summaryrefslogtreecommitdiff
path: root/lib (follow)
Commit message (Collapse)AuthorAgeFilesLines
* Disable PDF export due to security issueSheogorath2019-08-151-0/+6
| | | | | | | | | | | | As a temporary fix, to keep you and your users save, this patch disables the PDF export feature. Details of the attack along with a fix for future versions of CodiMD will be released in future. I hope you can live with this solution for this release because I'm super short on time and the alternative would be to ship no fix at all. This appears to be the better solution for this release. Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* Fix variable names for docker secretsSheogorath2019-08-151-5/+5
| | | | | | | It seems like since we switched to camelcase we missed to update some variable names in the config section. This patch fixes those. Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* fix: migration should return promisechandi2019-08-123-18/+18
| | | | Signed-off-by: chandi <git@chandi.it>
* Merge pull request #104 from SISheogorath/feature/dntSheogorath2019-07-201-2/+4
|\ | | | | Respect DNT header
| * Respect DNT headerSheogorath2019-06-081-2/+4
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Do Not Track (DNT) is an old web standard in order to notify pages that the user doesn't want to be tracked. Even while a lot of pages either ignore this header or even worse, use it for tracking purposes, the orignal intention of this header is good and should be adopted. This patch implements a respect of the DNT header by no longer including the optional Google Analytics and disqus integrations when sending a DNT header. This should reduce outside resource usage and help to stay more private. This should later-on extended towards other document content (i.e. iframe based content). The reason to not change the CDN handling is that CDNs will be deprecated with next release and removed in long term. Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* | Merge pull request #128 from dargmuesli/docker-secretsSheogorath2019-07-201-0/+1
|\ \ | | | | | | DB URL: Secret File Support
| * | Docker Secrets: Add DB URL SupportJonas Thelemann2019-07-011-0/+1
| | | | | | | | | | | | | | | | | | As the connection string may include a password it should be supported by Docker Secrets. Signed-off-by: Jonas Thelemann <e-mail@jonas-thelemann.de>
* | | Merge pull request #119 from lhw/patch-1Sheogorath2019-07-011-0/+2
|\ \ \ | |/ / |/| | Add SVG image detection based on file extension
| * | Add SVG image detection based on file extensionLennart Weller2019-06-181-0/+2
| | | | | | | | | | | | | | | | | | | | | Add simple SVG image detecetion base on the file extension .svg. This fixes the SVG being delivered as binary/octet-stream and makes it possible to embedd the SVG. Signed-off-by: Lennart Weller <lennart.weller@hansemerkur.de>
* | | fix: upgrade sequelize to latest version to fix CVEBoHong Li2019-06-115-745/+752
|/ / | | | | | | Signed-off-by: BoHong Li <a60814billy@gmail.com>
* / Rework debug loggingSheogorath2019-06-0815-69/+54
|/ | | | | | | | | | | | | | We have various places with overly simple if statements that could be handled by our logging library. Also a lot of those logs are not marked as debug logs but as info logs, which can cause confusion during debugging. This patch removed unneeded if clauses around debug logging statements, reworks debug log messages towards ECMA templates and add some new logging statements which might be helpful in order to debug things like image uploads. Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* Fix eslint warningsSheogorath2019-05-3139-86/+94
| | | | | | | | | | | Since we are about to release it's time to finally fix our linting. This patch basically runs eslint --fix and does some further manual fixes. Also it sets up eslint to fail on every warning on order to make warnings visable in the CI process. There should no functional change be introduced. Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* Merge pull request #82 from SISheogorath/fix/doubleCountSheogorath2019-05-261-0/+3
|\ | | | | Fix missing pictures for OpenID
| * Fix missing pictures for OpenIDSheogorath2019-05-261-0/+3
| | | | | | | | | | | | | | | | | | | | Currently a problem appears when using OpenID for authentication as there is no method to add a profile picture right now. This patch makes sure that all undefined login methods get a profile picture. Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* | Add config for toobusy middlewareSheogorath2019-05-253-0/+7
|/ | | | | | | | | | With very low CPU frequency or bad IO situation, as well as not-loaded JS CodiMD happens to present unneeded "I'm busy"-messages to users. This patch allows to configure the lag. The default is taken from the libray but set in our own default configs. Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* polyfilling scrypt for node 8.5+Claudius2019-05-131-4/+13
| | | | Signed-off-by: Claudius <opensource@amenthes.de>
* asyncified setting and verifying the passwordClaudius2019-05-132-11/+15
| | | | Signed-off-by: Claudius <opensource@amenthes.de>
* getting password hashing into a hook where it could be asyncClaudius2019-05-131-6/+14
| | | | Signed-off-by: Claudius <opensource@amenthes.de>
* Add lutim supportDylan Dervaux2019-04-104-3/+40
| | | | Signed-off-by: Dylan Dervaux <dylanderv05@gmail.com>
* Added a configuration option for passport-saml:Emmanuel Ormancey2019-04-064-1/+5
| | | | | | | | | | | disableRequestedAuthnContext: true|false By default only Password authmethod is accepted, this option allows any other method. Issue and option described here: https://github.com/bergie/passport-saml/issues/226 Signed-off-by: Emmanuel Ormancey <emmanuel.ormancey@cern.ch>
* Hide port from minio URL for protocol default portThor772019-04-061-1/+3
| | | | Signed-off-by: Thor77 <thor77@thor77.org>
* change default mode to "both" when clicking editStéphane Guillou2019-04-051-2/+2
| | | | | | | | | | Add "both" mode to URLs because I assume most people want to straight away see the code when they click the "edit" button in a published note. Fixes https://github.com/codimd/server/issues/27 Not tested, followed instructions from @ccoenen , please do review! :) Signed-off-by: Stéphane Guillou <stephane.guillou@member.fsf.org>
* Merge pull request #7 from SISheogorath/feature/libravatarChristoph (Sheogorath) Kern2019-03-311-1/+1
|\ | | | | Use libravatar as drop-in replacement for gravatar
| * Use libravatar as drop-in replacement for gravatarSheogorath2019-03-171-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | Since libravatar got a default fallback to Gravatar and in generell allows federated image hosting for avatars this shouldn't break any existing implementations. The federation functionality is not added yet. This would require to use the libravatar library. Details: https://wiki.libravatar.org/api/ Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* | Update links to new repositoriesSheogorath2019-03-271-1/+1
|/ | | | | | | | | | | | After a long discussion, it turned out that CodiMD as community project and HackMD as a company, have fundamental different views on the project governance. Due to this, it came to point where the decision for a fork was made. After the fork and move towards an own organisation, this patch updates all links inside the project to the new repositories. Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* Merge pull request #1131 from SISheogorath/fix/gitlabSnippetsChristoph (Sheogorath) Kern2019-03-091-1/+1
|\ | | | | Fix shown but broken GitLab snippets
| * Fix shown but broken GitLab snippetsSheogorath2019-03-051-1/+1
| | | | | | | | | | | | | | | | | | | | To provide a GitLab integration we need the GitLab integration to be configured. Otherwise we shouldn't show the Snippet button. This patch adds the requirement to the variable that decides if the import from snippets button shows up or not. Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* | Add required change for Google+ API deprecationSheogorath2019-03-091-1/+2
|/ | | | | | | | | | | Since Google+ is shutting down soon, we need to get the profile data from another URL. Since the library already supports it, all we need to do is adding a single line of code. Details: https://github.com/hackmdio/codimd/issues/1160 Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* Merge pull request #1153 from toshi0123/for_empty_serverurlChristoph (Sheogorath) Kern2019-03-051-1/+1
|\ | | | | Fix empty serverURL did not redirect properly
| * Fix empty serverURL did not redirect properlytoshi01232019-03-041-1/+1
| | | | | | | | Signed-off-by: toshi0123 <7948737+toshi0123@users.noreply.github.com>
* | Fix wrong value type for HSTS environment variableSheogorath2019-03-042-2/+2
| | | | | | | | | | | | | | Seem like also environment variables are affected. This patch fixes that as well. Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* | Fix names with spaces in letter-avatarsSheogorath2019-03-031-0/+1
|/ | | | | | | | Seems like there is a possible problem when a name containing a space is passed to this function. using urlencode on the name should fix possible problems here. Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* Disable OpenID by defaultSheogorath2019-01-251-1/+1
| | | | | | | | | We talked about that during a community call. It turned out that not everyone likes to have OpenID on their instance. This patch disables OpenID by default. Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* Fix broken PDF export by wrong unlink callSheogorath2019-01-241-1/+1
| | | | | | | | | | | We used `fs.unlink()` to remove the pdf file after we send it out to the client. This breaks in Node 10, when no function as second parameter is supplied. This patches changes it to the `fs.unlinkSync` function that doesn't have this requirement and this way doesn't crash. Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* Remove blueimp-md5 dependencyDaan Sprenkels2018-12-221-3/+7
| | | | Signed-off-by: Daan Sprenkels <hello@dsprenkels.com>
* Merge pull request #1105 from SISheogorath/fix/gistCSPChristoph (Sheogorath) Kern2018-12-211-1/+1
|\ | | | | Fix broken Gist embedding
| * Fix broken Gist embeddingSheogorath2018-12-201-1/+1
| | | | | | | | | | | | | | | | | | | | | | Looks like GitHub changed their asset system and our CSP prevented them from getting loaded. This patch should fix the Gist embedding with enabled CSP by replacing the old URL `https://assets-cdn.github.com` with the new `https://github.githubassets.com`. Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* | Update upload provider error messageDaan Sprenkels2018-12-211-1/+1
| | | | | | | | | | | | Fixes #1107. Signed-off-by: Daan Sprenkels <hello@dsprenkels.com>
* | Merge pull request #1103 from SISheogorath/fix/localImageUploadChristoph (Sheogorath) Kern2018-12-201-2/+2
|\ \ | | | | | | Fix usage of new URL API
| * | Fix usage of new URL APISheogorath2018-12-181-2/+2
| |/ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Due to the deprecation of the old `url`-API provided by NodeJS we replaced `url.resolve` with `url.URL.resolve`, which doesn't exist. This patch fixes the local filesystem upload of CodiMD by using the new API correctly. Creating an URL object and using its href. Some more background: https://nodejs.org/api/url.html#url_url_href https://nodejs.org/api/url.html#url_url_resolve_from_to Fixes https://github.com/hackmdio/codimd/issues/1102 Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* | Merge pull request #1091 from SISheogorath/fix/speakerNotesCSPChristoph (Sheogorath) Kern2018-12-061-1/+1
|\ \ | | | | | | Fix CSP for speaker notes
| * | Fix CSP for speaker notesSheogorath2018-12-051-1/+1
| |/ | | | | | | | | | | | | | | | | | | | | Looks like I was wrong in my previous commit to update revealjs.[1] The speaker notes broke again with the CSPs. So this patch updates the hash and this way the speaker notes. [1]: bcebf1e8d285184f8c905f00e0270621790e7b80 Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* / Fix disqus CSPSheogorath2018-12-051-1/+1
|/ | | | | | | | | | | | Disqus loads it's embed config.js from its root domain (https://disqus.com). Our CSPs only allow subdomains (e.g.: https://codimd.disqus.com). This causes the disqus embedding to fail. This patch should fix this problem by adding https://disqus.com to the CSP setting. From a security perspective there is no real change. Since still the same parties are involved. Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* Merge pull request #1086 from SISheogorath/feature/urlWarningChristoph (Sheogorath) Kern2018-12-011-0/+4
|\ | | | | Warn on missing serverURL
| * Warn on missing serverURLSheogorath2018-11-281-0/+4
| | | | | | | | | | | | | | | | | | | | | | We see some issues that are based on not properly configured `config.serverURL`. This patch adds a warning when `config.serverURL` is an empty value. This should provide users direct feedback about how to improve their configs. Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* | Merge pull request #1082 from cloudyu/pullChristoph (Sheogorath) Kern2018-11-282-4/+4
|\ \ | |/ |/| | | | | | | | | Fix wrong config options In `./lib/web/auth/` some config includes still used `config.serverurl` instead of the correct `config.serverURL`. This causes wrong URL in worst case. This patch should fix those problems and migrate the wrong statements to camelcase.
| * Fix typoCloudYu2018-11-272-4/+4
| | | | | | | | Signed-off-by: CloudYu <cloudyu322@gmail.com>
* | Prevent subdirectories in user exportDaan Sprenkels2018-11-281-9/+11
|/ | | | | | | | | This commit also refactors the code a bit, and adds a '-' separator between a filename and its duplicate index. This commit fixes #1079. Signed-off-by: Daan Sprenkels <hello@dsprenkels.com>
* Switch scrypt library to a successorSheogorath2018-11-211-1/+1
| | | | | | | | | | | | | Since our previous scrypt library is unmaintained since 3 years, it's time to look for an alternative. A refactoring towards another password algorithm was worked on and this is probably still the way to go. But for now the successor of our previous library should already be enough. https://www.npmjs.com/package/scrypt (old library) https://github.com/ml1nk/node-scrypt (new library) Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* Fix wrong maxAgeSeconds multiplicationSheogorath2018-11-191-1/+1
| | | | | | | | | | | | | | | | | | | It seems like the inital work on the hsts module expected milliseconds. This has either changed or was never true. Either way, it caused that the current defaults resulted in theory in a 1000 year HSTS policy. Luckily helmet was smart enough to not go higher than 1 year. Anyway, this patch fixes the multiplication of the configured size with 1000 by removing this multiplication. Also to simplify the reading of the defaults, we split them into their components, 60 times 60 seconds so we get one hour. 24 of those hours so we get a day and finally 365 days to get our original wanted default of one year. Reference: https://github.com/hackmdio/CodiMD/commit/d69d65ea7434eee85db4b905f0852f4d8fa7ecce Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>