mirror of
https://github.com/hedgedoc/hedgedoc.git
synced 2024-10-19 22:00:15 -04:00
a2522888b2
As we already decleared in earlier versions, this patch removes PDF export entirely. It's a not acceptable security risk for every CodiMD instance. The current implementation allowed to extract arbitary files from the CodiMD host and therefore leaking secrets from a `/etc/passwd` to CodiMD's own config files and all secrets contained in it. Thanks to Joona for finding this vulnerability in August last year, which lead to an emergency disabling of PDF exports in 1.5.0. Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
171 lines
4.3 KiB
JavaScript
171 lines
4.3 KiB
JavaScript
'use strict'
|
|
|
|
const os = require('os')
|
|
|
|
module.exports = {
|
|
domain: '',
|
|
urlPath: '',
|
|
host: '0.0.0.0',
|
|
port: 3000,
|
|
loglevel: 'info',
|
|
urlAddPort: false,
|
|
allowOrigin: ['localhost'],
|
|
useSSL: false,
|
|
hsts: {
|
|
enable: true,
|
|
maxAgeSeconds: 60 * 60 * 24 * 365,
|
|
includeSubdomains: true,
|
|
preload: true
|
|
},
|
|
csp: {
|
|
enable: true,
|
|
directives: {
|
|
},
|
|
addDefaults: true,
|
|
addDisqus: true,
|
|
addGoogleAnalytics: true,
|
|
upgradeInsecureRequests: 'auto',
|
|
reportURI: undefined
|
|
},
|
|
protocolUseSSL: false,
|
|
useCDN: false,
|
|
allowAnonymous: true,
|
|
allowAnonymousEdits: false,
|
|
allowFreeURL: false,
|
|
forbiddenNoteIDs: ['robots.txt', 'favicon.ico', 'api', 'build', 'css', 'docs', 'fonts', 'js', 'uploads', 'vendor', 'views'],
|
|
defaultPermission: 'editable',
|
|
dbURL: '',
|
|
db: {},
|
|
// ssl path
|
|
sslKeyPath: '',
|
|
sslCertPath: '',
|
|
sslCAPath: '',
|
|
dhParamPath: '',
|
|
// other path
|
|
publicPath: './public',
|
|
viewPath: './public/views',
|
|
tmpPath: os.tmpdir(),
|
|
defaultNotePath: './public/default.md',
|
|
docsPath: './public/docs',
|
|
uploadsPath: './public/uploads',
|
|
// session
|
|
sessionName: 'connect.sid',
|
|
sessionSecret: 'secret',
|
|
sessionSecretLen: 128,
|
|
sessionLife: 14 * 24 * 60 * 60 * 1000, // 14 days
|
|
staticCacheTime: 1 * 24 * 60 * 60 * 1000, // 1 day
|
|
// socket.io
|
|
heartbeatInterval: 5000,
|
|
heartbeatTimeout: 10000,
|
|
// too busy timeout
|
|
tooBusyLag: 70,
|
|
// document
|
|
documentMaxLength: 100000,
|
|
// image upload setting, available options are imgur/s3/filesystem/azure/lutim
|
|
imageUploadType: 'filesystem',
|
|
lutim: {
|
|
url: 'https://framapic.org/'
|
|
},
|
|
imgur: {
|
|
clientID: undefined
|
|
},
|
|
s3: {
|
|
accessKeyId: undefined,
|
|
secretAccessKey: undefined,
|
|
region: undefined
|
|
},
|
|
minio: {
|
|
accessKey: undefined,
|
|
secretKey: undefined,
|
|
endPoint: undefined,
|
|
secure: true,
|
|
port: 9000
|
|
},
|
|
s3bucket: undefined,
|
|
azure: {
|
|
connectionString: undefined,
|
|
container: undefined
|
|
},
|
|
// authentication
|
|
oauth2: {
|
|
providerName: undefined,
|
|
authorizationURL: undefined,
|
|
tokenURL: undefined,
|
|
clientID: undefined,
|
|
clientSecret: undefined
|
|
},
|
|
facebook: {
|
|
clientID: undefined,
|
|
clientSecret: undefined
|
|
},
|
|
twitter: {
|
|
consumerKey: undefined,
|
|
consumerSecret: undefined
|
|
},
|
|
github: {
|
|
clientID: undefined,
|
|
clientSecret: undefined
|
|
},
|
|
gitlab: {
|
|
baseURL: undefined,
|
|
clientID: undefined,
|
|
clientSecret: undefined,
|
|
scope: undefined,
|
|
version: 'v4'
|
|
},
|
|
dropbox: {
|
|
clientID: undefined,
|
|
clientSecret: undefined,
|
|
appKey: undefined
|
|
},
|
|
google: {
|
|
clientID: undefined,
|
|
clientSecret: undefined,
|
|
hostedDomain: undefined
|
|
},
|
|
ldap: {
|
|
providerName: undefined,
|
|
url: undefined,
|
|
bindDn: undefined,
|
|
bindCredentials: undefined,
|
|
searchBase: undefined,
|
|
searchFilter: undefined,
|
|
searchAttributes: undefined,
|
|
usernameField: undefined,
|
|
useridField: undefined,
|
|
tlsca: undefined
|
|
},
|
|
saml: {
|
|
idpSsoUrl: undefined,
|
|
idpCert: undefined,
|
|
issuer: undefined,
|
|
identifierFormat: 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',
|
|
disableRequestedAuthnContext: false,
|
|
groupAttribute: undefined,
|
|
externalGroups: [],
|
|
requiredGroups: [],
|
|
attribute: {
|
|
id: undefined,
|
|
username: undefined,
|
|
email: undefined
|
|
}
|
|
},
|
|
email: true,
|
|
allowEmailRegister: true,
|
|
allowGravatar: true,
|
|
openID: false,
|
|
// linkifyHeaderStyle - How is a header text converted into a link id.
|
|
// Header Example: "3.1. Good Morning my Friend! - Do you have 5$?"
|
|
// * 'keep-case' is the legacy CodiMD value.
|
|
// Generated id: "31-Good-Morning-my-Friend---Do-you-have-5"
|
|
// * 'lower-case' is the same like legacy (see above), but converted to lower-case.
|
|
// Generated id: "#31-good-morning-my-friend---do-you-have-5"
|
|
// * 'gfm' _GitHub-Flavored Markdown_ style as described here:
|
|
// https://gist.github.com/asabaylus/3071099#gistcomment-1593627
|
|
// It works like 'lower-case', but making sure the ID is unique.
|
|
// This is What GitHub, GitLab and (hopefully) most other tools use.
|
|
// Generated id: "31-good-morning-my-friend---do-you-have-5"
|
|
// 2nd appearance: "31-good-morning-my-friend---do-you-have-5-1"
|
|
// 3rd appearance: "31-good-morning-my-friend---do-you-have-5-2"
|
|
linkifyHeaderStyle: 'keep-case'
|
|
}
|