path: root/lib/models/note.js

Commit message | Author | Age | Files | Lines
* Fix Relative Path Traversal Attack on note creation | Sheogorath | 2021-04-25 | 1 | -3/+3

  Impact
  ---

  An attacker can read arbitrary `.md` files from the server's filesystem due to an [improper input validation](https://cwe.mitre.org/data/definitions/20.html), which results in the ability to perform a [relative path traversal](https://cwe.mitre.org/data/definitions/23.html).

  CVSSv3 string: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

  PoC / Quicktest
  ---

  To verify if you are affected, you can try to open the following URL: `http://localhost:3000/..%2F..%2FREADME#` (replace `http://localhost:3000` with your instance's base-URL, e.g. `https://demo.hedgedoc.org/..%2F..%2FREADME#`).

  - If you see a README page being rendered, you run an affected version.

  Analysis
  ---

  The attack works due to the fact that [the internal router passes the url-encoded alias](https://github.com/hedgedoc/hedgedoc/blob/master/lib/web/note/router.js#L26) to the `noteController.showNote`-function. This function passes the input directly to the [`findNote()`](https://github.com/hedgedoc/hedgedoc/blob/78a732abe691b496fa3692aa2add37f7344db1fa/lib/web/note/util.js#L10) utility function, which passes it on to the [`parseNoteId()`](https://github.com/hedgedoc/hedgedoc/blob/78a732abe691b496fa3692aa2add37f7344db1fa/lib/models/note.js#L188-L258)-function, which tries to make sense of the noteId/alias and checks if a note already exists and, if so, whether a corresponding file on disk was updated. If no note exists, the [note creation-function is called](https://github.com/hedgedoc/hedgedoc/blob/78a732abe691b496fa3692aa2add37f7344db1fa/lib/models/note.js#L240-L245), which passes this unvalidated alias, with `.md` appended, into a [`path.join()`-function](https://github.com/hedgedoc/hedgedoc/blob/78a732abe691b496fa3692aa2add37f7344db1fa/lib/models/note.js#L99) whose result is read from the filesystem in the follow-up routine and provides the pre-filled content of the new note.

  This allows an attacker not only to read arbitrary `.md` files from the filesystem, but also to observe changes to them. The usefulness of this attack can be considered limited, since mainly markdown files use the file-ending `.md` and all markdown files contained in the hedgedoc project, like the README, are public anyway. If other protections such as a chroot or container or proper file permissions are in place, this attack's usefulness is rather limited.

  Workarounds
  ---

  On a reverse-proxy level one can force a URL-decode, which will prevent this attack because the router will not accept such a path.

  For more information
  ---

  If you have any questions or comments about this advisory:

  * Open a topic on [our community forum](https://community.hedgedoc.org)
  * Join our [matrix room](https://chat.hedgedoc.org)

  Advisory link
  ---

  https://github.com/hedgedoc/hedgedoc/security/advisories/GHSA-p528-555r-pf87

  Signed-off-by: Christoph (Sheogorath) Kern <sheogorath@shivering-isles.com>
* Linter: Fix all lint errors | Philip Molares | 2021-02-15 | 1 | -83/+83

  Signed-off-by: Philip Molares <philip.molares@udo.edu>

* Fix note creation in FreeURL mode not using template | Erik Michelson | 2021-02-02 | 1 | -3/+4

  As explained in #391, the previous note creation logic didn't handle the case "alias is set, but it's not a file on disk". The fix introduces a separate if-statement for this scenario at the cost of a doubled filesystem read access.

  Co-Authored-By: @evanlinde
  Signed-off-by: Erik Michelson <github@erik.michelson.eu>
* Replace CodiMD with HedgeDoc | Erik Michelson | 2020-11-14 | 1 | -1/+1

  Signed-off-by: Erik Michelson <github@erik.michelson.eu>
  Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>

  Rename to HedgeDoc: References in public/views
  Signed-off-by: David Mehren <git@herrmehren.de>
  Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>

  Rename to HedgeDoc: Update links in README
  Signed-off-by: David Mehren <git@herrmehren.de>
  Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>

  Rename to HedgeDoc: Update links in SECURITY.md
  Signed-off-by: David Mehren <git@herrmehren.de>
  Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>

  Rename to HedgeDoc: Update links in LICENSE
  Signed-off-by: David Mehren <git@herrmehren.de>
  Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>

  Rename to HedgeDoc: Update links in docs/configuration.md
  Signed-off-by: David Mehren <git@herrmehren.de>
  Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>

  Rename to HedgeDoc: Update links in bin/setup
  Signed-off-by: David Mehren <git@herrmehren.de>
  Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>

  Rename to HedgeDoc: References in docs/guides
  Signed-off-by: David Mehren <git@herrmehren.de>
  Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>

  Rename to HedgeDoc: References in docs/dev
  Signed-off-by: David Mehren <git@herrmehren.de>
  Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>

  Rename to HedgeDoc: References in docs/guides/auth
  Signed-off-by: David Mehren <git@herrmehren.de>
  Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>

  Rename to HedgeDoc: References in docs/setup
  Signed-off-by: David Mehren <git@herrmehren.de>
  Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>

  Rename to HedgeDoc: Update various links in code to the new GitHub org.
  Signed-off-by: David Mehren <git@herrmehren.de>
  Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>

  Rename to HedgeDoc: codiMDVersion.js is now hedgeDocVersion.js
  Signed-off-by: David Mehren <git@herrmehren.de>
  Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>

  Rename to HedgeDoc: References in docs/setup/yunohost
  Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>

  Rebrand to HedgeDoc: Add banner and logo
  Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>

  Rename to HedgeDoc: Update links in docs/guides/migrate-etherpad
  Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>

  Rename to HedgeDoc: Remove note in docs/guides/auth/github
  Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>

  Rename to HedgeDoc: Replace links in public/docs/features
  Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>

  Rename to HedgeDoc: Add todo placeholder in docs/history
  Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>

  Rename to HedgeDoc: Replace github link in public/views/index/body
  Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>

  Rename to HedgeDoc: Replace github link in README
  Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>

  Rename to HedgeDoc: Add logo to README
  Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>

  Rename to HedgeDoc: Add note about the renaming to the front page
  Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>

  Removed Travis from README.md and change CodiMD to HedgeDoc in some places
  Signed-off-by: Yannick Bungers <git@innay.de>

  Some more renaming to HedgeDoc
  - Fixed capitalization of HedgeDoc
  - Added renaming for etherpad migration doc
  Signed-off-by: Yannick Bungers <git@innay.de>

  Changed Repo name to hedgedoc
  Signed-off-by: Yannick Bungers <git@innay.de>
* Fixed meta parsing of lang-attribute for using it in the published-view | Erik Michelson | 2020-07-04 | 1 | -0/+1

  Signed-off-by: Erik Michelson <github@erik.michelson.eu>

* Added customizable og-metadata to notes | Erik Michelson | 2019-10-04 | 1 | -0/+9

  Signed-off-by: Erik Michelson <erik@liltv.de>

* fix: upgrade sequelize to latest version to fix CVE | BoHong Li | 2019-06-11 | 1 | -434/+440

  Signed-off-by: BoHong Li <a60814billy@gmail.com>

* Further improvement of error handling for LZString | Sheogorath | 2018-07-27 | 1 | -1/+5

  This does some more in-depth checks on the error message and minimizes the log noise that is caused by LZString.

  Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>

* Rebrand HackMD to CodiMD | Sheogorath | 2018-06-24 | 1 | -1/+1

  Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>

* Use cascaded deletes | Sheogorath | 2018-05-25 | 1 | -1/+3

  When we delete a user we should delete all the notes that belong to this user, including the revisions of these notes.

  Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>

* Use hard delete instead of soft delete | Sheogorath | 2018-05-25 | 1 | -1/+1

  Right now we only flag notes as deleted. This is no longer allowed under GDPR. Make sure you do regular backups!

  Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>

* Add check for noteId length | Sheogorath | 2018-04-10 | 1 | -0/+9

  As we know the length of a UUID, we can check if the base64 string of the provided UUID is long enough for a legacy base64-encoded noteId and stop processing it in legacy mode if that is not the case. This should make the ugly warning way less common.

  Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* Change config to camel case with backwards compatibility | Sheogorath | 2018-03-25 | 1 | -6/+6

  This refactors the configs a bit to now use camel case everywhere. This change should help to clean up the config interface and make it more understandable.

  Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>

* Fix to log instead of throwing error on parse note id | Max Wu | 2018-03-11 | 1 | -2/+4

  Signed-off-by: Max Wu <jackymaxj@gmail.com>

* Fix parseNoteId order to fix some edge case | Max Wu | 2018-03-10 | 1 | -7/+7

  that LZString note url could be parsed by base64url note url and thus return wrong note id

  Signed-off-by: Max Wu <jackymaxj@gmail.com>

* Update to use buffer in encode/decode note id | Max Wu | 2018-02-27 | 1 | -2/+4

  Signed-off-by: Max Wu <jackymaxj@gmail.com>

* Remove and replace all note id compression in LZString with base64url | Max Wu | 2018-02-26 | 1 | -0/+27

  Signed-off-by: Max Wu <jackymaxj@gmail.com>

* Fix field type to prevent data truncation of authorship (#721) | Max Wu | 2018-02-09 | 1 | -1/+1

  * Fix field type to prevent data truncation of authorship
* Fix #521 by converting content fields to LONGTEXT in MySQL, to prevent truncation of data. | Claudius Coenen | 2017-10-16 | 1 | -1/+1

* refactor: Remove `require` extension filename | BoHong Li | 2017-05-08 | 1 | -3/+3

* Fix update doc from filesystem causing redundant authorship stringify | Wu Cheng-Han | 2017-03-14 | 1 | -1/+1

* Use strict mode in all backend files | BoHong Li | 2017-03-14 | 1 | -0/+1

  add 'use strict' in all backend files

* Use JavaScript Standard Style | BoHong Li | 2017-03-08 | 1 | -511/+500

  Introduce JavaScript Standard Style as project style rule, and fixed all failures on backend code.

* Add default permission config | NV | 2017-02-10 | 1 | -2/+2

* Fix permission order and keep wording consistency | Wu Cheng-Han | 2017-01-12 | 1 | -1/+1

* Adjust permission order to be more clear | 蒼時弦也 | 2017-01-10 | 1 | -1/+1

* Add limited and protected permission | 蒼時弦也 | 2017-01-10 | 1 | -3/+3

* Fix and refactor extracting content using metaMarked directly, which might lead to an invalid object | Wu Cheng-Han | 2017-01-04 | 1 | -23/+20
* Refactor data processing to model definition | Wu Cheng-Han | 2017-01-02 | 1 | -0/+9

* Update to remove null byte before saving to DB and remove null byte on changes | Wu Cheng-Han | 2017-01-02 | 1 | -3/+12

* Remove LZString compression for data storage | Wu Cheng-Han | 2017-01-02 | 1 | -11/+6

* Update to auto generate meta description based on content in publish note and slide | Wu Cheng-Han | 2016-11-26 | 1 | -0/+3

* Fix note extract tags might get encoded HTML entity | Wu Cheng-Han | 2016-10-12 | 1 | -1/+1

* Fix doc updating revision not stringify and compress authorship before save | Wu Cheng-Han | 2016-10-11 | 1 | -1/+1

* Update to support delete note | Wu Cheng-Han | 2016-10-10 | 1 | -0/+1

* Update to make note history count in server-side when user logged | Wu Cheng-Han | 2016-10-10 | 1 | -2/+55

* Workaround cheerio text method shouldn't preserve html tags on fetching note title | Wu Cheng-Han | 2016-10-10 | 1 | -1/+2

* Update to move authorship calculation code to note model and support update authorship after making revision of docs | Wu Cheng-Han | 2016-10-10 | 1 | -1/+176
* Update slide mode to show extra info and support url actions and support disqus via yaml-metadata | Wu Cheng-Han | 2016-08-15 | 1 | -0/+2

* Fix meta might be null issue | Wu Cheng-Han | 2016-08-15 | 1 | -1/+2

* Update to make doc only update while the filesystem content does not equal db content | Wu Cheng-Han | 2016-08-14 | 1 | -4/+7

* Update to support slideOptions in the YAML metadata | Wu Cheng-Han | 2016-08-01 | 1 | -0/+2

* Add support of saving authors and authorship | Wu Cheng-Han | 2016-07-30 | 1 | -0/+8

* Update to change server-side pre-rendering engine from marked to markdown-it | Wu Cheng-Han | 2016-07-02 | 1 | -2/+2

* Update to support new metadata: title, description, tags and google-analytics (GA) and refactor render publish slide response function | Cheng-Han, Wu | 2016-06-21 | 1 | -6/+32

* Fix create new note should not use default note created time | Cheng-Han, Wu | 2016-06-17 | 1 | -1/+3

* Add support of saving note revision and improve app start and stop procedure to ensure data integrity | Cheng-Han, Wu | 2016-06-17 | 1 | -5/+21

* Update note model on create doc will use the created time of the doc in filesystem | Cheng-Han, Wu | 2016-06-01 | 1 | -0/+2

* Update note model: if doc in filesystem has a newer modified time, update it in db | Cheng-Han, Wu | 2016-05-30 | 1 | -1/+23

* Update project title | Cheng-Han, Wu | 2016-05-28 | 1 | -1/+1