summaryrefslogtreecommitdiff
path: root/lib/models (follow)
Commit message (Collapse)AuthorAgeFilesLines
* Sanitize username and photo URLDavid Mehren2021-05-091-2/+3
| | | | | | | | | | | | | HedgeDoc displays the username and user photo at various places by rendering the respective variables into an `ejs` template. As the values are user-provided or generated from user-provided data, it may be possible to inject unwanted HTML. This commit sanitizes the username and photo URL by passing them through the `xss` library. Co-authored-by: Christoph (Sheogorath) Kern <sheogorath@shivering-isles.com> Signed-off-by: David Mehren <git@herrmehren.de>
* Remove unneeded polyfillErik Michelson2021-04-261-9/+0
| | | | | | This polyfill was added because node versions less than 10.5.0 didn't include scrypt support. As we now raised the minimum required version to 12.0.0, this polyfill isn't needed anymore. Signed-off-by: Erik Michelson <opensource@erik.michelson.eu>
* Fix Relative Path Traversal Attack on note creationSheogorath2021-04-251-3/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Impact --- An attacker can read arbitrary `.md` files from the server's filesystem due to an [improper input validation](https://cwe.mitre.org/data/definitions/20.html), which results in the ability to perform a [relative path traversal](https://cwe.mitre.org/data/definitions/23.html). CVSSv3 string: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N PoC / Quicktest --- To verify if you are affected, you can try to open the following URL: `http://localhost:3000/..%2F..%2FREADME#` (replace `http://localhost:3000` with your instance's base-URL e.g. `https://demo.hedgedoc.org/..%2F..%2FREADME#`). - If you see a README page being rendered, you run an affected version. Analysis --- The attack works due the fact that [the internal router, passes the url-encoded alias](https://github.com/hedgedoc/hedgedoc/blob/master/lib/web/note/router.js#L26) to the `noteController.showNote`-function. This function passes the input directly to [`findNote()`](https://github.com/hedgedoc/hedgedoc/blob/78a732abe691b496fa3692aa2add37f7344db1fa/lib/web/note/util.js#L10) utility function, that will pass it on the the [`parseNoteId()`](https://github.com/hedgedoc/hedgedoc/blob/78a732abe691b496fa3692aa2add37f7344db1fa/lib/models/note.js#L188-L258)-function, that tries to make sense out of the noteId/alias and check if a note already exists and if so, if a corresponding file on disk was updated. If no note exists the [note creation-function is called](https://github.com/hedgedoc/hedgedoc/blob/78a732abe691b496fa3692aa2add37f7344db1fa/lib/models/note.js#L240-L245), which pass this unvalidated alias, with a `.md` appended, into a [`path.join()`-function](https://github.com/hedgedoc/hedgedoc/blob/78a732abe691b496fa3692aa2add37f7344db1fa/lib/models/note.js#L99) which is read from the filesystem in the follow up routine and provides the pre-filled content of the new note. This allows an attacker to not only read arbitrary `.md` files from the filesystem, but also observes changes to them. The usefulness of this attack can be considered limited, since mainly markdown files are use the file-ending `.md` and all markdown files contained in the hedgedoc project, like the README, are public anyway. If other protections such as a chroot or container or proper file permissions are in place, this attack's usefulness is rather limited. Workarounds --- On a reverse-proxy level one can force a URL-decode, which will prevent this attack because the router will not accept such a path. For more information --- If you have any questions or comments about this advisory: * Open an topic on [our community forum](https://community.hedgedoc.org) * Join our [matrix room](https://chat.hedgedoc.org) Advisory link --- https://github.com/hedgedoc/hedgedoc/security/advisories/GHSA-p528-555r-pf87 Signed-off-by: Christoph (Sheogorath) Kern <sheogorath@shivering-isles.com>
* Run database migrations automatically on startupDavid Mehren2021-02-271-0/+31
| | | | | | | | | | This commit removes the need for separate migrations with the sequelize-cli by running them with umzug on application startup. This is a port of #384 Co-authored-by: Sheogorath <sheogorath@shivering-isles.com> Signed-off-by: David Mehren <git@herrmehren.de>
* Linter: Fix all lint errorsPhilip Molares2021-02-156-125/+127
| | | | Signed-off-by: Philip Molares <philip.molares@udo.edu>
* Fix note creation in FreeURL mode not using templateErik Michelson2021-02-021-3/+4
| | | | | | | As explained in #391, the previous note creation logic didn't handle the case "alias is set, but it's not a file on disk". The fix introduces a separate if-statement for this scenario at the cost of a doubled filesystem read access. Co-Authored-By: @evanlinde Signed-off-by: Erik Michelson <github@erik.michelson.eu>
* Replace CodiMD with HedgeDocErik Michelson2020-11-141-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Signed-off-by: Erik Michelson <github@erik.michelson.eu> Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de> Rename to HedgeDoc: References in public/views Signed-off-by: David Mehren <git@herrmehren.de> Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de> Rename to HedgeDoc: Update links in README Signed-off-by: David Mehren <git@herrmehren.de> Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de> Rename to HedgeDoc: Update links in SECURITY.md Signed-off-by: David Mehren <git@herrmehren.de> Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de> Rename to HedgeDoc: Update links in LICENSE Signed-off-by: David Mehren <git@herrmehren.de> Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de> Rename to HedgeDoc: Update links in docs/configuration.md Signed-off-by: David Mehren <git@herrmehren.de> Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de> Rename to HedgeDoc: Update links in bin/setup Signed-off-by: David Mehren <git@herrmehren.de> Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de> Rename to HedgeDoc: References in docs/guides Signed-off-by: David Mehren <git@herrmehren.de> Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de> Rename to HedgeDoc: References in docs/dev Signed-off-by: David Mehren <git@herrmehren.de> Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de> Rename to HedgeDoc: References in docs/guides/auth Signed-off-by: David Mehren <git@herrmehren.de> Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de> Rename to HedgeDoc: References in docs/setup Signed-off-by: David Mehren <git@herrmehren.de> Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de> Rename to HedgeDoc: Update various links in code to the new GitHub org. Signed-off-by: David Mehren <git@herrmehren.de> Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de> Rename to HedgeDoc: codiMDVersion.js is now hedgeDocVersion.js Signed-off-by: David Mehren <git@herrmehren.de> Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de> Rename to HedgeDoc: References in docs/setup/yunohost Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de> Rebrand to HedgeDoc: Add banner and logo Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de> Rename to HedgeDoc: Update links in docs/guides/migrate-etherpad Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de> Rename to HedgeDoc: Remove note in docs/guides/auth/github Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de> Rename to HedgeDoc: Replace links in public/docs/features Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de> Rename to HedgeDoc: Add todo placeholder in docs/history Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de> Rename to HedgeDoc: Replace github link in public/views/index/body Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de> Rename to HedgeDoc: Replace github link in README Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de> Rename to HedgeDoc: Add logo to README Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de> Rename to HedgeDoc: Add note about the renaming to the front page Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de> Removed Travis from README.md and change CodiMD to HedgeDoc in some places Signed-off-by: Yannick Bungers <git@innay.de> Some more renaming to HedgeDoc - Fixed capitalization of HedgeDoc - Added renaming for etherpad migration doc Signed-off-by: Yannick Bungers <git@innay.de> Changed Repo name to hedgedoc Signed-off-by: Yannick Bungers <git@innay.de>
* Fixed meta parsing of lang-attribute for using it in the published-viewErik Michelson2020-07-041-0/+1
| | | | Signed-off-by: Erik Michelson <github@erik.michelson.eu>
* Added customizable og-metadata to notesErik Michelson2019-10-041-0/+9
| | | | Signed-off-by: Erik Michelson <erik@liltv.de>
* fix: upgrade sequelize to latest version to fix CVEBoHong Li2019-06-115-745/+752
| | | | Signed-off-by: BoHong Li <a60814billy@gmail.com>
* Rework debug loggingSheogorath2019-06-081-3/+2
| | | | | | | | | | | | | | We have various places with overly simple if statements that could be handled by our logging library. Also a lot of those logs are not marked as debug logs but as info logs, which can cause confusion during debugging. This patch removed unneeded if clauses around debug logging statements, reworks debug log messages towards ECMA templates and add some new logging statements which might be helpful in order to debug things like image uploads. Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* Fix eslint warningsSheogorath2019-05-311-8/+8
| | | | | | | | | | | Since we are about to release it's time to finally fix our linting. This patch basically runs eslint --fix and does some further manual fixes. Also it sets up eslint to fail on every warning on order to make warnings visable in the CI process. There should no functional change be introduced. Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* Fix missing pictures for OpenIDSheogorath2019-05-261-0/+3
| | | | | | | | | | Currently a problem appears when using OpenID for authentication as there is no method to add a profile picture right now. This patch makes sure that all undefined login methods get a profile picture. Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* polyfilling scrypt for node 8.5+Claudius2019-05-131-4/+13
| | | | Signed-off-by: Claudius <opensource@amenthes.de>
* asyncified setting and verifying the passwordClaudius2019-05-131-9/+7
| | | | Signed-off-by: Claudius <opensource@amenthes.de>
* getting password hashing into a hook where it could be asyncClaudius2019-05-131-6/+14
| | | | Signed-off-by: Claudius <opensource@amenthes.de>
* Switch scrypt library to a successorSheogorath2018-11-211-1/+1
| | | | | | | | | | | | | Since our previous scrypt library is unmaintained since 3 years, it's time to look for an alternative. A refactoring towards another password algorithm was worked on and this is probably still the way to go. But for now the successor of our previous library should already be enough. https://www.npmjs.com/package/scrypt (old library) https://github.com/ml1nk/node-scrypt (new library) Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* switching to eslint for code checkingClaudius Coenen2018-11-142-1/+2
| | | | | | | most rules degraded to WARN, so we don't go insane. This will change over time. The aim is to conform to a common style Signed-off-by: Claudius Coenen <opensource@amenthes.de>
* lib/models/revision.js: make independent of exec-pathWilliButz2018-09-261-1/+2
| | | | | | | | | | | Previously calling `app.js` from another directory than the base directory of CodiMD would result in an error being thrown because `lib/workers/dmpWorker.js` could not be found. This change makes the function call independent of the path CodiMD is started from. Signed-off-by: WilliButz <wbutz@cyberfnord.de>
* Further improvement of error handling for LZStringSheogorath2018-07-271-1/+5
| | | | | | | This does some more in depth check on the error message and minimizes the log noise that is caused by LZString. Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* Rebrand HackMD to CodiMDSheogorath2018-06-241-1/+1
| | | | Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* Allow to disable gravatarSheogorath2018-06-231-25/+5
| | | | | | | | | Since Gravatar is an external image source and not perfect from a privacy perspective, forbidding it allows to improve privacy. This commit also simplifies and optimizes the avatar code. Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* Merge pull request #830 from SISheogorath/feature/GDPRChristoph (Sheogorath) Kern2018-06-174-5/+20
|\ | | | | GDPR compliant part 1
| * Add token based security featureSheogorath2018-05-251-0/+4
| | | | | | | | | | | | | | | | | | | | | | | | In the current setup users could be tricked into deleting their data by providing a malicious link like `[click me](/me/delete)`. This commit prevents such an easy attack and need the user's deleteToken to get his data deleted. In case someone requests his deletion by email you can also ask him for this token. We can add a GUI that shows it later on. Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
| * Fix requests for deleted usersSheogorath2018-05-251-0/+3
| | | | | | | | | | | | | | When users are requested from the authorship which no longer exist, they shouldn't cause a 500. Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
| * Use cascaded deletesSheogorath2018-05-253-4/+12
| | | | | | | | | | | | | | When we delete a user we should delete all the notes that belong to this user including the revisions of these notes. Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
| * Use hard delete instead of soft deleteSheogorath2018-05-251-1/+1
| | | | | | | | | | | | | | Right now we only flag notes as deleted. This is no longer allowed under GDPR. Make sure you do regular backups! Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* | Merge pull request #784 from pferreir/add-oauth2-supportChristoph (Sheogorath) Kern2018-06-041-2/+2
|\ \ | |/ |/| Add "generic" OAuth2 support
| * Use TEXT instead of STRING for tokensPedro Ferreira2018-03-261-2/+2
| | | | | | | | Signed-off-by: Pedro Ferreira <pedro.ferreira@cern.ch>
* | Merge pull request #803 from SISheogorath/fix/letterAvatarCSPChristoph (Sheogorath) Kern2018-04-171-5/+5
|\ \ | | | | | | Move letter-avatars into own request
| * | Move letter-avatars into own requestSheogorath2018-04-171-5/+5
| |/ | | | | | | | | | | | | | | | | | | To prevent further weakening of our CSP policies, moving the Avatars into a non-inline version is the way to go. This implementation probably needs some beautification. But already fixes the bug. Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* / Add check for noteId lengthSheogorath2018-04-101-0/+9
|/ | | | | | | | | | As we know the length of an UUID we can check if the base64 string of the provided UUID is long enough for a legacy base64 encoded nodeId and stop processing it in legacy mode, if it's not the case. This should make the ugly warning way less common. Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* Change config to camel case with backwards compatibilitySheogorath2018-03-252-8/+8
| | | | | | | | This refactors the configs a bit to now use camel case everywhere. This change should help to clean up the config interface and make it better understandable. Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* Fix to log instead of throwing error on parse note idMax Wu2018-03-111-2/+4
| | | | Signed-off-by: Max Wu <jackymaxj@gmail.com>
* Fix parseNoteId order to fix some edge caseMax Wu2018-03-101-7/+7
| | | | | | that LZString note url could be parsed by base64url note url and thus return wrong note id Signed-off-by: Max Wu <jackymaxj@gmail.com>
* Update to use buffer in encode/decode note idMax Wu2018-02-271-2/+4
| | | | Signed-off-by: Max Wu <jackymaxj@gmail.com>
* Remove and replace all note id compression in LZString with base64urlMax Wu2018-02-261-0/+27
| | | | Signed-off-by: Max Wu <jackymaxj@gmail.com>
* Fix field type to prevent data truncation of authorship (#721)Max Wu2018-02-092-2/+2
| | | | * Fix field type to prevent data truncation of authorship
* Ignore empty values for revision.Sheogorath2018-01-181-2/+2
| | | | Fixes #420
* Merge pull request #567 from ccoenen/fix-mysql-text-lengthChristoph (Sheogorath) Kern2018-01-182-4/+4
|\ | | | | converting all content fields to MEDIUMTEXT (affects MySQL only)
| * Fix #521 by converting content fields to LONGTEXT in MySQL, to prevent ↵Claudius Coenen2017-10-162-4/+4
| | | | | | | | truncation of data.
* | Initial support for SAML authenticationNorihito Nakae2017-11-281-0/+9
| |
* | Add mattermost authenticationChristoph Witzany2017-10-311-0/+9
|/
* createdAt DESC with quotation marks did not work with MySQL fixes #565Claudius Coenen2017-10-091-4/+4
|
* Fix broken profile imagesSheogorath2017-09-221-2/+6
|
* Fix typo in the db configWu Cheng-Han2017-06-051-1/+1
|
* refactor(config.js): Extract config fileBoHong Li2017-05-081-2/+3
| | | | | * Separate different config source to each files * Freeze config object
* refactor: Remove `require` extension filenameBoHong Li2017-05-084-9/+9
|
* Fix strip null byte in model should cast to string to use replace functionWu Cheng-Han2017-03-151-0/+1
|
* Fix update doc from filesystem cause redundant authorship stringifyWu Cheng-Han2017-03-141-1/+1
|