path: root/lib/web/imageRouter

Date        Commit message  (Author; files changed; lines -/+)
2021-04-22  ImageRouterImgur: Replace imgur library with note-fetch request  (Philip Molares; 1 file; -6/+24)
This kinda is a backport of https://github.com/hedgedoc/hedgedoc/pull/961
Signed-off-by: Philip Molares <philip.molares@udo.edu>
2021-03-29  ImageUpload: Fix errors with .jpeg and .svg  (Philip Molares; 1 file; -2/+17)
This checks that all files that claim to be an svg (by their extension) really are, and defines the typeFromMagic accordingly. Files that got identified as jpg, but have the extension .jpeg, get their extension fixed. The file extensions will work in all cases now.
Signed-off-by: Philip Molares <philip.molares@udo.edu>
2021-02-15  Linter: Fix all lint errors  (Philip Molares; 4 files; -17/+35)
Signed-off-by: Philip Molares <philip.molares@udo.edu>
2021-02-12  Switch to minio v7 API  (David Mehren; 1 file; -1/+1)
The secure parameter is now called useSSL: https://github.com/minio/minio-js/releases/tag/7.0.0
Signed-off-by: David Mehren <git@herrmehren.de>
2020-12-27  Always save uploads to a tmpdir first and cleanup afterwards  (David Mehren; 2 files; -9/+24)
This makes sure no unintended files are permanently saved.
Co-authored-by: Yannick Bungers <git@innay.de>
Signed-off-by: David Mehren <git@herrmehren.de>
2020-12-27  Improve MIME-type checks of uploaded files  (David Mehren; 1 file; -4/+22)
This commit adds a check if the MIME-type of the uploaded file (detected using the magic bytes) matches the file extension.
Signed-off-by: David Mehren <git@herrmehren.de>
2020-12-27  Rework error messages for image uploads  (Sheogorath; 1 file; -4/+4)
This patch reworks the error messages for image uploads to make more sense. Instead of using the current `formidable error` for everything, all custom error detection now provides the (hopefully) more useful `Image Upload error` prefix for error messages.
Signed-off-by: Christoph Kern <sheogorath@shivering-isles.com>
2020-12-27  Fix unauthenticated file uploads  (Sheogorath; 1 file; -0/+3)
This patch fixes the issue of unauthenticated users being able to upload files even when anonymous edits are disabled. It's implemented by blocking uploads when `allowAnonymous` is set to `false` for all unauthenticated users, unless `allowAnonymousEdits` is set to true, to make sure anonymous editors still experience the full feature set.
Signed-off-by: Christoph Kern <sheogorath@shivering-isles.com>
2020-12-27  Fix arbitrary file upload for uploadimage API endpoint  (Sheogorath; 1 file; -2/+8)
This patch fixes a security issue with all existing CodiMD and HedgeDoc installations which allows arbitrary file uploads to instances that expose the `/uploadimage` API endpoint. With the patch it implies the same restrictions on the MIME-types as the frontend does. This means only images are allowed unless configured differently.

This issue was reported by Thomas Lambertz.

To verify if you are vulnerable or not, create two files `test.html` and `test.png` and try to upload them to your hedgedoc installation.

```
curl -X POST -F "image=@$(pwd)/test.html" http://localhost:3000/uploadimage
curl -X POST -F "image=@$(pwd)/test.png" http://localhost:3000/uploadimage
```

Note: Not all backends are affected. Imgur and lutim should prevent this by their own upload API. But S3, minio, filesystem and azure will be at risk.

Additional Note: When using filesystem instead of an external uploads provider, there is a higher risk of code injection as the default CSP does not block JS from the main domain.

References: https://github.com/hedgedoc/hedgedoc/security/advisories/GHSA-wcr3-xhv7-8gxc
Signed-off-by: Christoph Kern <sheogorath@shivering-isles.com>
2019-10-29  Fix crash in lutim integration  (Girish Ramakrishnan; 1 file; -1/+1)
Signed-off-by: Girish Ramakrishnan <girish@cloudron.io>
2019-10-27  Move note actions to their own file.  (David Mehren; 1 file; -2/+2)
Because of circular import problems, this commit also moves the error messages from response.js to errors.js.
Signed-off-by: David Mehren <dmehren1@gmail.com>
2019-06-08  Rework debug logging  (Sheogorath; 6 files; -25/+24)
We have various places with overly simple if statements that could be handled by our logging library. Also a lot of those logs are not marked as debug logs but as info logs, which can cause confusion during debugging. This patch removes unneeded if clauses around debug logging statements, reworks debug log messages towards ECMA templates and adds some new logging statements which might be helpful in order to debug things like image uploads.
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2019-05-31  Fix eslint warnings  (Sheogorath; 3 files; -10/+10)
Since we are about to release, it's time to finally fix our linting. This patch basically runs eslint --fix and does some further manual fixes. Also it sets up eslint to fail on every warning in order to make warnings visible in the CI process. No functional change should be introduced.
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2019-04-10  Add lutim support  (Dylan Dervaux; 1 file; -0/+31)
Signed-off-by: Dylan Dervaux <dylanderv05@gmail.com>
2019-04-06  Hide port from minio URL for protocol default port  (Thor77; 1 file; -1/+3)
Signed-off-by: Thor77 <thor77@thor77.org>
2019-02-11  make aws s3 endpoint configurable  (Mathias Merscher; 1 file; -1/+3)
Signed-off-by: Mathias Merscher <Mathias.Merscher@dg-i.net>
2018-12-18  Fix usage of new URL API  (Sheogorath; 1 file; -2/+2)
Due to the deprecation of the old `url`-API provided by NodeJS we replaced `url.resolve` with `url.URL.resolve`, which doesn't exist. This patch fixes the local filesystem upload of CodiMD by using the new API correctly: creating a URL object and using its href.

Some more background:
https://nodejs.org/api/url.html#url_url_href
https://nodejs.org/api/url.html#url_url_resolve_from_to

Fixes https://github.com/hackmdio/codimd/issues/1102
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-11-14  switching to eslint for code checking  (Claudius Coenen; 1 file; -1/+1)
Most rules degraded to WARN, so we don't go insane. This will change over time. The aim is to conform to a common style.
Signed-off-by: Claudius Coenen <opensource@amenthes.de>
2018-09-26  imageRouter/filesystem: make callback path-independent  (WilliButz; 1 file; -1/+2)
Images are now properly served when `config.uploadsPath` differs from its default value.
Signed-off-by: WilliButz <wbutz@cyberfnord.de>
2018-06-24  Fix breaking regex  (Sheogorath; 1 file; -1/+1)
The image upload regex breaks with the new path for uploads. This commit fixes it.
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-06-23  Fix possible error if HackMD is started with wrong workdir  (Sheogorath; 1 file; -1/+1)
https://github.com/hackmdio/hackmd/issues/834 describes how starting HackMD crashes when using the wrong working dir. This is caused by a relative path in our upload routine. This change should fix it and prevent future crashes.
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-06-01  Fix callback validation  (Adam Hoka; 4 files; -4/+7)
Signed-off-by: Adam Hoka <hoka.adam@nexogen.hu>
2018-06-01  Add Azure Blob Storage support  (Ádám Hóka; 1 file; -0/+35)
Signed-off-by: Adam Hoka <hoka.adam@nexogen.hu>
2018-03-25  Change config to camel case with backwards compatibility  (Sheogorath; 2 files; -3/+3)
This refactors the configs a bit to now use camel case everywhere. This change should help to clean up the config interface and make it more understandable.
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-03-20  Refactoring imageRouter to modularity  (Sheogorath; 5 files; -0/+183)
This should make the imageRouter more modular and easier to extend. Also a lot of code duplication was removed, which should simplify maintenance in the future. In the new setup we only need to provide a new module file which exports a function called `uploadImage` and takes a filePath and a callback as arguments. The callback itself takes an error and a URL as parameters. This eliminates the need for a try-catch-block around the statement and re-enables the optimization in NodeJS.
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>