Commit graph

673 commits

Author SHA1 Message Date
David Mehren
380587b7fd Ensure case-sensitive DB queries on MySQL/MariaDB
MySQLs string comparisons are case-insensitive by default.
This allows to hide notes by creating a new note with an alias that
equals the lower-cased alias of another note.
The new note is returned first by MySQL, so the original one is not
accessible anymore.

This fixes the problem by using an explicit binary comparison in the
affected queries.

See https://dev.mysql.com/doc/refman/8.0/en/case-sensitivity.html

Signed-off-by: David Mehren <git@herrmehren.de>
2024-09-01 13:54:18 +02:00
David Mehren
1f8f09c539 fix(deps): use meta-marked from NPM
Signed-off-by: David Mehren <git@herrmehren.de>
2024-08-31 18:44:35 +02:00
Erik Michelson
858d7bf5d1 feat: option to disable note creation
The abuse of the demo instance required us to disallow note creation

Signed-off-by: Erik Michelson <github@erik.michelson.eu>
Signed-off-by: Tilman Vatteroth <git@tilmanvatteroth.de>
2024-07-21 11:03:35 +02:00
Erik Michelson
c85b11463d fix(minio): metadata as object not string
A change in the minio JS SDK resulted in uploads being stored
with a defect metadata object in minio, resulting in all
files served as application/octet-stream. This was caused as
the fifth argument to putObject is a metadata object and not
the content-type alone anymore.

Signed-off-by: Erik Michelson <github@erik.michelson.eu>
2024-06-20 21:58:17 +02:00
Sheogorath
1f1b2bd386 fix(oauth2): Fix crash in rolesClaim extraction
This patch adds a try-catch around the rolesClaim extraction to prevent
full crashes of HedgeDoc when a user profile is read, that doesn't
contain any such claim, which can happen with some IdPs, like Keycloak,
that omit the attribute when it's empty.

As a result an authorized user would crash the entire server, which is
definitely unintended behaviour. The simply try-catch should resolve the
issue and make sure that roles is always defined even if the
`extractProfileAttribute` call fails.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2023-10-19 19:34:44 +02:00
Tilman Vatteroth
cd26aaa86e fix: use better already-exist check in note creation
Signed-off-by: Tilman Vatteroth <git@tilmanvatteroth.de>
2023-07-18 23:18:21 +02:00
Tilman Vatteroth
d856c0acb5 fix: accept request body only if string
Signed-off-by: Tilman Vatteroth <git@tilmanvatteroth.de>
2023-07-18 23:18:21 +02:00
Tilman Vatteroth
e7327afbae fix: don't create notes if not found in presentation route
Signed-off-by: Tilman Vatteroth <git@tilmanvatteroth.de>
2023-07-18 21:13:29 +02:00
Dennis Gaida
e371d6dcfa Update dockerSecret.js
Adding OAUTH2 secrets so they can be set using docker secrets.

Signed-off-by: Dennis Gaida <2392217+DennisGaida@users.noreply.github.com>
2023-06-09 17:03:17 +02:00
Erik Michelson
143864b8d9 enhancement(metrics): allow disabling via config option
Signed-off-by: Erik Michelson <github@erik.michelson.eu>
2023-06-04 21:03:46 +02:00
Julian Rother
2eb4c8e05f Fix premature note cleanup on error
Connection forbidden errors cause cleanup of note state without first
checking if other clients are still connected to the note. This leads
to inconsistent pad content and changes not being saved properly.

This change reverts parts of 725e982 (Fix realtime on forbidden not clean
up properly ...). The call to `interruptConnection()` on permission errors
is redundant, since `failConnection()` and `disconnect()` already perform
all required cleanup in this case. The other call to `interruptConnection()`
only happens when a client (the first client for a note) disconnects while
the note is being loaded from the database. It is refactored for clarity.

Fixes #3894

Co-authored-by: David Mehren <git@herrmehren.de>
Signed-off-by: Julian Rother <julian@jrother.eu>
2023-05-28 16:10:51 +02:00
Erik Michelson
9949e3a875 feat(healthcheck): add /_health endpoint
This endpoint returns the internal readiness state used by
the realtime code to indicate whether HedgeDoc is performing
properly. As it only returns the state of a variable, it is
less resource hungry compared to a call to /status for
checking the health of HedgeDoc.

By prepending the route with an underscore, it should not be conflicting with already created pads in FreeURL mode.

Signed-off-by: Erik Michelson <github@erik.michelson.eu>
2023-03-19 22:09:16 +01:00
Jordi Mallach
9bda8f2180 Allow setting documentMaxLength via CMD_DOCUMENT_MAX_LENGTH
Signed-off-by: Jordi Mallach <jordi@igalia.com>
2023-03-09 10:20:42 +01:00
Tilman Vatteroth
e2b84e134a fix: extend parsing of boolean environment vars
Signed-off-by: Tilman Vatteroth <git@tilmanvatteroth.de>
2023-03-02 21:12:27 +01:00
Tilman Vatteroth
fec5e09664 fix(image-router): correct usage of rimraf
Signed-off-by: Tilman Vatteroth <git@tilmanvatteroth.de>
2023-02-12 20:58:02 +01:00
Stéphane Maniaci
488e5f8a0a Revert "config: Add a flag to control the /metrics and /status endpoints"
This reverts commit d10ead4c6c.

Signed-off-by: Stéphane Maniaci <stephane.maniaci@beta.gouv.fr>
2023-02-05 20:39:13 +01:00
Stéphane Maniaci
d10ead4c6c config: Add a flag to control the /metrics and /status endpoints
It can be a security concern in some environments to expose system
capabilities even though they don't expose any PII. Add some
flags (defaulted `true` to maintain existing behaviour) to control
whether the /metrics and /status (and anything in the StatusRouter)
are exposed.

Signed-off-by: Stéphane Maniaci <stephane.maniaci@beta.gouv.fr>
2023-01-31 10:26:41 +01:00
Erik Michelson
0a9939cfb4 fix(user-export): sanitize filenames in zip properly
Signed-off-by: Erik Michelson <github@erik.michelson.eu>
2022-11-27 20:51:37 +01:00
David Mehren
f606a7825f refactor(migrations): move cleanup code into migration
We cannot execute the cleanup script as a subprocess with sqlite,
as we now wrap the migrations in a SAVEPOINT, which blocks a second
process.

This moves the cleanup code into the migration file, so it can be
executed in-process.

Signed-off-by: David Mehren <git@herrmehren.de>
2022-11-06 22:24:48 +01:00
David Mehren
c83eb7ec7e style(migrations): fix formatting errors
Signed-off-by: David Mehren <git@herrmehren.de>
2022-11-06 22:24:48 +01:00
Philip Molares
638c2f6740 fix(migrations): don't run with foreign keys activated
This PR deactivates and reactivates the foreign_keys in the DB for the duration of all migrations.
This prevents a cascade of deletion, when table columns are changed and tables get recreated by sequelize.

Fixes #2809

Signed-off-by: Philip Molares <philip.molares@udo.edu>
2022-11-06 22:24:48 +01:00
David Mehren
63f33f1737 Fix express deprecation warning
Signed-off-by: David Mehren <git@herrmehren.de>
2022-10-30 22:15:16 +01:00
David Mehren
3aeb2a619b Pass through breaks option to published note
The markdown for the publish-view is generated
using the `Note.extractMeta` method.
It uses meta-marked to separate the metadata from markdown.
Only the raw markdown is then sent to the client,
so it cannot respect the `breaks` option.

This adds an evil hack to send the `breaks` option with the markdown
if it is contained in the metadata block.

Fixes https://github.com/hedgedoc/hedgedoc/issues/2358

Signed-off-by: David Mehren <git@herrmehren.de>
2022-10-03 20:18:16 +02:00
Tilman Vatteroth
68466f6f09 fix: Change data type of history attribute in user table to long text
When using mysql the normal text attribute has a fixed size. When this size is reached then the json will be cut off and becomes invalid.

Signed-off-by: Tilman Vatteroth <git@tilmanvatteroth.de>
2022-09-25 11:09:23 +02:00
Tilman Vatteroth
9254c0dc39 Convert history attribute in user table to longtext
Signed-off-by: Tilman Vatteroth <git@tilmanvatteroth.de>
2022-09-25 11:09:23 +02:00
David Mehren
9ab8bf3cac Fix crash in LDAP authentication
Since https://github.com/vesse/node-ldapauth-fork/commit
/741a648df98d789856b3301d65103b74872fdeea, ldapauth-fork calls `push` on
 the attributes array.

 Since we deep-freeze our config object in https://github
 .com/hedgedoc/hedgedoc/blob/master/lib/config/index.js#L200, this
 causes a crash.

 This commit fixes the crash by creating a mutable clone of the LDAP
 config and passing that to the LDAP strategy.

 Fixes https://github.com/hedgedoc/hedgedoc/issues/2561

Signed-off-by: David Mehren <git@herrmehren.de>
2022-08-22 09:01:04 +02:00
Lautaro Alvarez
3585dc9ee6 Upload file to s3: make public a file on upload and allow to configure destination folder
New configurations:
- s3folder: (string) folder to save the files inside bucket
- s3publicFiles: (boolean) indicate if should send ACL parameters

Signed-off-by: Lautaro Alvarez <lautarolalvarez@gmail.com>
2022-07-10 17:44:17 +02:00
Renovate Bot
0e8631a5dc fix(deps): update dependency passport to ^0.6.0
Signed-off-by: Renovate Bot <bot@renovateapp.com>
Signed-off-by: David Mehren <git@herrmehren.de>
2022-06-05 22:36:55 +02:00
Sheogorath
dd539273fb fix(migrations): Remove unexpected shell call
This patch removes the call of `/usr/bin/env` when calling the migration
script in favour of using the processes own nodejs invocation path.

This should drop the requirement for `/usr/bin/env` to exist on a
system/in a container that runs hedgedoc.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2022-05-17 14:04:02 +02:00
David Mehren
d26dcd04a1
Adapt code for eslint-config-standard 17
Signed-off-by: David Mehren <git@herrmehren.de>
2022-05-01 21:19:44 +02:00
David Mehren
f544b15eea
Ignore stderr when calling git executable
This hopefully prevents confusing error messages in the docker image.

Signed-off-by: David Mehren <git@herrmehren.de>
2022-04-10 21:49:25 +02:00
Erik Michelson
0093aa4783 Fix GitLab snippet export
The snippet export broke due to two reasons.
First of all, the request to GitLab fail in the
default configuration due to the CSP not being
set properly. This commit adds the configured
GitLab base url to the connect-src directives.
The second problem is a change in the GitLab API
spec. Instead of `code` and `file_name` the
GitLab API now requires an `files` array with
`content` and `file_path` entries per snippet.

Signed-off-by: Erik Michelson <github@erik.michelson.eu>
2022-04-10 21:24:30 +02:00
David Mehren
0195f16d9a
Fix linter errors in imageRouter
Signed-off-by: David Mehren <git@herrmehren.de>
2022-04-10 21:16:35 +02:00
Sheogorath
9e2f9e21e9 fix(imageRouter): Fix enumerable image upload issue
This patch adds an own filename function for `formidable`, which will
make sure to generate a random file name, using UUIDv4. This should
resolve GHSA-q6vv-2q26-j7rx.

This change is required due to a change in behaviour from version 1 to
version 2 of formidable. Formidable version 2 will generate predictable
filenames by default, which results in potential access to images, that
were uploaded while formidable v2 was used in Hedgedoc. This affects the
versions `1.9.1` and `1.9.2`.

Files generated previous to this commit will look like this:

```
<random string generated on app start><counter>.<file-extension>
38e56506ec2dcab52e9282c00.jpg
38e56506ec2dcab52e9282c01.jpg
38e56506ec2dcab52e9282c02.jpg
```

After this patch it'll look like this:

```
<uuid v4>.<file-extension>
a67f36b8-9afb-43c2-9ef2-a567a77d8628.jpg
56b3d5d0-c586-4679-9ae6-d2044843c2cd.jpg
2af727ac-a2d4-4aad-acb5-73596c2a7eb6.jpg
```

This patch was implemented using `uuid` since we already utilise this
package elsewhere in the project as well as using a secure function to
generate random strings. UUIDv4 is ideal for that. In order to be
consumable by formidable, it was wrapped in a function that makes sure
to keep the file extension.

This vulnerability was reported by Matias from [NCSC-FI](https://www.kyberturvallisuuskeskus.fi/).

References:
https://github.com/node-formidable/formidable/blob/v2-latest/src/Formidable.js#L574
https://github.com/node-formidable/formidable/issues/808#issuecomment-1007090762
https://www.npmjs.com/package/uuid
2022-04-10 21:08:32 +02:00
Moritz Schlarb
e6fc9f01a3 Allow SAML authentication provider to be named
Using `CMD_SAML_PROVIDERNAME` and the respective auth provider objects
in the configuration structures.

Signed-off-by: Moritz Schlarb <schlarbm@uni-mainz.de>
2022-03-20 19:59:53 +01:00
Erik Michelson
d8faf3e342
Use identicons as fallback for libravatar
The usage of identicons makes users more distinguishable as when only the default librvatar image is used.
This only applies to users that have no avatar on libravatar or gravatar.

Signed-off-by: Erik Michelson <github@erik.michelson.eu>
2022-01-07 14:03:26 +01:00
Erik Michelson
6e983ba5dc
Use libravatar image if email address is defined
We use the attribute `emails` (plural) for email addresses with other auth providers like LDAP or SAML. In case of OAuth2 we used the attribute `email` (singular) which resulted in problems.
Furthermore the OAuth2 strategy fell into the default fallback of the provider switch statement. This statement did not check email addresses but did generate the letter-avatar instantly.

Signed-off-by: Erik Michelson <github@erik.michelson.eu>
2022-01-07 14:01:32 +01:00
Yannick Bungers
386c08a339
Merge branch 'master' into renovate/master-formidable-2.x 2021-12-02 19:59:39 +01:00
David Mehren
6acb23f26d
Fix checkUploadType after upgrade to file-type 17
This package is now ESM-only, so we need to `import()` it and
raise the oldest supported Node version.

Signed-off-by: David Mehren <git@herrmehren.de>
2021-12-02 17:30:47 +01:00
David Mehren
7c5c2f7981
Fix imageRouter after upgrade to formidable 2
file.path is now file.filepath, and we need to use the proper constructor

See https://github.com/node-formidable/formidable/blob/master/CHANGELOG.md#200

Signed-off-by: David Mehren <git@herrmehren.de>
2021-12-02 17:19:24 +01:00
Tilman Vatteroth
d7a3e0f58c
Don't throw error if gitlab response is not okay-ish
Signed-off-by: Tilman Vatteroth <git@tilmanvatteroth.de>
2021-10-29 20:57:20 +02:00
Tilman Vatteroth
d7986b1920
Refactor existing code to add the configured domain to connect-src
Signed-off-by: Tilman Vatteroth <git@tilmanvatteroth.de>
2021-09-16 19:43:20 +02:00
David Mehren
957d7d553e
Merge pull request #1394 from hedgedoc/remove-cdn 2021-08-15 20:11:26 +02:00
David Mehren
e6d167c63c
CSP: Allow all sources for media
Otherwise, `video` tags and reveal background video
does not work

Signed-off-by: David Mehren <git@herrmehren.de>
2021-08-15 00:35:57 +02:00
David Mehren
6c722f0ad6
Add config option to disallow embedding PDFs
Signed-off-by: David Mehren <git@herrmehren.de>
2021-08-15 00:22:31 +02:00
David Mehren
c002c7b681
CSP: Allow self as manifest-src
Chrome complains otherwise, as it can't download the Web Manifest.

Signed-off-by: David Mehren <git@herrmehren.de>
2021-08-15 00:22:31 +02:00
David Mehren
46cd60c510
CSP: Allow self as frame-src
The reveal.js speaker view uses frames to display the slides

Signed-off-by: David Mehren <git@herrmehren.de>
2021-08-15 00:22:30 +02:00
David Mehren
1642242078
CSP: Allow styles from /css/
Reveal.js styles are hosted there

Signed-off-by: David Mehren <git@herrmehren.de>
2021-08-15 00:22:30 +02:00
David Mehren
1c0af5f75d
Cleanup csp.js
Signed-off-by: David Mehren <git@herrmehren.de>
2021-08-15 00:22:30 +02:00
David Mehren
bd44cbc16c
Add config option to disallow framing via CSP
Signed-off-by: David Mehren <git@herrmehren.de>
2021-08-15 00:22:30 +02:00