path: root/lib

Commit log (commit message, author, date, files changed, lines removed/added)
* Sanitize username and photo URL
  David Mehren, 2021-05-09, 1 file changed, -2/+3

  HedgeDoc displays the username and user photo at various places by rendering the respective variables into an `ejs` template. As the values are user-provided or generated from user-provided data, it may be possible to inject unwanted HTML. This commit sanitizes the username and photo URL by passing them through the `xss` library.

  Co-authored-by: Christoph (Sheogorath) Kern <sheogorath@shivering-isles.com>
  Signed-off-by: David Mehren <git@herrmehren.de>

* Automatically enable protocolUseSSL when useSSL is set
  David Mehren, 2021-05-06, 1 file changed, -4/+11

  This makes the behavior consistent with the docs and saves the user from having to set both `useSSL` and `protocolUseSSL`.

  Signed-off-by: David Mehren <git@herrmehren.de>

* Fix upgradeInsecureRequests CSP directive
  David Mehren, 2021-05-04, 1 file changed, -2/+2

  The `upgradeInsecureRequests` option of Helmet's CSP middleware was a boolean in Helmet 3, but with Helmet 4 everything changed to lists. This commit adjusts the addUpgradeUnsafeRequestsOptionTo function accordingly.

  Closes #1221

  See also https://github.com/helmetjs/helmet/tree/v4.6.0/middlewares/content-security-policy

  Signed-off-by: David Mehren <git@herrmehren.de>

* Remove unneeded polyfill
  Erik Michelson, 2021-04-26, 1 file changed, -9/+0

  This polyfill was added because node versions less than 10.5.0 didn't include scrypt support. As we have now raised the minimum required version to 12.0.0, this polyfill isn't needed anymore.

  Signed-off-by: Erik Michelson <opensource@erik.michelson.eu>
* Merge pull request from GHSA-p528-555r-pf87
  David Mehren, 2021-04-25, 1 file changed, -3/+3

  Fix Relative Path Traversal Attack on note creation

  * Fix Relative Path Traversal Attack on note creation
    Sheogorath, 2021-04-25, 1 file changed, -3/+3

    Impact
    ---
    An attacker can read arbitrary `.md` files from the server's filesystem due to an [improper input validation](https://cwe.mitre.org/data/definitions/20.html), which results in the ability to perform a [relative path traversal](https://cwe.mitre.org/data/definitions/23.html).

    CVSSv3 string: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

    PoC / Quicktest
    ---
    To verify whether you are affected, you can try to open the following URL: `http://localhost:3000/..%2F..%2FREADME#` (replace `http://localhost:3000` with your instance's base URL, e.g. `https://demo.hedgedoc.org/..%2F..%2FREADME#`).

    - If you see a README page being rendered, you run an affected version.

    Analysis
    ---
    The attack works due to the fact that [the internal router passes the url-encoded alias](https://github.com/hedgedoc/hedgedoc/blob/master/lib/web/note/router.js#L26) to the `noteController.showNote` function. This function passes the input directly to the [`findNote()`](https://github.com/hedgedoc/hedgedoc/blob/78a732abe691b496fa3692aa2add37f7344db1fa/lib/web/note/util.js#L10) utility function, which passes it on to the [`parseNoteId()`](https://github.com/hedgedoc/hedgedoc/blob/78a732abe691b496fa3692aa2add37f7344db1fa/lib/models/note.js#L188-L258) function, which tries to make sense of the noteId/alias and checks whether a note already exists and, if so, whether a corresponding file on disk was updated.

    If no note exists, the [note creation function is called](https://github.com/hedgedoc/hedgedoc/blob/78a732abe691b496fa3692aa2add37f7344db1fa/lib/models/note.js#L240-L245), which passes this unvalidated alias, with `.md` appended, into a [`path.join()` call](https://github.com/hedgedoc/hedgedoc/blob/78a732abe691b496fa3692aa2add37f7344db1fa/lib/models/note.js#L99) whose result is read from the filesystem in the follow-up routine and provides the pre-filled content of the new note. This allows an attacker not only to read arbitrary `.md` files from the filesystem, but also to observe changes to them.

    The usefulness of this attack can be considered limited, since mainly markdown files use the file ending `.md` and all markdown files contained in the hedgedoc project, like the README, are public anyway. If other protections such as a chroot or container or proper file permissions are in place, this attack's usefulness is rather limited.

    Workarounds
    ---
    On a reverse-proxy level one can force a URL-decode, which will prevent this attack because the router will not accept such a path.

    For more information
    ---
    If you have any questions or comments about this advisory:
    * Open a topic on [our community forum](https://community.hedgedoc.org)
    * Join our [matrix room](https://chat.hedgedoc.org)

    Advisory link
    ---
    https://github.com/hedgedoc/hedgedoc/security/advisories/GHSA-p528-555r-pf87

    Signed-off-by: Christoph (Sheogorath) Kern <sheogorath@shivering-isles.com>
* Add custom prometheus metrics
  David Mehren, 2021-04-25, 1 file changed, -0/+49

  This reuses the `realtime.getStatus` method to get the state of the application on every prometheus scrape cycle.

  Signed-off-by: David Mehren <git@herrmehren.de>

* ImageRouterImgur: Replace imgur library with node-fetch request
  Philip Molares, 2021-04-22, 1 file changed, -6/+24

  This kinda is a backport of https://github.com/hedgedoc/hedgedoc/pull/961

  Signed-off-by: Philip Molares <philip.molares@udo.edu>

* Remove yahoo domain from default CSP rules
  Erik Michelson, 2021-03-29, 1 file changed, -1/+1

  Signed-off-by: Erik Michelson <opensource@erik.michelson.eu>

* Merge pull request #1079 from hedgedoc/fix/mimeTypes
  Yannick Bungers, 2021-03-29, 2 files changed, -4/+17

  * ImageUpload: Fix errors with .jpeg and .svg
    Philip Molares, 2021-03-29, 1 file changed, -2/+17

    This checks all files that claim to be an svg (by their extension) that they really are and defines the typeFromMagic accordingly. Files that got identified as jpg but have the extension .jpeg get their extension fixed. The file extensions will work in all cases now.

    Signed-off-by: Philip Molares <philip.molares@udo.edu>

  * Config: Remove image/jpg
    Philip Molares, 2021-03-28, 1 file changed, -2/+0

    This was done because both .jpg and .jpeg get the mime type 'image/jpeg' by FileType.

    Signed-off-by: Philip Molares <philip.molares@udo.edu>

* Add better logging messages
  Erik Michelson, 2021-03-29, 1 file changed, -2/+2

  Signed-off-by: Erik Michelson <opensource@erik.michelson.eu>

* Check for existing notes on POST and don't override them
  Erik Michelson, 2021-03-29, 2 files changed, -1/+17

  Previously one could override notes in FreeURL mode by sending multiple POST requests to the /new/<alias> endpoint. This commit adds a check for an already existing note with the requested alias and returns an HTTP 409 Conflict error in case that happens.

  Signed-off-by: Erik Michelson <opensource@erik.michelson.eu>
* Replace request library with node-fetch
  Erik Michelson, 2021-03-12, 1 file changed, -47/+58

  Signed-off-by: Erik Michelson <github@erik.michelson.eu>

* Run database migrations automatically on startup
  David Mehren, 2021-02-27, 1 file changed, -0/+31

  This commit removes the need for separate migrations with the sequelize-cli by running them with umzug on application startup.

  This is a port of #384

  Co-authored-by: Sheogorath <sheogorath@shivering-isles.com>
  Signed-off-by: David Mehren <git@herrmehren.de>

* Merge pull request #889 from hedgedoc/renovate/master-uuid-8.x
  David Mehren, 2021-02-25, 1 file changed, -2/+2

  * Use new uuid export
    David Mehren, 2021-02-16, 1 file changed, -2/+2

    Signed-off-by: David Mehren <git@herrmehren.de>

* Add HTTP 404 error on non-existent note downloads
  Erik Michelson, 2021-02-17, 2 files changed, -3/+6

  When FreeURL mode is enabled and you called the /download route, the note was created and the user redirected to the blank note. This is caused because the findNote method automatically creates a note when no existing one is found. This commit adds a new parameter to the findNote method which allows disabling this behaviour. In that case an HTTP 404 error will be returned.

  Signed-off-by: Erik Michelson <github@erik.michelson.eu>

* Linter: Fix all lint errors
  Philip Molares, 2021-02-15, 33 files changed, -425/+464

  Signed-off-by: Philip Molares <philip.molares@udo.edu>

* Switch to minio v7 API
  David Mehren, 2021-02-12, 1 file changed, -1/+1

  The secure parameter is now called useSSL. https://github.com/minio/minio-js/releases/tag/7.0.0

  Signed-off-by: David Mehren <git@herrmehren.de>

* Fix SAML auth error logging
  David Mehren, 2021-02-11, 1 file changed, -1/+1

  As stated in https://github.com/node-saml/passport-saml/blob/master/CHANGELOG.md#v200-2020-11-03 and the corresponding PR https://github.com/node-saml/passport-saml/pull/412, passport-saml now always throws error objects instead of strings. This fixes our error logging to accommodate this change.

  Signed-off-by: David Mehren <git@herrmehren.de>
* Fix note creation in FreeURL mode not using template
  Erik Michelson, 2021-02-02, 1 file changed, -3/+4

  As explained in #391, the previous note creation logic didn't handle the case "alias is set, but it's not a file on disk". The fix introduces a separate if-statement for this scenario at the cost of a doubled filesystem read access.

  Co-Authored-By: @evanlinde
  Signed-off-by: Erik Michelson <github@erik.michelson.eu>

* Don't add new config option in hackmd compatibility layer
  Nicolas Dietrich, 2021-01-23, 1 file changed, -1/+0

  Signed-off-by: Nicolas Dietrich <nidi@mailbox.org>

* Keep JS and env variable name in sync (requireFreeURLAuthentication)
  Nicolas Dietrich, 2021-01-23, 1 file changed, -1/+1

  Signed-off-by: Nicolas Dietrich <nidi@mailbox.org>

* Add config option which requires authentication in FreeURL mode
  Nicolas Dietrich, 2021-01-22, 4 files changed, -1/+4

  This mitigates unintended note creation by bots or humans through a simple GET call. See discussion in #754.

  Signed-off-by: Nicolas Dietrich <nidi@mailbox.org>

* Minor refactoring of freeURL condition check
  Nicolas Dietrich, 2021-01-22, 1 file changed, -4/+6

  Signed-off-by: Nicolas Dietrich <nidi@mailbox.org>

* Always save uploads to a tmpdir first and cleanup afterwards
  David Mehren, 2020-12-27, 2 files changed, -9/+24

  This makes sure no unintended files are permanently saved.

  Co-authored-by: Yannick Bungers <git@innay.de>
  Signed-off-by: David Mehren <git@herrmehren.de>

* Improve MIME-type checks of uploaded files
  David Mehren, 2020-12-27, 1 file changed, -4/+22

  This commit adds a check whether the MIME-type of the uploaded file (detected using the magic bytes) matches the file extension.

  Signed-off-by: David Mehren <git@herrmehren.de>

* Rework error messages for image uploads
  Sheogorath, 2020-12-27, 1 file changed, -4/+4

  This patch reworks the error messages for image uploads to make more sense. Instead of using the current `formidable error` for everything, all custom error detection now provides the (hopefully) more useful `Image Upload error` prefix for error messages.

  Signed-off-by: Christoph Kern <sheogorath@shivering-isles.com>

* Fix unauthenticated file uploads
  Sheogorath, 2020-12-27, 1 file changed, -0/+3

  This patch fixes the issue of unauthenticated users being able to upload files, even when anonymous edits are disabled. It's implemented by blocking uploads for all unauthenticated users when `allowAnonymous` is set to `false`, unless `allowAnonymousEdits` is set to true, to make sure anonymous editors still experience the full feature set.

  Signed-off-by: Christoph Kern <sheogorath@shivering-isles.com>

* Fix arbitrary file upload for uploadimage API endpoint
  Sheogorath, 2020-12-27, 1 file changed, -2/+8

  This patch fixes a security issue with all existing CodiMD and HedgeDoc installations which allows arbitrary file uploads to instances that expose the `/uploadimage` API endpoint. With the patch it imposes the same restrictions on the MIME-types as the frontend does. This means only images are allowed unless configured differently.

  This issue was reported by Thomas Lambertz.

  To verify whether you are vulnerable or not, create two files `test.html` and `test.png` and try to upload them to your hedgedoc installation.

  ```
  curl -X POST -F "image=@$(pwd)/test.html" http://localhost:3000/uploadimage
  curl -X POST -F "image=@$(pwd)/test.png" http://localhost:3000/uploadimage
  ```

  Note: Not all backends are affected. Imgur and lutim should prevent this by their own upload API. But S3, minio, filesystem and azure will be at risk.

  Additional note: When using filesystem instead of an external uploads provider, there is a higher risk of code injection as the default CSP does not block JS from the main domain.

  References: https://github.com/hedgedoc/hedgedoc/security/advisories/GHSA-wcr3-xhv7-8gxc

  Signed-off-by: Christoph Kern <sheogorath@shivering-isles.com>
* Merge pull request #609 from hedgedoc/fix/oauth2-auth
  David Mehren, 2020-12-02, 1 file changed, -12/+19

  Fix crash when OAuth2 config parameters are missing

  * Fix crash when OAuth2 config parameters are missing
    David Mehren, 2020-11-30, 1 file changed, -12/+19

    If the optional config options `config.oauth2.userProfileIdAttr` or `config.oauth2.rolesClaim` were not set, `String.split` was called on `undefined`, triggering a crash. This commit adds handling of these cases and improves error logging in `checkAuthorization`.

    Fixes #608

    Signed-off-by: David Mehren <git@herrmehren.de>

* Add missing catch
  Tilman Vatteroth, 2020-12-02, 1 file changed, -1/+2

  Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>

* Catch more errors
  Tilman Vatteroth, 2020-12-02, 9 files changed, -10/+31

  Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>

* [Migrations] Replace similar code
  Tilman Vatteroth, 2020-11-30, 1 file changed, -2/+1

  Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>

* [Migrations] Add variant of error message to catch block
  Tilman Vatteroth, 2020-11-30, 1 file changed, -1/+4

  Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>

* Merge pull request #597 from hedgedoc/fix/install-docs
  David Mehren, 2020-11-29, 1 file changed, -3/+3

  * Replace mentions of `config.js` with `config.json`
    David Mehren, 2020-11-27, 1 file changed, -3/+3

    Signed-off-by: David Mehren <git@herrmehren.de>

* Merge pull request #596 from hedgedoc/remove-pdf-export-code
  David Mehren, 2020-11-27, 7 files changed, -54/+2

  Remove pdf export code

  * Remove pdf export code
    Tilman Vatteroth, 2020-11-26, 7 files changed, -54/+2

    Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>

* Add oauth2 authorization
  Joachim Mathes, 2020-11-25, 2 files changed, -2/+26

  Signed-off-by: Joachim Mathes <joachim_mathes@web.de>

* apply review suggestions
  Tilman Vatteroth, 2020-11-15, 1 file changed, -1/+1

* Correct repo name
  Tilman Vatteroth, 2020-11-14, 1 file changed, -1/+1

  Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>

* Replace CodiMD with HedgeDoc
  Erik Michelson, 2020-11-14, 6 files changed, -6/+6

  Signed-off-by: Erik Michelson <github@erik.michelson.eu>
  Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>

  Rename to HedgeDoc: References in public/views
  Signed-off-by: David Mehren <git@herrmehren.de>
  Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>

  Rename to HedgeDoc: Update links in README
  Signed-off-by: David Mehren <git@herrmehren.de>
  Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>

  Rename to HedgeDoc: Update links in SECURITY.md
  Signed-off-by: David Mehren <git@herrmehren.de>
  Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>

  Rename to HedgeDoc: Update links in LICENSE
  Signed-off-by: David Mehren <git@herrmehren.de>
  Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>

  Rename to HedgeDoc: Update links in docs/configuration.md
  Signed-off-by: David Mehren <git@herrmehren.de>
  Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>

  Rename to HedgeDoc: Update links in bin/setup
  Signed-off-by: David Mehren <git@herrmehren.de>
  Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>

  Rename to HedgeDoc: References in docs/guides
  Signed-off-by: David Mehren <git@herrmehren.de>
  Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>

  Rename to HedgeDoc: References in docs/dev
  Signed-off-by: David Mehren <git@herrmehren.de>
  Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>

  Rename to HedgeDoc: References in docs/guides/auth
  Signed-off-by: David Mehren <git@herrmehren.de>
  Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>

  Rename to HedgeDoc: References in docs/setup
  Signed-off-by: David Mehren <git@herrmehren.de>
  Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>

  Rename to HedgeDoc: Update various links in code to the new GitHub org.
  Signed-off-by: David Mehren <git@herrmehren.de>
  Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>

  Rename to HedgeDoc: codiMDVersion.js is now hedgeDocVersion.js
  Signed-off-by: David Mehren <git@herrmehren.de>
  Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>

  Rename to HedgeDoc: References in docs/setup/yunohost
  Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>

  Rebrand to HedgeDoc: Add banner and logo
  Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>

  Rename to HedgeDoc: Update links in docs/guides/migrate-etherpad
  Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>

  Rename to HedgeDoc: Remove note in docs/guides/auth/github
  Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>

  Rename to HedgeDoc: Replace links in public/docs/features
  Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>

  Rename to HedgeDoc: Add todo placeholder in docs/history
  Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>

  Rename to HedgeDoc: Replace github link in public/views/index/body
  Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>

  Rename to HedgeDoc: Replace github link in README
  Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>

  Rename to HedgeDoc: Add logo to README
  Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>

  Rename to HedgeDoc: Add note about the renaming to the front page
  Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>

  Removed Travis from README.md and changed CodiMD to HedgeDoc in some places
  Signed-off-by: Yannick Bungers <git@innay.de>

  Some more renaming to HedgeDoc
  - Fixed capitalization of HedgeDoc
  - Added renaming for etherpad migration doc
  Signed-off-by: Yannick Bungers <git@innay.de>

  Changed Repo name to hedgedoc
  Signed-off-by: Yannick Bungers <git@innay.de>
* Merge pull request #509 from pierreozoux/quick-fix
  David Mehren, 2020-11-13, 1 file changed, -1/+1

  Makes the mime also work with upper case extension

  * Makes the mime also work with upper case extension
    pierreozoux, 2020-11-12, 1 file changed, -1/+1

    Signed-off-by: pierreozoux <pierre@ozoux.net>

* Save note title to database when creating a note
  David Mehren, 2020-11-11, 1 file changed, -1/+2

  Currently, when creating a note with content via the API, a title is only saved to the database after visiting the note with the browser. This commit makes sure that a title is saved at creation time.

  Closes #306

  Signed-off-by: David Mehren <git@herrmehren.de>

* Generic OAuth2: Set state: true
  Dexter Chua, 2020-10-22, 1 file changed, -1/+2

  The OAuth2 specification RECOMMENDS setting the state to protect against CSRF attacks. Some OAuth2 providers (e.g. ORY Hydra) refuse to authenticate without the state set.

  This is a cherry-pick of 852868419dc03d5dec79e75a3d7692ab670c927f.

  Signed-off-by: haslersn <sebastian.hasler@gmx.net>
| | | | | | | | | | | | | | | | | | | | The OAuth2 specification RECOMMENDS setting the state to protect against CSRF attacks. Some OAuth2 providers (e.g. ORY Hydra) refuse to authenticate without the state set. This is a cherry-pick of 852868419dc03d5dec79e75a3d7692ab670c927f. Signed-off-by: haslersn <sebastian.hasler@gmx.net>