Meta-marked 0.4.4 which we used from our git repository contains a
RegexDOS attack in the marked dependency. The dependency was already
updated in our meta-marked repository, but not updated in yarn.
This made us still vulnerable to this ReDOS which was able to cause a
DOS attack on the server when updating a note.
For Details:
https://github.com/markedjs/marked/releases/tag/v0.7.0https://github.com/markedjs/marked/pull/1515
What is a ReDOS?
A ReDOS attack is a DOS attack where an attacker targets a
not-well-written Regular Expression. Regular expressions try to build a
tree of all possibilities it can match in order to figure out if the
given statement is valid or not. A ReDOS attack abuses this concept by
providing a statement that doesn't match but causes extremly huge trees
that simply lead to exhausting CPU usage.
For more details see: https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS
Credit:
Huge thanks to @bitinerant for finding this and handling it with a
responsible disclosure.
Also thanks to the `marked`-team for fixing things already.
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
I just noticed that shields.io provides some nice new badges including
one explicitly for Matrix and one for Mastodon. Since those are really
our platforms, let's get them into our README. Just a cosmetic change.
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
The current documents might end up confusing people and are not
completely accessible. This minor fixes should clear up the situation
and add alt texts to all badges, explain the links at the end of the
docs, and list LinuxServer.io in the supported provider section of the
README.
Some reasoning on the change in the listing:
Since we maintain an own container image which is for sure kept updated
on release, this is our first listing, as well as general solutions that
are build on that image, like the K8s integration.
The next listings are integrated provides which allow self-hosting, like
Cloudron and I also consider LinuxServer.io as this kind of providers.
Which try to enable people to run CodiMD on their own hardware or rented
servers in a very easy way, but by using their own images.
As third category I would look at hosted offers, like Heroku, which are
not completely SaaS but far enough away from the self-hostability that
I consider them as an own category. PaaS-based solutions are not as
FOSS-style as we want our setups to be, but of course still supported.
Finally the manual setup. We keep it down here, because we support it,
but don't recommend it in general. It's hard to upgrade and can cause
problems when dependencies are not correctly updated or people don't run
the db migrations.
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
Add simple SVG image detecetion base on the file extension .svg.
This fixes the SVG being delivered as binary/octet-stream and makes it possible to embedd the SVG.
Signed-off-by: Lennart Weller <lennart.weller@hansemerkur.de>
The DCO currently resides in an own directory creating a pointless
additional click/tab in order to reach end read it. It also just
clutteres the directory structure of the project.
Therefore this patch provides moves the DCO into an own legal section in
the docs directory, which is hopefully a more reasonable place.
This section can also be extended in future in order to host other legal
documents as well.
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
Do Not Track (DNT) is an old web standard in order to notify pages that
the user doesn't want to be tracked. Even while a lot of pages either
ignore this header or even worse, use it for tracking purposes, the
orignal intention of this header is good and should be adopted.
This patch implements a respect of the DNT header by no longer including
the optional Google Analytics and disqus integrations when sending a DNT
header. This should reduce outside resource usage and help to stay more
private.
This should later-on extended towards other document content (i.e.
iframe based content).
The reason to not change the CDN handling is that CDNs will be
deprecated with next release and removed in long term.
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
We have various places with overly simple if statements that could be
handled by our logging library. Also a lot of those logs are not marked
as debug logs but as info logs, which can cause confusion during
debugging.
This patch removed unneeded if clauses around debug logging statements,
reworks debug log messages towards ECMA templates and add some new
logging statements which might be helpful in order to debug things like
image uploads.
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
Since we are about to release it's time to finally fix our linting. This
patch basically runs eslint --fix and does some further manual fixes.
Also it sets up eslint to fail on every warning on order to make
warnings visable in the CI process.
There should no functional change be introduced.
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
In order to have a better experience when linking to headlines based on
their ID, a patch[1] introduced a new CSS construct to add some space in
front of HTML tags with an id field. Therefore they would no longer be
hidden by a visible navbar.
This cause a regression bug by moving the rendered mathjax out of its
visible area. This patch fixes the problem by restricting the previous
change to headlines only.
[1]: commit c9af13cf34
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
As we are about to announce the community forum, we should provide a
link to it in the footer. This patch adds Discouse between Riot, GitHub
and Mastodon as platform to follow our progress.
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
There was some awesome work by Hồng in the recent days who translated
CodiMD completely into Vietnamese language! This patch provides this
awesome contributions.
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
Currently a problem appears when using OpenID for authentication as
there is no method to add a profile picture right now.
This patch makes sure that all undefined login methods get a profile
picture.
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
As it may happens that the codemirror content flows underneath the
status bar, this patch should help to avoid it. It adds the size of the
status bar as margin-bottom so the codemirror window itself is forced
above the statusbar.
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
With very low CPU frequency or bad IO situation, as well as not-loaded
JS CodiMD happens to present unneeded "I'm busy"-messages to users.
This patch allows to configure the lag. The default is taken from the
libray but set in our own default configs.
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>