Commit graph

2465 commits

Author SHA1 Message Date
Erik Michelson
e4214f32a0
Fixed meta parsing of lang-attribute for using it in the published-view
Signed-off-by: Erik Michelson <github@erik.michelson.eu>
2020-07-04 03:37:19 +02:00
Erik Michelson
ee4210a511 Added dynamic lang-attr to pretty.ejs
CodiMD currently only uses the 'lang' attribute in YAML-metadata of a note for setting certain js-elements of the markdown-renderer. This commit adds the chosen lang into the published version of a note.

Signed-off-by: Erik Michelson <github@erik.michelson.eu>
2020-07-03 00:06:03 +02:00
Sheogorath
3cc957a88b
Upgrade LDAP-auth to fix RCE in ldapauth dependency
Synk reported an Remote Code Execution vulnerability for the
passport-ldapauth dependency `bunyan`. This RCE is due to wrong command
sanitizing but doesn't only affects the executable the libary provides.
It has no impact on CodiMD.

This patch just updates passport-ldapauth since it's long overdue anyway
and to silence annoying security scanners that pretend this is rather
critical for us.

Reference:
ea21d75f54
https://app.snyk.io/vuln/SNYK-JS-BUNYAN-573166
2020-06-27 13:04:54 +02:00
Sheogorath
c789b71cc3
Merge pull request #423 from codimd/SuperSandro2000-patch-1
Fix browser logo links
2020-06-26 10:55:45 +02:00
Sandro
e95de9b102
Fix browser logo links
Signed-off-by: Sandro Jäckel <sandro.jaeckel@gmail.com>
2020-06-26 09:48:24 +02:00
Sheogorath
5c45b35a82
Merge pull request #419 from vberger/master
Backport of #278 for 1.6.1
2020-06-23 16:49:38 +02:00
Victor Berger
5f3a1b6266 Backport of #278 for 1.6.1
This is a backport of #278 with the default value of `scope` changed to
`undefined`. This is thus a fully backward-compatible change.

Signed-off-by: Victor Berger <victor.berger@m4x.org>
2020-06-20 16:48:25 +02:00
Sheogorath
0ef5261e61
Merge pull request #398 from gramakri/patch-1
Update Cloudron docs
2020-06-20 14:58:05 +02:00
Sheogorath
01dcce23e8
Merge pull request #416 from oupala/patch-2
fix: outdated internal links in documentation
2020-06-20 13:45:48 +02:00
oupala
1ea99b0ec2 fix: outdated internal links in documentation
Signed-off-by: oupala <oupala@users.noreply.github.com>
2020-06-20 11:44:29 +02:00
Sheogorath
20a1563d7f
Merge pull request #414 from dalcde/config
Fix docs/configuration formatting
2020-06-19 02:11:02 +02:00
Dexter Chua
aba68eb39a Fix docs/configuration formatting
Signed-off-by: Dexter Chua <dalcde@yahoo.com.hk>
2020-06-19 06:23:23 +08:00
Sheogorath
c07a107b1f
Merge pull request #404 from oupala/master
improve documentation about configuration
2020-06-18 11:13:09 +02:00
oupala
46e86b1be3 refactor: move some documentation
Signed-off-by: oupala <oupala@users.noreply.github.com>
2020-06-17 15:33:55 +02:00
oupala
712e2194f4 fix: document CMD_S3_ENDPOINT ENV variable
fix #349

Signed-off-by: oupala <oupala@users.noreply.github.com>
2020-06-17 10:54:12 +02:00
oupala
65fc44e32f refactor: lint markdown
Signed-off-by: oupala <oupala@users.noreply.github.com>
2020-06-17 10:54:12 +02:00
oupala
e46d520ca2 doc: merge configuration-config-file.md and configuration-env-vars.md to configuration.md
Signed-off-by: oupala <oupala@users.noreply.github.com>
2020-06-17 10:54:12 +02:00
Sheogorath
3436d118e5
Merge pull request #400 from david-sawatzke/fix-anonymous-edits-docu
Fix allow anonymous edit documentation
2020-06-13 11:26:29 +02:00
David Sawatzke
c5ff30c5a1 Fix allow anonymous edit documentation
The default is false and the option only matters if allowAnonymous is true

Signed-off-by: David Sawatzke <d-git@sawatzke.dev>
2020-06-12 22:17:43 +02:00
Girish Ramakrishnan
8319c19aa5 Update Cloudron docs
Added a link to the demo and source code repo

Signed-off-by: Girish Ramakrishnan <girish@cloudron.io>
2020-06-12 11:23:10 -07:00
Sheogorath
3d1fab0512
Relax cookie restrictions to 'lax' to allow frontend to work
Our frontend requests the `/me` pathname in order to determine whether
it's logged in or not. Due to the fact that the sameSite attribute of
the session cookie was set to `strict` in a previous commit, the session
token was no longer sent along with HTTP calls initiated by JS. This is
due to the RFCs definition of "safe" HTTP calls in RFC7231.

The bug triggers the UI to show up like an unauthenticated user, even
after a successful login. In order to debug it a look into the send
cookies to the `/me` turned out to be very enlightening.

The fix this patch implements is rather simple, it replaces the sameSite
attribute to `lax` which enables the cookies for those requests again.

Some older and mobile clients were unaffected by this due to the lack of
implementations of sameSite policies.

References:
https://tools.ietf.org/html/rfc7231#section-4.2.1
https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis-05#section-5.3.7.1
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite
e77e7b165a

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2020-06-10 15:16:32 +02:00
Sheogorath
8cf3b50ee9
Fix broken cookie handling due to missing proxy awareness
We enabled the `secure` flag for various cookies in previous commits.
This caused setups behind reverse proxies to drop cookies as the nodejs
instance wasn't aware of the fact that it was able to hand out secure
commits using an insecure connection (between the codimd instance and
the reverse proxy).

This patch makes express, the webserver framework we use, aware of
proxies and this way re-enabled the handing out of cookies. Not only the
cookie monster will enjoy, but also functionality like authentication
and real-time editing will return as intended.

References:
https://www.npmjs.com/package/express-session#cookiesecure
383d791a50

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2020-06-10 12:26:23 +02:00
Sheogorath
d6ce60c86e
Upgrade pg to fix node version 14 compatibility
As @davidmehren figured out, the problem that NodeJS version 14 gets
stuck while CodiMD is starting, was due to the outdated postgres
dependency. The old pg version doesn't work with node version 14 due to
an undocumented API change in the `readyState` in the socket API.

This patch updates the required dependency and this way resolves the
issue.

Reference:
https://github.com/sequelize/sequelize/issues/12158
149f482324

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2020-06-09 20:26:51 +02:00
Sheogorath
2890022d4d
Merge branch 'fix/sessionCookies' 2020-06-08 16:30:26 +02:00
Sheogorath
7e02a92c45
Merge branch 'pr-upstream-389' 2020-06-08 16:27:56 +02:00
Sheogorath
cdd18aebfd
Remove unused socket.io cookie
The socket.io cookie doesn't really have any purpose as it's no longer
user in modern socket.io versions. This patch disables it.

References:
https://github.com/socketio/socket.io/issues/2276
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2020-06-08 16:10:00 +02:00
Sheogorath
383d791a50
Ensure session cookies are secure
While HSTS should take care of most of this, setting cookies to be
secure, and only applied on same site helps to improve situations where
for whatever reason, downgrade attacks are still a thing.

This patch adds the `sameSite` and `secure` to the session cookie and
this way prevent all accidents where a browser may doesn't support HSTS
or HSTS is intentionally dropped.

Reference:
https://www.npmjs.com/package/express-session#cookiesecure

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2020-06-08 16:09:49 +02:00
David Mehren
2215da9431
Disable unneeded 'io' cookie.
According to https://github.com/socketio/socket.io/issues/2276 this cookie is not used for anything. To avoid browser warnings about the sameSite attribute, we disable it here.

Signed-off-by: David Mehren <dmehren1@gmail.com>
2020-06-08 15:52:08 +02:00
David Mehren
e77e7b165a
Set all cookies with sameSite: strict
Modern browsers do not support (or will stop supporting) sameSite: none (or no sameSite attribute) without the Secure flag. As we don't want everyone to be able to make requests with our cookies anyway, this commit sets sameSite to strict. See https://developer.mozilla.org/de/docs/Web/HTTP/Headers/Set-Cookie/SameSite

Signed-off-by: David Mehren <dmehren1@gmail.com>
2020-06-08 15:27:31 +02:00
Sheogorath
49de5f5bd6
Merge pull request #375 from codingHahn/fix-checksums
Fix checksums of mermaid
2020-05-28 18:06:30 +02:00
Nick Hahn
043f2c3193 Fix checksums of mermaid
Signed-off-by: Nick Hahn <nick.hahn@posteo.de>
2020-05-28 14:06:33 +02:00
Sheogorath
407c53b9d9
Merge pull request #373 from codingHahn/update-mermaid
Update to mermaid 8.5.1
2020-05-27 19:42:28 +02:00
Nick Hahn
26144a5091 Update all other dependencies
because I can't figure out how to just update mermaid

Signed-off-by: Nick Hahn <nick.hahn@posteo.de>
2020-05-27 14:10:19 +02:00
Nick Hahn
ae7772a3f3 Update to mermaid 8.5.1
Signed-off-by: Nick Hahn <nick.hahn@posteo.de>
2020-05-27 14:06:03 +02:00
Sheogorath
54bde6b11f
Add translations for permissions
Adding translations for permissions for a possible 1.6.1 release doesn't
hurt but might helps some usecases of running CodiMD and we'll need the
translations in the new frontend anyway.

This patch adds the translations as well as the english local file.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2020-05-26 16:22:41 +02:00
Sheogorath
a9fea54db0
Upgrade jquery to 3.5.1
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2020-05-26 16:16:49 +02:00
Sheogorath
d30e022c7f
Merge pull request #344 from SuperSandro2000/fix-links-1.x
Fix redirected, outdated links and convert all to https
2020-05-17 15:01:41 +02:00
Sheogorath
4fc7f0c5a2
Merge pull request #335 from ErikMichelson/docs/url-scheme
Add document explaining different URLs
2020-05-10 17:14:14 +02:00
Sheogorath
b79341f406
Merge pull request #347 from codimd/backport-345
findNoteOrCreate: Create new note with empty string instead of `null`
2020-04-28 18:40:39 +02:00
Sandro
4c0094a1f8
findNoteOrCreate: Create new note with empty string instead of null
Backport of #345 to 1.x

Signed-off-by: Sandro Jäckel <sandro.jaeckel@gmail.com>
2020-04-28 00:56:35 +02:00
Sandro Jäckel
91b2e4c9ef
Update outdated links
Signed-off-by: Sandro Jäckel <sandro.jaeckel@gmail.com>
2020-04-26 21:57:43 +02:00
Sandro Jäckel
24f388a7c4
Update all links with https
Signed-off-by: Sandro Jäckel <sandro.jaeckel@gmail.com>
2020-04-26 21:57:42 +02:00
Erik Michelson
2e7488870e
Add document explaining different URLs
Signed-off-by: Erik Michelson <erik@liltv.de>
2020-04-25 01:27:07 +02:00
Sheogorath
68174c0c6f
Merge pull request #309 from margau/master
Make "transform-style: preserve-3d;" screen-only.
2020-04-21 14:31:39 +02:00
Sheogorath
49e8be44e1
Merge pull request #321 from codimd/snyk-fix-36a009650e9001b5861c54337c2b192d
[Snyk] Security upgrade jquery from 3.4.1 to 3.5.0
2020-04-16 15:49:06 +02:00
snyk-bot
dae60e784d fix: package.json & yarn.lock to reduce vulnerabilities
The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-JQUERY-565129
2020-04-14 05:36:30 +00:00
Marvin Gaube
70b8b78f96 Make "transform-style: preserve-3d;" screen-only.
Signed-off-by: Marvin Gaube <dev@marvingaube.de>
2020-03-23 20:57:06 +01:00
Sheogorath
9425caf6c3
Merge pull request #305 from ErikMichelson/fix/eslint
Fixed eslint errors in cleanup-script
2020-03-22 00:19:18 +01:00
Erik Michelson
e0f729e014
Fixed eslint errors (whitespaces)
Signed-off-by: Erik Michelson <erik@liltv.de>
2020-03-21 23:27:00 +01:00
Sheogorath
f42304c967
Clean up all foreign-key constraints
This patch cleans up the remaining possible foreign-key constraint. This
case seem to appear, when notes are deleted, but due to missing database
contraints not their authroships.

This function should clean that up as well and complete the preparation
for the new db contraints.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2020-03-21 21:05:52 +01:00