Only the OAuth2 auth strategy was using the state parameter,
which should be used as described in the RFC. The other
auth strategies such as GitHub, GitLab or Google were lacking
the state parameter.
This change adds the required state parameter as well as
enabling PKCE support on providers where it's possible.
Signed-off-by: Erik Michelson <github@erik.michelson.eu>
Websites loaded via an iframe could interrupt the user's workflow by initiating certain actions like opening print dialogs, alert boxes, etc. on the user's browser or even initiate file downloads.
By using the sandbox attribute, the iframe is limited in its actions and can't access browser APIs such as to download files.
With the additional credentialless attribute, the page in the iframe is loaded in a completely separate browsing context on Chromium-based browsers, thus isolating the content even more.
The functionality could previously be abused to initiate certain actions on 3rd-party websites where the user is logged in, if these 3rd-party websites have no proper CSRF protection. However, this is not a security risk to HedgeDoc itself.
Signed-off-by: Erik Michelson <github@erik.michelson.eu>
When socket.io is not able to close a connection somehow, the code
never reaches the final shutdown state but keeps waiting for all
connections to be closed. This can cause a high CPU load on failing
shutdown. It is very unlikely to happen, except when the server is
shut down exactly at the same time a socket is disconnecting and not
already marked as disconnected. This change adds a fallback timer
which forcefully kills the server after a certain amount of time.
Signed-off-by: Erik Michelson <github@erik.michelson.eu>
Previously, the user token was only used for the endpoint
to delete the user itself. This commit adds that token to
the history deletion as well.
Signed-off-by: Philip Molares <philip.molares@udo.edu>
shortid is deprecated and they recommend nanoid instead.
We're not sure if this has to do with possible name
collisions or enumerability, but to be sure and on the
safe side, we're changing this. nanoid seems quite safe
since it uses node's crypto module underneath.
Signed-off-by: Erik Michelson <github@erik.michelson.eu>
This commit updates the whitelist we're using for outgoing links from HedgeDoc. Previously, any URI scheme except javascript: could be used as long as it contains two slashes after the scheme (like https://). On the one hand this allowed linking to arbitrary and possibly unsafe URI schemes, on the other hand this breaks some schemes like xmpp: or geo:.
We're now using the list of schemes that can be registered by a browser to be opened. This restricts arbitrary scheme usage but on the other side fixes several other schemes.
Signed-off-by: Erik Michelson <github@erik.michelson.eu>
Previously, image uploads were always allowed, unless `CMD_ALLOW_ANONYMOUS=false` and `CMD_ALLOW_ANONYMOUS_EDITS=false`.
This PR adds a new config option `CMD_ENABLE_UPLOADS` to configure image uploads independently. There are three different modes: `all` (everyone can upload, guests too), `registered` (only registered and logged-in users can upload images), and `none` to completely disable image uploads.
The default value is non-breaking as it is `all`, unless the config `CMD_ALLOW_ANONYMOUS=false` and `CMD_ALLOW_ANONYMOUS_EDITS=false` is set, in which case the value is `registered`.
The UI will reflect the setting and either show or hide the upload button.
Signed-off-by: Erik Michelson <github@erik.michelson.eu>
We don't want to mix security fixes with major dependency updates, so
this release will still work with v18, but the next one won't support
it anymore.
Signed-off-by: Philip Molares <philip.molares@udo.edu>
Because screen readers don't know that the anchor icon is not meant to be read,
they might read the title (which is the same as the heading itself) in addition
to the heading, thus causing a duplicated output.
Signed-off-by: Erik Michelson <github@erik.michelson.eu>
A change in the minio JS SDK resulted in uploads being stored
with a defect metadata object in minio, resulting in all
files served as application/octet-stream. This was caused as
the fifth argument to putObject is a metadata object and not
the content-type alone anymore.
Signed-off-by: Erik Michelson <github@erik.michelson.eu>
When the /_health endpoint for the docker container
healthcheck was introduced, it seems that it was
forgotten to exclude that route from the session
creation. As the healthcheck runs quite periodically,
this created a huge amount of session entries in the
database. This commit excludes the route from
session creation.
Signed-off-by: Erik Michelson <github@erik.michelson.eu>
A bug was reported that having frontmatter fields being only numeric results in an error. This seems to be caused
as the frontmatter is processed by the yaml-parser but returned
with the types as given. So a numeric value is returned as a number,
a "true" or "false" is returned as boolean etc.
As we expect strings in the template, that resulted in an exception.
This commit fixes this by treating every value as string in the template.
Since we've got no other usages of opengraph data, this should not have been
a security problem.
Signed-off-by: Erik Michelson <github@erik.michelson.eu>
After carefully studying the man pages of GNU sort and BSD sort,
we concluded that the version_lt function should also work on macOS.
Testing seemed to confirm that.
Signed-off-by: David Mehren <git@herrmehren.de>
Connection forbidden errors cause cleanup of note state without first
checking if other clients are still connected to the note. This leads
to inconsistent pad content and changes not being saved properly.
This change reverts parts of 725e982 (Fix realtime on forbidden not clean
up properly ...). The call to `interruptConnection()` on permission errors
is redundant, since `failConnection()` and `disconnect()` already perform
all required cleanup in this case. The other call to `interruptConnection()`
only happens when a client (the first client for a note) disconnects while
the note is being loaded from the database. It is refactored for clarity.
Fixes #3894
Co-authored-by: David Mehren <git@herrmehren.de>
Signed-off-by: Julian Rother <julian@jrother.eu>
This endpoint returns the internal readiness state used by
the realtime code to indicate whether HedgeDoc is performing
properly. As it only returns the state of a variable, it is
less resource-hungry compared to a call to /status for
checking the health of HedgeDoc.
By prepending the route with an underscore, it should not be conflicting with already created pads in FreeURL mode.
Signed-off-by: Erik Michelson <github@erik.michelson.eu>