mirror of
https://github.com/hedgedoc/hedgedoc.git
synced 2024-11-30 12:09:52 -05:00
a2522888b2
As we already decleared in earlier versions, this patch removes PDF export entirely. It's a not acceptable security risk for every CodiMD instance. The current implementation allowed to extract arbitary files from the CodiMD host and therefore leaking secrets from a `/etc/passwd` to CodiMD's own config files and all secrets contained in it. Thanks to Joona for finding this vulnerability in August last year, which lead to an emergency disabling of PDF exports in 1.5.0. Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
135 lines
4.6 KiB
JSON
135 lines
4.6 KiB
JSON
{
|
|
"name": "CodiMD",
|
|
"description": "Realtime collaborative markdown notes on all platforms",
|
|
"keywords": [
|
|
"Collaborative",
|
|
"Markdown",
|
|
"Notes"
|
|
],
|
|
"website": "https://codimd.org",
|
|
"repository": "https://github.com/codimd/server",
|
|
"logo": "https://github.com/codimd/server/raw/master/public/codimd-icon-1024.png",
|
|
"success_url": "/",
|
|
"env": {
|
|
"NPM_CONFIG_PRODUCTION": {
|
|
"description": "Let npm also install development build tool",
|
|
"value": "false"
|
|
},
|
|
"DB_TYPE": {
|
|
"description": "Specify database type. See sequelize available databases. Default using postgres",
|
|
"value": "postgres"
|
|
},
|
|
"CMD_SESSION_SECRET": {
|
|
"description": "Secret used to secure session cookies.",
|
|
"required": false
|
|
},
|
|
"CMD_HSTS_ENABLE": {
|
|
"description": "whether to also use HSTS if HTTPS is enabled",
|
|
"required": false
|
|
},
|
|
"CMD_HSTS_MAX_AGE": {
|
|
"description": "max duration, in seconds, to tell clients to keep HSTS status",
|
|
"required": false
|
|
},
|
|
"CMD_HSTS_INCLUDE_SUBDOMAINS": {
|
|
"description": "whether to tell clients to also regard subdomains as HSTS hosts",
|
|
"required": false
|
|
},
|
|
"CMD_HSTS_PRELOAD": {
|
|
"description": "whether to allow at all adding of the site to HSTS preloads (e.g. in browsers)",
|
|
"required": false
|
|
},
|
|
"CMD_DOMAIN": {
|
|
"description": "domain name",
|
|
"required": false
|
|
},
|
|
"CMD_URL_PATH": {
|
|
"description": "sub url path, like `www.example.com/<URL_PATH>`",
|
|
"required": false
|
|
},
|
|
"CMD_ALLOW_ORIGIN": {
|
|
"description": "domain name whitelist (use comma to separate)",
|
|
"required": false,
|
|
"value": "localhost"
|
|
},
|
|
"CMD_PROTOCOL_USESSL": {
|
|
"description": "set to use ssl protocol for resources path (only applied when domain is set)",
|
|
"required": false
|
|
},
|
|
"CMD_URL_ADDPORT": {
|
|
"description": "set to add port on callback url (port 80 or 443 won't applied) (only applied when domain is set)",
|
|
"required": false
|
|
},
|
|
"CMD_FACEBOOK_CLIENTID": {
|
|
"description": "Facebook API client id",
|
|
"required": false
|
|
},
|
|
"CMD_FACEBOOK_CLIENTSECRET": {
|
|
"description": "Facebook API client secret",
|
|
"required": false
|
|
},
|
|
"CMD_TWITTER_CONSUMERKEY": {
|
|
"description": "Twitter API consumer key",
|
|
"required": false
|
|
},
|
|
"CMD_TWITTER_CONSUMERSECRET": {
|
|
"description": "Twitter API consumer secret",
|
|
"required": false
|
|
},
|
|
"CMD_GITHUB_CLIENTID": {
|
|
"description": "GitHub API client id",
|
|
"required": false
|
|
},
|
|
"CMD_GITHUB_CLIENTSECRET": {
|
|
"description": "GitHub API client secret",
|
|
"required": false
|
|
},
|
|
"CMD_GITLAB_BASEURL": {
|
|
"description": "GitLab authentication endpoint, set to use other endpoint than GitLab.com (optional)",
|
|
"required": false
|
|
},
|
|
"CMD_GITLAB_CLIENTID": {
|
|
"description": "GitLab API client id",
|
|
"required": false
|
|
},
|
|
"CMD_GITLAB_CLIENTSECRET": {
|
|
"description": "GitLab API client secret",
|
|
"required": false
|
|
},
|
|
"CMD_GITLAB_SCOPE": {
|
|
"description": "GitLab API client scope (optional)",
|
|
"required": false
|
|
},
|
|
"CMD_DROPBOX_CLIENTID": {
|
|
"description": "Dropbox API client id",
|
|
"required": false
|
|
},
|
|
"CMD_DROPBOX_CLIENTSECRET": {
|
|
"description": "Dropbox API client secret",
|
|
"required": false
|
|
},
|
|
"CMD_DROPBOX_APP_KEY": {
|
|
"description": "Dropbox app key (for import/export)",
|
|
"required": false
|
|
},
|
|
"CMD_GOOGLE_CLIENTID": {
|
|
"description": "Google API client id",
|
|
"required": false
|
|
},
|
|
"CMD_GOOGLE_CLIENTSECRET": {
|
|
"description": "Google API client secret",
|
|
"required": false
|
|
},
|
|
"CMD_GOOGLE_HOSTEDDOMAIN": {
|
|
"description": "Google API hosted domain (Provided only if the user belongs to a hosted domain)",
|
|
"required": false
|
|
},
|
|
"CMD_IMGUR_CLIENTID": {
|
|
"description": "Imgur API client id",
|
|
"required": false
|
|
}
|
|
},
|
|
"addons": [
|
|
"heroku-postgresql"
|
|
]
|
|
}
|