Commit graph

3151 commits

Author SHA1 Message Date
David Mehren
e9d4587344
Bump version to 1.7.2
Signed-off-by: David Mehren <git@herrmehren.de>
2021-01-15 20:37:30 +01:00
Yannick Bungers
8af470634a
Merge pull request #730 from hedgedoc/maint/master-deps-upgrade 2021-01-15 20:22:38 +01:00
David Mehren
f3412146ba
Regenerate yarn.lock
Signed-off-by: David Mehren <git@herrmehren.de>
2021-01-14 23:31:53 +01:00
David Mehren
606d92997a
Upgrade to socket.io 2.4.1
Signed-off-by: David Mehren <git@herrmehren.de>
2021-01-14 23:31:53 +01:00
David Mehren
a4801187b7
Update yarn.lock
archiver@5.2.0, aws-sdk@2.828.0, file-type@16.2.0, prismjs@1.23.0, socket.io-client@2.4.0, bufferutil@4.0.3, utf-8-validate@5.0.4

Signed-off-by: David Mehren <git@herrmehren.de>
2021-01-14 23:31:53 +01:00
David Mehren
2b8aac289a
Merge pull request #727 from hedgedoc/fix/slideOptionsSanitation 2021-01-14 21:57:07 +01:00
Yannick Bungers
f8757382af
Merge pull request #722 from hedgedoc/docs/various-fixes 2021-01-14 21:48:58 +01:00
David Mehren
3d4f1e163c
Merge pull request #728 from hedgedoc/fix/statusBarCover
fixed last line statusbar cover problem
2021-01-14 21:39:20 +01:00
Philip Molares
8e611e42ee added theme to the sanitization of slideOptions
Signed-off-by: Philip Molares <philip.molares@udo.edu>
2021-01-14 16:42:53 +01:00
Philip Molares
a52982c7d2 fixed a problem that the last line of code becomes covered by status bar and can't be moved without changing the note.
Thanks to @mhdrone for reporting this and suggesting the fix

fixes #724

Signed-off-by: Philip Molares <philip.molares@udo.edu>
2021-01-14 11:51:32 +01:00
Philip Molares
1546786c63 changed the SCRIPT_END_PLACEHOLDER regex to case insensitive
this was suggested by @TobiasHoll in https://github.com/hackmdio/codimd/issues/1648

Signed-off-by: Philip Molares <philip.molares@udo.edu>
2021-01-14 11:35:17 +01:00
Philip Molares
35b0d39a12 added sanitation to the slideMode in frontmatter
This should prevent the issue mentioned in https://github.com/hackmdio/codimd/issues/1648

Specifically left out are
- dependency (user can't really include anything anyway, because CSP forbids most domains)
- autoSlideMethod (nothing our users should be able to change as they won't write JS to be affected by this)
- keyboard (this let's users write arbitrary code and seems therefore to problematic)

See:
https://github.com/hakimel/reveal.js/blob/3.9.2/README.md#configuration
Signed-off-by: Philip Molares <philip.molares@udo.edu>
2021-01-14 11:18:09 +01:00
David Mehren
eaa7a15615
Docs: Reorder navigation links
Signed-off-by: David Mehren <git@herrmehren.de>
2021-01-13 20:59:32 +01:00
David Mehren
c8a7984fa4
Docs: Various formatting fixes
Signed-off-by: David Mehren <git@herrmehren.de>
2021-01-13 20:59:32 +01:00
David Mehren
1256eb3cd3
Docs: Use extensions to make markdown parsing more like GFM
Signed-off-by: David Mehren <git@herrmehren.de>
2021-01-13 20:59:32 +01:00
David Mehren
512fc2a914
GitLab Auth Guide: Fix indentation
Signed-off-by: David Mehren <git@herrmehren.de>
2021-01-11 12:05:31 +01:00
David Mehren
bf7d4ddcd8
GitHub Auth Guide: Fix indentation
Signed-off-by: David Mehren <git@herrmehren.de>
2021-01-11 12:04:56 +01:00
David Mehren
ee83c85eb0
SAML Auth Guide: Fix indentation
Signed-off-by: David Mehren <git@herrmehren.de>
2021-01-11 12:03:48 +01:00
David Mehren
80d8cc79f6
Docs: Unify code block languages
Use `yaml` for Dockerfiles, `shell` for environment variables and `json` for our config file.

Signed-off-by: David Mehren <git@herrmehren.de>
2021-01-11 12:00:33 +01:00
David Mehren
877bc26078
Docs: Replace :smile with actual 😃 emoji
Signed-off-by: David Mehren <git@herrmehren.de>
2021-01-11 11:54:33 +01:00
David Mehren
1d92a81755
Docs: Enable SuperFences extension
This allows indented code blocks in lists

Signed-off-by: David Mehren <git@herrmehren.de>
2021-01-11 11:54:33 +01:00
Simon C
6dab69de60
docs: Fix indentation of code
(cherry picked from commit 4559d52d52)
Signed-off-by: David Mehren <git@herrmehren.de>
2021-01-11 11:12:57 +01:00
Tilman Vatteroth
5bdb392413
Several theme changes (#659)
* Several theme changes

- Add max width of 1440px
- Rename css file
- Fix edit button
- Add local Roboto font

Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>
2021-01-05 22:55:00 +01:00
Yannick Bungers
73d237165e
Merge pull request #656 from hedgedoc/docs/move-content
Move docs into subdirectory to make structor work
2021-01-05 17:27:24 +01:00
Tilman Vatteroth
d39c7deb32
Change history link
Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>
2021-01-05 17:18:45 +01:00
Tilman Vatteroth
929a27d393
Change links in README
Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>
2021-01-05 17:13:44 +01:00
Tilman Vatteroth
bcc99f7979
Use svg in readme
Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>
2021-01-05 17:04:41 +01:00
Tilman Vatteroth
eaeb88401d
Move docs into subdirectory to make mkdocs work in a subdirectory
Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>
2021-01-05 13:15:32 +01:00
Yannick Bungers
d52d1d255a
Merge pull request #655 from hedgedoc/remove-ie11
Remove IE11 support from README
2021-01-04 22:29:57 +01:00
David Mehren
642316abb1
Remove IE11 support from README
Apparently we have stopped supporting IE11. It shows a syntax error for our JS. I have spent half an hour trying to add IE11 to our Babel config, but that did not resolve the issue. It seems bigger changes to our Webpack config might be necessary to support IE11 again, which I don't think is worthwhile. It's probably reasonable to just remove IE from the list of supported browsers.

Signed-off-by: David Mehren <git@herrmehren.de>
2021-01-04 22:21:51 +01:00
David Mehren
fdc86538c6
Merge pull request #650 from hedgedoc/mkdocs 2021-01-04 18:35:08 +01:00
Philip Molares
90371c1c00 added documentation about how the write, build and deploy this
documentation.

Signed-off-by: Philip Molares <philip.molares@udo.edu>
2021-01-04 14:26:39 +01:00
David Mehren
9f191bd58f
Merge pull request #646 from hedgedoc/kubernetes 2021-01-04 13:35:24 +01:00
Philip Molares
825d56f216 removed kubernetes from navigation
Signed-off-by: Philip Molares <philip.molares@udo.edu>
2021-01-04 13:11:41 +01:00
Philip Molares
133416973d removed kubernetes from README
Signed-off-by: Philip Molares <philip.molares@udo.edu>
2021-01-04 13:07:44 +01:00
Philip Molares
0911bf96e9 added all necessary configs to use structor
see https://github.com/traefik/structor

Signed-off-by: Philip Molares <philip.molares@udo.edu>
2021-01-03 22:15:12 +01:00
Philip Molares
dfa12e52e6 remove old documentation
Signed-off-by: Philip Molares <philip.molares@udo.edu>
2021-01-03 16:10:27 +01:00
Philip Molares
55d653a1a2 started work on a mkdocs documentation for readthedocs.org
Signed-off-by: Philip Molares <philip.molares@udo.edu>
2021-01-03 16:00:25 +01:00
Philip Molares
d462675fc8 Update docs/setup/kubernetes.md
Co-authored-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>
Signed-off-by: Philip Molares <philip.molares@udo.edu>
2021-01-02 16:14:22 +01:00
Philip Molares
d7ef5e83c2 changed kubernetes setup doc
currently we don't provide our own and still linking to hackmd/codimd is
not helpful

Signed-off-by: Philip Molares <philip.molares@udo.edu>
2021-01-02 11:01:34 +01:00
David Mehren
5b3d62e494
Fix typo in release notes
Signed-off-by: David Mehren <git@herrmehren.de>
2020-12-27 21:21:12 +01:00
David Mehren
7d2c433b1b
Bump version to 1.7.1
Signed-off-by: David Mehren <git@herrmehren.de>
2020-12-27 20:54:39 +01:00
David Mehren
591f0c10f0
Update yarn.lock
Signed-off-by: David Mehren <git@herrmehren.de>
2020-12-27 19:54:06 +01:00
David Mehren
e9306991cd
Merge pull request from GHSA-wcr3-xhv7-8gxc
Fix arbitrary file upload
2020-12-27 19:52:42 +01:00
David Mehren
6932cc4df7
Always save uploads to a tmpdir first and cleanup afterwards
This makes sure no unintended files are permanently saved.

Co-authored-by: Yannick Bungers <git@innay.de>
Signed-off-by: David Mehren <git@herrmehren.de>
2020-12-27 19:51:14 +01:00
David Mehren
cf4344d9e0
Improve MIME-type checks of uploaded files
This commit adds a check if the MIME-type of the uploaded file (detected using the magic bytes) matches the file extension.

Signed-off-by: David Mehren <git@herrmehren.de>
2020-12-27 19:51:12 +01:00
Sheogorath
f83e4d66ed
Rework error messages for image uploads
This patch reworks the error messages for image uploads to make more
sense.

Instead of using the current `formidable error` for everything, all
custom error detection now provide the (hopefully) more useful `Image
Upload error` prefix for error messages.

Signed-off-by: Christoph Kern <sheogorath@shivering-isles.com>
2020-12-27 19:51:02 +01:00
Sheogorath
d097211c54
Fix unauthenticated file uploads
This patch fixes the issue of unauthenticated users, being able to
upload files, even when anonymous edits are disabled.

It's implemented by blocking uploads when either `allowAnonymous` is set
to `false` for all unauthenticated users, unless `allowAnonymousEdits`
is set to true, to make sure anonymous editors still experience the full
feature set.

Signed-off-by: Christoph Kern <sheogorath@shivering-isles.com>
2020-12-27 19:51:01 +01:00
Sheogorath
dc29a286e6
Fix arbitary file upload for uploadimage API endpoint
This patch fixes a security issue with all existing CodiMD and HedgeDoc
installation which allows arbitary file uploads to instances that expose
the `/uploadimage` API endpoint. With the patch it implies the same
restrictions on the MIME-types as the frontend does. Means only images
are allowed unless configured differently.

This issue was reported by Thomas Lambertz.

To verify if you are vulnerable or not, create two files `test.html` and
`test.png` and try to upload them to your hedgedoc installation.

```
curl -X POST -F "image=@$(pwd)/test.html" http://localhost:3000/uploadimage
curl -X POST -F "image=@$(pwd)/test.png" http://localhost:3000/uploadimage
```

Note: Not all backends are affected. Imgur and lutim should prevent this
by their own upload API. But S3, minio, filesystem and azure, will be at
risk.

Addition Note: When using filesystem instead of an external uploads
providers, there is a higher risk of code injections as the default CSP
do not block JS from the main domain.

References:
https://github.com/hedgedoc/hedgedoc/security/advisories/GHSA-wcr3-xhv7-8gxc

Signed-off-by: Christoph Kern <sheogorath@shivering-isles.com>
2020-12-27 19:51:01 +01:00
David Mehren
58276ebbf4
Merge pull request from GHSA-g6w6-7xf9-m95p
Don't store mermaid diagrams in innerHTML
2020-12-27 19:49:57 +01:00