This patch adds an own filename function for `formidable`, which will
make sure to generate a random file name, using UUIDv4. This should
resolve GHSA-q6vv-2q26-j7rx.
This change is required due to a change in behaviour from version 1 to
version 2 of formidable. Formidable version 2 will generate predictable
filenames by default, which results in potential access to images, that
were uploaded while formidable v2 was used in Hedgedoc. This affects the
versions `1.9.1` and `1.9.2`.
Files generated previous to this commit will look like this:
```
<random string generated on app start><counter>.<file-extension>
38e56506ec2dcab52e9282c00.jpg
38e56506ec2dcab52e9282c01.jpg
38e56506ec2dcab52e9282c02.jpg
```
After this patch it'll look like this:
```
<uuid v4>.<file-extension>
a67f36b8-9afb-43c2-9ef2-a567a77d8628.jpg
56b3d5d0-c586-4679-9ae6-d2044843c2cd.jpg
2af727ac-a2d4-4aad-acb5-73596c2a7eb6.jpg
```
This patch was implemented using `uuid` since we already utilise this
package elsewhere in the project as well as using a secure function to
generate random strings. UUIDv4 is ideal for that. In order to be
consumable by formidable, it was wrapped in a function that makes sure
to keep the file extension.
This vulnerability was reported by Matias from [NCSC-FI](https://www.kyberturvallisuuskeskus.fi/).
References:
https://github.com/node-formidable/formidable/blob/v2-latest/src/Formidable.js#L574https://github.com/node-formidable/formidable/issues/808#issuecomment-1007090762https://www.npmjs.com/package/uuid
The hex2rgb function seems to previously have been available globally.
It probably got lost in the great Webpack refactoring and nobody noticed
that.
This copies the function into its own file (to make importing it easy)
and adds an import in index.js.
Fixes https://github.com/hedgedoc/hedgedoc/issues/2248
Signed-off-by: David Mehren <git@herrmehren.de>
Using `CMD_SAML_PROVIDERNAME` and the respective auth provider objects
in the configuration structures.
Signed-off-by: Moritz Schlarb <schlarbm@uni-mainz.de>
All our dependencies already use recent-enough
versions of these dependencies, so we don't need to override them anymore.
Signed-off-by: David Mehren <git@herrmehren.de>
The example docker-compose.yml in the docker guide sets CMD_DOMAIN to
localhost. This results in HedgeDoc only being startable from
http://localhost:3000 as the Content-Security-Policy forbids access
to e.g. http://127.0.0.1:3000. Despite that the docs used 127.0.0.1
for linking to the instance prior to this commit.
Signed-off-by: Erik Michelson <github@erik.michelson.eu>