Only the OAuth2 auth strategy was using the state parameter,
which should be used as described in the RFC. The other
auth strategies such as GitHub, GitLab or Google were lacking
the state parameter.
This change adds the required state parameter as well as
enabling PKCE support on providers where it's possible.
Signed-off-by: Erik Michelson <github@erik.michelson.eu>
Websites loaded via an iframe could interrupt the user's workflow by initiating certain actions like opening print dialogs, alert boxes, etc. on the user's browser or even initiate file downloads.
By using the sandbox attribute, the iframe is limited in it's actions and can't access browser APIs such as to download files.
With the additional credentialless attribute, the page in the iframe is loaded in a completely separate browsing context on Chromium-based browsers, thus isolating the content even more.
The functionality could previously be abused to initiate certain actions on 3rd-party websites where the user is logged-in, if these 3rd-party websites have no proper CSRF protection. However, this is not a security risk to HedgeDoc itself.
Signed-off-by: Erik Michelson <github@erik.michelson.eu>
When socket.io is not able to close a connection somehow, the code
never reaches the final shutdown state but keeps waiting for all
connections to be closed. This can cause a high CPU load on failing
shutdown. It is very unlikely to happen, except when the server is
shut down exactly at the same time a socket is disconnecting and not
already marked as disconnected. This change adds a fallback timer
which forcefully kills the server after a certain amount of time.
Signed-off-by: Erik Michelson <github@erik.michelson.eu>
Previously, the user token was only used for the endpoint
to delete the user itself. This commit adds that token to
the history deletion as well.
Signed-off-by: Philip Molares <philip.molares@udo.edu>
Node 18 has not the ability yet to run the more modern
packages. Since we want to keep Node 18 compatability
around for some time, these packages can't be upgraded.
Signed-off-by: Erik Michelson <github@erik.michelson.eu>
This commit upgrades dependencies that are more or less trivial
to update, e.g. because they didn't have major version bumps or
simply didn't break anything. There are some dependencies which
have not been upgraded since this would have required larger
refactorings. This includes especially the markdown-it ecosystem
and the webpack ecosystem.
The largest refactorings in this commit come from the bump of
socket.io v2 to v4 which changed the handling of the connected
socket list for instance.
This commit further removes some outdated and/or unnecessary
dependencies. This includes the String.js library which is
unmaintained for 9 years and has some CVEs. We mainly used
this library for their escapeHTML and unescapeHTML methods.
This can be done using native DOM APIs nowadays, which is also
considered more safe since it is the same logic that the
browser itself uses.
Since we target Node 18 and above, we can also rely on the
built-in fetch function instead of the node-fetch package.
The current version of Chance.js includes a method for
generating a random color now too, so we don't need the
package randomcolor anymore.
Signed-off-by: Erik Michelson <github@erik.michelson.eu>
shortid is deprecated and they recommend nanoid instead.
We're not sure if this has to do with possible name
collisions or enumerability, but to be sure and on the
safe side, we're changing this. nanoid seems quite safe
since it uses node's crypto module underneath.
Signed-off-by: Erik Michelson <github@erik.michelson.eu>
This commit updates the whitelist we're using for outgoing links from HedgeDoc. Previously, any URI scheme except javascript: could be used as long as it contains two slashes after the scheme (like https://). On the one hand this allowed linking to arbitrary and possibly unsafe URI schemes, on the other hand this breaks some schemes like xmpp: or geo:.
We're now using the list of schemes that can be registered by a browser to be opened. This restricts arbitrary scheme usage but on the other side fixes several other schemes.
Signed-off-by: Erik Michelson <github@erik.michelson.eu>
Previously, image uploads were always allowed, unless `CMD_ALLOW_ANONYMOUS=false` and `CMD_ALLOW_ANONYMOUS_EDITS=false`.
This PR adds a new config option `CMD_ENABLE_UPLOADS` to configure image uploads independently. There are three different modes: `all` (everyone can upload, guests too), `registered` (only registered and logged-in users can upload images), and `none` to completely disable image uploads.
The default value is non-breaking as it is `all`, unless the config `CMD_ALLOW_ANONYMOUS=false` and `CMD_ALLOW_ANONYMOUS_EDITS=false` is set, in which case the value is `registered`.
The UI will reflect the setting and either show or hide the upload button.
Signed-off-by: Erik Michelson <github@erik.michelson.eu>
If running with an orchestrator that restarts hedgedoc on failing
healthchecks, this causes it to enter a crashloop.
toobusy -> gets restarted -> everyone refreshes -> toobusy
Signed-off-by: Daniel Koschützki <daniel.koschuetzki@adfinis.com>
