Commit Graph

2052 Commits

Author SHA1 Message Date
Christoph (Sheogorath) Kern de0acbb566
Merge pull request #1153 from toshi0123/for_empty_serverurl
Fix empty serverURL not redirecting properly
2019-03-05 18:11:37 +01:00
Christoph (Sheogorath) Kern e48342a64a
Merge pull request #1155 from Turakar/master
Mention dependency on libssl-dev in README.md
2019-03-04 20:20:02 +01:00
Turakar 13ee05ba0d Mention dependency on libssl-dev in README.md
This dependency was introduced by upgrading to the new scrypt version in commit cee2aa92f9.

Signed-off-by: Tilman Hoffbauer <turakar23@gmail.com>
2019-03-04 20:14:55 +01:00
Sheogorath b51a048777
Fix wrong value type for HSTS environment variable
Seems like environment variables are also affected. This patch fixes that
as well.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2019-03-04 17:13:43 +01:00
Sheogorath 32a1afbe86
Fix wrong value type in example config
HSTS maxAge has to be an integer, not a string.

Fixes https://github.com/hackmdio/codimd/issues/1159

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2019-03-04 16:59:44 +01:00
Christoph (Sheogorath) Kern 126cd1b1f0
Merge pull request #1139 from Luclu7/patch-1
Corrected a typo
2019-03-04 13:10:56 +01:00
Sheogorath 87443dec5f
Release version 1.3.0
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2019-03-04 12:37:00 +01:00
toshi0123 6aab032709 Fix empty serverURL not redirecting properly
Signed-off-by: toshi0123 <7948737+toshi0123@users.noreply.github.com>
2019-03-04 13:59:14 +09:00
Sheogorath 1ee9874393
Fix names with spaces in letter-avatars
Seems like there is a possible problem when a name containing a space is
passed to this function. Using urlencode on the name should fix possible
problems here.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2019-03-03 15:46:28 +01:00
Christoph (Sheogorath) Kern 112827423a
Merge pull request #1157 from hackmdio/fix-MathJax-XSS-issue
Fix possible MathJax XSS issue [Security Issue]
2019-03-03 15:44:33 +01:00
Max Wu 1743a97c22 Fix possible MathJax XSS issue [Security Issue]
see more at: http://docs.mathjax.org/en/latest/safe-mode.html

Signed-off-by: Max Wu <jackymaxj@gmail.com>
2019-03-03 18:32:58 +08:00
Sheogorath b718eac70a
Force upgrade of some outdated dependencies
I don't really like the way to go here, but I guess having those
forcefully upgraded is better than staying around with vulnerable
dependencies.

This patch fixes some vulnerabilities in dependencies that were
categorized as high severity.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2019-03-02 19:14:12 +01:00
Sheogorath edfe7fc401
Update yarn.lock
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2019-03-02 15:27:16 +01:00
Sheogorath 9981a6c8ba
Fix wrong domain in app.json
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2019-03-02 14:27:59 +01:00
Christoph (Sheogorath) Kern 5274247790
Merge pull request #1150 from SISheogorath/fix/speakerdeck
Remove broken speakerdeck embedding
2019-02-21 23:34:15 +01:00
Sheogorath 1f0fb12755
Fix CI errors for unused variables
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2019-02-21 01:36:39 +01:00
Sheogorath c5ca7b634a
Remove broken speakerdeck embedding
The current speakerdeck implementation is broken. An alternative
implementation using oembed doesn't work due to CORS, which could be
solved by proxying the speakerdeck API, but we decided to not do this.

This patch provides the link to the speakerdeck presentation instead,
and this way doesn't break existing notes. This is right now the best
solution we could come up with.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2019-02-21 01:26:37 +01:00
Sheogorath 0d88707475
Update yarn.lock 2019-02-15 15:40:45 +01:00
Sheogorath bce58db97c
Update handlebar to version 4.0.13
Snyk found a security vulnerability in the version we provide that in
theory can provide an RCE.

Details: https://snyk.io/vuln/SNYK-JS-HANDLEBARS-173692
2019-02-15 15:40:44 +01:00
Claudius Coenen baefa1c672
Merge pull request #1148 from felixonmars/patch-1
Fix several typos in auth/saml.md
2019-02-14 23:19:40 +01:00
Felix Yan 1ccadec5a3 Fix several typos in auth/saml.md
Signed-off-by: Felix Yan <felixonmars@archlinux.org>
2019-02-15 04:14:17 +08:00
Luclu7 d982d8aaf2
Corrected a typo
Signed-off-by: Luclu7 <me@luclu7.fr>
2019-02-07 20:47:43 +01:00
Christoph (Sheogorath) Kern b28201176e Update ja.json (POEditor.com) 2019-01-31 13:06:56 +01:00
Sheogorath 806f403045
Disable OpenID by default
We talked about that during a community call. It turned out that not
everyone likes to have OpenID on their instance.

This patch disables OpenID by default.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2019-01-25 19:31:34 +01:00
Christoph (Sheogorath) Kern afcbea48cd
Merge pull request #1127 from SISheogorath/fix/unlinkFix
Fix broken PDF export by wrong unlink call
2019-01-25 18:27:33 +01:00
Sheogorath 4e81079050
Fix broken PDF export by wrong unlink call
We used `fs.unlink()` to remove the PDF file after we sent it out to the
client. This breaks in Node 10 when no function is supplied as the second
parameter.

This patch changes it to the `fs.unlinkSync` function, which doesn't
have this requirement and this way doesn't crash.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2019-01-24 13:02:53 +01:00
Sheogorath 3dc40116e4
Update yarn.lock
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2019-01-24 12:21:19 +01:00
Claudius Coenen 2c1a618c56
Merge pull request #1125 from hackmdio/dependency-node-6-fix
Fixing deep dependency problem with node 6.x
2019-01-24 01:18:07 +01:00
Claudius Coenen fa0dea0a1b Fixing deep dependency problem with node 6.x
This commit has been blatantly stolen from @samselikoff in ember-cli-addon-docs. It prevents an issue introduced via a deep dependency that no longer supports node 6 (which we still would like to support).
see: 231275b5a4
see: https://github.com/salesforce/tough-cookie/pull/141

Signed-off-by: Claudius Coenen <opensource@amenthes.de>
2019-01-23 23:37:13 +01:00
Christoph (Sheogorath) Kern a9d12e3a28
Merge pull request #1124 from phrix32/patch-1
Fix reference to SAML guide in README
2019-01-22 11:03:20 +01:00
Jonathan 07697ee9a1 Fix reference to SAML guide in README
Signed-off-by: Jonathan Klauck <jonathan.klauck@aoe.com>
2019-01-22 10:48:45 +01:00
Christoph (Sheogorath) Kern d69edd1def
Merge pull request #1123 from SISheogorath/fix/lintingTests
Add linting for tests
2019-01-21 23:16:22 +01:00
Sheogorath bf229d91c6
Add linting for tests
The tests are currently not linted. This causes a different coding style
than the rest of the sources.

This patch adds the `./test` directory to the eslint testing and fixes
linting for existing tests.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2019-01-21 17:17:54 +01:00
Christoph (Sheogorath) Kern 3a23bd7c05
Merge pull request #1121 from SISheogorath/test/CSP
Add tests for csp.js
2019-01-21 17:14:51 +01:00
Sheogorath d408f4c0fe
Add tests for csp.js
Since we lack tests but have a great point to start from, let's write
more tests.

This patch provides some basic tests for our CSP library. It's more an
integration than a unit test, but gets the job done.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2019-01-19 13:54:52 +01:00
Sheogorath 5f1406a136
Update yarn.lock
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2019-01-18 22:04:22 +01:00
Christoph (Sheogorath) Kern b88a1ed04a
Merge pull request #1116 from dsprenkels/manage_users
Fix broken manage_users after Winston upgrade
2019-01-12 15:09:12 +01:00
Christoph (Sheogorath) Kern 4eb9d6941d
Merge pull request #1117 from SISheogorath/upgrade/bootstrap
Update bootstrap from 3.3.7 to 3.4.0
2019-01-12 15:08:54 +01:00
Sheogorath 62477f0279
Update bootstrap from 3.3.7 to 3.4.0
Seems like there is finally a new bootstrap version for the old version 3.

This patch implements this new version with CodiMD and this way fixes
some possible security issues in the frontend code.

See:
https://snyk.io/vuln/SNYK-JS-BOOTSTRAP-72889
https://snyk.io/vuln/SNYK-JS-BOOTSTRAP-72890

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2019-01-11 01:56:52 +01:00
Daan Sprenkels 7c144ac7a9 Fix broken manage_users after Winston upgrade
Commit c3584770 upgrades Winston and with that version
`logger.transports.console` becomes undefined. This commit
updates the code to prevent the crash.

Signed-off-by: Daan Sprenkels <hello@dsprenkels.com>
2019-01-10 14:05:12 +01:00
Christoph (Sheogorath) Kern 4eb7748adb
Merge pull request #1114 from SISheogorath/fix/samlVersion
Update SAML to version 1.0.0
2019-01-09 11:53:11 +01:00
Sheogorath 9eb4e545d2
Update SAML to version 1.0.0
Seems like there was a security problem with the library.

This patch updates to version 1.0.0 which fixed the details.

Details: https://snyk.io/vuln/SNYK-JS-PASSPORTSAML-72411

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2019-01-09 01:15:02 +01:00
Christoph (Sheogorath) Kern 7a83fc0f14
Merge pull request #1110 from dsprenkels/issue_1106
Remove blueimp-md5 dependency
2019-01-05 14:08:23 +01:00
Christoph (Sheogorath) Kern dba9575c94
Merge pull request #1112 from hackmdio/fix-XSS-issues
Fix some XSS issues
2018-12-29 21:52:03 +01:00
Max Wu 067cfe2d1e Fix to escape html comment tag [Security Issue]
Signed-off-by: Max Wu <jackymaxj@gmail.com>
2018-12-28 16:42:55 +08:00
Max Wu b89a35196a
Fix to sanitize disqus shortnames to remove slashes [Security Issue]
Signed-off-by: Max Wu <jackymaxj@gmail.com>
2018-12-28 16:39:13 +08:00
Daan Sprenkels f7bc1e99c0 Remove blueimp-md5 dependency
Signed-off-by: Daan Sprenkels <hello@dsprenkels.com>
2018-12-22 19:09:50 +01:00
Daan Sprenkels 318a37d41c Add a test for gravatar urls
Signed-off-by: Daan Sprenkels <hello@dsprenkels.com>
2018-12-22 19:09:45 +01:00
Christoph (Sheogorath) Kern f9cc2ff0ef
Merge pull request #1105 from SISheogorath/fix/gistCSP
Fix broken Gist embedding
2018-12-21 18:39:22 +01:00
Christoph (Sheogorath) Kern e4845849dc
Merge pull request #1108 from dsprenkels/patch-1
Update upload provider error message
2018-12-21 18:38:49 +01:00