Commit graph

2437 commits

Author SHA1 Message Date
Sheogorath
383d791a50
Ensure session cookies are secure
While HSTS should take care of most of this, setting cookies to be
secure, and only applied on the same site, helps to improve situations where,
for whatever reason, downgrade attacks are still a thing.

This patch adds `sameSite` and `secure` to the session cookie and
this way prevents all accidents where a browser may not support HSTS
or HSTS is intentionally dropped.

Reference:
https://www.npmjs.com/package/express-session#cookiesecure

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2020-06-08 16:09:49 +02:00
Sheogorath
49de5f5bd6
Merge pull request #375 from codingHahn/fix-checksums
Fix checksums of mermaid
2020-05-28 18:06:30 +02:00
Nick Hahn
043f2c3193 Fix checksums of mermaid
Signed-off-by: Nick Hahn <nick.hahn@posteo.de>
2020-05-28 14:06:33 +02:00
Sheogorath
407c53b9d9
Merge pull request #373 from codingHahn/update-mermaid
Update to mermaid 8.5.1
2020-05-27 19:42:28 +02:00
Nick Hahn
26144a5091 Update all other dependencies
because I can't figure out how to just update mermaid

Signed-off-by: Nick Hahn <nick.hahn@posteo.de>
2020-05-27 14:10:19 +02:00
Nick Hahn
ae7772a3f3 Update to mermaid 8.5.1
Signed-off-by: Nick Hahn <nick.hahn@posteo.de>
2020-05-27 14:06:03 +02:00
Sheogorath
54bde6b11f
Add translations for permissions
Adding translations for permissions for a possible 1.6.1 release doesn't
hurt but might help some use cases of running CodiMD, and we'll need the
translations in the new frontend anyway.

This patch adds the translations as well as the English locale file.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2020-05-26 16:22:41 +02:00
Sheogorath
a9fea54db0
Upgrade jquery to 3.5.1
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2020-05-26 16:16:49 +02:00
Sheogorath
d30e022c7f
Merge pull request #344 from SuperSandro2000/fix-links-1.x
Fix redirected, outdated links and convert all to https
2020-05-17 15:01:41 +02:00
Sheogorath
4fc7f0c5a2
Merge pull request #335 from ErikMichelson/docs/url-scheme
Add document explaining different URLs
2020-05-10 17:14:14 +02:00
Sheogorath
b79341f406
Merge pull request #347 from codimd/backport-345
findNoteOrCreate: Create new note with empty string instead of `null`
2020-04-28 18:40:39 +02:00
Sandro
4c0094a1f8
findNoteOrCreate: Create new note with empty string instead of null
Backport of #345 to 1.x

Signed-off-by: Sandro Jäckel <sandro.jaeckel@gmail.com>
2020-04-28 00:56:35 +02:00
Sandro Jäckel
91b2e4c9ef
Update outdated links
Signed-off-by: Sandro Jäckel <sandro.jaeckel@gmail.com>
2020-04-26 21:57:43 +02:00
Sandro Jäckel
24f388a7c4
Update all links with https
Signed-off-by: Sandro Jäckel <sandro.jaeckel@gmail.com>
2020-04-26 21:57:42 +02:00
Erik Michelson
2e7488870e
Add document explaining different URLs
Signed-off-by: Erik Michelson <erik@liltv.de>
2020-04-25 01:27:07 +02:00
Sheogorath
68174c0c6f
Merge pull request #309 from margau/master
Make "transform-style: preserve-3d;" screen-only.
2020-04-21 14:31:39 +02:00
Sheogorath
49e8be44e1
Merge pull request #321 from codimd/snyk-fix-36a009650e9001b5861c54337c2b192d
[Snyk] Security upgrade jquery from 3.4.1 to 3.5.0
2020-04-16 15:49:06 +02:00
snyk-bot
dae60e784d fix: package.json & yarn.lock to reduce vulnerabilities
The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-JQUERY-565129
2020-04-14 05:36:30 +00:00
Marvin Gaube
70b8b78f96 Make "transform-style: preserve-3d;" screen-only.
Signed-off-by: Marvin Gaube <dev@marvingaube.de>
2020-03-23 20:57:06 +01:00
Sheogorath
9425caf6c3
Merge pull request #305 from ErikMichelson/fix/eslint
Fixed eslint errors in cleanup-script
2020-03-22 00:19:18 +01:00
Erik Michelson
e0f729e014
Fixed eslint errors (whitespaces)
Signed-off-by: Erik Michelson <erik@liltv.de>
2020-03-21 23:27:00 +01:00
Sheogorath
f42304c967
Clean up all foreign-key constraints
This patch cleans up the remaining possible foreign-key constraint. This
case seems to appear when notes are deleted but, due to missing database
constraints, their authorships are not.

This function should clean that up as well and complete the preparation
for the new db constraints.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2020-03-21 21:05:52 +01:00
Sheogorath
41b13e71b6
Reduce requested arguments on cleanup
In order to prevent OOM situations due to large databases, this patch
should reduce the amount of data requested from the database
drastically.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2020-03-21 19:30:44 +01:00
Sheogorath
4884292b68
fixup! Add fix for missing deletion of notes on user-deletion request 2020-03-21 18:13:20 +01:00
Sheogorath
1ed522bd85 Update fr.json (POEditor.com) 2020-03-21 16:58:56 +01:00
Sheogorath
034a96a48e Update ar.json (POEditor.com) 2020-03-21 16:58:54 +01:00
Sheogorath
d389f45818
Fix broken redirect on login
This patch fixes the currently broken redirect on login: when people try
to access a site they have no access to, they are redirected to the main
page to log in. After a successful login they should be redirected to
the original note, but instead are redirected to the index page again.

This patch fixes the typo that causes the behavior and brings people
back to the note they edited.

Thanks to @clvs7-gh on Github[1], who submitted the patch via email.

On their behalf I hereby submit the change.

[1]: https://github.com/clvs7-gh

Note: I had to adjust this patch to work properly.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2020-03-21 16:56:09 +01:00
Sheogorath
840109b129
Backport Fix for relative theme path
This commit backports 856fc01fb9

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2020-03-21 16:20:01 +01:00
Sheogorath
a9d98d4b52
Add fix for missing deletion of notes on user-deletion request
Depending on how the system was set up, this bug led to keeping users' data
around even after a successful deletion of the user's account. This patch
will make sure the missing database constraints are implemented and
missed-out deletions are executed.

This bug was introduced due to insufficient testing after implementing the
feature initially. It was well tested, using the app process itself, but
the migrations were missed out. I'm currently not sure if there was
also a change in how sequelize handles cascaded deletion, since I'm
under the impression that before switching to sequelize 5, this feature
has worked. But I haven't verified this.

No matter what, the cleanup process is rather straight forward and will
be invoked on migration, but can also be done manually using the new
`bin/cleanup` script.

This change will result in a release 1.6.1.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2020-03-21 16:14:43 +01:00
Sheogorath
8ce7b28563
Release version 1.6.0
Thanks for all contributions, this community is awesome.
2020-02-18 00:17:48 +01:00
Sheogorath
1686edfd97 Update sv.json (POEditor.com) 2020-02-17 00:01:08 +01:00
Sheogorath
c84753a409 Update es.json (POEditor.com) 2020-02-17 00:01:07 +01:00
Sheogorath
75db992bee Update ru.json (POEditor.com) 2020-02-17 00:01:05 +01:00
Sheogorath
51a9b6cede Update pt.json (POEditor.com) 2020-02-17 00:01:03 +01:00
Sheogorath
4a74bac43b Update ja.json (POEditor.com) 2020-02-17 00:01:00 +01:00
Sheogorath
62b758b906 Update de.json (POEditor.com) 2020-02-17 00:00:58 +01:00
Sheogorath
a728b71514 Update nl.json (POEditor.com) 2020-02-17 00:00:48 +01:00
Sheogorath
d812bf1042 Update zh-CN.json (POEditor.com) 2020-02-17 00:00:46 +01:00
Sheogorath
a5659210a3
Remove Tests for EOL node version 8
Node 8 is End of Life since the beginning of 2020.[1] Due to not
deprecating it earlier, the next release will be the last release
supporting it. There are no breaking changes to be expected anymore,
therefore removing the Tests can be considered safe and the release can
start its existence with a green CI.

This patch removes the test for NodeJS version 8 from the TravisCI jobs.

[1]: https://nodejs.org/en/about/releases/
2020-02-16 23:41:28 +01:00
Sheogorath
afe38bcbb7
Update yarn.lock
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2020-02-16 23:41:12 +01:00
Sheogorath
acd333c6da
Merge pull request #271 from SuperSandro2000/patch-2
Replace dead browser icons and add missing
2020-02-16 23:27:20 +01:00
Sandro
1fb3da3a1e
Replace dead browser icons and add missing
Signed-off-by: Sandro Jäckel <sandro.jaeckel@gmail.com>
2020-02-16 04:23:55 +01:00
Sheogorath
d49844d075
Merge pull request #268 from stefandesu/patch-1
Adjust description of CMD_ALLOW_ANONYMOUS_EDITS
2020-02-11 14:18:18 +01:00
Stefan Peters
5ee3213086
Adjust description of CMD_ALLOW_ANONYMOUS_EDITS
`CMD_ALLOW_ANONYMOUS_EDITS` is only applied when `CMD_ALLOW_ANONYMOUS` is `false`, see [here](9c1665ae5b/lib/config/index.js (L71-L73)).

Signed-off-by: Stefan Peters <stefandesu@exo.pm>
2020-02-11 13:32:22 +09:00
Sheogorath
ea2ab05ffc
Merge pull request #267 from SISheogorath/fix/revisionLinks
Fix revision redirect to index page
2020-02-10 21:55:09 +01:00
Sheogorath
487298a574
Merge pull request #264 from Belphemur/update-mermaid
Update mermaid
2020-02-10 21:26:03 +01:00
Antoine Aflalo
adf37550be Update mermaid in CDN
Signed-off-by: Antoine Aflalo <antoine@warrantymaster.com>
2020-02-10 17:12:31 +00:00
Antoine Aflalo
85e1eb4b90 Update mermaid
Signed-off-by: Antoine Aflalo <antoine@warrantymaster.com>
2020-02-10 17:12:31 +00:00
Sheogorath
45cc1325fb
Fix revision redirect to index page
The revision view had a bug where clicking on a list entry would redirect
the user back to the index page instead of providing the revision diff.

This was caused by the baseurl which is now used as reference for hrefs.
Therefore when clicking on the `href="#"` this was actually pointing at
`<baseurl>#` which is usually the index page.

This patch simply removes the href from the list items and therefore the
link functionality. This fixes the whole problem by removing 9
characters from our source code.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2020-02-10 17:45:43 +01:00
Sheogorath
2a28c832fc
Merge pull request #266 from SISheogorath/feature/change-cdn-defaults
Update CDN defaults
2020-02-10 17:34:57 +01:00