Commit graph

2523 commits

Author SHA1 Message Date
snyk-bot
511873e58a fix: package.json to reduce vulnerabilities
The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-HELMETCSP-469436
2019-09-30 05:32:48 +00:00
Sheogorath
494ff49503
Merge pull request #185 from codimd/snyk-fix-905c5c88626d5047fb1568d93ce366ca
[Snyk] Fix for 1 vulnerability
2019-09-26 13:49:50 +02:00
Sheogorath
e313b47b92
Merge pull request #170 from ErikMichelson/post-note-url
Added endpoint for note-creation with given alias
2019-09-26 12:20:57 +02:00
snyk-bot
0185add27f fix: package.json to reduce vulnerabilities
The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-HANDLEBARS-469063
2019-09-26 05:32:43 +00:00
Sheogorath
7f69ec5bca
Merge pull request #180 from ErikMichelson/fix/trailingSlashRedirect
Fixed #179 (redirect loop with a trailing slash)
2019-09-18 22:59:43 +02:00
Erik Michelson
9e1cc2159f
Updated forbiddenNoteIDs
Signed-off-by: Erik Michelson <erik@liltv.de>
2019-09-18 22:54:08 +02:00
Erik Michelson
4d62e6b0b5
Fixed #179 (redirect loop with a trailing slash)
Signed-off-by: Erik Michelson <erik@liltv.de>
2019-09-18 22:18:22 +02:00
Sheogorath
110eef691e
Merge pull request #173 from ErikMichelson/docs
Extended config.js documentation on login methods and libravatar
2019-09-18 21:36:19 +02:00
Sheogorath
10a6e7c816
Merge pull request #176 from SISheogorath/docs/security
Add security note to repository
2019-09-12 21:35:19 +02:00
Sheogorath
42d42d5b6f
Add security note to repository
In order to simplify the communication with security researchers and
allow reporting of issues, this document should provide a rough idea
about:

1. What versions are supported
2. Who to contact
3. How to send findings properly secured
4. What to expect from an approved security issue
5. What if it's not considered a security issue

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2019-09-10 14:11:23 +02:00
Erik Michelson
6110aafc5b
Added link to libravatar.org
Signed-off-by: Erik Michelson <erik@liltv.de>
2019-09-09 15:20:09 +02:00
Erik Michelson
efe246f183
Extended login methods section
Signed-off-by: Erik Michelson <erik@liltv.de>
2019-09-09 01:48:22 +02:00
Erik Michelson
5a359ab648
Changed Gravatar to Libravatar
Signed-off-by: Erik Michelson <erik@liltv.de>
2019-09-09 00:47:22 +02:00
Sheogorath
c6e4f3757e
Merge pull request #171 from soulchild/master
Move sequelize-cli from devDependencies to dependencies, because it is needed to run migrations at run-time
2019-09-07 20:26:54 +02:00
Tobias Kremer
ea3c824978 Move sequelize-cli from devDependencies to dependencies, because it is needed to run migrations at run-time
Signed-off-by: Tobias Kremer <tobias.kremer@gmail.com>
2019-09-06 10:42:30 +02:00
Erik Michelson
6e5e6696ad
Refactored note-creation with given noteId
Known bugs/features:
- pushing towards an existing note results in an error 500

Signed-off-by: Erik Michelson <erik@liltv.de>
2019-09-04 20:25:32 +02:00
Erik Michelson
8d29d74b02 Added endpoint for note-creation with given alias
Signed-off-by: Erik Michelson <erik@liltv.de>
2019-09-04 12:28:44 +02:00
Sheogorath
529075fd67
Merge pull request #168 from dargmuesli/fix/docker-secret-buffer
Config: Return String Instead Of Buffer For Docker Secrets
2019-09-03 18:11:47 +02:00
Jonas Thelemann
0be784351d
Docker Secrets: Use Encoding Parameter Directly
Signed-off-by: Jonas Thelemann <e-mail@jonas-thelemann.de>
2019-09-03 17:58:58 +02:00
Sheogorath
f08fcd30fb
Merge pull request #167 from dargmuesli/fix/docker-secret-path
Docker Secrets: Correct Source Path
2019-09-03 09:26:08 +03:00
Jonas Thelemann
3d9c97fc65
Config: Return String Instead Of Buffer For Docker Secrets
Prevents "TypeError: Cannot freeze array buffer views with elements".

Signed-off-by: Jonas Thelemann <e-mail@jonas-thelemann.de>
2019-09-03 00:28:44 +02:00
Jonas Thelemann
326b38dff9
Docker Secrets: Correct Source Path
Signed-off-by: Jonas Thelemann <e-mail@jonas-thelemann.de>
2019-09-02 18:45:16 +02:00
Sheogorath
6755d1b989
Merge pull request #147 from codimd/snyk-fix-0aa72a9ec7fcf1d8b1832518c29b6f4c
[Snyk] Fix for 2 vulnerable dependencies
2019-09-02 19:25:42 +03:00
Sheogorath
c765f34d03
Merge pull request #143 from Fonata/improve-docs
Slightly improve documentation
2019-09-02 19:24:04 +03:00
Sheogorath
2e627099d8
Merge pull request #32 from codimd/aws-endpoints
make aws s3 endpoint configurable
2019-09-02 18:50:29 +03:00
Sheogorath
2b0300e2f2
Merge pull request #165 from morpheus-87/imprint-docs
Add documentation for the new imprint feature
2019-09-02 18:49:59 +03:00
Matthias Lindinger
e07f70c231 Remove useless blank line
Signed-off-by: Matthias Lindinger <m.lindinger@live.de>
2019-09-02 13:09:23 +02:00
Matthias Lindinger
eef2b57bde Add documentation for the new imprint feature
Signed-off-by: Matthias Lindinger <m.lindinger@live.de>
2019-09-02 13:05:17 +02:00
Sheogorath
a9b5b754f5
Merge pull request #158 from morpheus-87/add-imprint-link
Add link to imprint
2019-09-02 13:36:43 +03:00
Matthias Lindinger
fe2c8634d3 Add link to imprint
Signed-off-by: Matthias Lindinger <m.lindinger@live.de>
2019-08-26 14:57:44 +02:00
snyk-test
47d2b99582 fix: package.json to reduce vulnerabilities
The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-AUTOLINKER-73494
- https://snyk.io/vuln/SNYK-JS-SEQUELIZE-459751
2019-08-20 05:32:45 +00:00
Christian Bläul
d21ede4df8 Documentation: improved 'Users and Privileges' section
Signed-off-by: Christian Bläul <christian@blaeul.de>
2019-08-17 12:19:34 +02:00
Christian Bläul
3684c65f10 Documentation: improved English
Signed-off-by: Christian Bläul <christian@blaeul.de>
2019-08-17 12:14:51 +02:00
Christian Bläul
49663390d1 Not serverurl, but serverURL is used as a default for issuer
Signed-off-by: Christian Bläul <christian@blaeul.de>
2019-08-17 12:14:24 +02:00
Christian Bläul
ef857a565c Documentation: improved sessionLife description
Signed-off-by: Christian Bläul <christian@blaeul.de>
2019-08-17 11:56:31 +02:00
Christian Bläul
32f00e9830 Documentation: improved 'Email (local account)' sections
Signed-off-by: Christian Bläul <christian@blaeul.de>
2019-08-17 11:53:49 +02:00
Christian Bläul
29e1ff7699 Documentation: improved dbURL description
Signed-off-by: Christian Bläul <christian@blaeul.de>
2019-08-17 11:40:53 +02:00
Christian Bläul
60d6a6a15d Documentation: Improved descriptions of 'Users and Privileges' section
Signed-off-by: Christian Bläul <christian@blaeul.de>
2019-08-17 10:53:17 +02:00
Christian Bläul
374ee58790 Documentation: converted descriptions to sentences to allow more details
No content was added; this is just a formatting commit.

Signed-off-by: Christian Bläul <christian@blaeul.de>
2019-08-17 10:49:03 +02:00
Christian Bläul
4b392f4b12 Improved docs for YAML metadata
Signed-off-by: Christian Bläul <christian@blaeul.de>
2019-08-17 00:03:41 +02:00
Christian Bläul
305525aa0c Config documentation: Improved spelling and capitalization of services
Signed-off-by: Christian Bläul <christian@blaeul.de>
2019-08-17 00:03:37 +02:00
Christian Bläul
f49bbf4c45 Documentation of config options: Improve loglevel
Signed-off-by: Christian Bläul <christian@blaeul.de>
2019-08-17 00:03:29 +02:00
Christian Bläul
c065d45da8 Documentation of config options: Improve db
Signed-off-by: Christian Bläul <christian@blaeul.de>
2019-08-17 00:03:04 +02:00
Sheogorath
9c1665ae5b
Release version 1.5.0
2019-08-15 23:30:37 +02:00
Sheogorath
09e1584800
Update yarn.lock
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2019-08-15 23:25:30 +02:00
Sheogorath
fce0e18ad0
Add Arabic translation
Thanks to our great translators who managed to translate the major
parts of CodiMD into Arabic!

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2019-08-15 23:20:52 +02:00
Sheogorath
c178947402
Disable PDF export due to security issue
As a temporary fix, to keep you and your users safe, this patch disables
the PDF export feature. Details of the attack along with a fix for
future versions of CodiMD will be released in the future.

I hope you can live with this solution for this release because I'm
super short on time and the alternative would be to ship no fix at all.
This appears to be the better solution for this release.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2019-08-15 23:14:54 +02:00
Sheogorath
e574ae7588
Switch mysql library to mysql2
The recent sequelize upgrade introduced some other dependencies; this is
one of them. This patch replaces the old `mysql` library with `mysql2`.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2019-08-15 23:14:53 +02:00
Sheogorath
c07ae7eda1
Fix variable names for docker secrets
It seems like since we switched to camelCase we missed updating some
variable names in the config section. This patch fixes those.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2019-08-15 23:14:53 +02:00
Sheogorath
c4053ea7ce
Update meta-marked to latest version
Meta-marked 0.4.4, which we used from our git repository, contains a
ReDoS vulnerability in the marked dependency. The dependency was already
updated in our meta-marked repository, but not updated in yarn.

This made us still vulnerable to this ReDoS, which was able to cause a
DoS attack on the server when updating a note.

For Details:

https://github.com/markedjs/marked/releases/tag/v0.7.0
https://github.com/markedjs/marked/pull/1515

What is a ReDoS?

A ReDoS attack is a DoS attack where an attacker targets a
not-well-written regular expression. Regular expressions try to build a
tree of all possibilities they can match in order to figure out if the
given statement is valid or not. A ReDoS attack abuses this concept by
providing a statement that doesn't match but causes extremely huge trees
that simply lead to exhausting CPU usage.

For more details see: https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS

Credit:

Huge thanks to @bitinerant for finding this and handling it with a
responsible disclosure.

Also thanks to the `marked`-team for fixing things already.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2019-08-15 23:14:48 +02:00