As we already decleared in earlier versions, this patch removes PDF
export entirely. It's a not acceptable security risk for every CodiMD
instance.
The current implementation allowed to extract arbitary files from the
CodiMD host and therefore leaking secrets from a `/etc/passwd` to
CodiMD's own config files and all secrets contained in it.
Thanks to Joona for finding this vulnerability in August last year,
which lead to an emergency disabling of PDF exports in 1.5.0.
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
Before this patch the non-TypeScript version of the slide mode causes
problems with the TypeScript code. Therefore, in order to get things
working, this patch does minimalistic changes to the slide mode
controller to bring it into TypeScript convention. And unbreak slide
mode. Further changes are required, but this gets slide mode back to a
usable state.
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
TypeScript considers null and undefined as fine for all variable by
default. This patch enables `strictNullChecks`, which should cause
errors to be thrown as soon as a variable is null or undefined without
having it explicitly decleared for itself.[1]
[1]: https://www.typescriptlang.org/docs/handbook/migrating-from-javascript.html#strict-null--undefined-checks
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
Because of circular import problems, this commit also moves the error messages from response.js to errors.js
Signed-off-by: David Mehren <dmehren1@gmail.com>
This makes the references consistent/compatible with GitHub,
GitLab, Pandoc and many other tools.
This behavior can be enabled in config.json with:
```
"linkifyHeaderStyle": "gfm"
```
Signed-off-by: hoijui <hoijui.quaero@gmail.com>
We have various places with overly simple if statements that could be
handled by our logging library. Also a lot of those logs are not marked
as debug logs but as info logs, which can cause confusion during
debugging.
This patch removed unneeded if clauses around debug logging statements,
reworks debug log messages towards ECMA templates and add some new
logging statements which might be helpful in order to debug things like
image uploads.
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
Since we are about to release it's time to finally fix our linting. This
patch basically runs eslint --fix and does some further manual fixes.
Also it sets up eslint to fail on every warning on order to make
warnings visable in the CI process.
There should no functional change be introduced.
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
With very low CPU frequency or bad IO situation, as well as not-loaded
JS CodiMD happens to present unneeded "I'm busy"-messages to users.
This patch allows to configure the lag. The default is taken from the
libray but set in our own default configs.
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
disableRequestedAuthnContext: true|false
By default only Password authmethod is accepted, this option allows any other method.
Issue and option described here:
https://github.com/bergie/passport-saml/issues/226
Signed-off-by: Emmanuel Ormancey <emmanuel.ormancey@cern.ch>
Since Google+ is shutting down soon, we need to get the profile data
from another URL. Since the library already supports it, all we need to
do is adding a single line of code.
Details:
https://github.com/hackmdio/codimd/issues/1160
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
Fix wrong config options
In `./lib/web/auth/` some config includes still used `config.serverurl` instead of the correct `config.serverURL`. This causes wrong URL in worst case.
This patch should fix those problems and migrate the wrong statements to camelcase.
This commit also refactors the code a bit, and adds a '-' separator
between a filename and its duplicate index.
This commit fixes#1079.
Signed-off-by: Daan Sprenkels <hello@dsprenkels.com>
most rules degraded to WARN, so we don't go insane. This will
change over time. The aim is to conform to a common style
Signed-off-by: Claudius Coenen <opensource@amenthes.de>
This fixes part of #1056: an error while obtaining the profile
would have `502`-crashed the server.
Signed-off-by: Claudius Coenen <opensource@amenthes.de>
Currently we only provide the version from `package.json`. This means
that during updates of instances, e.g. the demo instance, which runs
latest master instead of a stable release, changes are not reflected to
the webclient.
This patch adds a fullversion string that contains the current commit
and this way makes that clients are notified about changes.
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
With OpenID every OpenID capable provider can provide authentication for
users of a CodiMD instance. This means we have federated
authentication.
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
As it turns out, expressjs doesn't detect the right mimetype and it
seems like I didn't bother to test this enough. So lets fix it for the
next release.
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
