path: root/lib/web/imageRouter

Commit message (Author, Date, Files changed, Lines -/+)
* Fix arbitrary file upload for uploadimage API endpoint (Sheogorath, 2020-12-27, 1 file, -2/+8)

This patch fixes a security issue with all existing CodiMD and HedgeDoc installations which allows arbitrary file uploads to instances that expose the `/uploadimage` API endpoint. With the patch it implies the same restrictions on the MIME-types as the frontend does. That means only images are allowed unless configured differently.

This issue was reported by Thomas Lambertz.

To verify if you are vulnerable or not, create two files `test.html` and `test.png` and try to upload them to your hedgedoc installation.

```
curl -X POST -F "image=@$(pwd)/test.html" http://localhost:3000/uploadimage
curl -X POST -F "image=@$(pwd)/test.png" http://localhost:3000/uploadimage
```

Note: Not all backends are affected. Imgur and lutim should prevent this by their own upload API. But S3, minio, filesystem and azure will be at risk.

Additional note: When using filesystem instead of an external uploads provider, there is a higher risk of code injections as the default CSP does not block JS from the main domain.

References: https://github.com/hedgedoc/hedgedoc/security/advisories/GHSA-wcr3-xhv7-8gxc

Signed-off-by: Christoph Kern <sheogorath@shivering-isles.com>
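The commit above restricts uploads to image MIME types on the server side. As an added illustration (not HedgeDoc's own code), the following check allowlists the declared type and additionally sniffs the file's magic bytes, so that an HTML document sent with a forged `image/png` type is still rejected; the `file` object shape (`mimetype`, `buffer`) mimics a multipart upload and is an assumption of this example.

```javascript
// Added example, not HedgeDoc's own code: server-side allowlisting of
// uploaded images for an endpoint such as /uploadimage. The client-declared
// MIME type is only a hint, so the content is sniffed as well.
const ALLOWED_IMAGE_TYPES = new Set(['image/png', 'image/jpeg', 'image/gif']);

// Magic-byte signatures for the allowed types (lookup table built for this example).
const SIGNATURES = [
  { type: 'image/png',  bytes: [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a] },
  { type: 'image/jpeg', bytes: [0xff, 0xd8, 0xff] },
  { type: 'image/gif',  bytes: [0x47, 0x49, 0x46, 0x38] },
];

// Return the image type whose signature matches the start of buf, else null.
function sniffImageType(buf) {
  for (const sig of SIGNATURES) {
    if (buf.length >= sig.bytes.length &&
        sig.bytes.every((b, i) => buf[i] === b)) {
      return sig.type;
    }
  }
  return null;
}

// Accept the upload only if the declared type is allowlisted AND the bytes
// actually look like that type. Returns { ok, type } or { ok, reason }.
function validateImageUpload(file, allowed = ALLOWED_IMAGE_TYPES) {
  if (!allowed.has(file.mimetype)) {
    return { ok: false, reason: `declared type ${file.mimetype} is not allowed` };
  }
  const sniffed = sniffImageType(file.buffer);
  if (sniffed !== file.mimetype) {
    return { ok: false, reason: 'content does not match the declared image type' };
  }
  return { ok: true, type: sniffed };
}

// Constructed sample uploads: a real PNG header, and an HTML document that
// the client claims is a PNG (the test.html case from the commit message).
const pngUpload = {
  mimetype: 'image/png',
  buffer: Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a, 0x00, 0x00]),
};
const htmlUpload = {
  mimetype: 'image/png',
  buffer: Buffer.from('<!DOCTYPE html><html><body>not an image</body></html>'),
};

console.log(validateImageUpload(pngUpload), validateImageUpload(htmlUpload));
```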
* Merge pull request #213 from davidmehren/refactor_backend_notes (Sheogorath, 2019-11-20, 1 file, -2/+2)

First steps in refactoring the backend code
* Move note actions to their own file. (David Mehren, 2019-10-27, 1 file, -2/+2)

Because of circular import problems, this commit also moves the error messages from response.js to errors.js

Signed-off-by: David Mehren <dmehren1@gmail.com>
* Fix crash in lutim integration (Girish Ramakrishnan, 2019-10-29, 1 file, -1/+1)

Signed-off-by: Girish Ramakrishnan <girish@cloudron.io>
* Merge pull request #32 from codimd/aws-endpoints (Sheogorath, 2019-09-02, 1 file, -1/+3)

make aws s3 endpoint configurable
* make aws s3 endpoint configurable (Mathias Merscher, 2019-02-11, 1 file, -1/+3)

Signed-off-by: Mathias Merscher <Mathias.Merscher@dg-i.net>
* Rework debug logging (Sheogorath, 2019-06-08, 6 files, -25/+24)

We have various places with overly simple if statements that could be handled by our logging library. Also a lot of those logs are not marked as debug logs but as info logs, which can cause confusion during debugging.

This patch removes unneeded if clauses around debug logging statements, reworks debug log messages towards ECMA templates and adds some new logging statements which might be helpful in order to debug things like image uploads.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* Fix eslint warnings (Sheogorath, 2019-05-31, 3 files, -10/+10)

Since we are about to release it's time to finally fix our linting. This patch basically runs eslint --fix and does some further manual fixes. Also it sets up eslint to fail on every warning in order to make warnings visible in the CI process.

No functional change should be introduced.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* Add lutim support (Dylan Dervaux, 2019-04-10, 1 file, -0/+31)

Signed-off-by: Dylan Dervaux <dylanderv05@gmail.com>
* Hide port from minio URL for protocol default port (Thor77, 2019-04-06, 1 file, -1/+3)

Signed-off-by: Thor77 <thor77@thor77.org>
* Fix usage of new URL API (Sheogorath, 2018-12-18, 1 file, -2/+2)

Due to the deprecation of the old `url`-API provided by NodeJS we replaced `url.resolve` with `url.URL.resolve`, which doesn't exist.

This patch fixes the local filesystem upload of CodiMD by using the new API correctly: creating a URL object and using its href.

Some more background:
https://nodejs.org/api/url.html#url_url_href
https://nodejs.org/api/url.html#url_url_resolve_from_to

Fixes https://github.com/hackmdio/codimd/issues/1102

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* switching to eslint for code checking (Claudius Coenen, 2018-11-14, 1 file, -1/+1)

most rules degraded to WARN, so we don't go insane. This will change over time. The aim is to conform to a common style

Signed-off-by: Claudius Coenen <opensource@amenthes.de>
* imageRouter/filesystem: make callback path-independent (WilliButz, 2018-09-26, 1 file, -1/+2)

Images are now properly served when `config.uploadsPath` differs from its default value.

Signed-off-by: WilliButz <wbutz@cyberfnord.de>
* Fix breaking regex (Sheogorath, 2018-06-24, 1 file, -1/+1)

The image upload regex breaks with the new path for uploads. This commit fixes it.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* Fix possible error if HackMD is started with wrong workdir (Sheogorath, 2018-06-23, 1 file, -1/+1)

https://github.com/hackmdio/hackmd/issues/834 describes how starting HackMD crashes when using the wrong working dir. This is caused by a relative path in our upload routine.

This change should fix it and prevent future crashes.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* Fix callback validation (Adam Hoka, 2018-06-01, 4 files, -4/+7)

Signed-off-by: Adam Hoka <hoka.adam@nexogen.hu>
* Add Azure Blob Storage support (Ádám Hóka, 2018-06-01, 1 file, -0/+35)

Signed-off-by: Adam Hoka <hoka.adam@nexogen.hu>
* Change config to camel case with backwards compatibility (Sheogorath, 2018-03-25, 2 files, -3/+3)

This refactors the configs a bit to now use camel case everywhere. This change should help to clean up the config interface and make it easier to understand.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* Refactoring imageRouter to modularity (Sheogorath, 2018-03-20, 5 files, -0/+183)

This should make the imageRouter more modular and easier to extend. Also a lot of code duplication was removed which should simplify maintenance in future.

In the new setup we only need to provide a new module file which exports a function called `uploadImage` and takes a filePath and a callback as arguments. The callback itself takes an error and a URL as parameters. This eliminates the need for a try-catch-block around the statement and re-enables the optimization in NodeJS.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>