Commit graph

134 commits

Author SHA1 Message Date
Yannick Bungers
89563110c5
Remove CSPDirectives as own Type
Signed-off-by: Yannick Bungers <git@innay.de>
Signed-off-by: David Mehren <dmehren1@gmail.com>
2020-04-25 16:04:13 +02:00
Philip Molares
5c8541e65d
changed imageUploadType to an UnionType of all the possible uploadTypes
Signed-off-by: Philip Molares <philip.molares@udo.edu>
Signed-off-by: David Mehren <dmehren1@gmail.com>
2020-04-25 16:04:09 +02:00
David Mehren
9b323ba996
config/index.ts: Use const where possible, use new config type definition
Signed-off-by: David Mehren <dmehren1@gmail.com>
2020-04-25 16:04:08 +02:00
David Mehren
1437cf3ea5
config/enum.ts: Refactor enums into interface and object
Signed-off-by: David Mehren <dmehren1@gmail.com>
2020-04-25 16:04:08 +02:00
David Mehren
37c2cd0731
config/: Cleanups in defaultSSL.ts and dockerSecret.ts
Signed-off-by: David Mehren <dmehren1@gmail.com>
2020-04-25 16:04:08 +02:00
David Mehren
ad0b0834e5
config/default.ts: Add missing attributes, cleanup superfluous attributes
Signed-off-by: David Mehren <dmehren1@gmail.com>
2020-04-25 16:04:08 +02:00
David Mehren
5ec041d22d
Add type definitions for config
Signed-off-by: David Mehren <dmehren1@gmail.com>
2020-04-25 16:04:08 +02:00
David Mehren
3389a86689
config/utils.ts: toBooleanConfig can return undefined
Signed-off-by: David Mehren <dmehren1@gmail.com>
2020-04-25 16:04:08 +02:00
David Mehren
3340780157
Migrate config templates to TypeScript
Signed-off-by: David Mehren <dmehren1@gmail.com>
2020-04-25 16:04:05 +02:00
David Mehren
dd11483f44
Migrate config/index.js to TypeScript
Signed-off-by: David Mehren <dmehren1@gmail.com>
2020-04-25 16:04:04 +02:00
Erik Michelson
7838f9b03a
Added config property for locales
There's a new config property 'localesPath' - pointing to './locales' by default. The path resolution is similar to the docsPath, uploadsPath etc.

Signed-off-by: Erik Michelson <erik@liltv.de>
2020-04-24 19:09:18 +02:00
Sheogorath
d2ace4b2a0
Merge pull request #330 from Skgland/master
Pass through ldap starttls option
2020-04-23 23:34:46 +02:00
Sheogorath
4104f9835d
Merge pull request #278 from elespike/master
Add OIDC scopes for email & profile retrieval
2020-04-22 20:56:58 +02:00
Bennet Bleßmann
5fad6a25a8
Pass through ldap starttls option
Fixing Issue #329

(cherry picked from commit b9169eb279020f21b372a843a83c71929fb6fd1d)

Signed-off-by: Bennet Bleßmann <bb-github@t-online.de>
2020-04-20 10:55:50 +02:00
Sheogorath
a2522888b2
Remove PDF export
As we already decleared in earlier versions, this patch removes PDF
export entirely. It's a not acceptable security risk for every CodiMD
instance.

The current implementation allowed to extract arbitary files from the
CodiMD host and therefore leaking secrets from a `/etc/passwd` to
CodiMD's own config files and all secrets contained in it.

Thanks to Joona for finding this vulnerability in August last year,
which lead to an emergency disabling of PDF exports in 1.5.0.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2020-02-26 15:05:54 +01:00
Erik Michelson
c976217c12
Remove mattermost integration
Signed-off-by: Erik Michelson <erik@liltv.de>
2020-02-25 14:33:30 +01:00
Sheogorath
95355b8f01
Fix broken assets
Since switching to TypeScript our assets are broken due to the move of
app.js to the `./lib` subdirectory and the relative patch specified for
the public directory.

This patch solves the problem by adding a proper config element for the
path and referencing it in `./lib/app.js`.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2020-02-25 11:21:48 +01:00
Marius
574781ed6e Add environment variables and doc entries
Signed-off-by: Marius <elespike@lab26.net>
2020-02-22 00:16:26 -05:00
Marius
6332fce5d8 Add OIDC scopes for email & profile retrieval
Signed-off-by: Marius <elespike@lab26.net>
2020-02-22 00:16:16 -05:00
Sheogorath
651db60985
Update CDN defaults
As we noticed in our poll about CDN usage, that most people
intentionally turn it off, but very little intetionally turn it on or
leave it on. [1]

There is also strong indicators that CDNs don't really provide any
benefits in loading time and due to the small deployments of CodiMD,
there is no big savings due to CDNs either. [2]

Therefore this patch changes the CDN default settings to off in order to
reduce the exposed user data.

[1]: https://community.codimd.org/t/poll-on-cdn-usage/28
[2]: https://csswizardry.com/2019/05/self-host-your-static-assets/

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2020-02-09 21:59:17 +01:00
ike
197223dc81 Add Google oauth variable: hostedDomain
Which is part of `passport-google-oauth2`.
It could be used as whitelist to a domain supported by google oauth.
Ref: https://github.com/jaredhanson/passport-google-oauth2/issues/3

Signed-off-by: ike <developer@ikewat.com>
2020-02-08 15:57:22 +08:00
hoijui
e1ff73877b allow to define header link generation style via environment var
Signed-off-by: hoijui <hoijui.quaero@gmail.com>
2019-10-30 17:46:38 +01:00
hoijui
cfa2ec38c5 document linkifyHeaderStyle in default.js
Signed-off-by: hoijui <hoijui.quaero@gmail.com>
2019-10-30 17:46:17 +01:00
hoijui
e654ca8a31 Allow to generate lower case header references through the config
This makes the references consistent/compatible with GitHub,
GitLab, Pandoc and many other tools.

This behavior can be enabled in config.json with:

```
"linkifyHeaderStyle": "gfm"
```

Signed-off-by: hoijui <hoijui.quaero@gmail.com>
2019-10-22 09:05:37 +02:00
Erik Michelson
9e1cc2159f
Updated forbiddenNoteIDs
Signed-off-by: Erik Michelson <erik@liltv.de>
2019-09-18 22:54:08 +02:00
Sheogorath
529075fd67
Merge pull request #168 from dargmuesli/fix/docker-secret-buffer
Config: Return String Instead Of Buffer For Docker Secrets
2019-09-03 18:11:47 +02:00
Jonas Thelemann
0be784351d
Docker Secrets: Use Encoding Parameter Directly
Signed-off-by: Jonas Thelemann <e-mail@jonas-thelemann.de>
2019-09-03 17:58:58 +02:00
Jonas Thelemann
3d9c97fc65
Config: Return String Instead Of Buffer For Docker Secrets
Prevents "TypeError: Cannot freeze array buffer views with elements".

Signed-off-by: Jonas Thelemann <e-mail@jonas-thelemann.de>
2019-09-03 00:28:44 +02:00
Jonas Thelemann
326b38dff9
Docker Secrets: Correct Source Path
Signed-off-by: Jonas Thelemann <e-mail@jonas-thelemann.de>
2019-09-02 18:45:16 +02:00
Sheogorath
2e627099d8
Merge pull request #32 from codimd/aws-endpoints
make aws s3 endpoint configurable
2019-09-02 18:50:29 +03:00
Sheogorath
c178947402
Disable PDF export due to security issue
As a temporary fix, to keep you and your users save, this patch disables
the PDF export feature. Details of the attack along with a fix for
future versions of CodiMD will be released in future.

I hope you can live with this solution for this release because I'm
super short on time and the alternative would be to ship no fix at all.
This appears to be the better solution for this release.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2019-08-15 23:14:54 +02:00
Sheogorath
c07ae7eda1
Fix variable names for docker secrets
It seems like since we switched to camelcase we missed to update some
variable names in the config section. This patch fixes those.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2019-08-15 23:14:53 +02:00
Jonas Thelemann
cc78dd0428
Docker Secrets: Add DB URL Support
As the connection string may include a password it should be supported by Docker Secrets.

Signed-off-by: Jonas Thelemann <e-mail@jonas-thelemann.de>
2019-07-01 19:43:42 +02:00
Sheogorath
4da68597f7
Fix eslint warnings
Since we are about to release it's time to finally fix our linting. This
patch basically runs eslint --fix and does some further manual fixes.
Also it sets up eslint to fail on every warning on order to make
warnings visable in the CI process.

There should no functional change be introduced.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2019-05-31 00:30:29 +02:00
Sheogorath
6c62efae2a
Add config for toobusy middleware
With very low CPU frequency or bad IO situation, as well as not-loaded
JS CodiMD happens to present unneeded "I'm busy"-messages to users.

This patch allows to configure the lag. The default is taken from the
libray but set in our own default configs.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2019-05-25 21:08:38 +02:00
Dylan Dervaux
208070d2e7
Add lutim support
Signed-off-by: Dylan Dervaux <dylanderv05@gmail.com>
2019-04-10 01:37:12 +02:00
Emmanuel Ormancey
df53f465c0
Added a configuration option for passport-saml:
disableRequestedAuthnContext: true|false

By default only Password authmethod is accepted, this option allows any other method.

Issue and option described here:
https://github.com/bergie/passport-saml/issues/226

Signed-off-by: Emmanuel Ormancey <emmanuel.ormancey@cern.ch>
2019-04-06 17:54:58 +02:00
Sheogorath
7cde6958f3
Update links to new repositories
After a long discussion, it turned out that CodiMD as community project
and HackMD as a company, have fundamental different views on the project
governance.

Due to this, it came to point where the decision for a fork was made.
After the fork and move towards an own organisation, this patch updates
all links inside the project to the new repositories.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2019-03-27 19:31:34 +01:00
Sheogorath
bcb7972607
Fix shown but broken GitLab snippets
To provide a GitLab integration we need the GitLab integration to be
configured. Otherwise we shouldn't show the Snippet button.

This patch adds the requirement to the variable that decides if the
import from snippets button shows up or not.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2019-03-05 18:16:04 +01:00
Sheogorath
b51a048777
Fix wrong value type for HSTS environment variable
Seem like also environment variables are affected. This patch fixes that
as well.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2019-03-04 17:13:43 +01:00
Mathias Merscher
9613197f5d
make aws s3 endpoint configurable
Signed-off-by: Mathias Merscher <Mathias.Merscher@dg-i.net>
2019-02-11 17:45:24 +01:00
Sheogorath
806f403045
Disable OpenID by default
We talked about that during a community call. It turned out that not
everyone likes to have OpenID on their instance.

This patch disables OpenID by default.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2019-01-25 19:31:34 +01:00
Daan Sprenkels
8835a09d95 Update upload provider error message
Fixes #1107.

Signed-off-by: Daan Sprenkels <hello@dsprenkels.com>
2018-12-21 15:30:06 +01:00
Sheogorath
a4941be3de
Warn on missing serverURL
We see some issues that are based on not properly configured
`config.serverURL`.

This patch adds a warning when `config.serverURL` is an empty value.
This should provide users direct feedback about how to improve their
configs.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-11-28 14:38:49 +01:00
Sheogorath
0aa3116805
Fix wrong maxAgeSeconds multiplication
It seems like the inital work on the hsts module expected milliseconds.
This has either changed or was never true. Either way, it caused that
the current defaults resulted in theory in a 1000 year HSTS policy.
Luckily helmet was smart enough to not go higher than 1 year.

Anyway, this patch fixes the multiplication of the configured size with
1000 by removing this multiplication.

Also to simplify the reading of the defaults, we split them into their
components, 60 times 60 seconds so we get one hour. 24 of those hours so
we get a day and finally 365 days to get our original wanted default of
one year.

Reference:
d69d65ea74
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-11-19 22:01:54 +01:00
Christoph (Sheogorath) Kern
5f0d04334b
Merge pull request #1053 from dsprenkels/robots.txt
Disallow creation of robots.txt in freeurl
2018-11-17 13:30:06 +01:00
Daan Sprenkels
4bd8d7eb91 Disallow creation of robots.txt in freeurl
Add a configuration setting to "hard"-disable creation of notes as
set by the configuration value. This defaults to `['robots.txt',
'favicon.ico']`, because these files are often accidentally created
by bots and browsers.

This commit fixes #1052.

Signed-off-by: Daan Sprenkels <hello@dsprenkels.com>
2018-11-17 13:23:03 +01:00
Sheogorath
c3584770f2
Upgrade winston
Our log library got a new major version which should be implemented.

That's exactly what this patch does. Implementing the new version of the
logging library.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-11-14 00:47:11 +01:00
Christoph (Sheogorath) Kern
4a39017fe0
Merge pull request #1051 from SISheogorath/feature/fullversion
Fix wrong reading from commit
2018-11-12 14:21:03 +01:00
Sheogorath
4b0528ac4f
Fix wrong reading from commit
Right now we use a substr after reading the commit. That's definitely
wrong and leads to wrong commit hashes since the first 5 chars are
missing.

This patch removes the substr usage here and this way fixes the
generated links.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-11-12 11:18:38 +01:00