Commit Graph

1247 Commits

Author SHA1 Message Date
Joakim Svensson
c3e078c9c6 Add Invite Agent action to editor menu and allow CSP connect-src
2025-12-31 00:08:30 +00:00
Erik Michelson
7185a44448 docs: update for release 1.10.5
Signed-off-by: Erik Michelson <github@erik.michelson.eu>
2025-12-06 17:45:55 +01:00
Erik Michelson
0a5f4ccefd docs: update for release 1.10.4
Co-authored-by: Philip Molares <philip.molares@udo.edu>
Signed-off-by: Philip Molares <philip.molares@udo.edu>
Signed-off-by: Erik Michelson <github@erik.michelson.eu>
2025-12-05 23:36:12 +01:00
Erik Michelson
35f36fccba fix(auth): add state parameters and PKCE support
Only the OAuth2 auth strategy was using the state parameter,
which should be used as described in the RFC. The other
auth strategies such as GitHub, GitLab or Google were lacking
the state parameter.
This change adds the required state parameter as well as
enabling PKCE support on providers where it's possible.

Signed-off-by: Erik Michelson <github@erik.michelson.eu>
2025-12-05 22:06:30 +01:00
Erik Michelson
ef724d0fc2 fix(renderer): use credentialless and sandbox attributes on iframes
Websites loaded via an iframe could interrupt the user's workflow by initiating certain actions like opening print dialogs, alert boxes, etc. in the user's browser, or even initiating file downloads.
By using the sandbox attribute, the iframe is limited in its actions and can't access browser APIs such as those used to download files.
With the additional credentialless attribute, the page in the iframe is loaded in a completely separate browsing context on Chromium-based browsers, thus isolating the content even more.
The functionality could previously be abused to initiate certain actions on 3rd-party websites where the user is logged-in, if these 3rd-party websites have no proper CSRF protection. However, this is not a security risk to HedgeDoc itself.

Signed-off-by: Erik Michelson <github@erik.michelson.eu>
2025-12-05 21:57:19 +01:00
Erik Michelson
10ec965ed3 fix(renderer): correct regexes for list extra tags
Signed-off-by: Erik Michelson <github@erik.michelson.eu>
2025-12-03 19:52:52 +01:00
Erik Michelson
801ef14b7e fix(shutdown): kill server after timeout when hanging on shutdown
When socket.io is not able to close a connection somehow, the code
never reaches the final shutdown state but keeps waiting for all
connections to be closed. This can cause a high CPU load on failing
shutdown. It is very unlikely to happen, except when the server is
shut down exactly at the same time a socket is disconnecting and not
already marked as disconnected. This change adds a fallback timer
which forcefully kills the server after a certain amount of time.

Signed-off-by: Erik Michelson <github@erik.michelson.eu>
2025-12-03 19:52:52 +01:00
Erik Michelson
1028d61bf9 fix(embeddings): replace removed sample PDF file with another one
Signed-off-by: Erik Michelson <github@erik.michelson.eu>
2025-12-03 19:52:52 +01:00
Erik Michelson
1c9a5e4283 fix(embeddings): YouTube embedding requires referrer
The embedded YouTube player seemed not to work anymore
and showed a warning "invalid player configuration".
This seems to be related to the iframe being loaded
without a referrer to the origin domain. YouTube
nowadays requires this (probably to track from which
domains a YouTube player is embedded).

See also: https://developers.google.com/youtube/terms/required-minimum-functionality#embedded-player-api-client-identity

Signed-off-by: Erik Michelson <github@erik.michelson.eu>
2025-12-03 19:52:52 +01:00
Philip Molares
bc2075ae9d refactor: use user-token for historyDelete too
Previously, the user token was only used for the endpoint
to delete the user itself. This commit adds that token to
the history deletion as well.

Signed-off-by: Philip Molares <philip.molares@udo.edu>
2025-11-26 19:28:53 +01:00
Erik Michelson
05a937ea22 chore(node): run tests and linting with Node 24 too
Signed-off-by: Erik Michelson <github@erik.michelson.eu>
2025-11-26 09:23:29 +01:00
Erik Michelson
9a45d1e2a9 chore(deps): upgrade dependencies, remove some unnecessary ones
This commit upgrades dependencies that are more or less trivial
to update, e.g. because they didn't have major version bumps or
simply didn't break anything. There are some dependencies which
have not been upgraded since this would have required larger
refactorings. This includes especially the markdown-it ecosystem
and the webpack ecosystem.
The largest refactorings in this commit come from the bump of
socket.io v2 to v4 which changed the handling of the connected
socket list for instance.

This commit further removes some outdated and/or unnecessary
dependencies. This includes the String.js library which is
unmaintained for 9 years and has some CVEs. We mainly used
this library for their escapeHTML and unescapeHTML methods.
This can be done using native DOM APIs nowadays, which is also
considered safer since it is the same logic that the
browser itself uses.
Since we target Node 18 and above, we can also rely on the
built-in fetch function instead of the node-fetch package.
The current version of Chance.js includes a method for
generating a random color now too, so we don't need the
package randomcolor anymore.

Signed-off-by: Erik Michelson <github@erik.michelson.eu>
2025-11-24 14:32:24 +01:00
Erik Michelson
637c451486 fix: use nanoid instead of shortid
shortid is deprecated and they recommend nanoid instead.
We're not sure if this has to do with possible name
collisions or enumerability, but to be sure and on the
safe side, we're changing this. nanoid seems quite safe
since it uses node's crypto module underneath.

Signed-off-by: Erik Michelson <github@erik.michelson.eu>
2025-11-22 01:05:50 +01:00
Erik Michelson
4030cbbd3c fix(renderer): update regex for supported link schemes
This commit updates the whitelist we're using for outgoing links from HedgeDoc. Previously, any URI scheme except javascript: could be used as long as it contains two slashes after the scheme (like https://). On the one hand this allowed linking to arbitrary and possibly unsafe URI schemes, on the other hand this breaks some schemes like xmpp: or geo:.
We're now using the list of schemes that can be registered by a browser to be opened. This restricts arbitrary scheme usage but on the other side fixes several other schemes.

Signed-off-by: Erik Michelson <github@erik.michelson.eu>
2025-11-21 21:37:46 +01:00
Erik Michelson
6d970dbafd feat(config): allow restriction and disabling of uploads
Previously, image uploads were always allowed, unless `CMD_ALLOW_ANONYMOUS=false` and `CMD_ALLOW_ANONYMOUS_EDITS=false`.
This PR adds a new config option `CMD_ENABLE_UPLOADS` to configure image uploads independently. There are three different modes: `all` (everyone can upload, guests too), `registered` (only registered and logged-in users can upload images), and `none` to completely disable image uploads.
The default value is non-breaking as it is `all`, unless the config `CMD_ALLOW_ANONYMOUS=false` and `CMD_ALLOW_ANONYMOUS_EDITS=false` is set, in which case the value is `registered`.
The UI will reflect the setting and either show or hide the upload button.

Signed-off-by: Erik Michelson <github@erik.michelson.eu>
2025-11-15 22:54:57 +01:00
Kim Brose
1f586399ac update non-localised strings
Signed-off-by: Kim Brose <2803622+HarHarLinks@users.noreply.github.com>
2025-08-30 00:45:38 +02:00
Erik Michelson
c61bc6a2e0 docs(release-notes): add entry about toobusy bugfix
Signed-off-by: Erik Michelson <github@erik.michelson.eu>
2025-08-14 15:31:09 +02:00
Erik Michelson
a27f58396b docs: update release notes
Signed-off-by: Erik Michelson <github@erik.michelson.eu>
2025-04-10 00:21:55 +02:00
Erik Michelson
3f520ea59a refactor(embeds): drop slideshare, use vimeo api, tighten CSP
The slideshare integration was broken for quite a while already.
As slideshare doesn't seem to have a good replacement, we're
dropping it in the same manner as speakerdeck was dropped some
time ago. This means the special syntax now just renders a plain
link. This commit gets rid of the vimeo oembed API too which
allowed JSONP injection. Instead we're using the normal vimeo
video metadata API.

Co-authored-by: Philip Molares <philip.molares@udo.edu>
Signed-off-by: Erik Michelson <github@erik.michelson.eu>
2025-04-10 00:21:55 +02:00
Erik Michelson
0636b5c20b refactor: use iframes for gist embedding instead of gist-embed
The used library gist-embed relies on GitHub Gist's JSONP
endpoint which is a risk for XSS injection. By adding untrusted
content from GitHub into the DOM it also follows very bad
practices. Using the iframe embedding has the disadvantage of
not having the proper height for the frame auto-loaded, but
the security benefits are worth it.

Signed-off-by: Erik Michelson <github@erik.michelson.eu>
2025-04-10 00:21:55 +02:00
Erik Michelson
f31e591c17 chore(release): bump version to 1.10.3 and add release notes
Signed-off-by: Erik Michelson <github@erik.michelson.eu>
2025-04-10 00:21:55 +02:00
Philip Molares
38f25ec8cc chore: bump version to 1.10.2
Signed-off-by: Philip Molares <philip.molares@udo.edu>
2025-02-14 22:14:11 +01:00
Philip Molares
7b61a815c1 fix(release-notes): typo in the release year
Signed-off-by: Philip Molares <philip.molares@udo.edu>
2025-02-14 21:09:03 +01:00
Philip Molares
a8d5cb754c fix(oauth2): verify user id exists
Signed-off-by: Philip Molares <philip.molares@udo.edu>
2025-02-14 21:09:03 +01:00
Erik Michelson
fb6218ed82 fix(saml): change SAML attribute default, verify that a NameID is defined
Signed-off-by: Erik Michelson <github@erik.michelson.eu>
Signed-off-by: Philip Molares <philip.molares@udo.edu>
2025-02-14 21:09:03 +01:00
Philip Molares
cd50fc1e57 docs: finalize release notes
Signed-off-by: Philip Molares <philip.molares@udo.edu>
2025-02-02 23:12:33 +01:00
Philip Molares
e5be5d3f9d chore: bump version to 1.10.1
Signed-off-by: Philip Molares <philip.molares@udo.edu>
2025-02-02 23:12:33 +01:00
Philip Molares
3ae75adfb4 docs: add deprecation warning for node v18
We don't want to mix security fixes with major dependency updates, so
this release will still work with v18, but the next one won't support
it anymore.

Signed-off-by: Philip Molares <philip.molares@udo.edu>
2025-02-01 23:43:00 +01:00
Erik Michelson
72c233b233 fix: set HSTS preload attribute to false by default
See <https://hstspreload.org/#opt-in> for more information
why this is important.

Signed-off-by: Erik Michelson <github@erik.michelson.eu>
2025-02-01 22:56:38 +01:00
Philip Molares
c84a01b4ae chore(eslint): add missing global comments
These comments tell eslint that those special variables are
globally accessible

Signed-off-by: Philip Molares <philip.molares@udo.edu>
2025-02-01 22:15:54 +01:00
Philip Molares
03a7b0d3ef chore(eslint): remove deprecated eslint-env
These comments did not work anymore and were replaced by relevant
sections in eslint.config.mjs

Signed-off-by: Philip Molares <philip.molares@udo.edu>
2025-02-01 22:15:54 +01:00
Philip Molares
c437366c33 chore(eslint): run eslint --fix
Signed-off-by: Philip Molares <philip.molares@udo.edu>
2025-02-01 22:15:54 +01:00
Erik Michelson
876ebad1f3 feat: rate-limiting
Signed-off-by: Erik Michelson <github@erik.michelson.eu>
2025-02-01 21:12:08 +01:00
Dominik Rimpf
980bc71a65 fix(csp): allow 'data:' images in pads
Signed-off-by: Dominik Rimpf <dev@drimpf.de>
2024-12-18 19:09:05 +01:00
Lautaro Alvarez
4fdab806a3 fix(oauth2): Fix crash when profile fields are missing (#5850)
Co-authored-by: Lautaro Alvarez <lautaro@grava.digital>
2024-11-01 15:21:10 +01:00
David Mehren
28c08c297f Update release notes for 1.10.0
Signed-off-by: David Mehren <git@herrmehren.de>
2024-09-01 16:38:46 +02:00
David Mehren
3f79374619 Import translations from POEditor
Signed-off-by: David Mehren <git@herrmehren.de>
2024-09-01 16:38:46 +02:00
David Mehren
60325bba49 Fix anchor links dropping query parameter
Signed-off-by: David Mehren <git@herrmehren.de>
2024-09-01 16:38:46 +02:00
David Mehren
c543dc1f23 fix: anchor links
Signed-off-by: David Mehren <git@herrmehren.de>
2024-09-01 11:09:57 +02:00
David Mehren
1b91232909 fix: anchor links
Signed-off-by: David Mehren <git@herrmehren.de>
2024-09-01 11:09:57 +02:00
Erik Michelson
bf740ad910 fix(a11y): hide duplicated link text from screen readers
Because screen readers don't know that the anchor icon is not meant to be read,
they might read the title (which is the same as the heading itself) in addition
to the heading, thus causing a duplicated output.

Signed-off-by: Erik Michelson <github@erik.michelson.eu>
2024-08-23 17:44:14 +02:00
Erik Michelson
858d7bf5d1 feat: option to disable note creation
The abuse of the demo instance required us to disallow note creation

Signed-off-by: Erik Michelson <github@erik.michelson.eu>
Signed-off-by: Tilman Vatteroth <git@tilmanvatteroth.de>
2024-07-21 11:03:35 +02:00
Erik Michelson
c85b11463d fix(minio): metadata as object not string
A change in the minio JS SDK resulted in uploads being stored
with a defective metadata object in minio, resulting in all
files served as application/octet-stream. This was caused because
the fifth argument to putObject is a metadata object and not
the content-type alone anymore.

Signed-off-by: Erik Michelson <github@erik.michelson.eu>
2024-06-20 21:58:17 +02:00
Erik Michelson
307a634157 fix(router): do not create sessions for /_health
When the /_health endpoint for the docker container
healthcheck was introduced, it seems that it was
forgotten to exclude that route from the session
creation. As the healthcheck runs quite periodically,
this created a huge amount of session entries in the
database. This commit excludes the route from
session creation.

Signed-off-by: Erik Michelson <github@erik.michelson.eu>
2024-02-10 15:52:08 +01:00
Erik Michelson
538f41cf1c fix(opengraph): treat user frontmatter values as String
A bug was reported that having frontmatter fields that are only
numeric results in an error. This seems to be caused as the
frontmatter is processed by the yaml-parser but returned
with the types as given. So a numeric value is returned as a number,
a "true" or "false" is returned as a boolean, etc.
As we expect strings in the template, that resulted in an exception.

This commit fixes this by treating every value as string in the template.
Since we've got no other usages of opengraph data, this should not have been
a security problem.

Signed-off-by: Erik Michelson <github@erik.michelson.eu>
2024-01-17 17:10:06 +01:00
Jordi Mallach
91acb9063b Add a reference to Mermaid 9.1.7 documentation
HedgeDoc 1.9.x bundles Mermaid version 9.1.7, which
is old enough that current Mermaid syntax will fail to
render inside HedgeDoc notes.

Add a pointer to Mermaid 9.1.7 docs, so users of the
current stable HedgeDoc know what's actually supported.

https://github.com/mermaid-js/mermaid/blob/v9.1.7/docs/n00b-gettingStarted.md

Signed-off-by: Jordi Mallach <jordi@igalia.com>
2023-11-12 20:47:40 +01:00
David Mehren
de066ed6d9 Import translations from POEditor
Signed-off-by: David Mehren <git@herrmehren.de>
2023-07-30 20:07:27 +02:00
David Mehren
1da964a2f6 Add release notes for 1.9.9
Signed-off-by: David Mehren <git@herrmehren.de>
2023-07-30 20:07:27 +02:00
David Mehren
7c747cc6b6 Remove CodiMD infobox and tooltip
Signed-off-by: David Mehren <git@herrmehren.de>
2023-07-30 20:07:27 +02:00
David Mehren
2bb8531cc8 Do not translate slogan
Signed-off-by: David Mehren <git@herrmehren.de>
2023-07-30 20:07:27 +02:00