Commit graph

102 commits

Author SHA1 Message Date
David Mehren
f552b14e11
Sanitize username and photo URL
HedgeDoc displays the username and user photo at various places
by rendering the respective variables into an `ejs` template.
As the values are user-provided or generated from user-provided data,
it may be possible to inject unwanted HTML.

This commit sanitizes the username and photo URL by passing them
through the `xss` library.

Co-authored-by: Christoph (Sheogorath) Kern <sheogorath@shivering-isles.com>
Signed-off-by: David Mehren <git@herrmehren.de>
2021-05-09 19:28:44 +02:00
Erik Michelson
e54236d057
Remove unneeded polyfill
This polyfill was added because node versions less than 10.5.0 didn't include scrypt support. As we now raised the minimum required version to 12.0.0, this polyfill isn't needed anymore.

Signed-off-by: Erik Michelson <opensource@erik.michelson.eu>
2021-04-26 17:05:20 +02:00
Sheogorath
44b7f607a5
Fix Relative Path Traversal Attack on note creation
Impact
---

An attacker can read arbitrary `.md` files from the server's filesystem due to an [improper input validation](https://cwe.mitre.org/data/definitions/20.html), which results in the ability to perform a [relative path traversal](https://cwe.mitre.org/data/definitions/23.html).

CVSSv3 string: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

PoC / Quicktest
---

To verify if you are affected, you can try to open the following URL: `http://localhost:3000/..%2F..%2FREADME#` (replace `http://localhost:3000` with your instance's base-URL e.g. `https://demo.hedgedoc.org/..%2F..%2FREADME#`).
- If you see a README page being rendered, you run an affected version.

Analysis
---

The attack works due the fact that [the internal router, passes the url-encoded alias](https://github.com/hedgedoc/hedgedoc/blob/master/lib/web/note/router.js#L26) to the `noteController.showNote`-function. This function passes the input directly to [`findNote()`](78a732abe6/lib/web/note/util.js (L10)) utility function, that will pass it on the the [`parseNoteId()`](78a732abe6/lib/models/note.js (L188-L258))-function, that tries to make sense out of the noteId/alias and check if a note already exists and if so, if a corresponding file on disk was updated.

If no note exists the [note creation-function is called](78a732abe6/lib/models/note.js (L240-L245)), which pass this unvalidated alias, with a `.md` appended, into a [`path.join()`-function](78a732abe6/lib/models/note.js (L99)) which is read from the filesystem in the follow up routine and provides the pre-filled content of the new note.

This allows an attacker to not only read arbitrary `.md` files from the filesystem, but also  observes changes to them.

The usefulness of this attack can be considered limited, since mainly markdown files are use the file-ending `.md` and all markdown files contained in the hedgedoc project, like the README, are public anyway. If other protections such as a chroot or container or proper file permissions are in place, this attack's usefulness is rather limited.

Workarounds
---
On a reverse-proxy level one can force a URL-decode, which will prevent this attack because the router will not accept such a path.

For more information
---

If you have any questions or comments about this advisory:
* Open an topic on [our community forum](https://community.hedgedoc.org)
* Join our [matrix room](https://chat.hedgedoc.org)

Advisory link
---

https://github.com/hedgedoc/hedgedoc/security/advisories/GHSA-p528-555r-pf87

Signed-off-by: Christoph (Sheogorath) Kern <sheogorath@shivering-isles.com>
2021-04-25 20:40:17 +02:00
David Mehren
0db862f3c9
Run database migrations automatically on startup
This commit removes the need for separate migrations with the sequelize-cli
by running them with umzug on application startup.

This is a port of #384

Co-authored-by: Sheogorath <sheogorath@shivering-isles.com>
Signed-off-by: David Mehren <git@herrmehren.de>
2021-02-27 21:33:05 +01:00
Philip Molares
136d895d15 Linter: Fix all lint errors
Signed-off-by: Philip Molares <philip.molares@udo.edu>
2021-02-15 12:15:14 +01:00
Erik Michelson
3808c08c2d
Fix note creation in FreeURL mode not using template
As explained in #391, the previous note creation logic didn't handle the case "alias is set, but it's not a file on disk". The fix introduces a separate if-statement for this scenario at the cost of a doubled filesystem read access.

Co-Authored-By: @evanlinde
Signed-off-by: Erik Michelson <github@erik.michelson.eu>
2021-02-02 00:38:54 +01:00
Erik Michelson
b28839484d
Replace CodiMD with HedgeDoc
Signed-off-by: Erik Michelson <github@erik.michelson.eu>
Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>

Rename to HedgeDoc: References in public/views

Signed-off-by: David Mehren <git@herrmehren.de>
Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>

Rename to HedgeDoc: Update links in README

Signed-off-by: David Mehren <git@herrmehren.de>
Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>

Rename to HedgeDoc: Update links in SECURITY.md

Signed-off-by: David Mehren <git@herrmehren.de>
Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>

Rename to HedgeDoc: Update links in LICENSE

Signed-off-by: David Mehren <git@herrmehren.de>
Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>

Rename to HedgeDoc: Update links in docs/configuration.md

Signed-off-by: David Mehren <git@herrmehren.de>
Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>

Rename to HedgeDoc: Update links in bin/setup

Signed-off-by: David Mehren <git@herrmehren.de>
Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>

Rename to HedgeDoc: References in docs/guides

Signed-off-by: David Mehren <git@herrmehren.de>
Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>

Rename to HedgeDoc: References in docs/dev

Signed-off-by: David Mehren <git@herrmehren.de>
Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>

Rename to HedgeDoc: References in docs/guides/auth

Signed-off-by: David Mehren <git@herrmehren.de>
Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>

Rename to HedgeDoc: References in docs/setup

Signed-off-by: David Mehren <git@herrmehren.de>
Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>

Rename to HedgeDoc: Update various links in code to the new GitHub org.

Signed-off-by: David Mehren <git@herrmehren.de>
Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>

Rename to HedgeDoc: codiMDVersion.js is now hedgeDocVersion.js

Signed-off-by: David Mehren <git@herrmehren.de>
Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>

Rename to HedgeDoc: References in docs/setup/yunohost

Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>

Rebrand to HedgeDoc: Add banner and logo

Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>

Rename to HedgeDoc: Update links in docs/guides/migrate-etherpad

Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>

Rename to HedgeDoc: Remove note in docs/guides/auth/github

Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>

Rename to HedgeDoc: Replace links in public/docs/features

Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>

Rename to HedgeDoc: Add todo placeholder in docs/history

Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>

Rename to HedgeDoc: Replace github link in public/views/index/body

Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>

Rename to HedgeDoc: Replace github link in README

Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>

Rename to HedgeDoc: Add logo to README

Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>

Rename to HedgeDoc: Add note about the renaming to the front page

Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>

Removed Travis from README.md and change CodiMD to HedgeDoc in some places

Signed-off-by: Yannick Bungers <git@innay.de>

Some more renaming to HedgeDoc
- Fixed capitalization of HedgeDoc
- Added renaming for etherpad migration doc

Signed-off-by: Yannick Bungers <git@innay.de>

Changed Repo name to hedgedoc

Signed-off-by: Yannick Bungers <git@innay.de>
2020-11-14 21:18:36 +01:00
Erik Michelson
e4214f32a0
Fixed meta parsing of lang-attribute for using it in the published-view
Signed-off-by: Erik Michelson <github@erik.michelson.eu>
2020-07-04 03:37:19 +02:00
Erik Michelson
2881f8211a
Added customizable og-metadata to notes
Signed-off-by: Erik Michelson <erik@liltv.de>
2019-10-04 19:49:45 +02:00
BoHong Li
63c96e7359
fix: upgrade sequelize to latest version to fix CVE
Signed-off-by: BoHong Li <a60814billy@gmail.com>
2019-06-11 00:41:50 +02:00
Sheogorath
b5fc6db75d
Rework debug logging
We have various places with overly simple if statements that could be
handled by our logging library. Also a lot of those logs are not marked
as debug logs but as info logs, which can cause confusion during
debugging.

This patch removed unneeded if clauses around debug logging statements,
reworks debug log messages towards ECMA templates and add some new
logging statements which might be helpful in order to debug things like
image uploads.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2019-06-08 21:27:29 +02:00
Sheogorath
4da68597f7
Fix eslint warnings
Since we are about to release it's time to finally fix our linting. This
patch basically runs eslint --fix and does some further manual fixes.
Also it sets up eslint to fail on every warning on order to make
warnings visable in the CI process.

There should no functional change be introduced.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2019-05-31 00:30:29 +02:00
Sheogorath
0dff8796ac
Fix missing pictures for OpenID
Currently a problem appears when using OpenID for authentication as
there is no method to add a profile picture right now.

This patch makes sure that all undefined login methods get a profile
picture.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2019-05-26 03:53:59 +02:00
Claudius
4833f300c5 polyfilling scrypt for node 8.5+
Signed-off-by: Claudius <opensource@amenthes.de>
2019-05-13 19:37:21 +02:00
Claudius
1d403e183d asyncified setting and verifying the password
Signed-off-by: Claudius <opensource@amenthes.de>
2019-05-13 19:37:21 +02:00
Claudius
df666dd214 getting password hashing into a hook where it could be async
Signed-off-by: Claudius <opensource@amenthes.de>
2019-05-13 14:37:08 +02:00
Sheogorath
cee2aa92f9
Switch scrypt library to a successor
Since our previous scrypt library is unmaintained since 3 years, it's
time to look for an alternative.

A refactoring towards another password algorithm was worked on and this
is probably still the way to go. But for now the successor of our
previous library should already be enough.

https://www.npmjs.com/package/scrypt (old library)
https://github.com/ml1nk/node-scrypt (new library)
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-11-21 01:33:34 +01:00
Claudius Coenen
858a59529e switching to eslint for code checking
most rules degraded to WARN, so we don't go insane. This will
change over time. The aim is to conform to a common style

Signed-off-by: Claudius Coenen <opensource@amenthes.de>
2018-11-14 23:15:36 +01:00
WilliButz
bd2f7cef49
lib/models/revision.js: make independent of exec-path
Previously calling `app.js` from another directory than
the base directory of CodiMD would result in an error being
thrown because `lib/workers/dmpWorker.js` could not be found.

This change makes the function call independent of the path CodiMD
is started from.

Signed-off-by: WilliButz <wbutz@cyberfnord.de>
2018-09-26 16:56:36 +02:00
Sheogorath
db5b86df4c
Further improvement of error handling for LZString
This does some more in depth check on the error message and minimizes
the log noise that is caused by LZString.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-07-27 15:42:58 +02:00
Sheogorath
4b060c7dba
Rebrand HackMD to CodiMD
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-06-24 13:24:12 +02:00
Sheogorath
318b2d378f
Allow to disable gravatar
Since Gravatar is an external image source and not perfect from a
privacy perspective, forbidding it allows to improve privacy.

This commit also simplifies and optimizes the avatar code.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-06-23 23:40:55 +02:00
Christoph (Sheogorath) Kern
56d78a7d6c
Merge pull request #830 from SISheogorath/feature/GDPR
GDPR compliant part 1
2018-06-17 23:33:57 +02:00
Christoph (Sheogorath) Kern
551840ad57
Merge pull request #784 from pferreir/add-oauth2-support
Add "generic" OAuth2 support
2018-06-04 15:54:47 +02:00
Sheogorath
70df29790a
Add token based security feature
In the current setup users could be tricked into deleting their data by
providing a malicious link like `[click me](/me/delete)`. This commit
prevents such an easy attack and need the user's deleteToken to get his
data deleted. In case someone requests his deletion by email you can
also ask him for this token.

We can add a GUI that shows it later on.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-05-25 18:26:06 +02:00
Sheogorath
e31d204d74
Fix requests for deleted users
When users are requested from the authorship which no longer exist, they
shouldn't cause a 500.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-05-25 16:15:18 +02:00
Sheogorath
408ab7ae1d
Use cascaded deletes
When we delete a user we should delete all the notes that belong to this
user including the revisions of these notes.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-05-25 14:55:18 +02:00
Sheogorath
8aa5c03213
Use hard delete instead of soft delete
Right now we only flag notes as deleted. This is no longer allowed under
GDPR. Make sure you do regular backups!

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-05-25 14:50:37 +02:00
Christoph (Sheogorath) Kern
763479bea8
Merge pull request #803 from SISheogorath/fix/letterAvatarCSP
Move letter-avatars into own request
2018-04-17 22:29:37 +02:00
Sheogorath
69aed93282
Move letter-avatars into own request
To prevent further weakening of our CSP policies, moving the Avatars
into a non-inline version is the way to go.

This implementation probably needs some beautification. But already fixes
the bug.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-04-17 19:06:59 +02:00
Sheogorath
735b806d5d
Add check for noteId length
As we know the length of an UUID we can check if the base64 string
of the provided UUID is long enough for a legacy base64 encoded nodeId
and stop processing it in legacy mode, if it's not the case.

This should make the ugly warning way less common.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-04-10 16:10:34 +02:00
Pedro Ferreira
34df7ccce8 Use TEXT instead of STRING for tokens
Signed-off-by: Pedro Ferreira <pedro.ferreira@cern.ch>
2018-03-26 15:55:39 +02:00
Sheogorath
2411dffa2c
Change config to camel case with backwards compatibility
This refactors the configs a bit to now use camel case everywhere.
This change should help to clean up the config interface and make it
better understandable.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-03-25 19:08:14 +02:00
Max Wu
5e975cbe69 Fix to log instead of throwing error on parse note id
Signed-off-by: Max Wu <jackymaxj@gmail.com>
2018-03-11 02:52:24 +08:00
Max Wu
c7657ae81e Fix parseNoteId order to fix some edge case
that LZString note url could be parsed by base64url note url and thus return wrong note id

Signed-off-by: Max Wu <jackymaxj@gmail.com>
2018-03-10 16:52:24 +08:00
Max Wu
fe429e9ac1 Update to use buffer in encode/decode note id
Signed-off-by: Max Wu <jackymaxj@gmail.com>
2018-02-27 20:57:31 +08:00
Max Wu
baa0418fb5 Remove and replace all note id compression in LZString with base64url
Signed-off-by: Max Wu <jackymaxj@gmail.com>
2018-02-26 16:43:29 +08:00
Max Wu
bb5e021f20 Fix field type to prevent data truncation of authorship (#721)
* Fix field type to prevent data truncation of authorship
2018-02-09 14:27:06 +01:00
Sheogorath
8bf8a1aef1
Ignore empty values for revision.
Fixes #420
2018-01-18 11:19:47 +01:00
Christoph (Sheogorath) Kern
af082d9347
Merge pull request #567 from ccoenen/fix-mysql-text-length
converting all content fields to MEDIUMTEXT (affects MySQL only)
2018-01-18 11:16:59 +01:00
Norihito Nakae
4a4ae9d332 Initial support for SAML authentication 2017-11-28 18:52:24 +09:00
Christoph Witzany
5cda55086a Add mattermost authentication 2017-10-31 10:34:51 +01:00
Claudius Coenen
cc49ce55c8 Fix #521 by converting content fields to LONGTEXT in MySQL, to prevent truncation of data. 2017-10-16 10:13:11 +02:00
Claudius Coenen
724a6bc26f createdAt DESC with quotation marks did not work with MySQL fixes #565 2017-10-09 14:03:33 +02:00
Sheogorath
500207545f
Fix broken profile images 2017-09-22 12:40:43 +02:00
Wu Cheng-Han
20c5c78c29 Fix typo in the db config 2017-06-05 03:52:25 +08:00
BoHong Li
ecb0533605 refactor(config.js): Extract config file
* Separate different config source to each files
* Freeze config object
2017-05-08 19:29:07 +08:00
BoHong Li
aca01f064d refactor: Remove require extension filename 2017-05-08 19:29:06 +08:00
Wu Cheng-Han
4a1d08c653 Fix strip null byte in model should cast to string to use replace function 2017-03-15 22:12:24 +08:00
Wu Cheng-Han
baf13072c1 Fix update doc from filesystem cause redundant authorship stringify 2017-03-14 17:11:52 +08:00