snyk-bot
511873e58a
fix: package.json to reduce vulnerabilities
...
The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-HELMETCSP-469436
2019-09-30 05:32:48 +00:00
Sheogorath
494ff49503
Merge pull request #185 from codimd/snyk-fix-905c5c88626d5047fb1568d93ce366ca
...
[Snyk] Fix for 1 vulnerability
2019-09-26 13:49:50 +02:00
Sheogorath
e313b47b92
Merge pull request #170 from ErikMichelson/post-note-url
...
Added endpoint for note-creation with given alias
2019-09-26 12:20:57 +02:00
snyk-bot
0185add27f
fix: package.json to reduce vulnerabilities
...
The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-HANDLEBARS-469063
2019-09-26 05:32:43 +00:00
Sheogorath
7f69ec5bca
Merge pull request #180 from ErikMichelson/fix/trailingSlashRedirect
...
Fixed #179 (redirect loop with a trailing slash)
2019-09-18 22:59:43 +02:00
Erik Michelson
9e1cc2159f
Updated forbiddenNoteIDs
...
Signed-off-by: Erik Michelson <erik@liltv.de>
2019-09-18 22:54:08 +02:00
Erik Michelson
4d62e6b0b5
Fixed #179 (redirect loop with a trailing slash)
...
Signed-off-by: Erik Michelson <erik@liltv.de>
2019-09-18 22:18:22 +02:00
Sheogorath
110eef691e
Merge pull request #173 from ErikMichelson/docs
...
Extended config.js documentation on login methods and libravatar
2019-09-18 21:36:19 +02:00
Sheogorath
10a6e7c816
Merge pull request #176 from SISheogorath/docs/security
...
Add security note to repository
2019-09-12 21:35:19 +02:00
Sheogorath
42d42d5b6f
Add security note to repository
...
In order to simplify the communication with security researchers and
allow reporting of issues, this document should provide a rough idea
about:
1. What versions are supported
2. Who to contact
3. How to send findings properly secured
4. What to expect from an approved security issue
5. What if it's not considered a security issue
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2019-09-10 14:11:23 +02:00
Erik Michelson
6110aafc5b
Added link to libravatar.org
...
Signed-off-by: Erik Michelson <erik@liltv.de>
2019-09-09 15:20:09 +02:00
Erik Michelson
efe246f183
Extended login methods section
...
Signed-off-by: Erik Michelson <erik@liltv.de>
2019-09-09 01:48:22 +02:00
Erik Michelson
5a359ab648
Changed Gravatar to Libravatar
...
Signed-off-by: Erik Michelson <erik@liltv.de>
2019-09-09 00:47:22 +02:00
Sheogorath
c6e4f3757e
Merge pull request #171 from soulchild/master
...
Move sequelize-cli from devDependencies to dependencies, because it is needed to run migrations at run-time
2019-09-07 20:26:54 +02:00
Tobias Kremer
ea3c824978
Move sequelize-cli from devDependencies to dependencies, because it is needed to run migrations at run-time
...
Signed-off-by: Tobias Kremer <tobias.kremer@gmail.com>
2019-09-06 10:42:30 +02:00
Erik Michelson
6e5e6696ad
Refactored note-creation with given noteId
...
Known bugs/features:
- pushing towards an existing note results in an error 500
Signed-off-by: Erik Michelson <erik@liltv.de>
2019-09-04 20:25:32 +02:00
Erik Michelson
8d29d74b02
Added endpoint for note-creation with given alias
...
Signed-off-by: Erik Michelson <erik@liltv.de>
2019-09-04 12:28:44 +02:00
Sheogorath
529075fd67
Merge pull request #168 from dargmuesli/fix/docker-secret-buffer
...
Config: Return String Instead Of Buffer For Docker Secrets
2019-09-03 18:11:47 +02:00
Jonas Thelemann
0be784351d
Docker Secrets: Use Encoding Parameter Directly
...
Signed-off-by: Jonas Thelemann <e-mail@jonas-thelemann.de>
2019-09-03 17:58:58 +02:00
Sheogorath
f08fcd30fb
Merge pull request #167 from dargmuesli/fix/docker-secret-path
...
Docker Secrets: Correct Source Path
2019-09-03 09:26:08 +03:00
Jonas Thelemann
3d9c97fc65
Config: Return String Instead Of Buffer For Docker Secrets
...
Prevents "TypeError: Cannot freeze array buffer views with elements".
Signed-off-by: Jonas Thelemann <e-mail@jonas-thelemann.de>
2019-09-03 00:28:44 +02:00
Jonas Thelemann
326b38dff9
Docker Secrets: Correct Source Path
...
Signed-off-by: Jonas Thelemann <e-mail@jonas-thelemann.de>
2019-09-02 18:45:16 +02:00
Sheogorath
6755d1b989
Merge pull request #147 from codimd/snyk-fix-0aa72a9ec7fcf1d8b1832518c29b6f4c
...
[Snyk] Fix for 2 vulnerable dependencies
2019-09-02 19:25:42 +03:00
Sheogorath
c765f34d03
Merge pull request #143 from Fonata/improve-docs
...
Slightly improve documentation
2019-09-02 19:24:04 +03:00
Sheogorath
2e627099d8
Merge pull request #32 from codimd/aws-endpoints
...
make aws s3 endpoint configurable
2019-09-02 18:50:29 +03:00
Sheogorath
2b0300e2f2
Merge pull request #165 from morpheus-87/imprint-docs
...
Add documentation for the new imprint feature
2019-09-02 18:49:59 +03:00
Matthias Lindinger
e07f70c231
Remove useless blank line
...
Signed-off-by: Matthias Lindinger <m.lindinger@live.de>
2019-09-02 13:09:23 +02:00
Matthias Lindinger
eef2b57bde
Add documentation for the new imprint feature
...
Signed-off-by: Matthias Lindinger <m.lindinger@live.de>
2019-09-02 13:05:17 +02:00
Sheogorath
a9b5b754f5
Merge pull request #158 from morpheus-87/add-imprint-link
...
Add link to imprint
2019-09-02 13:36:43 +03:00
Matthias Lindinger
fe2c8634d3
Add link to imprint
...
Signed-off-by: Matthias Lindinger <m.lindinger@live.de>
2019-08-26 14:57:44 +02:00
snyk-test
47d2b99582
fix: package.json to reduce vulnerabilities
...
The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-AUTOLINKER-73494
- https://snyk.io/vuln/SNYK-JS-SEQUELIZE-459751
2019-08-20 05:32:45 +00:00
Christian Bläul
d21ede4df8
Documentation: improved 'Users and Privileges' section
...
Signed-off-by: Christian Bläul <christian@blaeul.de>
2019-08-17 12:19:34 +02:00
Christian Bläul
3684c65f10
Documentation: improved English
...
Signed-off-by: Christian Bläul <christian@blaeul.de>
2019-08-17 12:14:51 +02:00
Christian Bläul
49663390d1
Not serverurl, but serverURL is used as a default for issuer
...
Signed-off-by: Christian Bläul <christian@blaeul.de>
2019-08-17 12:14:24 +02:00
Christian Bläul
ef857a565c
Documentation: improved sessionLife description
...
Signed-off-by: Christian Bläul <christian@blaeul.de>
2019-08-17 11:56:31 +02:00
Christian Bläul
32f00e9830
Documentation: improved 'Email (local account)' sections
...
Signed-off-by: Christian Bläul <christian@blaeul.de>
2019-08-17 11:53:49 +02:00
Christian Bläul
29e1ff7699
Documentation: improved dbURL description
...
Signed-off-by: Christian Bläul <christian@blaeul.de>
2019-08-17 11:40:53 +02:00
Christian Bläul
60d6a6a15d
Documentation: Improved descriptions of 'Users and Privileges' section
...
Signed-off-by: Christian Bläul <christian@blaeul.de>
2019-08-17 10:53:17 +02:00
Christian Bläul
374ee58790
Documentation: converted descriptions to sentences to allow more details
...
No content was added; this is just a formatting commit.
Signed-off-by: Christian Bläul <christian@blaeul.de>
2019-08-17 10:49:03 +02:00
Christian Bläul
4b392f4b12
Improved docs for YAML metadata
...
Signed-off-by: Christian Bläul <christian@blaeul.de>
2019-08-17 00:03:41 +02:00
Christian Bläul
305525aa0c
Config documentation: Improved spelling and capitalization of services
...
Signed-off-by: Christian Bläul <christian@blaeul.de>
2019-08-17 00:03:37 +02:00
Christian Bläul
f49bbf4c45
Documentation of config options: Improve loglevel
...
Signed-off-by: Christian Bläul <christian@blaeul.de>
2019-08-17 00:03:29 +02:00
Christian Bläul
c065d45da8
Documentation of config options: Improve db
...
Signed-off-by: Christian Bläul <christian@blaeul.de>
2019-08-17 00:03:04 +02:00
Sheogorath
9c1665ae5b
Release version 1.5.0
2019-08-15 23:30:37 +02:00
Sheogorath
09e1584800
Update yarn.lock
...
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2019-08-15 23:25:30 +02:00
Sheogorath
fce0e18ad0
Add Arabic translation
...
Thanks to our great translators who managed to translate the major
parts of CodiMD into Arabic!
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2019-08-15 23:20:52 +02:00
Sheogorath
c178947402
Disable PDF export due to security issue
...
As a temporary fix, to keep you and your users safe, this patch disables
the PDF export feature. Details of the attack along with a fix for
future versions of CodiMD will be released in the future.
I hope you can live with this solution for this release because I'm
super short on time and the alternative would be to ship no fix at all.
This appears to be the better solution for this release.
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2019-08-15 23:14:54 +02:00
Sheogorath
e574ae7588
Switch mysql library to mysql2
...
The recent sequelize upgrade introduced some other dependencies; this is
one of them. This patch replaces the old `mysql` library with `mysql2`.
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2019-08-15 23:14:53 +02:00
Sheogorath
c07ae7eda1
Fix variable names for docker secrets
...
It seems like since we switched to camelCase we missed updating some
variable names in the config section. This patch fixes those.
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2019-08-15 23:14:53 +02:00
Sheogorath
c4053ea7ce
Update meta-marked to latest version
...
Meta-marked 0.4.4, which we used from our git repository, contains a
ReDoS vulnerability in the marked dependency. The dependency was already
updated in our meta-marked repository, but not updated in yarn.
This left us still vulnerable to this ReDoS, which was able to cause a
DoS attack on the server when updating a note.
For details:
https://github.com/markedjs/marked/releases/tag/v0.7.0
https://github.com/markedjs/marked/pull/1515
What is a ReDoS?
A ReDoS attack is a DoS attack where an attacker targets a
poorly written regular expression. Regular expressions try to build a
tree of all possibilities they can match in order to figure out if the
given statement is valid or not. A ReDoS attack abuses this concept by
providing a statement that doesn't match but causes extremely huge trees
that simply lead to exhausting CPU usage.
For more details see: https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS
Credit:
Huge thanks to @bitinerant for finding this and handling it with a
responsible disclosure.
Also thanks to the `marked` team for fixing things already.
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2019-08-15 23:14:48 +02:00
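The backtracking blow-up that the meta-marked commit describes, as an added example that is not code from CodiMD, meta-marked or marked: it uses the textbook nested-quantifier pattern from the linked OWASP page to show why a non-matching input costs exponential work, and the two defensive measures a maintainer would reach for, a length cap in front of the regex and an equivalent pattern without the nested quantifier. The pattern names, the 64-character cap, the lint heuristic and the sample inputs are assumptions made for the example.

```javascript
// Added example (not CodiMD, meta-marked or marked code). Pattern names, the
// length cap and the sample inputs below are assumptions for illustration.

// Toy pathological pattern from the OWASP ReDoS page: an inner a+ nested inside
// an outer (...)+ over the same characters. On a failing input such as "aaaa!"
// the engine retries every way of splitting the run of a's between the two
// quantifiers before it can report "no match".
const PATHOLOGICAL = /^(a+)+$/;

// Equivalent pattern: accepts exactly the same strings, but with a single
// quantifier the engine walks the input once and fails immediately at "!".
const SAFE = /^a+$/;

// Hypothetical size cap for the field being validated. Bounding the input
// before the regex runs caps the work even if a bad pattern slips through.
const MAX_INPUT_LENGTH = 64;

// Number of ways a run of n a's can be split into non-empty groups: 2^(n-1).
// That is the number of (a+) groupings the backtracking engine tries for (a+)+
// before failing on "a".repeat(n) + "!", so each extra character roughly
// doubles the time spent on a non-matching input.
function backtrackPartitions(n) {
  return n <= 0 ? 0 : 2 ** (n - 1);
}

// Validate with a length guard in front of the regex. Returns an object so the
// caller can tell "rejected before the regex ran" from "did not match".
function boundedTest(pattern, input, maxLength = MAX_INPUT_LENGTH) {
  if (typeof input !== 'string') return { ok: false, reason: 'not-a-string' };
  if (input.length > maxLength) return { ok: false, reason: 'too-long' };
  return { ok: true, match: pattern.test(input) };
}

// Crude lint for the simplest ReDoS shape: a group ending in + or * that is
// itself followed by + or *, e.g. (a+)+ or (\d*)*. Heuristic only; it does not
// catch overlapping alternations such as (a|aa)+.
function hasNestedQuantifier(source) {
  return /\([^()]*[+*]\)[+*]/.test(source);
}

// Check that two patterns agree on a corpus of short inputs, so the rewrite
// can be adopted without changing validation behaviour. Returns the first
// input on which they disagree, or null when they agree everywhere.
function firstDisagreement(a, b, inputs) {
  for (const s of inputs) {
    if (a.test(s) !== b.test(s)) return s;
  }
  return null;
}

// Constructed sample inputs: well-formed and malformed, all far below the cap,
// so even the pathological pattern finishes instantly on them.
const SAMPLE_INPUTS = ['', 'a', 'aaaa', 'aaa!', 'b', 'aab', '!aaa'];

// Run the safe pattern over a long non-matching input (it fails at once) and
// show the guard refusing to feed the same input to the pathological pattern.
// The pathological pattern is deliberately never run on the long input.
function demo() {
  const longInput = 'a'.repeat(100000) + '!';
  const start = Date.now();
  const safeResult = SAFE.test(longInput);
  const elapsedMs = Date.now() - start;
  return {
    safeResult,
    elapsedMs,
    guarded: boundedTest(PATHOLOGICAL, longInput),
    agree: firstDisagreement(PATHOLOGICAL, SAFE, SAMPLE_INPUTS) === null,
    searchSpaceFor30: backtrackPartitions(30),
  };
}

console.log(demo());
```

The `backtrackPartitions` count is the point of the example: at thirty characters the failing path already has half a billion groupings to try, which is why the length guard matters independently of the pattern rewrite. In a code base like this one the guard would sit at the request boundary, before any markdown parsing runs.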