mirror of https://github.com/hedgedoc/hedgedoc.git synced 2024-11-21 17:26:29 -05:00

HedgeDoc - Ideas grow better together

codimd collaboration hacktoberfest hedgedoc markdown notes real-time

Find a file

Sheogorath 9e2f9e21e9 fix(imageRouter): Fix enumerable image upload issue This patch adds an own filename function for `formidable`, which will make sure to generate a random file name, using UUIDv4. This should resolve GHSA-q6vv-2q26-j7rx. This change is required due to a change in behaviour from version 1 to version 2 of formidable. Formidable version 2 will generate predictable filenames by default, which results in potential access to images, that were uploaded while formidable v2 was used in Hedgedoc. This affects the versions `1.9.1` and `1.9.2`. Files generated previous to this commit will look like this: ``` <random string generated on app start><counter>.<file-extension> 38e56506ec2dcab52e9282c00.jpg 38e56506ec2dcab52e9282c01.jpg 38e56506ec2dcab52e9282c02.jpg ``` After this patch it'll look like this: ``` <uuid v4>.<file-extension> a67f36b8-9afb-43c2-9ef2-a567a77d8628.jpg 56b3d5d0-c586-4679-9ae6-d2044843c2cd.jpg 2af727ac-a2d4-4aad-acb5-73596c2a7eb6.jpg ``` This patch was implemented using `uuid` since we already utilise this package elsewhere in the project as well as using a secure function to generate random strings. UUIDv4 is ideal for that. In order to be consumable by formidable, it was wrapped in a function that makes sure to keep the file extension. This vulnerability was reported by Matias from [NCSC-FI](https://www.kyberturvallisuuskeskus.fi/). References: https://github.com/node-formidable/formidable/blob/v2-latest/src/Formidable.js#L574 https://github.com/node-formidable/formidable/issues/808#issuecomment-1007090762 https://www.npmjs.com/package/uuid		2022-04-10 21:08:32 +02:00
.github	chore(deps): update actions/upload-artifact action to v3	2022-03-05 10:34:44 +01:00
bin	bin/manage_users: fix formatting	2022-04-03 22:14:27 +02:00
docs	chore(deps): update dependency mkdocs-material to v8.2.9	2022-04-09 05:31:08 +00:00
lib	fix(imageRouter): Fix enumerable image upload issue	2022-04-10 21:08:32 +02:00
locales	Import translations from POEditor	2021-12-02 22:14:34 +01:00
public	Fix missing inline authorship colors	2022-04-08 12:13:37 +02:00
test	Update tests and changelog	2022-01-07 18:21:33 +01:00
.babelrc	Use esbuild to minify frontend JS	2021-05-06 21:13:56 +02:00
.editorconfig	Replace CodiMD with HedgeDoc	2020-11-14 21:18:36 +01:00
.eslintignore	switching to eslint for code checking	2018-11-14 23:15:36 +01:00
.eslintrc.js	Cleanup ESLint config	2021-08-14 23:42:26 +02:00
.gitignore	added documentation about how the write, build and deploy this	2021-01-04 14:26:39 +01:00
.mailmap	Update .mailmap and AUTHORS	2020-11-27 22:23:08 +01:00
.remarkrc	fix: override markdown linting preset	2020-07-10 18:57:31 +02:00
app.js	Allow SAML authentication provider to be named	2022-03-20 19:59:53 +01:00
app.json	Remove pdf export code	2020-11-26 21:09:23 +01:00
AUTHORS	Update .mailmap and AUTHORS	2020-11-27 22:23:08 +01:00
CHANGELOG.md	Replace CodiMD with HedgeDoc	2020-11-14 21:18:36 +01:00
CODE-OF-CONDUCT.md	style: linting markdown files	2020-07-10 18:57:59 +02:00
config.json.example	Update example config	2021-05-06 22:24:02 +02:00
CONTRIBUTING.md	Introduce changelog snippets	2021-08-15 20:11:04 +02:00
LICENSE	Replace slogan	2020-11-14 22:23:18 +01:00
package.json	chore(deps): update linters	2022-04-10 10:08:01 +02:00
README.md	Update browser compatibility	2021-08-15 00:09:53 +02:00
renovate.json	Change label used by renovate to "type: maintenance"	2020-11-30 18:24:43 +01:00
SECURITY.md	Replace references to Matrix room with chat.hedgedoc.org	2020-11-27 19:53:26 +01:00
webpack.common.js	Remove unused Google Fonts import	2021-08-15 00:09:53 +02:00
webpack.dev.js	Don't use eval-based source maps	2021-06-07 23:04:45 +02:00
webpack.htmlexport.js	Inline CSS & JS into HTML export template	2021-08-15 00:09:53 +02:00
webpack.prod.js	Inline CSS & JS into HTML export template	2021-08-15 00:09:53 +02:00
yarn.lock	chore(deps): update linters	2022-04-10 10:08:01 +02:00

README.md

HedgeDoc

HedgeDoc lets you create real-time collaborative markdown notes. You can test-drive it by visiting our HedgeDoc demo server.

It is inspired by Hackpad, Etherpad and similar collaborative editors. This project originated with the team at HackMD and now forked into its own organisation. A longer writeup can be read in the history.

Community and Contributions

We welcome contributions! There's a lot to do: If you would like to report bugs, the issue tracker is the right place. If you can help translating, find us on POEditor. To get started developing, take a look at the developer documentation. In any case: come talk to us, we'll be delighted to help you with the first steps.

To stay up to date with our work or get support it's recommended to join our Matrix channel, stop by our community forums or subscribe to the release feed. We also engage in regular community calls (RSS) which you are very welcome to join.

Installation / Upgrading

You can run HedgeDoc in a number of ways, and we created setup instructions for all of these:

Configuration

Theres two main ways to configure your HedgeDoc instance: config file or environment variables. You can choose what works best for you.

HedgeDoc can integrate with

facebook, twitter, github, gitlab, mattermost, dropbox, google, ldap, saml and oauth2 for login
imgur, s3, minio, azure for image/attachment storage (files can also be local!)
dropbox for export and import

More info about that can be found in the configuration docs above.