Commit graph

623 commits

Author SHA1 Message Date
David Mehren
bd44cbc16c
Add config option to disallow framing via CSP
Signed-off-by: David Mehren <git@herrmehren.de>
2021-08-15 00:22:30 +02:00
David Mehren
9499add64c
Tighten up default Content-Security-Policy
This commit changes the
- default-src to none, so everything is disallowed by default
- base-uri, connect-uri and font-src to self,
  so these are restricted to the current origin
- frame-src to allow SlideShare, Vimeo and YouTube
- script-src to the specific paths that are used by HedgeDoc to serve scripts.
  This explicitly does not include the /uploads route
 - style-src to the specific paths that are used by HedgeDoc to serve styles
 -

Signed-off-by: David Mehren <git@herrmehren.de>
2021-08-15 00:22:30 +02:00
David Mehren
8b69ac1bcf
Fix unescaped line break in git output
Signed-off-by: David Mehren <git@herrmehren.de>
2021-08-15 00:16:46 +02:00
David Mehren
cc76201cfb
Merge pull request #1533 from hedgedoc/feature/database-env
feat(config): Improve configurability of database by env
2021-08-14 23:41:58 +02:00
David Mehren
de64142511
Merge pull request #1540 from hedgedoc/fix/get_git_commit 2021-08-14 21:47:18 +02:00
Sheogorath
c025d6abee
fix(image-upload): Fix swallowing of errors for filesystem
This patch fixes the swollowing of the actual error message that appears
when a file fails to move, after being uploaded to Hedgedoc on an
instance that is using the upload-method `filesystem` active.

This became apparent when the error messages provided by some users,
where less than helpful.

As a solution the error message of the copy command was added to the
error that is output to the console.

https://community.hedgedoc.org/t/image-upload-fail-docker/439

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2021-08-14 20:04:08 +02:00
David Mehren
b719ce79db
Fix crash while getting current git commit
HedgeDoc crashed with
`uncaughtException: ENOENT: no such file or directory`
on startup, when `.git/ref/heads` did not contain
a file for the current branch. This seems to happen
regularly with current Git versions.

This fixes the crash by first trying to use the `git` executable for
getting the current commit SHA (before running our own parsing code)
and introducing a separate check to prevent accessing a nonexistent
file in `.git/ref/heads`.

Signed-off-by: David Mehren <git@herrmehren.de>
2021-08-14 16:08:55 +02:00
Sheogorath
1428a8e006
feat(config): Improve configurability of database by env
This patch implements 6 additional environment variables that are used
for configuration of the database in order to allow easier configuration
in containerised environments, such as Kubernetes.

An example is the upcoming deployment of the demo instance that will use
an operator-backed postgresql database. This operator exposes username
and password as separate variables and while it's obviously possible to
generate a dbURL from that, this won't be possible without additional
code. Aiming for a solution in Hedgedoc itself, will help us to enable
other people in using Hedgedoc on Kubernetes without resulting in overly
customised setups for simple tasks like this.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2021-08-13 01:58:53 +02:00
Matej Cotman
65fac143f6 fix(s3): replace dash with dot for s3 endpoint
According to the AWS documentation there is no situation that there is a dash in `s3-<region>.amazonaws.com`, the correct way is with a dot `s3.<region>.amazonaws.com`
Source: https://docs.aws.amazon.com/general/latest/gr/s3.html

Signed-off-by: Matej Cotman <matej.cotman@eficode.com>
2021-08-04 16:09:08 +03:00
David Mehren
84571ac0e8
Merge pull request #1474 from hedgedoc/failing-migrations-notice
[1.x] Add help link and short explanation for failing migrations
2021-08-01 18:22:37 +02:00
Erik Michelson
95a8b5c5be
Add help link and short explanation for failing migrations
See #1419

Signed-off-by: Erik Michelson <github@erik.michelson.eu>
2021-07-21 00:06:07 +02:00
Erik Michelson
90c5ab0833
Exclude /metrics and /status routes from session initialization
This commit adds a `useUnless` helper method which can be used as a middleware for express.
It receives an express-middleware and an array of paths.
When a request matches one of the given paths, this middleware does nothing.
Otherwise the given middleware is called.

For the express-session middleware this helper middleware is used to avoid session creation on purely status routes.
See #1446

Signed-off-by: Erik Michelson <github@erik.michelson.eu>
2021-07-20 23:56:54 +02:00
Yannick Bungers
1d082ae827
Merge pull request #1369 from hedgedoc/feature/remove_unsafe_eval 2021-06-08 22:16:07 +02:00
David Mehren
3cd169a650
Remove unsafe-eval from default CSP
As script-loader was removed in the previous commits,
we can finally tighten up security.

Signed-off-by: David Mehren <git@herrmehren.de>
2021-06-07 23:04:45 +02:00
David Mehren
7283ccd5e8
Allow configuring Disqus & GA CSP with env vars
Signed-off-by: David Mehren <git@herrmehren.de>
2021-06-07 22:57:12 +02:00
David Mehren
52231f688d
Disable GA and Disqus in default CSP
Signed-off-by: David Mehren <git@herrmehren.de>
2021-06-07 22:57:12 +02:00
David Mehren
7f3c04c9fc
SAML: Use privateKey option
The old `privateCert` option was removed in
https://github.com/node-saml/passport-saml/pull/569

Signed-off-by: David Mehren <git@herrmehren.de>
2021-05-17 18:46:00 +02:00
David Mehren
f552b14e11
Sanitize username and photo URL
HedgeDoc displays the username and user photo at various places
by rendering the respective variables into an `ejs` template.
As the values are user-provided or generated from user-provided data,
it may be possible to inject unwanted HTML.

This commit sanitizes the username and photo URL by passing them
through the `xss` library.

Co-authored-by: Christoph (Sheogorath) Kern <sheogorath@shivering-isles.com>
Signed-off-by: David Mehren <git@herrmehren.de>
2021-05-09 19:28:44 +02:00
David Mehren
aece96f539
Automatically enable protocolUseSSL when useSSL is set
This makes the behavior consistent with the docs and
 saves the user from having to both set
 `useSSL` and `protocolUseSSL`.

Signed-off-by: David Mehren <git@herrmehren.de>
2021-05-06 21:19:14 +02:00
David Mehren
0b61f48129
Fix upgradeInsecureRequests CSP directive
The `upgradeInsecureRequests` option of Helmets CSP middleware
was a boolean in Helmet 3, but with Helmet 4,
everything changed to lists.
This commit adjusts the addUpgradeUnsafeRequestsOptionTo
function accordingly.

Closes #1221

See also https://github.com/helmetjs/helmet/tree/v4.6.0/middlewares/content-security-policy

Signed-off-by: David Mehren <git@herrmehren.de>
2021-05-04 11:10:53 +02:00
Erik Michelson
e54236d057
Remove unneeded polyfill
This polyfill was added because node versions less than 10.5.0 didn't include scrypt support. As we now raised the minimum required version to 12.0.0, this polyfill isn't needed anymore.

Signed-off-by: Erik Michelson <opensource@erik.michelson.eu>
2021-04-26 17:05:20 +02:00
David Mehren
59f669e593
Merge pull request from GHSA-p528-555r-pf87
Fix Relative Path Traversal Attack on note creation
2021-04-25 21:28:18 +02:00
Sheogorath
44b7f607a5
Fix Relative Path Traversal Attack on note creation
Impact
---

An attacker can read arbitrary `.md` files from the server's filesystem due to an [improper input validation](https://cwe.mitre.org/data/definitions/20.html), which results in the ability to perform a [relative path traversal](https://cwe.mitre.org/data/definitions/23.html).

CVSSv3 string: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

PoC / Quicktest
---

To verify if you are affected, you can try to open the following URL: `http://localhost:3000/..%2F..%2FREADME#` (replace `http://localhost:3000` with your instance's base-URL e.g. `https://demo.hedgedoc.org/..%2F..%2FREADME#`).
- If you see a README page being rendered, you run an affected version.

Analysis
---

The attack works due the fact that [the internal router, passes the url-encoded alias](https://github.com/hedgedoc/hedgedoc/blob/master/lib/web/note/router.js#L26) to the `noteController.showNote`-function. This function passes the input directly to [`findNote()`](78a732abe6/lib/web/note/util.js (L10)) utility function, that will pass it on the the [`parseNoteId()`](78a732abe6/lib/models/note.js (L188-L258))-function, that tries to make sense out of the noteId/alias and check if a note already exists and if so, if a corresponding file on disk was updated.

If no note exists the [note creation-function is called](78a732abe6/lib/models/note.js (L240-L245)), which pass this unvalidated alias, with a `.md` appended, into a [`path.join()`-function](78a732abe6/lib/models/note.js (L99)) which is read from the filesystem in the follow up routine and provides the pre-filled content of the new note.

This allows an attacker to not only read arbitrary `.md` files from the filesystem, but also  observes changes to them.

The usefulness of this attack can be considered limited, since mainly markdown files are use the file-ending `.md` and all markdown files contained in the hedgedoc project, like the README, are public anyway. If other protections such as a chroot or container or proper file permissions are in place, this attack's usefulness is rather limited.

Workarounds
---
On a reverse-proxy level one can force a URL-decode, which will prevent this attack because the router will not accept such a path.

For more information
---

If you have any questions or comments about this advisory:
* Open an topic on [our community forum](https://community.hedgedoc.org)
* Join our [matrix room](https://chat.hedgedoc.org)

Advisory link
---

https://github.com/hedgedoc/hedgedoc/security/advisories/GHSA-p528-555r-pf87

Signed-off-by: Christoph (Sheogorath) Kern <sheogorath@shivering-isles.com>
2021-04-25 20:40:17 +02:00
David Mehren
5c70cc021f
Add custom prometheus metrics
This reuses the `realtime.getStatus` method to get the state of the
application state on every prometheus scrape cycle.

Signed-off-by: David Mehren <git@herrmehren.de>
2021-04-25 20:06:56 +02:00
Philip Molares
f34d927e8c ImageRouterImgur: Replace imgur library with note-fetch request
This kinda is a backport of https://github.com/hedgedoc/hedgedoc/pull/961

Signed-off-by: Philip Molares <philip.molares@udo.edu>
2021-04-22 21:23:27 +02:00
Erik Michelson
f948de1d48
Remove yahoo domain from default CSP rules
Signed-off-by: Erik Michelson <opensource@erik.michelson.eu>
2021-03-29 23:35:12 +02:00
Yannick Bungers
1534d7029b
Merge pull request #1079 from hedgedoc/fix/mimeTypes 2021-03-29 23:14:53 +02:00
Erik Michelson
dcea082286
Add better logging messages
Signed-off-by: Erik Michelson <opensource@erik.michelson.eu>
2021-03-29 23:07:11 +02:00
Erik Michelson
124b064252
Check for existing notes on POST and dont override them
Previously one could override notes in FreeURL-mode by sending multiple POST requests to the /new/<alias> endpoint. This commit adds a check for an already existing note with the requested alias and returns a HTTP 409 Conflict error in case that happens.

Signed-off-by: Erik Michelson <opensource@erik.michelson.eu>
2021-03-29 23:00:34 +02:00
Philip Molares
5dbe99b4c7 ImageUpload: Fix errors with .jpeg and .svg
This checks all files that claim to be an svg (by their extension) that they really are and defines the typeFromMagic accordingly
Files that got identified as jpg, but have the extension .jpeg get their extension fixed.
The files extensions will work in all cases now.

Signed-off-by: Philip Molares <philip.molares@udo.edu>
2021-03-29 22:38:42 +02:00
Philip Molares
be3eee1603 Config: Remove image/jpg
This was done because both .jpg and .jpeg get the mime type 'image/jpeg' by FileType

Signed-off-by: Philip Molares <philip.molares@udo.edu>
2021-03-28 22:28:35 +02:00
Erik Michelson
731fb24500
Replace request library with node-fetch
Signed-off-by: Erik Michelson <github@erik.michelson.eu>
2021-03-12 22:27:49 +01:00
David Mehren
0db862f3c9
Run database migrations automatically on startup
This commit removes the need for separate migrations with the sequelize-cli
by running them with umzug on application startup.

This is a port of #384

Co-authored-by: Sheogorath <sheogorath@shivering-isles.com>
Signed-off-by: David Mehren <git@herrmehren.de>
2021-02-27 21:33:05 +01:00
David Mehren
d98393e431
Merge pull request #889 from hedgedoc/renovate/master-uuid-8.x 2021-02-25 20:49:03 +01:00
Erik Michelson
7e597226ec
Add HTTP 404 error on non-existent note downloads
When FreeURL mode is enabled and you called the /download route, the note was created and the user redirected to the blank note.
This is caused because the findNote method automatically creates a note when no existing one is found.
This commit adds a new parameter to the findNote method which allows to disable this behaviour. In that case a HTTP 404 error will be returned.

Signed-off-by: Erik Michelson <github@erik.michelson.eu>
2021-02-17 22:02:47 +01:00
David Mehren
67cb3c89f5
Use new uuid export
Signed-off-by: David Mehren <git@herrmehren.de>
2021-02-16 22:25:38 +01:00
Philip Molares
136d895d15 Linter: Fix all lint errors
Signed-off-by: Philip Molares <philip.molares@udo.edu>
2021-02-15 12:15:14 +01:00
David Mehren
252141560f
Switch to minio v7 API
The secure parameter is now called useSSL
https://github.com/minio/minio-js/releases/tag/7.0.0

Signed-off-by: David Mehren <git@herrmehren.de>
2021-02-12 23:11:37 +01:00
David Mehren
4655e9c785
Fix SAML auth error logging
As stated in https://github.com/node-saml/passport-saml/blob/master/CHANGELOG.md#v200-2020-11-03
and the corresponding PR https://github.com/node-saml/passport-saml/pull/412
passport-saml now always throws error objects instead of strings.
This fixes our error logging to accommodate this change.

Signed-off-by: David Mehren <git@herrmehren.de>
2021-02-11 22:00:22 +01:00
Erik Michelson
3808c08c2d
Fix note creation in FreeURL mode not using template
As explained in #391, the previous note creation logic didn't handle the case "alias is set, but it's not a file on disk". The fix introduces a separate if-statement for this scenario at the cost of a doubled filesystem read access.

Co-Authored-By: @evanlinde
Signed-off-by: Erik Michelson <github@erik.michelson.eu>
2021-02-02 00:38:54 +01:00
Nicolas Dietrich
ad056d7dbb Don't add new config option in hackmd compatibility layer
Signed-off-by: Nicolas Dietrich <nidi@mailbox.org>
2021-01-23 16:20:03 +01:00
Nicolas Dietrich
5e269e4af9 Keep JS and env varibale name in sync (requireFreeURLAuthentication)
Signed-off-by: Nicolas Dietrich <nidi@mailbox.org>
2021-01-23 14:14:47 +01:00
Nicolas Dietrich
497569fee4 Add config option which requires authentication in FreeURL mode
This mitigates unintended note creation by bots or humans through a
simple GET call.

See discussion in #754.

Signed-off-by: Nicolas Dietrich <nidi@mailbox.org>
2021-01-22 16:52:49 +01:00
Nicolas Dietrich
3331c0947c Minor refactoring of freeURL condition check
Signed-off-by: Nicolas Dietrich <nidi@mailbox.org>
2021-01-22 16:52:49 +01:00
David Mehren
6932cc4df7
Always save uploads to a tmpdir first and cleanup afterwards
This makes sure no unintended files are permanently saved.

Co-authored-by: Yannick Bungers <git@innay.de>
Signed-off-by: David Mehren <git@herrmehren.de>
2020-12-27 19:51:14 +01:00
David Mehren
cf4344d9e0
Improve MIME-type checks of uploaded files
This commit adds a check if the MIME-type of the uploaded file (detected using the magic bytes) matches the file extension.

Signed-off-by: David Mehren <git@herrmehren.de>
2020-12-27 19:51:12 +01:00
Sheogorath
f83e4d66ed
Rework error messages for image uploads
This patch reworks the error messages for image uploads to make more
sense.

Instead of using the current `formidable error` for everything, all
custom error detection now provide the (hopefully) more useful `Image
Upload error` prefix for error messages.

Signed-off-by: Christoph Kern <sheogorath@shivering-isles.com>
2020-12-27 19:51:02 +01:00
Sheogorath
d097211c54
Fix unauthenticated file uploads
This patch fixes the issue of unauthenticated users, being able to
upload files, even when anonymous edits are disabled.

It's implemented by blocking uploads when either `allowAnonymous` is set
to `false` for all unauthenticated users, unless `allowAnonymousEdits`
is set to true, to make sure anonymous editors still experience the full
feature set.

Signed-off-by: Christoph Kern <sheogorath@shivering-isles.com>
2020-12-27 19:51:01 +01:00
Sheogorath
dc29a286e6
Fix arbitary file upload for uploadimage API endpoint
This patch fixes a security issue with all existing CodiMD and HedgeDoc
installation which allows arbitary file uploads to instances that expose
the `/uploadimage` API endpoint. With the patch it implies the same
restrictions on the MIME-types as the frontend does. Means only images
are allowed unless configured differently.

This issue was reported by Thomas Lambertz.

To verify if you are vulnerable or not, create two files `test.html` and
`test.png` and try to upload them to your hedgedoc installation.

```
curl -X POST -F "image=@$(pwd)/test.html" http://localhost:3000/uploadimage
curl -X POST -F "image=@$(pwd)/test.png" http://localhost:3000/uploadimage
```

Note: Not all backends are affected. Imgur and lutim should prevent this
by their own upload API. But S3, minio, filesystem and azure, will be at
risk.

Addition Note: When using filesystem instead of an external uploads
providers, there is a higher risk of code injections as the default CSP
do not block JS from the main domain.

References:
https://github.com/hedgedoc/hedgedoc/security/advisories/GHSA-wcr3-xhv7-8gxc

Signed-off-by: Christoph Kern <sheogorath@shivering-isles.com>
2020-12-27 19:51:01 +01:00
David Mehren
0989ae426e
Merge pull request #609 from hedgedoc/fix/oauth2-auth
Fix crash when OAuth2 config parameters are missing
2020-12-02 20:48:12 +01:00