summaryrefslogtreecommitdiff
path: root/lib/web (unfollow)
Commit message (Collapse)AuthorFilesLines
2021-04-22ImageRouterImgur: Replace imgur library with note-fetch requestPhilip Molares1-6/+24
This kinda is a backport of https://github.com/hedgedoc/hedgedoc/pull/961 Signed-off-by: Philip Molares <philip.molares@udo.edu>
2021-03-29Add better logging messagesErik Michelson1-2/+2
Signed-off-by: Erik Michelson <opensource@erik.michelson.eu>
2021-03-29Check for existing notes on POST and dont override themErik Michelson1-1/+14
Previously one could override notes in FreeURL-mode by sending multiple POST requests to the /new/<alias> endpoint. This commit adds a check for an already existing note with the requested alias and returns a HTTP 409 Conflict error in case that happens. Signed-off-by: Erik Michelson <opensource@erik.michelson.eu>
2021-03-29ImageUpload: Fix errors with .jpeg and .svgPhilip Molares1-2/+17
This checks all files that claim to be an svg (by their extension) that they really are and defines the typeFromMagic accordingly Files that got identified as jpg, but have the extension .jpeg get their extension fixed. The files extensions will work in all cases now. Signed-off-by: Philip Molares <philip.molares@udo.edu>
2021-02-17Add HTTP 404 error on non-existent note downloadsErik Michelson2-3/+6
When FreeURL mode is enabled and you called the /download route, the note was created and the user redirected to the blank note. This is caused because the findNote method automatically creates a note when no existing one is found. This commit adds a new parameter to the findNote method which allows to disable this behaviour. In that case a HTTP 404 error will be returned. Signed-off-by: Erik Michelson <github@erik.michelson.eu>
2021-02-15Linter: Fix all lint errorsPhilip Molares19-66/+86
Signed-off-by: Philip Molares <philip.molares@udo.edu>
2021-02-12Switch to minio v7 APIDavid Mehren1-1/+1
The secure parameter is now called useSSL https://github.com/minio/minio-js/releases/tag/7.0.0 Signed-off-by: David Mehren <git@herrmehren.de>
2021-02-11Fix SAML auth error loggingDavid Mehren1-1/+1
As stated in https://github.com/node-saml/passport-saml/blob/master/CHANGELOG.md#v200-2020-11-03 and the corresponding PR https://github.com/node-saml/passport-saml/pull/412 passport-saml now always throws error objects instead of strings. This fixes our error logging to accommodate this change. Signed-off-by: David Mehren <git@herrmehren.de>
2021-01-22Add config option which requires authentication in FreeURL modeNicolas Dietrich1-1/+1
This mitigates unintended note creation by bots or humans through a simple GET call. See discussion in #754. Signed-off-by: Nicolas Dietrich <nidi@mailbox.org>
2021-01-22Minor refactoring of freeURL condition checkNicolas Dietrich1-4/+6
Signed-off-by: Nicolas Dietrich <nidi@mailbox.org>
2020-12-27Always save uploads to a tmpdir first and cleanup afterwardsDavid Mehren2-9/+24
This makes sure no unintended files are permanently saved. Co-authored-by: Yannick Bungers <git@innay.de> Signed-off-by: David Mehren <git@herrmehren.de>
2020-12-27Improve MIME-type checks of uploaded filesDavid Mehren1-4/+22
This commit adds a check if the MIME-type of the uploaded file (detected using the magic bytes) matches the file extension. Signed-off-by: David Mehren <git@herrmehren.de>
2020-12-27Rework error messages for image uploadsSheogorath1-4/+4
This patch reworks the error messages for image uploads to make more sense. Instead of using the current `formidable error` for everything, all custom error detection now provide the (hopefully) more useful `Image Upload error` prefix for error messages. Signed-off-by: Christoph Kern <sheogorath@shivering-isles.com>
2020-12-27Fix unauthenticated file uploadsSheogorath1-0/+3
This patch fixes the issue of unauthenticated users, being able to upload files, even when anonymous edits are disabled. It's implemented by blocking uploads when either `allowAnonymous` is set to `false` for all unauthenticated users, unless `allowAnonymousEdits` is set to true, to make sure anonymous editors still experience the full feature set. Signed-off-by: Christoph Kern <sheogorath@shivering-isles.com>
2020-12-27Fix arbitary file upload for uploadimage API endpointSheogorath1-2/+8
This patch fixes a security issue with all existing CodiMD and HedgeDoc installation which allows arbitary file uploads to instances that expose the `/uploadimage` API endpoint. With the patch it implies the same restrictions on the MIME-types as the frontend does. Means only images are allowed unless configured differently. This issue was reported by Thomas Lambertz. To verify if you are vulnerable or not, create two files `test.html` and `test.png` and try to upload them to your hedgedoc installation. ``` curl -X POST -F "image=@$(pwd)/test.html" http://localhost:3000/uploadimage curl -X POST -F "image=@$(pwd)/test.png" http://localhost:3000/uploadimage ``` Note: Not all backends are affected. Imgur and lutim should prevent this by their own upload API. But S3, minio, filesystem and azure, will be at risk. Addition Note: When using filesystem instead of an external uploads providers, there is a higher risk of code injections as the default CSP do not block JS from the main domain. References: https://github.com/hedgedoc/hedgedoc/security/advisories/GHSA-wcr3-xhv7-8gxc Signed-off-by: Christoph Kern <sheogorath@shivering-isles.com>
2020-11-30Fix crash when OAuth2 config parameters are missingDavid Mehren1-12/+19
If the optional config options `config.oauth2.userProfileIdAttr` or `config.oauth2.rolesClaim` were not set, `String.split` was called on `undefined`, triggering a crash. This commit adds handling of these cases and improves error logging in `checkAuthorization`. Fixes #608 Signed-off-by: David Mehren <git@herrmehren.de>
2020-11-26Remove pdf export codeTilman Vatteroth2-41/+0
Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>
2020-11-25Add oauth2 authorizationJoachim Mathes1-1/+22
Signed-off-by: Joachim Mathes <joachim_mathes@web.de>
2020-11-14Replace CodiMD with HedgeDocErik Michelson2-2/+2
Signed-off-by: Erik Michelson <github@erik.michelson.eu> Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de> Rename to HedgeDoc: References in public/views Signed-off-by: David Mehren <git@herrmehren.de> Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de> Rename to HedgeDoc: Update links in README Signed-off-by: David Mehren <git@herrmehren.de> Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de> Rename to HedgeDoc: Update links in SECURITY.md Signed-off-by: David Mehren <git@herrmehren.de> Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de> Rename to HedgeDoc: Update links in LICENSE Signed-off-by: David Mehren <git@herrmehren.de> Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de> Rename to HedgeDoc: Update links in docs/configuration.md Signed-off-by: David Mehren <git@herrmehren.de> Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de> Rename to HedgeDoc: Update links in bin/setup Signed-off-by: David Mehren <git@herrmehren.de> Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de> Rename to HedgeDoc: References in docs/guides Signed-off-by: David Mehren <git@herrmehren.de> Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de> Rename to HedgeDoc: References in docs/dev Signed-off-by: David Mehren <git@herrmehren.de> Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de> Rename to HedgeDoc: References in docs/guides/auth Signed-off-by: David Mehren <git@herrmehren.de> Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de> Rename to HedgeDoc: References in docs/setup Signed-off-by: David Mehren <git@herrmehren.de> Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de> Rename to HedgeDoc: Update various links in code to the new GitHub org. Signed-off-by: David Mehren <git@herrmehren.de> Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de> Rename to HedgeDoc: codiMDVersion.js is now hedgeDocVersion.js Signed-off-by: David Mehren <git@herrmehren.de> Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de> Rename to HedgeDoc: References in docs/setup/yunohost Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de> Rebrand to HedgeDoc: Add banner and logo Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de> Rename to HedgeDoc: Update links in docs/guides/migrate-etherpad Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de> Rename to HedgeDoc: Remove note in docs/guides/auth/github Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de> Rename to HedgeDoc: Replace links in public/docs/features Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de> Rename to HedgeDoc: Add todo placeholder in docs/history Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de> Rename to HedgeDoc: Replace github link in public/views/index/body Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de> Rename to HedgeDoc: Replace github link in README Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de> Rename to HedgeDoc: Add logo to README Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de> Rename to HedgeDoc: Add note about the renaming to the front page Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de> Removed Travis from README.md and change CodiMD to HedgeDoc in some places Signed-off-by: Yannick Bungers <git@innay.de> Some more renaming to HedgeDoc - Fixed capitalization of HedgeDoc - Added renaming for etherpad migration doc Signed-off-by: Yannick Bungers <git@innay.de> Changed Repo name to hedgedoc Signed-off-by: Yannick Bungers <git@innay.de>
2020-11-11Save note title to database when creating a noteDavid Mehren1-1/+2
Currently, when creating a note with content via the API, a title is only saved to the database after visiting the note with the browser. This commit makes sure that a title is saved at creation time. Closes #306 Signed-off-by: David Mehren <git@herrmehren.de>
2020-10-22Generic OAuth2: Set state: trueDexter Chua1-1/+2
The OAuth2 specification RECOMMENDS setting the state to protect against CSRF attacks. Some OAuth2 providers (e.g. ORY Hydra) refuse to authenticate without the state set. This is a cherry-pick of 852868419dc03d5dec79e75a3d7692ab670c927f. Signed-off-by: haslersn <sebastian.hasler@gmx.net>
2020-08-27Add config option for cookie SameSite policyErik Michelson1-1/+2
Signed-off-by: Erik Michelson <github@erik.michelson.eu>
2020-07-11saml: make logger print actual error messageSimeon Keske1-2/+2
Signed-off-by: Simeon Keske <git@n0emis.eu> Signed-off-by: Leo Maroni <git@em0lar.de>
2020-07-11add error handling to saml-certsSimeon Keske1-2/+15
Signed-off-by: Simeon Keske <git@n0emis.eu> Signed-off-by: Leo Maroni <git@em0lar.de>
2020-07-11allow to set a saml client certificateSimeon Keske1-0/+1
Signed-off-by: Simeon Keske <git@n0emis.eu>
2020-07-04Fixed meta parsing of lang-attribute for using it in the published-viewErik Michelson1-1/+1
Signed-off-by: Erik Michelson <github@erik.michelson.eu>
2020-07-03Added dynamic lang-attr to pretty.ejsErik Michelson1-0/+1
CodiMD currently only uses the 'lang' attribute in YAML-metadata of a note for setting certain js-elements of the markdown-renderer. This commit adds the chosen lang into the published version of a note. Signed-off-by: Erik Michelson <github@erik.michelson.eu>
2020-06-20Backport of #278 for 1.6.1Victor Berger1-1/+2
This is a backport of #278 with the default value of `scope` changed to `undefined`. This is thus a fully backward-compatible change. Signed-off-by: Victor Berger <victor.berger@m4x.org>
2020-04-28findNoteOrCreate: Create new note with empty string instead of `null`Sandro1-1/+1
Backport of #345 to 1.x Signed-off-by: Sandro Jäckel <sandro.jaeckel@gmail.com>
2020-03-21Backport Fix for relative theme pathSheogorath1-1/+1
This commit backport 856fc01fb9b30489b254f2ef9d29de80aa189118 Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2020-02-08Add Google oauth variable: hostedDomainike1-1/+1
Which is part of `passport-google-oauth2`. It could be used as whitelist to a domain supported by google oauth. Ref: https://github.com/jaredhanson/passport-google-oauth2/issues/3 Signed-off-by: ike <developer@ikewat.com>
2019-11-28Removing returnTo setting from referer in all other authentication sourcesRalph Krimmel12-28/+8
Signed-off-by: Ralph Krimmel <rkrimme1@gwdg.de>
2019-11-28Moving the storage of referrer information to main authorization check ↵Ralph Krimmel1-5/+3
instead of doing it in the authentication source Signed-off-by: Ralph Krimmel <rkrimme1@gwdg.de>
2019-11-27Fixing linting problemsRalph Krimmel1-4/+3
Signed-off-by: Ralph Krimmel <rkrimme1@gwdg.de>
2019-11-27Fixing redirection after SAML loginfoobarable1-2/+5
Saving referer into session in SAML auth so passport can redirect correctly after SAML login. Signed-off-by: Ralph Krimmel <rkrimme1@gwdg.de>
2019-10-29Fix crash in lutim integrationGirish Ramakrishnan1-1/+1
Signed-off-by: Girish Ramakrishnan <girish@cloudron.io>
2019-10-27Inline renderPublishSlideDavid Mehren1-8/+4
Signed-off-by: David Mehren <dmehren1@gmail.com>
2019-10-27Inline responseCodiMDDavid Mehren1-18/+14
Signed-off-by: David Mehren <dmehren1@gmail.com>
2019-10-27Inline publish and slideDavid Mehren1-10/+2
Signed-off-by: David Mehren <dmehren1@gmail.com>
2019-10-27Inline renderPublishDavid Mehren1-8/+4
Signed-off-by: David Mehren <dmehren1@gmail.com>
2019-10-27Move showPublishNote and publishNoteActions to note controllerDavid Mehren5-43/+99
Signed-off-by: David Mehren <dmehren1@gmail.com>
2019-10-27Move showNote to note controllerDavid Mehren2-105/+19
Signed-off-by: David Mehren <dmehren1@gmail.com>
2019-10-27Move note actions into their own fileDavid Mehren2-9/+131
Signed-off-by: David Mehren <dmehren1@gmail.com>
2019-10-27Rename actions.js to controller.js and rename functions to be more descriptiveDavid Mehren2-20/+31
Move postNote to NoteController and rename to createFromPost Signed-off-by: David Mehren <dmehren1@gmail.com>
2019-10-27Move slide actions to own fileDavid Mehren2-2/+86
Signed-off-by: David Mehren <dmehren1@gmail.com>
2019-10-27Fix errors constant in note/actions.jsDavid Mehren1-7/+7
Signed-off-by: David Mehren <dmehren1@gmail.com>
2019-10-27Move note actions to their own file.David Mehren12-67/+325
Because of circular import problems, this commit also moves the error messages from response.js to errors.js Signed-off-by: David Mehren <dmehren1@gmail.com>
2019-10-22Allow to generate lower case header references through the confighoijui1-1/+2
This makes the references consistent/compatible with GitHub, GitLab, Pandoc and many other tools. This behavior can be enabled in config.json with: ``` "linkifyHeaderStyle": "gfm" ``` Signed-off-by: hoijui <hoijui.quaero@gmail.com>
2019-09-04Refactored note-creation with given noteIdErik Michelson1-3/+3
Known bugs/features: - pushing towards an existing note results in an error 500 Signed-off-by: Erik Michelson <erik@liltv.de>
2019-09-04Added endpoint for note-creation with given aliasErik Michelson1-0/+2
Signed-off-by: Erik Michelson <erik@liltv.de>