mirror of https://github.com/hedgedoc/hedgedoc.git synced 2024-11-25 11:16:31 -05:00

HedgeDoc - Ideas grow better together

codimd collaboration hacktoberfest hedgedoc markdown notes real-time

Find a file

Sheogorath dc29a286e6 Fix arbitary file upload for uploadimage API endpoint This patch fixes a security issue with all existing CodiMD and HedgeDoc installation which allows arbitary file uploads to instances that expose the `/uploadimage` API endpoint. With the patch it implies the same restrictions on the MIME-types as the frontend does. Means only images are allowed unless configured differently. This issue was reported by Thomas Lambertz. To verify if you are vulnerable or not, create two files `test.html` and `test.png` and try to upload them to your hedgedoc installation. ``` curl -X POST -F "image=@$(pwd)/test.html" http://localhost:3000/uploadimage curl -X POST -F "image=@$(pwd)/test.png" http://localhost:3000/uploadimage ``` Note: Not all backends are affected. Imgur and lutim should prevent this by their own upload API. But S3, minio, filesystem and azure, will be at risk. Addition Note: When using filesystem instead of an external uploads providers, there is a higher risk of code injections as the default CSP do not block JS from the main domain. References: https://github.com/hedgedoc/hedgedoc/security/advisories/GHSA-wcr3-xhv7-8gxc Signed-off-by: Christoph Kern <sheogorath@shivering-isles.com>		2020-12-27 19:51:01 +01:00
.github	Update issue templates to use the new labels	2020-12-01 21:14:11 +01:00
bin	Fix inconsistent spacing in bin/setup	2020-11-17 21:29:54 +01:00
docs	update linuxserver docker info	2020-12-24 17:00:31 -05:00
lib	Fix arbitary file upload for uploadimage API endpoint	2020-12-27 19:51:01 +01:00
locales	Update el.json (POEditor.com)	2020-11-27 21:52:47 +01:00
public	Don't store mermaid diagrams in innerHTML	2020-12-27 10:14:27 +01:00
test	Add test for dropbox csp rule	2020-08-23 01:41:55 +02:00
.babelrc	drop node 6 support	2019-05-13 19:37:21 +02:00
.editorconfig	Replace CodiMD with HedgeDoc	2020-11-14 21:18:36 +01:00
.eslintignore	switching to eslint for code checking	2018-11-14 23:15:36 +01:00
.eslintrc.js	Add no-console as a warning	2019-05-12 20:15:46 +02:00
.gitignore	striving for consistency across various docs	2019-04-01 01:03:36 +02:00
.mailmap	Update .mailmap and AUTHORS	2020-11-27 22:23:08 +01:00
.remarkrc	fix: override markdown linting preset	2020-07-10 18:57:31 +02:00
.sequelizerc.example	Create example config	2016-10-05 10:58:05 +08:00
app.js	Remove pdf export code	2020-11-26 21:09:23 +01:00
app.json	Remove pdf export code	2020-11-26 21:09:23 +01:00
AUTHORS	Update .mailmap and AUTHORS	2020-11-27 22:23:08 +01:00
CHANGELOG.md	Replace CodiMD with HedgeDoc	2020-11-14 21:18:36 +01:00
CODE-OF-CONDUCT.md	style: linting markdown files	2020-07-10 18:57:59 +02:00
config.json.example	Replace CodiMD with HedgeDoc	2020-11-14 21:18:36 +01:00
CONTRIBUTING.md	Fix link braces	2020-11-18 22:33:25 +01:00
LICENSE	Replace slogan	2020-11-14 22:23:18 +01:00
package.json	Bump version to 1.7.0	2020-12-21 21:36:40 +01:00
README.md	Replace references to Matrix room with chat.hedgedoc.org	2020-11-27 19:53:26 +01:00
renovate.json	Change label used by renovate to "type: maintenance"	2020-11-30 18:24:43 +01:00
SECURITY.md	Replace references to Matrix room with chat.hedgedoc.org	2020-11-27 19:53:26 +01:00
webpack.common.js	Generate CSS filenames with contenthash	2020-12-21 12:31:34 +01:00
webpack.dev.js	Use new source map naming for the Webpack dev config	2020-11-10 22:56:00 +01:00
webpack.htmlexport.js	Fix urlPath support, let CodiMD be served from a subpath correctly	2019-12-20 12:03:16 +01:00
webpack.prod.js	Fix urlPath support, let CodiMD be served from a subpath correctly	2019-12-20 12:03:16 +01:00
yarn.lock	Update yarn.lock	2020-12-21 21:20:00 +01:00

README.md

HedgeDoc

HedgeDoc lets you create real-time collaborative markdown notes. You can test-drive it by visiting our HedgeDoc demo server.

It is inspired by Hackpad, Etherpad and similar collaborative editors. This project originated with the team at HackMD and now forked into its own organisation. A longer writeup can be read in the history doc.

Community and Contributions

We welcome contributions! There's a lot to do: If you would like to report bugs, the issue tracker is the right place. If you can help translating, find us on POEditor. To get started developing, take a look at the docs/dev directory. In any case: come talk to us, we'll be delighted to help you with the first steps.

To stay up to date with our work or get support it's recommended to join our Matrix channel, stop by our community forums or subscribe to the release feed. We also engage in regular community calls (RSS) which you are very welcome to join.

Installation / Upgrading

You can run HedgeDoc in a number of ways, and we created setup instructions for all of these:

Configuration

Theres two main ways to configure your HedgeDoc instance: config file or environment variables. You can choose what works best for you.

HedgeDoc can integrate with

facebook, twitter, github, gitlab, mattermost, dropbox, google, ldap, saml and oauth2 for login
imgur, s3, minio, azure for image/attachment storage (files can also be local!)
dropbox for export and import

More info about that can be found in the configuration docs above.