This patch removes the call of `/usr/bin/env` when calling the migration
script in favour of using the processes own nodejs invocation path.
This should drop the requirement for `/usr/bin/env` to exist on a
system/in a container that runs hedgedoc.
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
minio 7.0.27 requires node < 16.8, breaking compatibility with the
latest LTS version.
We downgrade minio until a fixed version is available.
https://github.com/minio/minio-js/issues/1017
Signed-off-by: David Mehren <git@herrmehren.de>
The snippet export broke due to two reasons.
First of all, the request to GitLab fail in the
default configuration due to the CSP not being
set properly. This commit adds the configured
GitLab base url to the connect-src directives.
The second problem is a change in the GitLab API
spec. Instead of `code` and `file_name` the
GitLab API now requires an `files` array with
`content` and `file_path` entries per snippet.
Signed-off-by: Erik Michelson <github@erik.michelson.eu>
This patch adds an own filename function for `formidable`, which will
make sure to generate a random file name, using UUIDv4. This should
resolve GHSA-q6vv-2q26-j7rx.
This change is required due to a change in behaviour from version 1 to
version 2 of formidable. Formidable version 2 will generate predictable
filenames by default, which results in potential access to images, that
were uploaded while formidable v2 was used in Hedgedoc. This affects the
versions `1.9.1` and `1.9.2`.
Files generated previous to this commit will look like this:
```
<random string generated on app start><counter>.<file-extension>
38e56506ec2dcab52e9282c00.jpg
38e56506ec2dcab52e9282c01.jpg
38e56506ec2dcab52e9282c02.jpg
```
After this patch it'll look like this:
```
<uuid v4>.<file-extension>
a67f36b8-9afb-43c2-9ef2-a567a77d8628.jpg
56b3d5d0-c586-4679-9ae6-d2044843c2cd.jpg
2af727ac-a2d4-4aad-acb5-73596c2a7eb6.jpg
```
This patch was implemented using `uuid` since we already utilise this
package elsewhere in the project as well as using a secure function to
generate random strings. UUIDv4 is ideal for that. In order to be
consumable by formidable, it was wrapped in a function that makes sure
to keep the file extension.
This vulnerability was reported by Matias from [NCSC-FI](https://www.kyberturvallisuuskeskus.fi/).
References:
https://github.com/node-formidable/formidable/blob/v2-latest/src/Formidable.js#L574https://github.com/node-formidable/formidable/issues/808#issuecomment-1007090762https://www.npmjs.com/package/uuid
The hex2rgb function seems to previously have been available globally.
It probably got lost in the great Webpack refactoring and nobody noticed
that.
This copies the function into its own file (to make importing it easy)
and adds an import in index.js.
Fixes https://github.com/hedgedoc/hedgedoc/issues/2248
Signed-off-by: David Mehren <git@herrmehren.de>
