Commit graph

3629 commits

Author SHA1 Message Date
David Mehren
5154598557
Update changelog for 1.9.3
Signed-off-by: David Mehren <git@herrmehren.de>
2022-04-10 21:49:23 +02:00
Erik Michelson
c99d30931d Remove duplicated jQuery selectors
Signed-off-by: Erik Michelson <github@erik.michelson.eu>
2022-04-10 21:24:30 +02:00
Erik Michelson
0093aa4783 Fix GitLab snippet export
The snippet export broke due to two reasons.
First of all, the request to GitLab fail in the
default configuration due to the CSP not being
set properly. This commit adds the configured
GitLab base url to the connect-src directives.
The second problem is a change in the GitLab API
spec. Instead of `code` and `file_name` the
GitLab API now requires an `files` array with
`content` and `file_path` entries per snippet.

Signed-off-by: Erik Michelson <github@erik.michelson.eu>
2022-04-10 21:24:30 +02:00
David Mehren
0195f16d9a
Fix linter errors in imageRouter
Signed-off-by: David Mehren <git@herrmehren.de>
2022-04-10 21:16:35 +02:00
Sheogorath
9e2f9e21e9 fix(imageRouter): Fix enumerable image upload issue
This patch adds an own filename function for `formidable`, which will
make sure to generate a random file name, using UUIDv4. This should
resolve GHSA-q6vv-2q26-j7rx.

This change is required due to a change in behaviour from version 1 to
version 2 of formidable. Formidable version 2 will generate predictable
filenames by default, which results in potential access to images, that
were uploaded while formidable v2 was used in Hedgedoc. This affects the
versions `1.9.1` and `1.9.2`.

Files generated previous to this commit will look like this:

```
<random string generated on app start><counter>.<file-extension>
38e56506ec2dcab52e9282c00.jpg
38e56506ec2dcab52e9282c01.jpg
38e56506ec2dcab52e9282c02.jpg
```

After this patch it'll look like this:

```
<uuid v4>.<file-extension>
a67f36b8-9afb-43c2-9ef2-a567a77d8628.jpg
56b3d5d0-c586-4679-9ae6-d2044843c2cd.jpg
2af727ac-a2d4-4aad-acb5-73596c2a7eb6.jpg
```

This patch was implemented using `uuid` since we already utilise this
package elsewhere in the project as well as using a secure function to
generate random strings. UUIDv4 is ideal for that. In order to be
consumable by formidable, it was wrapped in a function that makes sure
to keep the file extension.

This vulnerability was reported by Matias from [NCSC-FI](https://www.kyberturvallisuuskeskus.fi/).

References:
https://github.com/node-formidable/formidable/blob/v2-latest/src/Formidable.js#L574
https://github.com/node-formidable/formidable/issues/808#issuecomment-1007090762
https://www.npmjs.com/package/uuid
2022-04-10 21:08:32 +02:00
Yannick Bungers
8dbb92d063
Merge pull request #2249 from hedgedoc/2248-inline-authorship-coloration-doesnt-work-hexrgb-missing 2022-04-10 20:27:54 +02:00
Renovate Bot
1f40f28bb2 chore(deps): update linters
Signed-off-by: Renovate Bot <bot@renovateapp.com>
2022-04-10 10:08:01 +02:00
Renovate Bot
fed86d629b chore(deps): update dependency mermaid to v9
Signed-off-by: Renovate Bot <bot@renovateapp.com>
2022-04-10 10:07:17 +02:00
Renovate Bot
e596ce75bf fix(deps): update dependency moment to v2.29.2 [security]
Signed-off-by: Renovate Bot <bot@renovateapp.com>
2022-04-09 11:23:11 +00:00
Renovate Bot
d34b8c0cfc chore(deps): update dependency mkdocs-material to v8.2.9
Signed-off-by: Renovate Bot <bot@renovateapp.com>
2022-04-09 05:31:08 +00:00
David Mehren
e0021036ae
Fix missing inline authorship colors
The hex2rgb function seems to previously have been available globally.
It probably got lost in the great Webpack refactoring and nobody noticed
 that.

 This copies the function into its own file (to make importing it easy)
 and adds an import in index.js.

 Fixes https://github.com/hedgedoc/hedgedoc/issues/2248

Signed-off-by: David Mehren <git@herrmehren.de>
2022-04-08 12:13:37 +02:00
Tilman Vatteroth
61e092e8af Force change of aria-hidden when modal shows or hides
Signed-off-by: Tilman Vatteroth <git@tilmanvatteroth.de>
2022-04-03 22:52:53 +02:00
Tilman Vatteroth
bb4acb02bc Improve aria tags for view mode labels
Signed-off-by: Tilman Vatteroth <git@tilmanvatteroth.de>
2022-04-03 22:40:07 +02:00
David Mehren
445a3787d9 bin/manage_users: fix formatting
Signed-off-by: David Mehren <git@herrmehren.de>
2022-04-03 22:14:27 +02:00
David Mehren
337173bb38 bin/manage_users: Don't allow empty passwords
Signed-off-by: David Mehren <git@herrmehren.de>
2022-04-03 22:14:27 +02:00
David Mehren
101bedaecd bin/manage_users: Always treat pass argument as string
Fixes #1945

Signed-off-by: David Mehren <git@herrmehren.de>
2022-04-03 22:14:27 +02:00
David Mehren
d88dd31cc2 docs: add example for generating sessionSecret
Signed-off-by: David Mehren <git@herrmehren.de>
2022-04-03 20:41:08 +02:00
Renovate Bot
28555a58cc chore(deps): lock file maintenance
Signed-off-by: Renovate Bot <bot@renovateapp.com>
2022-03-28 04:13:41 +00:00
Renovate Bot
a61483a613 chore(deps): update dependency mkdocs-material to v8.2.8
Signed-off-by: Renovate Bot <bot@renovateapp.com>
2022-03-27 17:05:50 +00:00
Renovate Bot
0f058214df chore(deps): update dependency eslint to v8.12.0
Signed-off-by: Renovate Bot <bot@renovateapp.com>
2022-03-26 22:44:43 +01:00
Renovate Bot
7eb609a06e chore(deps): update dependency mkdocs to v1.3.0
Signed-off-by: Renovate Bot <bot@renovateapp.com>
2022-03-26 22:43:38 +01:00
Renovate Bot
875150e1e9 chore(deps): update dependency mkdocs-material to v8.2.7
Signed-off-by: Renovate Bot <bot@renovateapp.com>
2022-03-26 08:48:45 +00:00
Renovate Bot
78d3de61b6 chore(deps): update dependency abcjs to v6.0.2
Signed-off-by: Renovate Bot <bot@renovateapp.com>
2022-03-26 04:35:19 +00:00
Renovate Bot
d780470f77 fix(deps): update dependency minimist to v1.2.6 [security]
Signed-off-by: Renovate Bot <bot@renovateapp.com>
2022-03-23 23:22:23 +00:00
Renovate Bot
c722ccb269 chore(deps): lock file maintenance
Signed-off-by: Renovate Bot <bot@renovateapp.com>
2022-03-21 05:48:05 +00:00
Moritz Schlarb
e6fc9f01a3 Allow SAML authentication provider to be named
Using `CMD_SAML_PROVIDERNAME` and the respective auth provider objects
in the configuration structures.

Signed-off-by: Moritz Schlarb <schlarbm@uni-mainz.de>
2022-03-20 19:59:53 +01:00
Renovate Bot
002c7897d8 chore(deps): update dependency pymdown-extensions to v9.3
Signed-off-by: Renovate Bot <bot@renovateapp.com>
2022-03-20 19:55:07 +01:00
Renovate Bot
ee51d22fa4 chore(deps): lock file maintenance
Signed-off-by: Renovate Bot <bot@renovateapp.com>
2022-03-14 04:25:36 +00:00
Renovate Bot
f4543a380a chore(deps): update dependency eslint to v8.11.0
Signed-off-by: Renovate Bot <bot@renovateapp.com>
2022-03-12 10:02:52 +01:00
Renovate Bot
b7946bcad6 chore(deps): update dependency mocha to v9.2.2
Signed-off-by: Renovate Bot <bot@renovateapp.com>
2022-03-12 03:46:29 +00:00
David Mehren
99c7c01aa7 Remove explicit dependency resolutions
All our dependencies already use recent-enough
versions of these dependencies, so we don't need to override them anymore.

Signed-off-by: David Mehren <git@herrmehren.de>
2022-03-07 14:03:09 +01:00
David Mehren
980739496b Switch to vscode fork of sqlite3
Microsoft maintains a fork of the sqlite3 package at
https://github.com/microsoft/vscode-node-sqlite3

Switching to that allows us to drop various very old dependencies,
removing 5 high security alerts in the process.

References:
https://github.com/mapbox/node-sqlite3/issues/1493#issuecomment-980521241
Signed-off-by: David Mehren <git@herrmehren.de>
2022-03-07 14:03:09 +01:00
Renovate Bot
32e5fc5114 chore(deps): lock file maintenance
Signed-off-by: Renovate Bot <bot@renovateapp.com>
2022-03-07 03:37:37 +00:00
Renovate Bot
6bb9720a81 chore(deps): update dependency mkdocs-material to v8.2.5
Signed-off-by: Renovate Bot <bot@renovateapp.com>
2022-03-06 17:30:04 +01:00
Renovate Bot
f7530e86f9 fix(deps): update dependency mariadb to v3
Signed-off-by: Renovate Bot <bot@renovateapp.com>
2022-03-05 17:28:19 +01:00
Renovate Bot
6aa6b416cc chore(deps): update dependency abcjs to v6
Signed-off-by: Renovate Bot <bot@renovateapp.com>
2022-03-05 14:59:14 +01:00
Renovate Bot
14f6ff2e33 chore(deps): update dependency prismjs to v1.27.0
Signed-off-by: Renovate Bot <bot@renovateapp.com>
2022-03-05 10:46:07 +01:00
Renovate Bot
6e3c4ae1a9 chore(deps): update actions/upload-artifact action to v3
Signed-off-by: Renovate Bot <bot@renovateapp.com>
2022-03-05 10:34:44 +01:00
Renovate Bot
53e55126c2 chore(deps): update actions/setup-node action to v3
Signed-off-by: Renovate Bot <bot@renovateapp.com>
2022-03-05 10:34:08 +01:00
Renovate Bot
1c81ea3ede chore(deps): update actions/checkout action to v3
Signed-off-by: Renovate Bot <bot@renovateapp.com>
2022-03-05 10:33:28 +01:00
Renovate Bot
a310bfa6a9 chore(deps): update dependency eslint to v8.10.0
Signed-off-by: Renovate Bot <bot@renovateapp.com>
2022-03-05 09:27:06 +01:00
Renovate Bot
bdc55f2139 chore(deps): update dependency mkdocs-material to v8.2.4
Signed-off-by: Renovate Bot <bot@renovateapp.com>
2022-03-05 02:53:28 +00:00
Renovate Bot
cb386ce5e7 chore(deps): lock file maintenance
Signed-off-by: Renovate Bot <bot@renovateapp.com>
2022-02-28 02:20:40 +00:00
Renovate Bot
b32c4c73e0 chore(deps): update dependency mkdocs-material to v8.2.3
Signed-off-by: Renovate Bot <bot@renovateapp.com>
2022-02-27 18:22:26 +01:00
Renovate Bot
e26648fb54 chore(deps): update dependency mkdocs-material to v8.2.2
Signed-off-by: Renovate Bot <bot@renovateapp.com>
2022-02-26 11:12:53 +00:00
Renovate Bot
3692967e3b chore(deps): lock file maintenance
Signed-off-by: Renovate Bot <bot@renovateapp.com>
2022-02-21 02:37:35 +00:00
Renovate Bot
f4e8bef013 chore(deps): update dependency mkdocs-material to v8.2.1
Signed-off-by: Renovate Bot <bot@renovateapp.com>
2022-02-19 20:36:23 +01:00
Renovate Bot
067450461f chore(deps): update dependency mocha to v9.2.1
Signed-off-by: Renovate Bot <bot@renovateapp.com>
2022-02-19 14:03:42 +00:00
Erik Michelson
bbb61036c8 Use localhost instead of 127.0.0.1 in docker guide
The example docker-compose.yml in the docker guide sets CMD_DOMAIN to
localhost. This results in HedgeDoc only being startable from
http://localhost:3000 as the Content-Security-Policy forbids access
to e.g. http://127.0.0.1:3000. Despite that the docs used 127.0.0.1
for linking to the instance prior to this commit.

Signed-off-by: Erik Michelson <github@erik.michelson.eu>
2022-02-14 15:38:33 +01:00
Renovate Bot
13fb485ba1 chore(deps): lock file maintenance
Signed-off-by: Renovate Bot <bot@renovateapp.com>
2022-02-14 02:33:52 +00:00