Commit graph

3643 commits

Author SHA1 Message Date
Renovate Bot
5b07cbd5e7 fix(deps): update dependency cookie to ^0.5.0
Signed-off-by: Renovate Bot <bot@renovateapp.com>
2022-04-21 02:37:02 +02:00
Renovate Bot
30c5df8a9e chore(deps): update dependency prismjs to v1.28.0
Signed-off-by: Renovate Bot <bot@renovateapp.com>
2022-04-18 16:40:22 +02:00
Renovate Bot
7103bb8851 chore(deps): lock file maintenance
Signed-off-by: Renovate Bot <bot@renovateapp.com>
2022-04-18 05:25:16 +00:00
David Mehren
3faa7fa2d5
Merge pull request #2263 from hedgedoc/docs/pin-dependencies 2022-04-14 16:36:40 +02:00
Sheogorath
3d7bf464d9
docs(manual): Adjust instructions to use only pinned dependencies
This patch adds `--frozen-lockfile` to our regular `yarn install` calls
during manual set up. This should ensure people get the expected
versions and not any newer or older versions that might behave
unexpectedly.

References:
https://github.com/yarnpkg/yarn/issues/5847#issuecomment-537521943
https://classic.yarnpkg.com/en/docs/cli/install#toc-yarn-install-frozen-lockfile

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2022-04-12 20:16:33 +02:00
David Mehren
7f09558b58
Merge pull request #2241 from hedgedoc/release/1.9.3 2022-04-10 22:19:22 +02:00
David Mehren
836bda0f85
Bump version to 1.9.3
Signed-off-by: David Mehren <git@herrmehren.de>
2022-04-10 21:49:36 +02:00
David Mehren
70d0e49142
Downgrade minio to 7.0.26
minio 7.0.27 requires node < 16.8, breaking compatibility with the
latest LTS version.

We downgrade minio until a fixed version is available.

https://github.com/minio/minio-js/issues/1017
Signed-off-by: David Mehren <git@herrmehren.de>
2022-04-10 21:49:36 +02:00
David Mehren
680e6917af
Add warning about MariaDB charset changes to changelog
Signed-off-by: David Mehren <git@herrmehren.de>
2022-04-10 21:49:35 +02:00
David Mehren
e48be9290f
Update yarn.lock
Signed-off-by: David Mehren <git@herrmehren.de>
2022-04-10 21:49:25 +02:00
David Mehren
f544b15eea
Ignore stderr when calling git executable
This hopefully prevents confusing error messages in the docker image.

Signed-off-by: David Mehren <git@herrmehren.de>
2022-04-10 21:49:25 +02:00
David Mehren
3c8a20e35c
Update AUTHORS
Signed-off-by: David Mehren <git@herrmehren.de>
2022-04-10 21:49:25 +02:00
David Mehren
b611ecd037
Update mailmap
Signed-off-by: David Mehren <git@herrmehren.de>
2022-04-10 21:49:25 +02:00
David Mehren
fc0fe1908e
Import translations from POEditor
Signed-off-by: David Mehren <git@herrmehren.de>
2022-04-10 21:49:25 +02:00
David Mehren
5154598557
Update changelog for 1.9.3
Signed-off-by: David Mehren <git@herrmehren.de>
2022-04-10 21:49:23 +02:00
Erik Michelson
c99d30931d Remove duplicated jQuery selectors
Signed-off-by: Erik Michelson <github@erik.michelson.eu>
2022-04-10 21:24:30 +02:00
Erik Michelson
0093aa4783 Fix GitLab snippet export
The snippet export broke due to two reasons.
First of all, the request to GitLab fail in the
default configuration due to the CSP not being
set properly. This commit adds the configured
GitLab base url to the connect-src directives.
The second problem is a change in the GitLab API
spec. Instead of `code` and `file_name` the
GitLab API now requires an `files` array with
`content` and `file_path` entries per snippet.

Signed-off-by: Erik Michelson <github@erik.michelson.eu>
2022-04-10 21:24:30 +02:00
David Mehren
0195f16d9a
Fix linter errors in imageRouter
Signed-off-by: David Mehren <git@herrmehren.de>
2022-04-10 21:16:35 +02:00
Sheogorath
9e2f9e21e9 fix(imageRouter): Fix enumerable image upload issue
This patch adds an own filename function for `formidable`, which will
make sure to generate a random file name, using UUIDv4. This should
resolve GHSA-q6vv-2q26-j7rx.

This change is required due to a change in behaviour from version 1 to
version 2 of formidable. Formidable version 2 will generate predictable
filenames by default, which results in potential access to images, that
were uploaded while formidable v2 was used in Hedgedoc. This affects the
versions `1.9.1` and `1.9.2`.

Files generated previous to this commit will look like this:

```
<random string generated on app start><counter>.<file-extension>
38e56506ec2dcab52e9282c00.jpg
38e56506ec2dcab52e9282c01.jpg
38e56506ec2dcab52e9282c02.jpg
```

After this patch it'll look like this:

```
<uuid v4>.<file-extension>
a67f36b8-9afb-43c2-9ef2-a567a77d8628.jpg
56b3d5d0-c586-4679-9ae6-d2044843c2cd.jpg
2af727ac-a2d4-4aad-acb5-73596c2a7eb6.jpg
```

This patch was implemented using `uuid` since we already utilise this
package elsewhere in the project as well as using a secure function to
generate random strings. UUIDv4 is ideal for that. In order to be
consumable by formidable, it was wrapped in a function that makes sure
to keep the file extension.

This vulnerability was reported by Matias from [NCSC-FI](https://www.kyberturvallisuuskeskus.fi/).

References:
https://github.com/node-formidable/formidable/blob/v2-latest/src/Formidable.js#L574
https://github.com/node-formidable/formidable/issues/808#issuecomment-1007090762
https://www.npmjs.com/package/uuid
2022-04-10 21:08:32 +02:00
Yannick Bungers
8dbb92d063
Merge pull request #2249 from hedgedoc/2248-inline-authorship-coloration-doesnt-work-hexrgb-missing 2022-04-10 20:27:54 +02:00
Renovate Bot
1f40f28bb2 chore(deps): update linters
Signed-off-by: Renovate Bot <bot@renovateapp.com>
2022-04-10 10:08:01 +02:00
Renovate Bot
fed86d629b chore(deps): update dependency mermaid to v9
Signed-off-by: Renovate Bot <bot@renovateapp.com>
2022-04-10 10:07:17 +02:00
Renovate Bot
e596ce75bf fix(deps): update dependency moment to v2.29.2 [security]
Signed-off-by: Renovate Bot <bot@renovateapp.com>
2022-04-09 11:23:11 +00:00
Renovate Bot
d34b8c0cfc chore(deps): update dependency mkdocs-material to v8.2.9
Signed-off-by: Renovate Bot <bot@renovateapp.com>
2022-04-09 05:31:08 +00:00
David Mehren
e0021036ae
Fix missing inline authorship colors
The hex2rgb function seems to previously have been available globally.
It probably got lost in the great Webpack refactoring and nobody noticed
 that.

 This copies the function into its own file (to make importing it easy)
 and adds an import in index.js.

 Fixes https://github.com/hedgedoc/hedgedoc/issues/2248

Signed-off-by: David Mehren <git@herrmehren.de>
2022-04-08 12:13:37 +02:00
Tilman Vatteroth
61e092e8af Force change of aria-hidden when modal shows or hides
Signed-off-by: Tilman Vatteroth <git@tilmanvatteroth.de>
2022-04-03 22:52:53 +02:00
Tilman Vatteroth
bb4acb02bc Improve aria tags for view mode labels
Signed-off-by: Tilman Vatteroth <git@tilmanvatteroth.de>
2022-04-03 22:40:07 +02:00
David Mehren
445a3787d9 bin/manage_users: fix formatting
Signed-off-by: David Mehren <git@herrmehren.de>
2022-04-03 22:14:27 +02:00
David Mehren
337173bb38 bin/manage_users: Don't allow empty passwords
Signed-off-by: David Mehren <git@herrmehren.de>
2022-04-03 22:14:27 +02:00
David Mehren
101bedaecd bin/manage_users: Always treat pass argument as string
Fixes #1945

Signed-off-by: David Mehren <git@herrmehren.de>
2022-04-03 22:14:27 +02:00
David Mehren
d88dd31cc2 docs: add example for generating sessionSecret
Signed-off-by: David Mehren <git@herrmehren.de>
2022-04-03 20:41:08 +02:00
Renovate Bot
28555a58cc chore(deps): lock file maintenance
Signed-off-by: Renovate Bot <bot@renovateapp.com>
2022-03-28 04:13:41 +00:00
Renovate Bot
a61483a613 chore(deps): update dependency mkdocs-material to v8.2.8
Signed-off-by: Renovate Bot <bot@renovateapp.com>
2022-03-27 17:05:50 +00:00
Renovate Bot
0f058214df chore(deps): update dependency eslint to v8.12.0
Signed-off-by: Renovate Bot <bot@renovateapp.com>
2022-03-26 22:44:43 +01:00
Renovate Bot
7eb609a06e chore(deps): update dependency mkdocs to v1.3.0
Signed-off-by: Renovate Bot <bot@renovateapp.com>
2022-03-26 22:43:38 +01:00
Renovate Bot
875150e1e9 chore(deps): update dependency mkdocs-material to v8.2.7
Signed-off-by: Renovate Bot <bot@renovateapp.com>
2022-03-26 08:48:45 +00:00
Renovate Bot
78d3de61b6 chore(deps): update dependency abcjs to v6.0.2
Signed-off-by: Renovate Bot <bot@renovateapp.com>
2022-03-26 04:35:19 +00:00
Renovate Bot
d780470f77 fix(deps): update dependency minimist to v1.2.6 [security]
Signed-off-by: Renovate Bot <bot@renovateapp.com>
2022-03-23 23:22:23 +00:00
Renovate Bot
c722ccb269 chore(deps): lock file maintenance
Signed-off-by: Renovate Bot <bot@renovateapp.com>
2022-03-21 05:48:05 +00:00
Moritz Schlarb
e6fc9f01a3 Allow SAML authentication provider to be named
Using `CMD_SAML_PROVIDERNAME` and the respective auth provider objects
in the configuration structures.

Signed-off-by: Moritz Schlarb <schlarbm@uni-mainz.de>
2022-03-20 19:59:53 +01:00
Renovate Bot
002c7897d8 chore(deps): update dependency pymdown-extensions to v9.3
Signed-off-by: Renovate Bot <bot@renovateapp.com>
2022-03-20 19:55:07 +01:00
Renovate Bot
ee51d22fa4 chore(deps): lock file maintenance
Signed-off-by: Renovate Bot <bot@renovateapp.com>
2022-03-14 04:25:36 +00:00
Renovate Bot
f4543a380a chore(deps): update dependency eslint to v8.11.0
Signed-off-by: Renovate Bot <bot@renovateapp.com>
2022-03-12 10:02:52 +01:00
Renovate Bot
b7946bcad6 chore(deps): update dependency mocha to v9.2.2
Signed-off-by: Renovate Bot <bot@renovateapp.com>
2022-03-12 03:46:29 +00:00
David Mehren
99c7c01aa7 Remove explicit dependency resolutions
All our dependencies already use recent-enough
versions of these dependencies, so we don't need to override them anymore.

Signed-off-by: David Mehren <git@herrmehren.de>
2022-03-07 14:03:09 +01:00
David Mehren
980739496b Switch to vscode fork of sqlite3
Microsoft maintains a fork of the sqlite3 package at
https://github.com/microsoft/vscode-node-sqlite3

Switching to that allows us to drop various very old dependencies,
removing 5 high security alerts in the process.

References:
https://github.com/mapbox/node-sqlite3/issues/1493#issuecomment-980521241
Signed-off-by: David Mehren <git@herrmehren.de>
2022-03-07 14:03:09 +01:00
Renovate Bot
32e5fc5114 chore(deps): lock file maintenance
Signed-off-by: Renovate Bot <bot@renovateapp.com>
2022-03-07 03:37:37 +00:00
Renovate Bot
6bb9720a81 chore(deps): update dependency mkdocs-material to v8.2.5
Signed-off-by: Renovate Bot <bot@renovateapp.com>
2022-03-06 17:30:04 +01:00
Renovate Bot
f7530e86f9 fix(deps): update dependency mariadb to v3
Signed-off-by: Renovate Bot <bot@renovateapp.com>
2022-03-05 17:28:19 +01:00
Renovate Bot
6aa6b416cc chore(deps): update dependency abcjs to v6
Signed-off-by: Renovate Bot <bot@renovateapp.com>
2022-03-05 14:59:14 +01:00