When socket.io is not able to close a connection somehow, the code
never reaches the final shutdown state but keeps waiting for all
connections to be closed. This can cause a high CPU load on failing
shutdown. It is very unlikely to happen, except when the server is
shut down exactly at the same time a socket is disconnecting and not
already marked as disconnected. This change adds a fallback timer
which forcefully kills the server after a certain amount of time.
Signed-off-by: Erik Michelson <github@erik.michelson.eu>
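The fallback described in the commit message above, as an added JavaScript example that is not HedgeDoc's own code: a polling wait for open sockets paired with a deadline timer, with exactly one of the two outcomes ever firing. The function name, option names and default intervals are hypothetical; in a real server `onForced` would log and then call `process.exit()`.

```javascript
// Added example, not HedgeDoc's code; every name and default here is hypothetical.
// Waits for all sockets to close, but never longer than deadlineMs.
function shutdownWithFallback ({
  countOpenSockets, // () => number of sockets not yet marked as disconnected
  onClean, // called once when the count reaches zero
  onForced, // called once when the deadline passes first
  pollMs = 100,
  deadlineMs = 5000,
  timers = globalThis // injectable so the logic can be tested without real time
}) {
  let done = false
  let poll = null
  let deadline = null

  function finish (callback) {
    if (done) return // guarantee exactly one outcome
    done = true
    timers.clearInterval(poll) // stop polling so no timer keeps spinning
    timers.clearTimeout(deadline)
    callback()
  }

  // Normal path: poll until every connection is gone.
  poll = timers.setInterval(() => {
    if (countOpenSockets() === 0) finish(onClean)
  }, pollMs)

  // Fallback path: a socket that never reports as closed must not block
  // the shutdown forever.
  deadline = timers.setTimeout(() => finish(onForced), deadlineMs)

  return { cancel: () => finish(() => {}) }
}
```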
Previously, the user token was only used for the endpoint
to delete the user itself. This commit adds that token to
the history deletion as well.
Signed-off-by: Philip Molares <philip.molares@udo.edu>

Node 18 does not yet have the ability to run the more modern
packages. Since we want to keep Node 18 compatibility
around for some time, these packages can't be upgraded.
Signed-off-by: Erik Michelson <github@erik.michelson.eu>

This commit upgrades dependencies that are more or less trivial
to update, e.g. because they didn't have major version bumps or
simply didn't break anything. There are some dependencies which
have not been upgraded since this would have required larger
refactorings. This includes especially the markdown-it ecosystem
and the webpack ecosystem.

The largest refactorings in this commit come from the bump of
socket.io v2 to v4 which changed the handling of the connected
socket list for instance.

This commit further removes some outdated and/or unnecessary
dependencies. This includes the String.js library which has been
unmaintained for 9 years and has some CVEs. We mainly used
this library for their escapeHTML and unescapeHTML methods.
This can be done using native DOM APIs nowadays, which is also
considered safer since it is the same logic that the
browser itself uses.

Since we target Node 18 and above, we can also rely on the
built-in fetch function instead of the node-fetch package.

The current version of Chance.js includes a method for
generating a random color now too, so we don't need the
package randomcolor anymore.
Signed-off-by: Erik Michelson <github@erik.michelson.eu>

shortid is deprecated and they recommend nanoid instead.
We're not sure if this has to do with possible name
collisions or enumerability, but to be sure and on the
safe side, we're changing this. nanoid seems quite safe
since it uses node's crypto module underneath.
Signed-off-by: Erik Michelson <github@erik.michelson.eu>

This commit updates the whitelist we're using for outgoing links from HedgeDoc. Previously, any URI scheme except javascript: could be used as long as it contains two slashes after the scheme (like https://). On the one hand this allowed linking to arbitrary and possibly unsafe URI schemes, on the other hand this breaks some schemes like xmpp: or geo:.
We're now using the list of schemes that can be registered by a browser to be opened. This restricts arbitrary scheme usage but on the other side fixes several other schemes.
Signed-off-by: Erik Michelson <github@erik.michelson.eu>
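The two link checks this commit message contrasts, as an added JavaScript example that is not HedgeDoc's code. The old rule is reconstructed from the description above; the allowlist is the scheme safelist of `navigator.registerProtocolHandler()` in the HTML standard plus `http` and `https`, and whether HedgeDoc's list matches it entry for entry is not stated on this page. Treating scheme-less (relative) links as allowed is also an assumption.

```javascript
// Added example, not HedgeDoc's code. Function names are hypothetical.
// Schemes a page may register via navigator.registerProtocolHandler()
// (HTML standard safelist), plus http/https for ordinary web links.
const ALLOWED_SCHEMES = new Set([
  'http', 'https',
  'bitcoin', 'ftp', 'ftps', 'geo', 'im', 'irc', 'ircs', 'magnet', 'mailto',
  'matrix', 'mms', 'news', 'nntp', 'openpgp4fpr', 'sftp', 'sip', 'sms',
  'smsto', 'ssh', 'tel', 'urn', 'webcal', 'wtai', 'xmpp'
])

// Old rule as described (reconstructed): any scheme except javascript:,
// but only if "//" follows the scheme.
function oldLinkAllowed (href) {
  const m = /^([a-z][a-z0-9+.-]*):\/\//i.exec(href.trim())
  return m !== null && m[1].toLowerCase() !== 'javascript'
}

// New rule: the scheme itself must be on the allowlist; "//" is not required.
function newLinkAllowed (href) {
  // URL parsers drop tabs/newlines and leading control characters or spaces,
  // so normalise the same way before looking at the scheme.
  const cleaned = href.replace(/[\t\n\r]/g, '').replace(/^[\u0000-\u0020]+/, '')
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(cleaned)
  if (m === null) return true // no scheme: relative link (assumption: allowed)
  return ALLOWED_SCHEMES.has(m[1].toLowerCase())
}

// Constructed sample links, checked against both rules.
function compare (links) {
  return links.map(href => ({
    href,
    old: oldLinkAllowed(href),
    new: newLinkAllowed(href)
  }))
}

console.table(compare([
  'https://example.org/',
  'xmpp:user@example.org',
  'geo:48.2,16.3',
  'someapp://open',
  'JavaScript:void(0)'
]))
```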
Previously, image uploads were always allowed, unless `CMD_ALLOW_ANONYMOUS=false` and `CMD_ALLOW_ANONYMOUS_EDITS=false`.
This PR adds a new config option `CMD_ENABLE_UPLOADS` to configure image uploads independently. There are three different modes: `all` (everyone can upload, guests too), `registered` (only registered and logged-in users can upload images), and `none` to completely disable image uploads.
The default value is non-breaking as it is `all`, unless the config `CMD_ALLOW_ANONYMOUS=false` and `CMD_ALLOW_ANONYMOUS_EDITS=false` is set, in which case the value is `registered`.
The UI will reflect the setting and either show or hide the upload button.
Signed-off-by: Erik Michelson <github@erik.michelson.eu>

If running with an orchestrator that restarts hedgedoc on failing
healthchecks, this causes it to enter a crashloop.
toobusy -> gets restarted -> everyone refreshes -> toobusy
Signed-off-by: Daniel Koschützki <daniel.koschuetzki@adfinis.com>

The slideshare integration was broken for quite a while already,
as slideshare doesn't seem to have a good replacement, we're
dropping it in the same manner as speakerdeck was dropped some
time ago. This means the special syntax now just renders a plain
link. This commit gets rid of the vimeo oembed API too which
allowed JSONP injection. Instead we're using the normal vimeo
video metadata API.
Co-authored-by: Philip Molares <philip.molares@udo.edu>
Signed-off-by: Erik Michelson <github@erik.michelson.eu>

The used library gist-embed relies on GitHub Gist's JSONP
endpoint which is a risk for XSS injection. By adding untrusted
content from GitHub into the DOM it also follows very bad
practices. Using the iframe embedding has the disadvantage of
not having the proper height for the frame auto-loaded, but
the security benefits are worth it.
Signed-off-by: Erik Michelson <github@erik.michelson.eu>

This is required since SVG files are able to contain
malicious code through JavaScript and remote embeddings.
When opened in a browser tab, this code would be
executed. However, with these headers in place, there's
no possibility of getting the files to run in the
browser.
Co-authored-by: Philip Molares <philip.molares@udo.edu>
Signed-off-by: Erik Michelson <github@erik.michelson.eu>