1/+3
2016-06-17 | Add support of saving note revision and improve app start and stop procedure to ensure data integrity | Cheng-Han, Wu | 1 | -5/+21
2016-06-01 | Update note model on create doc will use the created time of the doc in filesystem | Cheng-Han, Wu | 1 | -0/+2
2016-05-30 | Update note model if doc in filesystem have newer modified will update it in db | Cheng-Han, Wu | 1 | -1/+23
2016-05-28 | Update project title | Cheng-Han, Wu | 1 | -1/+1