mirrors/hedgedoc
1
0
Fork 0
mirror of https://github.com/hedgedoc/hedgedoc.git synced 2024-09-19 07:28:48 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions 9
6427 commits 36 branches 47 tags 158 MiB
Commit graph

6427 commits

This branch
This branch
All branches
Author SHA1 Message Date
renovate[bot]
39835b3f22
fix(deps): update dependency cli-color to v2.0.4 
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
 2024-08-29 08:59:45 +00:00
renovate[bot]
180f1d7da3 chore(deps): update nextjs monorepo to v14.1.4 
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
 2024-08-29 08:52:59 +00:00
renovate[bot]
0455632c46 chore(deps): update mariadb docker tag to v11.2.5 
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
 2024-08-29 10:43:54 +02:00
renovate[bot]
b7c4e0c4a2 chore(deps): update testing-library 
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
 2024-08-29 07:17:25 +00:00
renovate[bot]
954a384d65 chore(deps): update ossf/scorecard-action action to v2.3.3 
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
 2024-08-29 07:16:00 +00:00
renovate[bot]
e229d93cdd chore(deps): update linters 
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
 2024-08-29 05:26:16 +00:00
renovate[bot]
e3b93ad9a1 chore(deps): update dependency yjs to v13.6.18 
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
 2024-08-29 05:25:31 +00:00
renovate[bot]
51bc6cc33f chore(deps): update github/codeql-action action to v3.24.11 
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
 2024-08-29 05:21:34 +00:00
renovate[bot]
c8c7715287 chore(deps): update fsfe/reuse docker tag to v3.0.2 
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
 2024-08-29 05:20:45 +00:00
renovate[bot]
161ab022a9 chore(deps): update dependency turbo to v1.12.5 
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
 2024-08-29 02:22:16 +00:00
renovate[bot]
aa759cc879 chore(deps): update dependency ts-jest to v29.1.5 
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
 2024-08-29 02:21:47 +00:00
renovate[bot]
7d842960a9 chore(deps): update dependency pymdown-extensions to v10.7.1 
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
 2024-08-29 02:15:38 +00:00
renovate[bot]
c3fd6993d2 chore(deps): update dependency @tsconfig/node18 to v18.2.4 
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
 2024-08-29 02:15:21 +00:00
renovate[bot]
773ffaade3 chore(deps): update dependency node to v20.11.1
Some checks are pending
Docker / build-and-push (backend) (push) Waiting to run
Details
Docker / build-and-push (frontend) (push) Waiting to run
Details
Deploy HD2 docs to Netlify / Deploys to netlify (push) Waiting to run
Details
E2E Tests / backend-sqlite (push) Waiting to run
Details
E2E Tests / backend-mariadb (push) Waiting to run
Details
E2E Tests / backend-postgres (push) Waiting to run
Details
E2E Tests / Build test build of frontend (push) Waiting to run
Details
E2E Tests / frontend-cypress (1) (push) Blocked by required conditions
Details
E2E Tests / frontend-cypress (2) (push) Blocked by required conditions
Details
E2E Tests / frontend-cypress (3) (push) Blocked by required conditions
Details
Lint and check format / Lint files and check formatting (push) Waiting to run
Details
REUSE Compliance Check / reuse (push) Waiting to run
Details
Scorecard supply-chain security / Scorecard analysis (push) Waiting to run
Details
Static Analysis / Njsscan code scanning (push) Waiting to run
Details
Static Analysis / CodeQL analysis (javascript) (push) Waiting to run
Details
Run tests & build / Test and build with NodeJS 20 (push) Waiting to run
Details 
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
 2024-08-28 22:53:40 +00:00
renovate[bot]
c3863a4e27 chore(deps): update dependency mkdocs-material to v9.5.33 
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
 2024-08-28 22:53:03 +00:00
renovate[bot]
58defe5b3a chore(deps): update dependency cypress to v13.6.6 
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
 2024-08-28 22:52:41 +00:00
renovate[bot]
2cc71588fe fix(deps): update dependency ws to v8.17.1 [security] 
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
 2024-08-29 00:43:05 +02:00
renovate[bot]
d31b2af368 chore(deps): update codemirror 
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
 2024-08-28 22:41:17 +00:00
renovate[bot]
de8f1abe2e chore(deps): update dependency @dicebear/converter to v7.0.5 
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
 2024-08-28 22:38:49 +00:00
renovate[bot]
e242d5ccf3 chore(deps): update codecov/codecov-action action to v4.0.2 
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
 2024-08-28 22:37:08 +00:00
renovate[bot]
6a6fd3b099 chore(deps): update dependency @darraghor/eslint-plugin-nestjs-typed to v4.6.1 
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
 2024-08-29 00:33:01 +02:00
renovate[bot]
95748d1370 chore(deps): update actions/upload-artifact action to v4.3.6 
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
 2024-08-28 22:31:20 +00:00
renovate[bot]
5e236e4906 chore(deps): update actions/setup-node action to v4.0.3 
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
 2024-08-28 22:30:51 +00:00
renovate[bot]
b65c8c1ff5 chore(deps): update actions/checkout action to v4.1.7 
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
 2024-08-28 22:29:42 +00:00
renovate[bot]
9b64471554 chore(deps): update actions/checkout digest to 692973e 
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
 2024-08-28 22:25:07 +00:00
renovate[bot]
8fedd5402c chore(deps): update actions/cache action to v4.0.2 
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
 2024-08-28 22:24:54 +00:00
renovate[bot]
7773fe1bdb fix(deps): pin dependency @node-rs/argon2 to 1.8.3 
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
 2024-08-28 22:23:56 +00:00
renovate[bot]
52944840c1 chore(deps): update actions/upload-artifact digest to 834a144 
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
 2024-08-28 22:22:11 +00:00
renovate[bot]
14fe9470dd chore(deps): update node.js to 1a526b9 
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
 2024-08-28 22:07:27 +00:00
Erik Michelson
0c4e9bc080
fix(formatting): remove blank line to silence prettier 
Signed-off-by: Erik Michelson <github@erik.michelson.eu>
 2024-08-29 00:00:08 +02:00
yamashush
e99ba0615c test: fix update patch when removing old revisions
Some checks failed
Docker / build-and-push (backend) (push) Has been cancelled
Details
Docker / build-and-push (frontend) (push) Has been cancelled
Details
E2E Tests / backend-sqlite (push) Has been cancelled
Details
E2E Tests / backend-mariadb (push) Has been cancelled
Details
E2E Tests / backend-postgres (push) Has been cancelled
Details
E2E Tests / Build test build of frontend (push) Has been cancelled
Details
Lint and check format / Lint files and check formatting (push) Has been cancelled
Details
REUSE Compliance Check / reuse (push) Has been cancelled
Details
Scorecard supply-chain security / Scorecard analysis (push) Has been cancelled
Details
Static Analysis / Njsscan code scanning (push) Has been cancelled
Details
Static Analysis / CodeQL analysis (javascript) (push) Has been cancelled
Details
Run tests & build / Test and build with NodeJS 20 (push) Has been cancelled
Details
E2E Tests / frontend-cypress (1) (push) Has been cancelled
Details
E2E Tests / frontend-cypress (2) (push) Has been cancelled
Details
E2E Tests / frontend-cypress (3) (push) Has been cancelled
Details 
Signed-off-by: yamashush <38120991+yamashush@users.noreply.github.com>
Signed-off-by: Philip Molares <philip.molares@udo.edu>
 2024-08-23 18:43:40 +02:00
Erik Michelson
f9b6f6851b feat(editor): re-add editor mode buttons (edit/both/view) 
Signed-off-by: Erik Michelson <github@erik.michelson.eu>
 2024-08-23 18:13:58 +02:00
Erik Michelson
f30f0d8e51 fix(passwords): use argon2id instead of bcrypt
Some checks failed
Docker / build-and-push (backend) (push) Has been cancelled
Details
Docker / build-and-push (frontend) (push) Has been cancelled
Details
E2E Tests / backend-sqlite (push) Has been cancelled
Details
E2E Tests / backend-mariadb (push) Has been cancelled
Details
E2E Tests / backend-postgres (push) Has been cancelled
Details
E2E Tests / Build test build of frontend (push) Has been cancelled
Details
Lint and check format / Lint files and check formatting (push) Has been cancelled
Details
REUSE Compliance Check / reuse (push) Has been cancelled
Details
Scorecard supply-chain security / Scorecard analysis (push) Has been cancelled
Details
Static Analysis / Njsscan code scanning (push) Has been cancelled
Details
Static Analysis / CodeQL analysis (javascript) (push) Has been cancelled
Details
Run tests & build / Test and build with NodeJS 20 (push) Has been cancelled
Details
E2E Tests / frontend-cypress (1) (push) Has been cancelled
Details
E2E Tests / frontend-cypress (2) (push) Has been cancelled
Details
E2E Tests / frontend-cypress (3) (push) Has been cancelled
Details 
OWASP [1] recommends for password hashing the following algorithms in
descending order: argon2id, scrypt, bcrypt. They state that bcrypt may
be used in legacy systems or when required due to legal regulations.
We're however not building any legacy application. Even HedgeDoc 1.x
utilizes a more modern algorithm by using scrypt.

While bcrypt is not insecure per se, our implementation had a major
security flaw, leading to invalid passwords being accepted in certain
cases. The bcrypt nodejs package - and the OWASP cheatsheet as well -
point out, that the maximum input length of passwords is limited to 72
bytes with bcrypt. When some user has a password longer than 72 bytes in
use, only the first 72 bytes are required to log in successfully.
Depending on the encoding (which could be UTF-8 or UTF-16 depending on
different circumstances) this could in worst-case be at 36 characters,
which is not very unusual for a password. See also [2].

This commit changes the used algorithm to argon2id. Argon2id has been in
use for several years now and seems to be a well-designed password
hashing function that even won the 2015 Password Hashing Competition.
Argon2 does not have any real-world max input length for passwords (it
is at 4 GiB).

The node-rs/argon2 implementation seems to be well maintained, widely
used (more than 150k downloads per week) and is published with
provenance, proving that the npm package was built on GitHub actions
using the source code in the repository. The implementation is written
in Rust, so it should be safe against memory leakages etc.

[1]: https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Che
     at_Sheet.html#password-hashing-algorithms
[2]: https://security.stackexchange.com/a/39851

Signed-off-by: Erik Michelson <github@erik.michelson.eu>
 2024-08-08 20:29:23 +02:00
Erik Michelson
6684b0f886 enhancement(realtime): send metadata update on revision save
Some checks are pending
Docker / build-and-push (backend) (push) Waiting to run
Details
Docker / build-and-push (frontend) (push) Waiting to run
Details
E2E Tests / backend-sqlite (push) Waiting to run
Details
E2E Tests / backend-mariadb (push) Waiting to run
Details
E2E Tests / backend-postgres (push) Waiting to run
Details
E2E Tests / Build test build of frontend (push) Waiting to run
Details
E2E Tests / frontend-cypress (1) (push) Blocked by required conditions
Details
E2E Tests / frontend-cypress (2) (push) Blocked by required conditions
Details
E2E Tests / frontend-cypress (3) (push) Blocked by required conditions
Details
Lint and check format / Lint files and check formatting (push) Waiting to run
Details
REUSE Compliance Check / reuse (push) Waiting to run
Details
Scorecard supply-chain security / Scorecard analysis (push) Waiting to run
Details
Static Analysis / Njsscan code scanning (push) Waiting to run
Details
Static Analysis / CodeQL analysis (javascript) (push) Waiting to run
Details
Run tests & build / Test and build with NodeJS 20 (push) Waiting to run
Details 
When the frontend is notified about metadata updates, it refreshes the
data and therefore refreshes information like the timestamp of the last
revision save in the sidebar.
This commit adds such a notification from the backend to all clients on
each revision save, so that the "last saved at" value in the frontend is
correct.

Signed-off-by: Erik Michelson <github@erik.michelson.eu>
 2024-08-07 22:25:51 +02:00
Erik Michelson
9cbd78f622 fix(frontend): do not hardcode example.org, do not prebuild motd 
The motd.md is user-supplied and should therefore not be prebuild during
the HedgeDoc build process. As that required the presence of the base
URL which is also not available in the build context, it fell back to
our fallback value example.org, thus breaking offline builds.
By removing the example.org domains and disabling the prebuild for the
motd, this seems fixed.

Co-authored-by: Philip Molares <philip.molares@udo.edu>
Signed-off-by: Philip Molares <philip.molares@udo.edu>
Signed-off-by: Erik Michelson <github@erik.michelson.eu>
 2024-08-07 21:28:17 +02:00
Erik Michelson
1f1231a730 ci: remove netlify deployment workflow
Some checks failed
E2E Tests / backend-sqlite (push) Has been cancelled
Details
Static Analysis / CodeQL analysis (javascript) (push) Has been cancelled
Details
Run tests & build / Test and build with NodeJS ${{ matrix.node }} (true, 20) (push) Has been cancelled
Details
Docker / build-and-push (backend) (push) Has been cancelled
Details
Docker / build-and-push (frontend) (push) Has been cancelled
Details
Deploy HD2 docs to Netlify / Deploys to netlify (push) Has been cancelled
Details
E2E Tests / backend-mariadb (push) Has been cancelled
Details
E2E Tests / backend-postgres (push) Has been cancelled
Details
E2E Tests / Build test build of frontend (push) Has been cancelled
Details
Lint and check format / Lint files and check formatting (push) Has been cancelled
Details
REUSE Compliance Check / reuse (push) Has been cancelled
Details
Scorecard supply-chain security / Scorecard analysis (push) Has been cancelled
Details
Static Analysis / Njsscan code scanning (push) Has been cancelled
Details
E2E Tests / frontend-cypress (1) (push) Has been cancelled
Details
E2E Tests / frontend-cypress (2) (push) Has been cancelled
Details
E2E Tests / frontend-cypress (3) (push) Has been cancelled
Details 
This workflow was used in an early stage of development of HedgeDoc 2.
It allowed the core developers to quickly check fixes, improvements or
new features to the HedgeDoc UI without the requirement to check-out
the branch locally. As not every pull request required a deployment,
this workflow was only triggered when the "ci: force deployment"
label was added. Since some time already, the frontend and backend
are so tightly coupled that the netfliy deployment doesn't make any
sense anymore and therefore hasn't been used anymore. This commit
therefore removes this leftover workflow.

@RedYetiDev contacted us privately and reported that this deployment
workflow could have been abused to invoke arbitrary commands, including
extraction of environment variables which include our tokens for the
turborepo build cache or the netlify deployment token. For this it
would have been required that somebody created a "safe" pull request,
which would have been labelled with the deployment label and then
changed afterwards since the workflow checks out the pull request
source repository, not the target. We assured that the label was only
added to pull requests from trusted members of the HedgeDoc core team.
There was never any malicious use of the workflow. Furthermore, no
released versions of HedgeDoc (1.x) could have been affected by this,
even in the worst-case scenario.

We're thankful for putting this risk at our attention!
If you too encounter something unusual regarding security in HedgeDoc
itself or our toolchain around it, don't hesitate to contact us.
Details on this are wriiten in our SECURITY.md in the root of the
repository.

Signed-off-by: Erik Michelson <github@erik.michelson.eu>
 2024-07-30 08:48:38 +02:00
Jochen Martin Eppler
cdb9a5cbb0 Fix typo
Some checks failed
Docker / build-and-push (backend) (push) Has been cancelled
Details
Docker / build-and-push (frontend) (push) Has been cancelled
Details
Deploy HD2 docs to Netlify / Deploys to netlify (push) Has been cancelled
Details
E2E Tests / backend-sqlite (push) Has been cancelled
Details
E2E Tests / backend-mariadb (push) Has been cancelled
Details
E2E Tests / backend-postgres (push) Has been cancelled
Details
E2E Tests / Build test build of frontend (push) Has been cancelled
Details
Lint and check format / Lint files and check formatting (push) Has been cancelled
Details
REUSE Compliance Check / reuse (push) Has been cancelled
Details
Scorecard supply-chain security / Scorecard analysis (push) Has been cancelled
Details
Static Analysis / Njsscan code scanning (push) Has been cancelled
Details
Static Analysis / CodeQL analysis (javascript) (push) Has been cancelled
Details
Run tests & build / Test and build with NodeJS ${{ matrix.node }} (true, 20) (push) Has been cancelled
Details
E2E Tests / frontend-cypress (1) (push) Has been cancelled
Details
E2E Tests / frontend-cypress (2) (push) Has been cancelled
Details
E2E Tests / frontend-cypress (3) (push) Has been cancelled
Details 
defition --> definition

Signed-off-by: Jochen Martin Eppler <jougs@gmx.net>
 2024-06-27 12:45:50 +02:00
renovate[bot]
3513377d2d fix(deps): update dependency next to v14.1.1 [security]
Some checks failed
Docker / build-and-push (frontend) (push) Has been cancelled
Details
E2E Tests / backend-sqlite (push) Has been cancelled
Details
Docker / build-and-push (backend) (push) Has been cancelled
Details
E2E Tests / backend-mariadb (push) Has been cancelled
Details
E2E Tests / backend-postgres (push) Has been cancelled
Details
E2E Tests / Build test build of frontend (push) Has been cancelled
Details
E2E Tests / frontend-cypress (1) (push) Has been cancelled
Details
E2E Tests / frontend-cypress (2) (push) Has been cancelled
Details
E2E Tests / frontend-cypress (3) (push) Has been cancelled
Details
Lint and check format / Lint files and check formatting (push) Has been cancelled
Details
REUSE Compliance Check / reuse (push) Has been cancelled
Details
Scorecard supply-chain security / Scorecard analysis (push) Has been cancelled
Details
Static Analysis / Njsscan code scanning (push) Has been cancelled
Details
Static Analysis / CodeQL analysis (javascript) (push) Has been cancelled
Details
Run tests & build / Test and build with NodeJS ${{ matrix.node }} (true, 20) (push) Has been cancelled
Details 
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
 2024-05-10 07:42:49 +00:00
Erik Michelson
9597ac5422 feat(notes): check for equal alias or note id 
When creating a new note or adding a new alias to one,
it is checked that the new name
is neither forbidden nor already in use.

Co-authored-by: David Mehren <git@herrmehren.de>
Signed-off-by: Erik Michelson <github@erik.michelson.eu>
 2024-04-18 22:15:11 +02:00
Erik Michelson
6bb2452705 feat(sidebar): add media browser 
Signed-off-by: Erik Michelson <github@erik.michelson.eu>
 2024-04-18 22:11:49 +02:00
Erik Michelson
8693edbf6a refactor(media): add media redirection endpoint 
Previous versions of HedgeDoc suffered from the problem
that changing the media backend required manipulation of
the media links in all created notes. We discussed in
#3704 that it's favourable to have an endpoint that
redirects to the image's original URL. When changing the
media backend, the link stays the same but just the
redirect changes.

Signed-off-by: Erik Michelson <github@erik.michelson.eu>
 2024-04-18 22:11:49 +02:00
Philip Molares
1f19a6fac4 lint: fix error in new test 
This was probably introduced because the PR was open so long

Signed-off-by: Philip Molares <philip.molares@udo.edu>
 2024-04-18 21:52:36 +02:00
yamashush
1c22a425bd test: complete todo 
Signed-off-by: yamashush <38120991+yamashush@users.noreply.github.com>
 2024-04-18 21:26:06 +02:00
renovate[bot]
662de1e9f8 fix(deps): update dependency reveal.js to v5 
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
 2024-04-09 11:40:15 +02:00
renovate[bot]
9aaec95398 fix(deps): update dependency @nestjs/schedule to v4 
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
 2024-04-09 11:31:07 +02:00
Erik Michelson
f7c70ebee1 test(utils): add tests for updateObject util 
Signed-off-by: Erik Michelson <github@erik.michelson.eu>
 2024-04-09 10:55:38 +02:00
Erik Michelson
d840a6f0b1 refactor(redux): migrate to RTK2 store definition 
Signed-off-by: Erik Michelson <github@erik.michelson.eu>
 2024-04-09 10:55:38 +02:00
renovate[bot]
8b501915f5 chore(deps): upgrade redux packages 
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Signed-off-by: Erik Michelson <github@erik.michelson.eu>
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
 2024-04-09 10:55:38 +02:00
Erik Michelson
92bde4d281 enhancement(api-tokens): add prefix and more strict validation 
Signed-off-by: Erik Michelson <github@erik.michelson.eu>
 2024-04-09 10:54:35 +02:00
Erik Michelson
0db5a0856b feat(sidebar): add gitlab snippet and github gist export 
Signed-off-by: Erik Michelson <github@erik.michelson.eu>
 2024-04-04 00:36:48 +02:00