'use strict'
// external modules
const fs = require('fs')
const path = require('path')
const LZString = require('lz-string')
const base64url = require('base64url')
const md = require('markdown-it')()
const metaMarked = require('meta-marked')
const cheerio = require('cheerio')
const shortId = require('shortid')
const Sequelize = require('sequelize')
const async = require('async')
const moment = require('moment')
const DiffMatchPatch = require('diff-match-patch')
const dmp = new DiffMatchPatch()
const S = require('string')
// core
const config = require('../config')
const logger = require('../logger')
// ot
const ot = require('../ot')
// permission types
const permissionTypes = ['freely', 'editable', 'limited', 'locked', 'protected', 'private']
module.exports = function (sequelize, DataTypes) {
// Sequelize model for a note: identifiers (UUID, shortid, optional alias),
// permission level, view counter, the text columns and two timestamps.
const Note = sequelize.define('Note', {
  id: {
    type: DataTypes.UUID,
    primaryKey: true,
    defaultValue: Sequelize.UUIDV4
  },
  shortid: {
    type: DataTypes.STRING,
    unique: true,
    allowNull: false,
    defaultValue: shortId.generate
  },
  alias: {
    type: DataTypes.STRING,
    unique: true
  },
  permission: {
    type: DataTypes.ENUM,
    values: permissionTypes
  },
  viewcount: {
    type: DataTypes.INTEGER,
    allowNull: false,
    defaultValue: 0
  },
  // title and content are read through sequelize.processData with '' as the
  // fallback argument and written through sequelize.stripNullByte.
  title: {
    type: DataTypes.TEXT,
    get () {
      const stored = this.getDataValue('title')
      return sequelize.processData(stored, '')
    },
    set (value) {
      const cleaned = sequelize.stripNullByte(value)
      this.setDataValue('title', cleaned)
    }
  },
  content: {
    type: DataTypes.TEXT('long'),
    get () {
      const stored = this.getDataValue('content')
      return sequelize.processData(stored, '')
    },
    set (value) {
      const cleaned = sequelize.stripNullByte(value)
      this.setDataValue('content', cleaned)
    }
  },
  // authorship is stored as JSON text; the getter hands JSON.parse to
  // processData with [] as the fallback argument.
  authorship: {
    type: DataTypes.TEXT('long'),
    get () {
      const stored = this.getDataValue('authorship')
      return sequelize.processData(stored, [], JSON.parse)
    },
    set (value) {
      const serialized = JSON.stringify(value)
      this.setDataValue('authorship', serialized)
    }
  },
  lastchangeAt: {
    type: DataTypes.DATE
  },
  savedAt: {
    type: DataTypes.DATE
  }
}, {
  paranoid: false,
  hooks: {
    // Fills in content, title and permission for a note that is being
    // created without them.
    beforeCreate (note, options) {
      return new Promise((resolve, reject) => {
        // A note created without content is pre-filled from a markdown file:
        // <docsPath>/<alias>.md when it exists, else the default note.
        if (!note.content) {
          // Only the last path segment of the alias is used, so an alias
          // containing ../ (the advisory notes the router hands it over
          // still URL-encoded) cannot make this lookup leave
          // config.docsPath. Before this guard the raw alias was joined
          // into the path, which let a request that needs no privileges
          // read any `.md` file the server process could open: relative
          // path traversal (CWE-23), advisory GHSA-p528-555r-pf87. The
          // advisory lists forcing a URL-decode at the reverse proxy as a
          // workaround for unpatched instances.
          const aliasPath = note.alias
            ? path.join(config.docsPath, path.basename(note.alias) + '.md')
            : null
          const templatePath = (aliasPath && Note.checkFileExist(aliasPath))
            ? aliasPath
            : config.defaultNotePath

          if (Note.checkFileExist(templatePath)) {
            // NOTE(review): fs.Stats.ctime is the inode change time, not the
            // creation time (that is birthtime) - confirm this is the value
            // createdAt is meant to carry.
            const fsCreatedTime = moment(fs.statSync(templatePath).ctime)
            const body = fs.readFileSync(templatePath, 'utf8')
            note.title = Note.parseNoteTitle(body)
            note.content = body
            // the default note keeps the database-assigned creation time
            if (templatePath !== config.defaultNotePath) {
              note.createdAt = fsCreatedTime
            }
          }
        }

        // Without an explicit permission, an owned note gets the configured
        // default and an ownerless note is 'freely' editable.
        if (!note.permission) {
          note.permission = note.ownerId ? config.defaultPermission : 'freely'
        }

        return resolve(note)
      })
    },
    // Stores the first revision of the freshly created note; a failure in
    // saveNoteRevision rejects the hook.
    afterCreate (note, options, callback) {
      return new Promise((resolve, reject) => {
        sequelize.models.Revision.saveNoteRevision(note, (err, revision) => {
          return err ? reject(err) : resolve(note)
        })
      })
    }
  }
})
// Declares the relations of Note: an owner and a last-changing user (both
// User rows), plus its revisions and authors. None of them creates a
// database-level constraint (constraints: false).
Note.associate = function (models) {
  const { User, Revision, Author } = models

  const ownerRelation = {
    foreignKey: 'ownerId',
    as: 'owner',
    constraints: false,
    onDelete: 'CASCADE',
    hooks: true
  }
  const lastChangeUserRelation = {
    foreignKey: 'lastchangeuserId',
    as: 'lastchangeuser',
    constraints: false
  }
  const revisionRelation = {
    foreignKey: 'noteId',
    constraints: false
  }
  const authorRelation = {
    foreignKey: 'noteId',
    as: 'authors',
    constraints: false
  }

  Note.belongsTo(User, ownerRelation)
  Note.belongsTo(User, lastChangeUserRelation)
  Note.hasMany(Revision, revisionRelation)
  Note.hasMany(Author, authorRelation)
}
// Returns true only when filePath can be stat'ed and is a regular file.
// Any stat failure (missing file, no permission, invalid path) yields false
// instead of throwing.
Note.checkFileExist = function (filePath) {
  let stats
  try {
    stats = fs.statSync(filePath)
  } catch (err) {
    return false
  }
  return stats.isFile()
}
// Turns a dashed UUID string into its URL-safe base64 form: the dashes are
// dropped, the remaining hex digits are read as raw bytes, and those bytes
// are base64url-encoded.
Note.encodeNoteId = function (id) {
  const hexDigits = id.replace(/-/g, '')
  const rawBytes = Buffer.from(hexDigits, 'hex')
  return base64url.encode(rawBytes)
}
// Reverses Note.encodeNoteId: decodes URL-safe base64 into hex digits and
// re-inserts the dashes of the 8-4-4-4-12 UUID layout. The result is not
// validated here; callers check it with Note.checkNoteIdValid.
Note.decodeNoteId = function (encodedId) {
  const hex = base64url.toBuffer(encodedId).toString('hex')
  const groupLengths = [8, 4, 4, 4, 12]
  let offset = 0
  const groups = groupLengths.map(function (length) {
    const group = hex.slice(offset, offset + length)
    offset += length
    return group
  })
  return groups.join('-')
}
// Reports whether id is a dashed UUID string: version digit 1-5, variant
// digit 8/9/a/b, hex digits in either case. The pattern is anchored at both
// ends, so surrounding characters make the id invalid.
Note.checkNoteIdValid = function (id) {
  const uuidPattern = /^[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$/i
  const matched = id.match(uuidPattern)
  return Boolean(matched) && matched.length === 1
}
// Resolves a note identifier taken from a request into the note's database
// id. Four strategies run in order through async.series: alias, legacy
// LZString encoding, base64url-encoded UUID, shortid.
//
// Two callbacks are in play:
//   - callback  (outer) is called directly as soon as a strategy finds an
//     id; the series is then not advanced any further.
//   - _callback (per step) moves on to the next strategy when called with
//     (null, null), or aborts the series when called with an error.
// When every strategy falls through, the final handler reports
// callback(null, null); on an error it logs and reports callback(err, null).
Note.parseNoteId = function (noteId, callback) {
  async.series({
    parseNoteIdByAlias: function (_callback) {
      // try to parse note id by alias (e.g. doc)
      Note.findOne({
        where: {
          alias: noteId
        }
      }).then(function (note) {
        if (note) {
          // Only the last path segment of noteId is used, so a value
          // containing ../ cannot point this lookup outside config.docsPath
          // (relative path traversal, advisory GHSA-p528-555r-pf87).
          const filePath = path.join(config.docsPath, path.basename(noteId) + '.md')
          if (Note.checkFileExist(filePath)) {
            // if the doc in the filesystem has a newer modified time than the
            // last change time, then the doc in the db is updated
            const fsModifiedTime = moment(fs.statSync(filePath).mtime)
            const dbModifiedTime = moment(note.lastchangeAt || note.createdAt)
            const body = fs.readFileSync(filePath, 'utf8')
            const contentLength = body.length
            const title = Note.parseNoteTitle(body)
            if (fsModifiedTime.isAfter(dbModifiedTime) && note.content !== body) {
              note.update({
                title,
                content: body,
                lastchangeAt: fsModifiedTime
              }).then(function (note) {
                sequelize.models.Revision.saveNoteRevision(note, function (err, revision) {
                  if (err) return _callback(err, null)
                  // update authorship after making a revision of the doc;
                  // userId is null because the change came from the file
                  const patch = dmp.patch_fromText(revision.patch)
                  const operations = Note.transformPatchToOperations(patch, contentLength)
                  let authorship = note.authorship
                  for (let i = 0; i < operations.length; i++) {
                    authorship = Note.updateAuthorshipByOperation(operations[i], null, authorship)
                  }
                  note.update({
                    authorship
                  }).then(function (note) {
                    return callback(null, note.id)
                  }).catch(function (err) {
                    return _callback(err, null)
                  })
                })
              }).catch(function (err) {
                return _callback(err, null)
              })
            } else {
              return callback(null, note.id)
            }
          } else {
            return callback(null, note.id)
          }
        } else {
          // No note with this alias yet: one is created only when a matching
          // markdown file exists in config.docsPath. The same basename guard
          // applies; the note content is filled in by the beforeCreate hook.
          const filePath = path.join(config.docsPath, path.basename(noteId) + '.md')
          if (Note.checkFileExist(filePath)) {
            // NOTE(review): the alias stored here is the raw noteId, while the
            // file lookup above used path.basename(noteId); for a noteId that
            // contains path separators the two differ - confirm whether the
            // alias should be normalised the same way.
            Note.create({
              alias: noteId,
              owner: null,
              permission: 'locked'
            }).then(function (note) {
              return callback(null, note.id)
            }).catch(function (err) {
              return _callback(err, null)
            })
          } else {
            return _callback(null, null)
          }
        }
      }).catch(function (err) {
        return _callback(err, null)
      })
    },
    // parsing the note id by LZString is deprecated, kept for compatibility
    parseNoteIdByLZString: function (_callback) {
      // Minimal string length of a base64-encoded UUID, minus one so that a
      // plain "greater than" comparison can be used. Ids of 47 characters or
      // fewer skip LZString entirely, which avoids most LZ-String parsing
      // errors; only ids of 48 characters or more are tried.
      const base64UuidLength = ((4 * 36) / 3) - 1
      if (!(noteId.length > base64UuidLength)) {
        return _callback(null, null)
      }
      // try to parse note id by LZString Base64
      try {
        const id = LZString.decompressFromBase64(noteId)
        if (id && Note.checkNoteIdValid(id)) { return callback(null, id) } else { return _callback(null, null) }
      } catch (err) {
        // NOTE(review): this compares against one exact engine error string;
        // a runtime that words the TypeError differently ends up in the
        // logger.error branch instead. Confirm against the supported Node
        // versions.
        if (err.message === 'Cannot read property \'charAt\' of undefined') {
          // NOTE(review): noteId is request-supplied and is written to the
          // log as-is; confirm the logger neutralises control characters.
          logger.warning('Looks like we can not decode "' + noteId + '" with LZString. Can be ignored.')
        } else {
          logger.error(err)
        }
        return _callback(null, null)
      }
    },
    parseNoteIdByBase64Url: function (_callback) {
      // try to parse note id by base64url; a decoding error is logged and
      // treated as "not this format"
      try {
        const id = Note.decodeNoteId(noteId)
        if (id && Note.checkNoteIdValid(id)) { return callback(null, id) } else { return _callback(null, null) }
      } catch (err) {
        logger.error(err)
        return _callback(null, null)
      }
    },
    parseNoteIdByShortId: function (_callback) {
      // try to parse note id by shortId; the database is only queried when
      // shortId.isValid accepts the value
      try {
        if (shortId.isValid(noteId)) {
          Note.findOne({
            where: {
              shortid: noteId
            }
          }).then(function (note) {
            if (!note) return _callback(null, null)
            return callback(null, note.id)
          }).catch(function (err) {
            return _callback(err, null)
          })
        } else {
          return _callback(null, null)
        }
      } catch (err) {
        return _callback(err, null)
      }
    }
  }, function (err, result) {
    // reached only when no strategy called the outer callback itself
    if (err) {
      logger.error(err)
      return callback(err, null)
    }
    return callback(null, null)
  })
}
// Derives the title and the tag list of a note from its raw text: the
// metadata block is split off, the markdown part is rendered and loaded
// into cheerio, and both are handed to the title and tag extractors.
Note.parseNoteInfo = function (body) {
  const { markdown, meta } = Note.extractMeta(body)
  const renderedHtml = md.render(markdown)
  const $ = cheerio.load(renderedHtml)
  const title = Note.extractNoteTitle(meta, $)
  const tags = Note.extractNoteTags(meta, $)
  return { title, tags }
}
// Derives only the title of a note from its raw text, using the same
// metadata split and markdown rendering as Note.parseNoteInfo.
Note.parseNoteTitle = function (body) {
  const { markdown, meta } = Note.extractMeta(body)
  const renderedHtml = md.render(markdown)
  const $ = cheerio.load(renderedHtml)
  return Note.extractNoteTitle(meta, $)
}
// Picks the note title. A truthy string or number in meta.title wins;
// otherwise the text of the first <h1> is used, but only when that text is
// a single line, and it is passed through stripTags first. Anything else
// ends up as 'Untitled'.
Note.extractNoteTitle = function (meta, $) {
  const metaTitle = meta.title
  const metaTitleUsable = metaTitle &&
    (typeof metaTitle === 'string' || typeof metaTitle === 'number')

  let title = ''
  if (metaTitleUsable) {
    title = metaTitle
  } else {
    const headings = $('h1')
    if (headings.length > 0) {
      const headingText = headings.first().text()
      if (headingText.split('\n').length === 1) {
        title = S(headingText).stripTags().s
      }
    }
  }
  return title || 'Untitled'
}
// Builds a short description: the first 100 characters of the markdown
// with every line break (\r\n, \r or \n) replaced by a single space.
Note.generateDescription = function (markdown) {
  const excerpt = markdown.slice(0, 100)
  return excerpt.replace(/(?:\r\n|\r|\n)/g, ' ')
}
// Returns the title unchanged, or 'Untitled' when it is empty or missing.
Note.decodeTitle = function (title) {
  return title ? title : 'Untitled'
}
// Builds the page title: the product tagline for a missing or 'Untitled'
// title, otherwise the note title followed by the product name.
Note.generateWebTitle = function (title) {
  if (!title || title === 'Untitled') {
    return 'HedgeDoc - Collaborative markdown notes'
  }
  return title + ' - HedgeDoc'
}
// Collects the tags of a note, without duplicates and in first-seen order.
// A truthy string or number in meta.tags is split on commas; otherwise the
// <code> elements inside every <h6> whose text starts a line with "tags"
// are used, each passed through stripTags. Empty entries are skipped.
Note.extractNoteTags = function (meta, $) {
  const candidates = []
  const metaTags = meta.tags

  if (metaTags && (typeof metaTags === 'string' || typeof metaTags === 'number')) {
    for (const piece of `${metaTags}`.split(',')) {
      const text = piece.trim()
      if (text) candidates.push(text)
    }
  } else {
    $('h6').each(function (key, heading) {
      // The regex literal stays inside the callback: it carries the g flag,
      // and a shared instance would keep lastIndex between headings.
      if (!/^tags/gmi.test($(heading).text())) return
      const codes = $(heading).find('code')
      for (let i = 0; i < codes.length; i++) {
        const text = S($(codes[i]).text().trim()).stripTags().s
        if (text) candidates.push(text)
      }
    })
  }

  const tags = []
  for (const candidate of candidates) {
    if (!tags.includes(candidate)) tags.push(candidate)
  }
  return tags
}
// Splits note text into { markdown, meta } with meta-marked. Missing parts
// are normalised to '' and {}. When parsing throws, the whole content is
// treated as markdown with empty metadata, so bad metadata never blocks a
// note from being handled.
Note.extractMeta = function (content) {
  try {
    const parsed = metaMarked(content)
    if (!parsed.markdown) parsed.markdown = ''
    if (!parsed.meta) parsed.meta = {}
    return parsed
  } catch (err) {
    return {
      markdown: content,
      meta: {}
    }
  }
}
// Copies the known metadata keys of a note into a fresh object and drops
// everything else. This is an allow-list with a type check per key: text
// keys accept a truthy string or number, lang accepts a string only, and
// slideOptions / opengraph accept any truthy object. The contents of those
// two objects are passed on by reference and are not inspected here.
Note.parseMeta = function (meta) {
  const accepted = {}
  if (!meta) return accepted

  const isText = (value) => typeof value === 'string' || typeof value === 'number'
  const isString = (value) => typeof value === 'string'
  const isObject = (value) => typeof value === 'object'

  const rules = [
    ['title', isText],
    ['description', isText],
    ['robots', isText],
    ['lang', isString],
    ['GA', isText],
    ['disqus', isText],
    ['slideOptions', isObject],
    ['opengraph', isObject]
  ]

  for (const [key, hasAllowedType] of rules) {
    const value = meta[key]
    if (value && hasAllowedType(value)) accepted[key] = value
  }
  return accepted
}
// Produces the OpenGraph data of a note. meta.opengraph is used when set
// and is completed in place, so the caller's object receives the defaults
// too; otherwise a new object is built. Defaults: title falls back to the
// given title, description to meta.description or '', type to 'website'.
Note.parseOpengraph = function (meta, title) {
  const ogData = meta.opengraph ? meta.opengraph : {}
  const isText = (value) => typeof value === 'string' || typeof value === 'number'

  const hasTitle = ogData.title && isText(ogData.title)
  if (!hasTitle) {
    ogData.title = title
  }

  const hasDescription = ogData.description && isText(ogData.description)
  if (!hasDescription) {
    ogData.description = meta.description || ''
  }

  const hasType = ogData.type && typeof ogData.type === 'string'
  if (!hasType) {
    ogData.type = 'website'
  }

  return ogData
}
// Applies one text operation to the authorship list of a note and returns
// the updated list.
//
//   operation   - array of ops, classified with ot.TextOperation.isRetain /
//                 isInsert / isDelete
//   userId      - author to record for inserted text; entries with a falsy
//                 userId are removed again in the final "clear" pass
//   authorships - array of [userId, startPos, endPos, createdAt, updatedAt];
//                 it is modified in place, except when a single-op delete
//                 replaces it with a new empty array
//
// After all ops are applied, adjacent ranges of the same user are merged.
Note.updateAuthorshipByOperation = function (operation, userId, authorships) {
  // index is the running position in the text as ops are walked
  let index = 0
  const timestamp = Date.now()
  for (let i = 0; i < operation.length; i++) {
    const op = operation[i]
    if (ot.TextOperation.isRetain(op)) {
      index += op
    } else if (ot.TextOperation.isInsert(op)) {
      const opStart = index
      const opEnd = index + op.length
      let inserted = false
      // authorship format: [userId, startPos, endPos, createdAt, updatedAt]
      if (authorships.length <= 0) authorships.push([userId, opStart, opEnd, timestamp, timestamp])
      else {
        for (let j = 0; j < authorships.length; j++) {
          const authorship = authorships[j]
          if (!inserted) {
            // -1 marks "no following entry"
            const nextAuthorship = authorships[j + 1] || -1
            // act on this entry when the next one starts at or after the end
            // of the insert, or when this is the last entry
            if ((nextAuthorship !== -1 && nextAuthorship[1] >= opEnd) || j >= authorships.length - 1) {
              if (authorship[1] < opStart && authorship[2] > opStart) {
                // divide: the insert lands inside this range, so the range is
                // cut at opStart and its tail is re-added after the new entry
                const postLength = authorship[2] - opStart
                authorship[2] = opStart
                authorship[4] = timestamp
                authorships.splice(j + 1, 0, [userId, opStart, opEnd, timestamp, timestamp])
                authorships.splice(j + 2, 0, [authorship[0], opEnd, opEnd + postLength, authorship[3], timestamp])
                // skip the two entries that were just added
                j += 2
                inserted = true
              } else if (authorship[1] >= opStart) {
                // the range starts at or after the insert: new entry goes before it
                authorships.splice(j, 0, [userId, opStart, opEnd, timestamp, timestamp])
                j += 1
                inserted = true
              } else if (authorship[2] <= opStart) {
                // the range ends at or before the insert: new entry goes after it
                authorships.splice(j + 1, 0, [userId, opStart, opEnd, timestamp, timestamp])
                j += 1
                inserted = true
              }
            }
          }
          // shift ranges that start at or after the insert position
          if (authorship[1] >= opStart) {
            authorship[1] += op.length
            authorship[2] += op.length
          }
        }
      }
      index += op.length
    } else if (ot.TextOperation.isDelete(op)) {
      // NOTE(review): op is presumably a negative count here (Note.transformPatchToOperations
      // pushes -length for deletes), which makes opEnd = index - op the end of
      // the deleted span - confirm against ot.TextOperation.
      const opStart = index
      const opEnd = index - op
      if (operation.length === 1) {
        // an operation consisting of a single delete clears all authorship
        authorships = []
      } else if (authorships.length > 0) {
        for (let j = 0; j < authorships.length; j++) {
          const authorship = authorships[j]
          if (authorship[1] >= opStart && authorship[1] <= opEnd && authorship[2] >= opStart && authorship[2] <= opEnd) {
            // range lies entirely inside the deleted span: drop it
            authorships.splice(j, 1)
            j -= 1
          } else if (authorship[1] < opStart && authorship[1] < opEnd && authorship[2] > opStart && authorship[2] > opEnd) {
            // deleted span lies entirely inside the range: move the end by op
            authorship[2] += op
            authorship[4] = timestamp
          } else if (authorship[2] >= opStart && authorship[2] <= opEnd) {
            // range end falls inside the deleted span: cut it at opStart
            authorship[2] = opStart
            authorship[4] = timestamp
          } else if (authorship[1] >= opStart && authorship[1] <= opEnd) {
            // range start falls inside the deleted span: move it to opEnd
            authorship[1] = opEnd
            authorship[4] = timestamp
          }
          // shift ranges that start at or after the end of the deleted span
          if (authorship[1] >= opEnd) {
            authorship[1] += op
            authorship[2] += op
          }
        }
      }
      index += op
    }
  }
  // merge: join an entry with a later one of the same user that starts
  // exactly where it ends; slot 3 gets the smaller and slot 4 the larger of
  // the two createdAt values
  for (let j = 0; j < authorships.length; j++) {
    const authorship = authorships[j]
    for (let k = j + 1; k < authorships.length; k++) {
      const nextAuthorship = authorships[k]
      if (nextAuthorship && authorship[0] === nextAuthorship[0] && authorship[2] === nextAuthorship[1]) {
        const minTimestamp = Math.min(authorship[3], nextAuthorship[3])
        const maxTimestamp = Math.max(authorship[3], nextAuthorship[3])
        authorships.splice(j, 1, [authorship[0], authorship[1], nextAuthorship[2], minTimestamp, maxTimestamp])
        authorships.splice(k, 1)
        // re-examine the merged entry against the remaining ones
        j -= 1
        break
      }
    }
  }
  // clear: remove entries that carry no user id
  for (let j = 0; j < authorships.length; j++) {
    const authorship = authorships[j]
    if (!authorship[0]) {
      authorships.splice(j, 1)
      j -= 1
    }
  }
  return authorships
}
// Converts a diff-match-patch patch list into one operation array per
// patch. In an operation a number is a retain count, a string is inserted
// text and a negative number is a delete count.
//
//   patch         - array of patches, each with start1 and diffs, where a
//                   diff is [kind, text] and kind is 0 (retain), 1 (insert)
//                   or -1 (delete)
//   contentLength - length of the content after the patch was applied
Note.transformPatchToOperations = function (patch, contentLength) {
  const RETAIN = 0
  const INSERT = 1
  const DELETE = -1

  const operations = []
  if (patch.length === 0) return operations

  // Undo every insert and delete to get the length of the content before
  // the patch was applied.
  let originalLength = contentLength
  for (const entry of patch) {
    for (const [kind, text] of entry.diffs) {
      if (kind === INSERT) {
        originalLength -= text.length
      } else if (kind === DELETE) {
        originalLength += text.length
      }
    }
  }

  // deletedSoFar and insertedSoFar accumulate across patches
  let deletedSoFar = 0
  let insertedSoFar = 0
  for (const entry of patch) {
    const operation = []
    const lastDiffIndex = entry.diffs.length - 1
    // length available to this patch, fixed before its diffs are walked
    const lengthForPatch = originalLength - deletedSoFar
    let cursor = entry.start1

    entry.diffs.forEach(function ([kind, text], position) {
      if (kind === RETAIN) {
        if (position === 0) {
          // first diff: retain everything up to the end of the leading context
          operation.push(cursor + text.length)
        } else if (position !== lastDiffIndex) {
          // context between two changes
          operation.push(text.length)
        } else {
          // last diff: retain through to the end of the content
          operation.push(lengthForPatch + insertedSoFar - cursor)
        }
        cursor += text.length
      } else if (kind === INSERT) {
        operation.push(text)
        insertedSoFar += text.length
        cursor += text.length
      } else if (kind === DELETE) {
        operation.push(-text.length)
        deletedSoFar += text.length
        cursor += text.length
      }
    })

    operations.push(operation)
  }
  return operations
}
return Note
}