Commit Graph

2034 Commits

Author SHA1 Message Date
Sheogorath 0d88707475
Update yarn.lock 2019-02-15 15:40:45 +01:00
Sheogorath bce58db97c
Update handlebar to version 4.0.13
Synk found an security vulnerbility in the version we provide, that in
theory can provide an RCE.

Details: https://snyk.io/vuln/SNYK-JS-HANDLEBARS-173692
2019-02-15 15:40:44 +01:00
Claudius Coenen baefa1c672
Merge pull request #1148 from felixonmars/patch-1
Fix several typos in auth/saml.md
2019-02-14 23:19:40 +01:00
Felix Yan 1ccadec5a3 Fix several typos in auth/saml.md
Signed-off-by: Felix Yan <felixonmars@archlinux.org>
2019-02-15 04:14:17 +08:00
Christoph (Sheogorath) Kern b28201176e Update ja.json (POEditor.com) 2019-01-31 13:06:56 +01:00
Sheogorath 806f403045
Disable OpenID by default
We talked about that during a community call. It turned out that not
everyone likes to have OpenID on their instance.

This patch disables OpenID by default.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2019-01-25 19:31:34 +01:00
Christoph (Sheogorath) Kern afcbea48cd
Merge pull request #1127 from SISheogorath/fix/unlinkFix
Fix broken PDF export by wrong unlink call
2019-01-25 18:27:33 +01:00
Sheogorath 4e81079050
Fix broken PDF export by wrong unlink call
We used `fs.unlink()` to remove the pdf file after we send it out to the
client. This breaks in Node 10, when no function as second parameter is
supplied.

This patches changes it to the `fs.unlinkSync` function that doesn't
have this requirement and this way doesn't crash.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2019-01-24 13:02:53 +01:00
Sheogorath 3dc40116e4
Update yarn.lock
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2019-01-24 12:21:19 +01:00
Claudius Coenen 2c1a618c56
Merge pull request #1125 from hackmdio/dependency-node-6-fix
Fixing deep dependency problem with node 6.x
2019-01-24 01:18:07 +01:00
Claudius Coenen fa0dea0a1b Fixing deep dependency problem with node 6.x
this commit has been blatantly stolen from @samselikoff in ember-cli-addon-docs. It prevents an issue introduced via a deep dependency that no longer supports node 6 (which we still would like to support).
see: 231275b5a4
see: https://github.com/salesforce/tough-cookie/pull/141

Signed-off-by: Claudius Coenen <opensource@amenthes.de>
2019-01-23 23:37:13 +01:00
Christoph (Sheogorath) Kern a9d12e3a28
Merge pull request #1124 from phrix32/patch-1
Fix reference to SAML guide in README
2019-01-22 11:03:20 +01:00
Jonathan 07697ee9a1 Fix reference to SAML guide in README
Signed-off-by: Jonathan Klauck <jonathan.klauck@aoe.com>
2019-01-22 10:48:45 +01:00
Christoph (Sheogorath) Kern d69edd1def
Merge pull request #1123 from SISheogorath/fix/lintingTests
Add linting for tests
2019-01-21 23:16:22 +01:00
Sheogorath bf229d91c6
Add linting for tests
The tests are currently not linted. This causes a different coding style
than the rest of the sources.

This patch adds the `./test` directory to the eslint testing and fixes
linting for existing tests.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2019-01-21 17:17:54 +01:00
Christoph (Sheogorath) Kern 3a23bd7c05
Merge pull request #1121 from SISheogorath/test/CSP
Add tests for csp.js
2019-01-21 17:14:51 +01:00
Sheogorath d408f4c0fe
Add tests for csp.js
Since we lack of tests but got some great point to start, let's write
more tests.

This patch provides some basic tests for our CSP library. It's more an
integration than a unit test, but gets the job done.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2019-01-19 13:54:52 +01:00
Sheogorath 5f1406a136
Update yarn.lock
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2019-01-18 22:04:22 +01:00
Christoph (Sheogorath) Kern b88a1ed04a
Merge pull request #1116 from dsprenkels/manage_users
Fix broken manage_users after Winston upgrade
2019-01-12 15:09:12 +01:00
Christoph (Sheogorath) Kern 4eb9d6941d
Merge pull request #1117 from SISheogorath/upgrade/bootstrap
Update bootstrap from 3.3.7 to 3.4.0
2019-01-12 15:08:54 +01:00
Sheogorath 62477f0279
Update bootstrap from 3.3.7 to 3.4.0
Seems like finally there is a new bootstrap version for old version 3.

This patch implements this new version with CodiMD and this way fixes
some possible security issues in the frontend code.

See:
https://snyk.io/vuln/SNYK-JS-BOOTSTRAP-72889
https://snyk.io/vuln/SNYK-JS-BOOTSTRAP-72890

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2019-01-11 01:56:52 +01:00
Daan Sprenkels 7c144ac7a9 Fix broken manage_users after Winston upgrade
Commit c3584770 upgrades Winston and with that version
`logger.transports.console` becomes undefined. This commit
updates the code to prevent the crash.

Signed-off-by: Daan Sprenkels <hello@dsprenkels.com>
2019-01-10 14:05:12 +01:00
Christoph (Sheogorath) Kern 4eb7748adb
Merge pull request #1114 from SISheogorath/fix/samlVersion
Update SAML to version 1.0.0
2019-01-09 11:53:11 +01:00
Sheogorath 9eb4e545d2
Update SAML to version 1.0.0
Seems like there was a security problem with the library.

This patch updates to version 1.0.0 which fixed the details.

Details: https://snyk.io/vuln/SNYK-JS-PASSPORTSAML-72411

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2019-01-09 01:15:02 +01:00
Christoph (Sheogorath) Kern 7a83fc0f14
Merge pull request #1110 from dsprenkels/issue_1106
Remove blueimp-md5 dependency
2019-01-05 14:08:23 +01:00
Christoph (Sheogorath) Kern dba9575c94
Merge pull request #1112 from hackmdio/fix-XSS-issues
Fix some XSS issues
2018-12-29 21:52:03 +01:00
Max Wu 067cfe2d1e Fix to escape html comment tag [Security Issue]
Signed-off-by: Max Wu <jackymaxj@gmail.com>
2018-12-28 16:42:55 +08:00
Max Wu b89a35196a
Fix to sanitize disqus shortnames to remove slashes [Security Issue]
Signed-off-by: Max Wu <jackymaxj@gmail.com>
2018-12-28 16:39:13 +08:00
Daan Sprenkels f7bc1e99c0 Remove blueimp-md5 dependency
Signed-off-by: Daan Sprenkels <hello@dsprenkels.com>
2018-12-22 19:09:50 +01:00
Daan Sprenkels 318a37d41c Add a test for gravatar urls
Signed-off-by: Daan Sprenkels <hello@dsprenkels.com>
2018-12-22 19:09:45 +01:00
Christoph (Sheogorath) Kern f9cc2ff0ef
Merge pull request #1105 from SISheogorath/fix/gistCSP
Fix broken Gist embedding
2018-12-21 18:39:22 +01:00
Christoph (Sheogorath) Kern e4845849dc
Merge pull request #1108 from dsprenkels/patch-1
Update upload provider error message
2018-12-21 18:38:49 +01:00
Daan Sprenkels 8835a09d95 Update upload provider error message
Fixes #1107.

Signed-off-by: Daan Sprenkels <hello@dsprenkels.com>
2018-12-21 15:30:06 +01:00
Sheogorath 0f9e367015
Fix broken Gist embedding
Looks like GitHub changed their asset system and our CSP prevented them
from getting loaded.

This patch should fix the Gist embedding with enabled CSP by replacing
the old URL `https://assets-cdn.github.com` with the new
`https://github.githubassets.com`.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-12-20 22:49:25 +01:00
Christoph (Sheogorath) Kern f492fea418
Merge pull request #1103 from SISheogorath/fix/localImageUpload
Fix usage of new URL API
2018-12-20 22:42:17 +01:00
Sheogorath 0621d7a72d
Fix usage of new URL API
Due to the deprecation of the old `url`-API provided by NodeJS we
replaced `url.resolve` with `url.URL.resolve`, which doesn't exist.

This patch fixes the local filesystem upload of CodiMD by using the new
API correctly. Creating an URL object and using its href.

Some more background:
https://nodejs.org/api/url.html#url_url_href
https://nodejs.org/api/url.html#url_url_resolve_from_to

Fixes https://github.com/hackmdio/codimd/issues/1102

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-12-18 14:52:18 +01:00
Christoph (Sheogorath) Kern 17b1b5d6bf Update ru.json (POEditor.com) 2018-12-13 00:10:57 +01:00
Christoph (Sheogorath) Kern 7f0fe6903c
Merge pull request #1091 from SISheogorath/fix/speakerNotesCSP
Fix CSP for speaker notes
2018-12-06 10:35:41 +01:00
Christoph (Sheogorath) Kern b9848a4f7c
Merge pull request #1092 from SISheogorath/fix/disqusCSP
Fix disqus CSP
2018-12-06 10:35:24 +01:00
Sheogorath ecee16bd73
Fix disqus CSP
Disqus loads it's embed config.js from its root domain
(https://disqus.com). Our CSPs only allow subdomains (e.g.:
https://codimd.disqus.com). This causes the disqus embedding to fail.

This patch should fix this problem by adding https://disqus.com to the
CSP setting. From a security perspective there is no real change. Since
still the same parties are involved.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-12-05 13:17:14 +01:00
Sheogorath a556575b91
Fix CSP for speaker notes
Looks like I was wrong in my previous commit to update revealjs.[1]

The speaker notes broke again with the CSPs. So this patch updates the
hash and this way the speaker notes.

[1]: bcebf1e8d2

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-12-05 11:32:14 +01:00
Sheogorath b40f14f66d
Update yarn.lock
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-12-04 14:04:34 +01:00
Christoph (Sheogorath) Kern 3cfd18d54f
Merge pull request #1085 from SISheogorath/update/socket.io
Update socket.io
2018-12-01 12:25:18 +01:00
Christoph (Sheogorath) Kern 786140331b
Merge pull request #1086 from SISheogorath/feature/urlWarning
Warn on missing serverURL
2018-12-01 12:25:02 +01:00
Sheogorath a4941be3de
Warn on missing serverURL
We see some issues that are based on not properly configured
`config.serverURL`.

This patch adds a warning when `config.serverURL` is an empty value.
This should provide users direct feedback about how to improve their
configs.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-11-28 14:38:49 +01:00
Christoph (Sheogorath) Kern b749d50e20
Merge pull request #1082 from cloudyu/pull
Fix wrong config options

In `./lib/web/auth/` some config includes still used `config.serverurl` instead of the correct `config.serverURL`. This causes wrong URL in worst case.

This patch should fix those problems and migrate the wrong statements to camelcase.
2018-11-28 13:27:38 +01:00
Sheogorath cf95465103
Update socket.io
Our socket.io version is 2.0.4 while the current socket.io version is
2.1.1.

This patch updates socket.io to version 2.1.1 and takes care of the CDN
client version.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-11-28 13:23:36 +01:00
Christoph (Sheogorath) Kern 769a1c4ccb
Merge pull request #1084 from dsprenkels/export-subdirs
Prevent subdirectories in user export
2018-11-28 10:26:41 +01:00
Daan Sprenkels 9fba268288 Prevent subdirectories in user export
This commit also refactors the code a bit, and adds a '-' separator
between a filename and its duplicate index.

This commit fixes #1079.

Signed-off-by: Daan Sprenkels <hello@dsprenkels.com>
2018-11-28 09:13:28 +01:00
CloudYu 35a9f72a06 Fix typo
Signed-off-by: CloudYu <cloudyu322@gmail.com>
2018-11-27 22:14:37 +08:00