| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
|
|
|
| |
This patch fixes the issue of unauthenticated users, being able to
upload files, even when anonymous edits are disabled.
It's implemented by blocking uploads when either `allowAnonymous` is set
to `false` for all unauthenticated users, unless `allowAnonymousEdits`
is set to true, to make sure anonymous editors still experience the full
feature set.
Signed-off-by: Christoph Kern <sheogorath@shivering-isles.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch fixes a security issue with all existing CodiMD and HedgeDoc
installation which allows arbitary file uploads to instances that expose
the `/uploadimage` API endpoint. With the patch it implies the same
restrictions on the MIME-types as the frontend does. Means only images
are allowed unless configured differently.
This issue was reported by Thomas Lambertz.
To verify if you are vulnerable or not, create two files `test.html` and
`test.png` and try to upload them to your hedgedoc installation.
```
curl -X POST -F "image=@$(pwd)/test.html" http://localhost:3000/uploadimage
curl -X POST -F "image=@$(pwd)/test.png" http://localhost:3000/uploadimage
```
Note: Not all backends are affected. Imgur and lutim should prevent this
by their own upload API. But S3, minio, filesystem and azure, will be at
risk.
Addition Note: When using filesystem instead of an external uploads
providers, there is a higher risk of code injections as the default CSP
do not block JS from the main domain.
References:
https://github.com/hedgedoc/hedgedoc/security/advisories/GHSA-wcr3-xhv7-8gxc
Signed-off-by: Christoph Kern <sheogorath@shivering-isles.com>
|
|\
| |
| | |
First steps in refactoring the backend code
|
| |
| |
| |
| |
| |
| | |
Because of circular import problems, this commit also moves the error messages from response.js to errors.js
Signed-off-by: David Mehren <dmehren1@gmail.com>
|
|/
|
|
| |
Signed-off-by: Girish Ramakrishnan <girish@cloudron.io>
|
|\
| |
| | |
make aws s3 endpoint configurable
|
| |
| |
| |
| | |
Signed-off-by: Mathias Merscher <Mathias.Merscher@dg-i.net>
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
We have various places with overly simple if statements that could be
handled by our logging library. Also a lot of those logs are not marked
as debug logs but as info logs, which can cause confusion during
debugging.
This patch removed unneeded if clauses around debug logging statements,
reworks debug log messages towards ECMA templates and add some new
logging statements which might be helpful in order to debug things like
image uploads.
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Since we are about to release it's time to finally fix our linting. This
patch basically runs eslint --fix and does some further manual fixes.
Also it sets up eslint to fail on every warning on order to make
warnings visable in the CI process.
There should no functional change be introduced.
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
|
| |
| |
| |
| | |
Signed-off-by: Dylan Dervaux <dylanderv05@gmail.com>
|
|/
|
|
| |
Signed-off-by: Thor77 <thor77@thor77.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Due to the deprecation of the old `url`-API provided by NodeJS we
replaced `url.resolve` with `url.URL.resolve`, which doesn't exist.
This patch fixes the local filesystem upload of CodiMD by using the new
API correctly. Creating an URL object and using its href.
Some more background:
https://nodejs.org/api/url.html#url_url_href
https://nodejs.org/api/url.html#url_url_resolve_from_to
Fixes https://github.com/hackmdio/codimd/issues/1102
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
|
|
|
|
|
|
|
| |
most rules degraded to WARN, so we don't go insane. This will
change over time. The aim is to conform to a common style
Signed-off-by: Claudius Coenen <opensource@amenthes.de>
|
|
|
|
|
|
|
| |
Images are now properly served when `config.uploadsPath`
differs from its default value.
Signed-off-by: WilliButz <wbutz@cyberfnord.de>
|
|
|
|
|
|
|
|
| |
The image upload regex breaks with the new path for uploads.
This commit fixes it.
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
|
|
|
|
|
|
|
|
|
|
| |
In https://github.com/hackmdio/hackmd/issues/834 is described how
starting HackMD crashes when using the wrong working dir.
This is caused by a relative path in our upload routine. This change
should fix it and prevent future crashes.
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
|
|
|
|
| |
Signed-off-by: Adam Hoka <hoka.adam@nexogen.hu>
|
|
|
|
| |
Signed-off-by: Adam Hoka <hoka.adam@nexogen.hu>
|
|
|
|
|
|
|
|
| |
This refactors the configs a bit to now use camel case everywhere.
This change should help to clean up the config interface and make it
better understandable.
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
|
|
This should make the imageRouter more modular and easier to extent. Also
a lot of code duplication was removed which should simplify maintenance
in future.
In the new setup we only need to provide a new module file which exports
a function called `uploadImage` and takes a filePath and a callback as
argument. The callback itself takes an error and an url as parameter.
This eliminates the need of a try-catch-block around the statement and
re-enabled the optimization in NodeJS.
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
|