Commit graph

2201 commits

Author SHA1 Message Date
Sheogorath
b51a048777
Fix wrong value type for HSTS environment variable
Seem like also environment variables are affected. This patch fixes that
as well.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2019-03-04 17:13:43 +01:00
Sheogorath
32a1afbe86
Fix wrong value type in example config
HSTS maxAge has to be an integer, not a string.

Fixes https://github.com/hackmdio/codimd/issues/1159

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2019-03-04 16:59:44 +01:00
Sheogorath
20d1f17d2c
Add serbian language
Thanks for the work of the translator Vladan we got a serbian
translation added! Those few changes will add serbian language support
for future CodiMD releases.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2019-03-04 13:21:01 +01:00
Christoph (Sheogorath) Kern
126cd1b1f0
Merge pull request #1139 from Luclu7/patch-1
Corrected a typo
2019-03-04 13:10:56 +01:00
Sheogorath
87443dec5f
Release version 1.3.0
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2019-03-04 12:37:00 +01:00
toshi0123
6aab032709 Fix empty serverURL did not redirect properly
Signed-off-by: toshi0123 <7948737+toshi0123@users.noreply.github.com>
2019-03-04 13:59:14 +09:00
Sheogorath
1ee9874393
Fix names with spaces in letter-avatars
Seems like there is a possible problem when a name containing a space is
passed to this function. using urlencode on the name should fix possible
problems here.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2019-03-03 15:46:28 +01:00
Christoph (Sheogorath) Kern
112827423a
Merge pull request #1157 from hackmdio/fix-MathJax-XSS-issue
Fix possible MathJax XSS issue [Security Issue]
2019-03-03 15:44:33 +01:00
Max Wu
1743a97c22 Fix possible MathJax XSS issue [Security Issue]
see more at: http://docs.mathjax.org/en/latest/safe-mode.html

Signed-off-by: Max Wu <jackymaxj@gmail.com>
2019-03-03 18:32:58 +08:00
Sheogorath
b718eac70a
Force upgrade of some outdated dependencies
I don't really like the way to go here, but I guess having those
forcefully upgraded is better than staying around with vulnerable
dependencies.

This patch fixes some vulnerbilities in dependencies that were
categories as high severity.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2019-03-02 19:14:12 +01:00
Sheogorath
edfe7fc401
Update yarn.lock
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2019-03-02 15:27:16 +01:00
Sheogorath
9981a6c8ba
Fix wrong domain in app.json
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2019-03-02 14:27:59 +01:00
Christoph (Sheogorath) Kern
5274247790
Merge pull request #1150 from SISheogorath/fix/speakerdeck
Remove broken speakerdeck embedding
2019-02-21 23:34:15 +01:00
Sheogorath
1f0fb12755
Fix CI errors for unused variables
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2019-02-21 01:36:39 +01:00
Sheogorath
c5ca7b634a
Remove broken speakerdeck embedding
The current speakerdeck implementation is broken. An alternative
implementation using oembed doesn't work due to CORS, which could be
solved by proxying the speakerdeck API, but we decided to not do this.

This patch provides the link to the speakerdeck presentation instead,
and this way doesn't break existing notes. This is right now the best
solution we could come up with.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2019-02-21 01:26:37 +01:00
Sheogorath
0d88707475
Update yarn.lock 2019-02-15 15:40:45 +01:00
Sheogorath
bce58db97c
Update handlebar to version 4.0.13
Synk found an security vulnerbility in the version we provide, that in
theory can provide an RCE.

Details: https://snyk.io/vuln/SNYK-JS-HANDLEBARS-173692
2019-02-15 15:40:44 +01:00
Claudius Coenen
baefa1c672
Merge pull request #1148 from felixonmars/patch-1
Fix several typos in auth/saml.md
2019-02-14 23:19:40 +01:00
Felix Yan
1ccadec5a3 Fix several typos in auth/saml.md
Signed-off-by: Felix Yan <felixonmars@archlinux.org>
2019-02-15 04:14:17 +08:00
Luclu7
d982d8aaf2
Corrected a typo
Signed-off-by: Luclu7 <me@luclu7.fr>
2019-02-07 20:47:43 +01:00
Christoph (Sheogorath) Kern
b28201176e Update ja.json (POEditor.com) 2019-01-31 13:06:56 +01:00
Sheogorath
806f403045
Disable OpenID by default
We talked about that during a community call. It turned out that not
everyone likes to have OpenID on their instance.

This patch disables OpenID by default.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2019-01-25 19:31:34 +01:00
Christoph (Sheogorath) Kern
afcbea48cd
Merge pull request #1127 from SISheogorath/fix/unlinkFix
Fix broken PDF export by wrong unlink call
2019-01-25 18:27:33 +01:00
Sheogorath
4e81079050
Fix broken PDF export by wrong unlink call
We used `fs.unlink()` to remove the pdf file after we send it out to the
client. This breaks in Node 10, when no function as second parameter is
supplied.

This patches changes it to the `fs.unlinkSync` function that doesn't
have this requirement and this way doesn't crash.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2019-01-24 13:02:53 +01:00
Sheogorath
3dc40116e4
Update yarn.lock
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2019-01-24 12:21:19 +01:00
Claudius Coenen
2c1a618c56
Merge pull request #1125 from hackmdio/dependency-node-6-fix
Fixing deep dependency problem with node 6.x
2019-01-24 01:18:07 +01:00
Claudius Coenen
fa0dea0a1b Fixing deep dependency problem with node 6.x
this commit has been blatantly stolen from @samselikoff in ember-cli-addon-docs. It prevents an issue introduced via a deep dependency that no longer supports node 6 (which we still would like to support).
see: 231275b5a4
see: https://github.com/salesforce/tough-cookie/pull/141

Signed-off-by: Claudius Coenen <opensource@amenthes.de>
2019-01-23 23:37:13 +01:00
Christoph (Sheogorath) Kern
a9d12e3a28
Merge pull request #1124 from phrix32/patch-1
Fix reference to SAML guide in README
2019-01-22 11:03:20 +01:00
Jonathan
07697ee9a1 Fix reference to SAML guide in README
Signed-off-by: Jonathan Klauck <jonathan.klauck@aoe.com>
2019-01-22 10:48:45 +01:00
Christoph (Sheogorath) Kern
d69edd1def
Merge pull request #1123 from SISheogorath/fix/lintingTests
Add linting for tests
2019-01-21 23:16:22 +01:00
Sheogorath
bf229d91c6
Add linting for tests
The tests are currently not linted. This causes a different coding style
than the rest of the sources.

This patch adds the `./test` directory to the eslint testing and fixes
linting for existing tests.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2019-01-21 17:17:54 +01:00
Christoph (Sheogorath) Kern
3a23bd7c05
Merge pull request #1121 from SISheogorath/test/CSP
Add tests for csp.js
2019-01-21 17:14:51 +01:00
Sheogorath
d408f4c0fe
Add tests for csp.js
Since we lack of tests but got some great point to start, let's write
more tests.

This patch provides some basic tests for our CSP library. It's more an
integration than a unit test, but gets the job done.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2019-01-19 13:54:52 +01:00
Sheogorath
5f1406a136
Update yarn.lock
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2019-01-18 22:04:22 +01:00
Christoph (Sheogorath) Kern
b88a1ed04a
Merge pull request #1116 from dsprenkels/manage_users
Fix broken manage_users after Winston upgrade
2019-01-12 15:09:12 +01:00
Christoph (Sheogorath) Kern
4eb9d6941d
Merge pull request #1117 from SISheogorath/upgrade/bootstrap
Update bootstrap from 3.3.7 to 3.4.0
2019-01-12 15:08:54 +01:00
Sheogorath
62477f0279
Update bootstrap from 3.3.7 to 3.4.0
Seems like finally there is a new bootstrap version for old version 3.

This patch implements this new version with CodiMD and this way fixes
some possible security issues in the frontend code.

See:
https://snyk.io/vuln/SNYK-JS-BOOTSTRAP-72889
https://snyk.io/vuln/SNYK-JS-BOOTSTRAP-72890

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2019-01-11 01:56:52 +01:00
Daan Sprenkels
7c144ac7a9 Fix broken manage_users after Winston upgrade
Commit c3584770 upgrades Winston and with that version
`logger.transports.console` becomes undefined. This commit
updates the code to prevent the crash.

Signed-off-by: Daan Sprenkels <hello@dsprenkels.com>
2019-01-10 14:05:12 +01:00
Christoph (Sheogorath) Kern
4eb7748adb
Merge pull request #1114 from SISheogorath/fix/samlVersion
Update SAML to version 1.0.0
2019-01-09 11:53:11 +01:00
Sheogorath
9eb4e545d2
Update SAML to version 1.0.0
Seems like there was a security problem with the library.

This patch updates to version 1.0.0 which fixed the details.

Details: https://snyk.io/vuln/SNYK-JS-PASSPORTSAML-72411

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2019-01-09 01:15:02 +01:00
Christoph (Sheogorath) Kern
7a83fc0f14
Merge pull request #1110 from dsprenkels/issue_1106
Remove blueimp-md5 dependency
2019-01-05 14:08:23 +01:00
Christoph (Sheogorath) Kern
dba9575c94
Merge pull request #1112 from hackmdio/fix-XSS-issues
Fix some XSS issues
2018-12-29 21:52:03 +01:00
Max Wu
067cfe2d1e Fix to escape html comment tag [Security Issue]
Signed-off-by: Max Wu <jackymaxj@gmail.com>
2018-12-28 16:42:55 +08:00
Max Wu
b89a35196a
Fix to sanitize disqus shortnames to remove slashes [Security Issue]
Signed-off-by: Max Wu <jackymaxj@gmail.com>
2018-12-28 16:39:13 +08:00
Daan Sprenkels
f7bc1e99c0 Remove blueimp-md5 dependency
Signed-off-by: Daan Sprenkels <hello@dsprenkels.com>
2018-12-22 19:09:50 +01:00
Daan Sprenkels
318a37d41c Add a test for gravatar urls
Signed-off-by: Daan Sprenkels <hello@dsprenkels.com>
2018-12-22 19:09:45 +01:00
Christoph (Sheogorath) Kern
f9cc2ff0ef
Merge pull request #1105 from SISheogorath/fix/gistCSP
Fix broken Gist embedding
2018-12-21 18:39:22 +01:00
Christoph (Sheogorath) Kern
e4845849dc
Merge pull request #1108 from dsprenkels/patch-1
Update upload provider error message
2018-12-21 18:38:49 +01:00
Daan Sprenkels
8835a09d95 Update upload provider error message
Fixes #1107.

Signed-off-by: Daan Sprenkels <hello@dsprenkels.com>
2018-12-21 15:30:06 +01:00
Sheogorath
0f9e367015
Fix broken Gist embedding
Looks like GitHub changed their asset system and our CSP prevented them
from getting loaded.

This patch should fix the Gist embedding with enabled CSP by replacing
the old URL `https://assets-cdn.github.com` with the new
`https://github.githubassets.com`.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-12-20 22:49:25 +01:00