Commit graph

3052 commits

Author SHA1 Message Date
Jonas Thelemann
326b38dff9
Docker Secrets: Correct Source Path
Signed-off-by: Jonas Thelemann <e-mail@jonas-thelemann.de>
2019-09-02 18:45:16 +02:00
Sheogorath
6755d1b989
Merge pull request #147 from codimd/snyk-fix-0aa72a9ec7fcf1d8b1832518c29b6f4c
[Snyk] Fix for 2 vulnerable dependencies
2019-09-02 19:25:42 +03:00
Sheogorath
c765f34d03
Merge pull request #143 from Fonata/improve-docs
Slightly improve documentation
2019-09-02 19:24:04 +03:00
Sheogorath
2e627099d8
Merge pull request #32 from codimd/aws-endpoints
make aws s3 endpoint configurable
2019-09-02 18:50:29 +03:00
Sheogorath
2b0300e2f2
Merge pull request #165 from morpheus-87/imprint-docs
Add documentation for the new imprint feature
2019-09-02 18:49:59 +03:00
Matthias Lindinger
e07f70c231 Remove useless blank line
Signed-off-by: Matthias Lindinger <m.lindinger@live.de>
2019-09-02 13:09:23 +02:00
Matthias Lindinger
eef2b57bde Add documentation for the new imprint feature
Signed-off-by: Matthias Lindinger <m.lindinger@live.de>
2019-09-02 13:05:17 +02:00
Sheogorath
a9b5b754f5
Merge pull request #158 from morpheus-87/add-imprint-link
Add link to imprint
2019-09-02 13:36:43 +03:00
Matthias Lindinger
fe2c8634d3 Add link to imprint
Signed-off-by: Matthias Lindinger <m.lindinger@live.de>
2019-08-26 14:57:44 +02:00
snyk-test
47d2b99582 fix: package.json to reduce vulnerabilities
The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-AUTOLINKER-73494
- https://snyk.io/vuln/SNYK-JS-SEQUELIZE-459751
2019-08-20 05:32:45 +00:00
Christian Bläul
d21ede4df8 Documentation: improved 'Users and Privileges' section
Signed-off-by: Christian Bläul <christian@blaeul.de>
2019-08-17 12:19:34 +02:00
Christian Bläul
3684c65f10 Documentation: improved English
Signed-off-by: Christian Bläul <christian@blaeul.de>
2019-08-17 12:14:51 +02:00
Christian Bläul
49663390d1 Not serverurl, but serverURL is used as a default for issuer
Signed-off-by: Christian Bläul <christian@blaeul.de>
2019-08-17 12:14:24 +02:00
Christian Bläul
ef857a565c Documentation: improved sessionLife description
Signed-off-by: Christian Bläul <christian@blaeul.de>
2019-08-17 11:56:31 +02:00
Christian Bläul
32f00e9830 Documentation: improved 'Email (local account)' sections
Signed-off-by: Christian Bläul <christian@blaeul.de>
2019-08-17 11:53:49 +02:00
Christian Bläul
29e1ff7699 Documentation: improved dbURL description
Signed-off-by: Christian Bläul <christian@blaeul.de>
2019-08-17 11:40:53 +02:00
Christian Bläul
60d6a6a15d Documentation: Improved descriptions of 'Users and Privileges' section
Signed-off-by: Christian Bläul <christian@blaeul.de>
2019-08-17 10:53:17 +02:00
Christian Bläul
374ee58790 Documentation: converted descriptions to sentences to allow more details
No content was added; this is just a formatting commit.

Signed-off-by: Christian Bläul <christian@blaeul.de>
2019-08-17 10:49:03 +02:00
Christian Bläul
4b392f4b12 Improved docs for YAML metadata
Signed-off-by: Christian Bläul <christian@blaeul.de>
2019-08-17 00:03:41 +02:00
Christian Bläul
305525aa0c Config documentation: Improved spelling and capitalization of services
Signed-off-by: Christian Bläul <christian@blaeul.de>
2019-08-17 00:03:37 +02:00
Christian Bläul
f49bbf4c45 Documentation of config options: Improve loglevel
Signed-off-by: Christian Bläul <christian@blaeul.de>
2019-08-17 00:03:29 +02:00
Christian Bläul
c065d45da8 Documentation of config options: Improve db
Signed-off-by: Christian Bläul <christian@blaeul.de>
2019-08-17 00:03:04 +02:00
Sheogorath
9c1665ae5b
Release version 1.5.0
2019-08-15 23:30:37 +02:00
Sheogorath
09e1584800
Update yarn.lock
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2019-08-15 23:25:30 +02:00
Sheogorath
fce0e18ad0
Add Arabic translation
Thanks to our great translators who managed to translate the major
parts of CodiMD into Arabic!

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2019-08-15 23:20:52 +02:00
Sheogorath
c178947402
Disable PDF export due to security issue
As a temporary fix, to keep you and your users safe, this patch disables
the PDF export feature. Details of the attack along with a fix for
future versions of CodiMD will be released in the future.

I hope you can live with this solution for this release because I'm
super short on time and the alternative would be to ship no fix at all.
This appears to be the better solution for this release.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2019-08-15 23:14:54 +02:00
Sheogorath
e574ae7588
Switch mysql library to mysql2
The recent sequelize upgrade introduced some other dependencies; this is
one of them. This patch replaces the old `mysql` library with `mysql2`.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2019-08-15 23:14:53 +02:00
Sheogorath
c07ae7eda1
Fix variable names for docker secrets
It seems like since we switched to camelcase we missed updating some
variable names in the config section. This patch fixes those.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2019-08-15 23:14:53 +02:00
Sheogorath
c4053ea7ce
Update meta-marked to latest version
Meta-marked 0.4.4, which we used from our git repository, contains a
RegexDOS attack in the marked dependency. The dependency was already
updated in our meta-marked repository, but not updated in yarn.

This left us still vulnerable to this ReDOS, which was able to cause a
DOS attack on the server when updating a note.

For Details:

https://github.com/markedjs/marked/releases/tag/v0.7.0
https://github.com/markedjs/marked/pull/1515

What is a ReDOS?

A ReDOS attack is a DOS attack where an attacker targets a poorly
written Regular Expression. Regular expressions try to build a tree of
all possibilities they can match in order to figure out whether the
given statement is valid or not. A ReDOS attack abuses this concept by
providing a statement that doesn't match but causes extremely huge trees
that simply lead to exhausting CPU usage.

For more details see: https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS

Credit:

Huge thanks to @bitinerant for finding this and handling it with a
responsible disclosure.

Also thanks to the `marked` team for fixing things already.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2019-08-15 23:14:48 +02:00
Sheogorath
57cfbcbd47 Update id.json (POEditor.com)
2019-08-15 23:14:28 +02:00
Sheogorath
ec83605f29
Merge pull request #141 from alangecker/fix/migration-should-return-promise
fix: migration should return promise
2019-08-12 14:40:30 +02:00
chandi
6280e92d10 fix: migration should return promise
Signed-off-by: chandi <git@chandi.it>
2019-08-12 14:13:34 +02:00
Sheogorath
478062b9aa
Merge pull request #140 from SISheogorath/docs/updateIcons
Update badge icons
2019-08-08 10:32:29 +02:00
Sheogorath
1a4a0c41a4 Update de.json (POEditor.com)
2019-08-03 18:16:00 +02:00
Sheogorath
1cc9d2e50e
Update badge icons
I just noticed that shields.io provides some nice new badges including
one explicitly for Matrix and one for Mastodon. Since those are really
our platforms, let's get them into our README. Just a cosmetic change.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2019-08-03 17:57:47 +02:00
Sheogorath
7d67566b96
Update yarn.lock
2019-08-01 20:14:48 +02:00
Salim B
5e7715a4e2
Slightly improve docker-linux-server.md
- fix typo
- add link to PhantomJS
- improve formatting

Signed-off-by: Salim B <salim@posteo.de>
2019-08-01 20:11:55 +02:00
Sheogorath
e85f4defbb
Merge pull request #114 from SISheogorath/fix/linuxServerDocs
Fix some minor quirks in the LinuxServer.io docs
2019-08-01 20:07:09 +02:00
Sheogorath
788d8ca933
Fix some minor quirks in the LinuxServer.io docs
The current documents might end up confusing people and are not
completely accessible. These minor fixes should clear up the situation,
add alt texts to all badges, explain the links at the end of the
docs, and list LinuxServer.io in the supported provider section of the
README.

Some reasoning on the change in the listing:
Since we maintain our own container image, which is for sure kept updated
on release, this is our first listing, as well as general solutions that
are built on that image, like the K8s integration.

The next listings are integrated providers which allow self-hosting, like
Cloudron, and I also consider LinuxServer.io as this kind of provider,
which try to enable people to run CodiMD on their own hardware or rented
servers in a very easy way, but using their own images.

As a third category I would look at hosted offers, like Heroku, which are
not completely SaaS but far enough away from self-hostability that
I consider them a category of their own. PaaS-based solutions are not as
FOSS-style as we want our setups to be, but of course still supported.

Finally, the manual setup. We keep it down here because we support it,
but don't recommend it in general. It's hard to upgrade and can cause
problems when dependencies are not correctly updated or people don't run
the db migrations.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2019-08-01 20:03:07 +02:00
Sheogorath
1ec083a091
Merge pull request #137 from codimd/snyk-fix-90a963f5d1c4d3e15b1c30f372c2f444
[Snyk] Fix for 1 vulnerable dependency
2019-08-01 19:59:10 +02:00
snyk-test
6f588826e0 fix: package.json to reduce vulnerabilities
The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-MERMAID-174698
2019-07-24 05:32:45 +00:00
Sheogorath
1bfed17f8c
Merge pull request #104 from SISheogorath/feature/dnt
Respect DNT header
2019-07-20 12:50:13 +02:00
Sheogorath
2f6e81e4db
Merge pull request #128 from dargmuesli/docker-secrets
DB URL: Secret File Support
2019-07-20 12:49:19 +02:00
Jonas Thelemann
cc78dd0428
Docker Secrets: Add DB URL Support
As the connection string may include a password, it should be supported by Docker Secrets.

Signed-off-by: Jonas Thelemann <e-mail@jonas-thelemann.de>
2019-07-01 19:43:42 +02:00
Sheogorath
118314d8dd
Merge pull request #119 from lhw/patch-1
Add SVG image detection based on file extension
2019-07-01 19:03:18 +02:00
Sheogorath
0d5923d61c
Update sequelize to latest version
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2019-06-22 16:29:09 +02:00
Sheogorath
502fae70a4
Update yarn.lock
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2019-06-22 16:23:24 +02:00
Sheogorath
fd2731042f
Merge pull request #107 from SISheogorath/feature/db-upgrade
Fix sequelize by updating to the latest version
2019-06-22 16:17:11 +02:00
Lennart Weller
f22a563116 Add SVG image detection based on file extension
Add simple SVG image detection based on the file extension .svg.
This fixes the SVG being delivered as binary/octet-stream and makes it possible to embed the SVG.

Signed-off-by: Lennart Weller <lennart.weller@hansemerkur.de>
2019-06-18 17:13:50 +02:00
Sheogorath
8612740f82 Update sv.json (POEditor.com)
2019-06-16 10:59:48 +02:00