mirrors/hedgedoc
1
0
Fork 0
mirror of https://github.com/hedgedoc/hedgedoc.git synced 2024-09-19 15:38:48 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions 9
6462 commits 36 branches 47 tags 158 MiB
Commit graph

2029 commits

Author SHA1 Message Date
renovate[bot]
75ba77f8c0 chore(deps): update dependency dotenv-cli to v7.4.2 
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
 2024-08-29 12:40:57 +02:00
renovate[bot]
fbd9f7eb07 chore(deps): update dependency markdownlint-cli2 to v0.13.0 
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
 2024-08-29 12:40:25 +02:00
renovate[bot]
722e8ca31b chore(deps): update codemirror 
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
 2024-08-29 12:15:48 +02:00
renovate[bot]
4ca2ed1ced chore(deps): update dependency @dicebear/converter to v7.1.3 
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
 2024-08-29 12:14:57 +02:00
renovate[bot]
c4916704ae fix(deps): update dependency react-redux to v9.1.2 
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
 2024-08-29 09:52:17 +00:00
renovate[bot]
8769f13f5d fix(deps): update dependency rimraf to v5.0.10 
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
 2024-08-29 09:41:38 +00:00
renovate[bot]
d441feb6bb fix(deps): update i18next 
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
 2024-08-29 09:40:52 +00:00
renovate[bot]
83ccf48f93 fix(deps): update dependency @dicebear/identicon to v7.0.5 
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
 2024-08-29 09:40:22 +00:00
renovate[bot]
7cf00fe548 fix(deps): update dependency emoji-picker-element to v1.21.3 
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
 2024-08-29 09:39:54 +00:00
renovate[bot]
9e558f7f5d fix(deps): update nestjs packages 
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
 2024-08-29 09:22:13 +00:00
renovate[bot]
fa5d85fc9e fix(deps): update dependency sharp to v0.33.5 
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
 2024-08-29 09:22:05 +00:00
renovate[bot]
6cbc291ec4 fix(deps): update dependency react-use to v17.5.1 
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
 2024-08-29 09:20:09 +00:00
renovate[bot]
475c82316f fix(deps): update dependency reflect-metadata to v0.2.2 
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
 2024-08-29 09:19:10 +00:00
renovate[bot]
335340e1b1 fix(deps): update dependency react-bootstrap to v2.10.4 
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
 2024-08-29 09:18:27 +00:00
renovate[bot]
5f438a7e27 fix(deps): update dependency picocolors to v1.0.1 
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
 2024-08-29 09:16:30 +00:00
renovate[bot]
7516eb7761 fix(deps): update dependency joi to v17.12.3 
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
 2024-08-29 09:16:16 +00:00
renovate[bot]
ecbe34746b fix(deps): update dependency pg to v8.11.6 
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
 2024-08-29 09:15:51 +00:00
renovate[bot]
062d5b34b9 fix(deps): update dependency katex to v0.16.11 
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
 2024-08-29 09:15:30 +00:00
renovate[bot]
7d4d69c3fd fix(deps): update dependency emoji-picker-element-data to v1.6.1 
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
 2024-08-29 09:14:20 +00:00
renovate[bot]
c98fa9ca1a fix(deps): update dependency dompurify to v3.0.11
Some checks are pending
Docker / build-and-push (backend) (push) Waiting to run
Details
Docker / build-and-push (frontend) (push) Waiting to run
Details
Deploy HD2 docs to Netlify / Deploys to netlify (push) Waiting to run
Details
E2E Tests / backend-sqlite (push) Waiting to run
Details
E2E Tests / backend-mariadb (push) Waiting to run
Details
E2E Tests / backend-postgres (push) Waiting to run
Details
E2E Tests / Build test build of frontend (push) Waiting to run
Details
E2E Tests / frontend-cypress (1) (push) Blocked by required conditions
Details
E2E Tests / frontend-cypress (2) (push) Blocked by required conditions
Details
E2E Tests / frontend-cypress (3) (push) Blocked by required conditions
Details
Lint and check format / Lint files and check formatting (push) Waiting to run
Details
REUSE Compliance Check / reuse (push) Waiting to run
Details
Scorecard supply-chain security / Scorecard analysis (push) Waiting to run
Details
Static Analysis / Njsscan code scanning (push) Waiting to run
Details
Static Analysis / CodeQL analysis (javascript) (push) Waiting to run
Details
Run tests & build / Test and build with NodeJS 20 (push) Waiting to run
Details 
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
 2024-08-29 09:12:24 +00:00
renovate[bot]
179f671796 fix(deps): update dependency bootstrap to v5.3.3 
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
 2024-08-29 09:11:31 +00:00
renovate[bot]
e83c083c65 fix(deps): update dependency @orama/orama to v2.0.23 
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
 2024-08-29 09:10:51 +00:00
renovate[bot]
2fbc425bb3 fix(deps): update dependency @dicebear/core to v7.0.5 
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
 2024-08-29 09:10:06 +00:00
renovate[bot]
1038d798d8 fix(deps): update dependency cli-color to v2.0.4 
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
 2024-08-29 08:58:49 +00:00
renovate[bot]
180f1d7da3 chore(deps): update nextjs monorepo to v14.1.4 
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
 2024-08-29 08:52:59 +00:00
renovate[bot]
b7c4e0c4a2 chore(deps): update testing-library 
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
 2024-08-29 07:17:25 +00:00
renovate[bot]
e229d93cdd chore(deps): update linters 
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
 2024-08-29 05:26:16 +00:00
renovate[bot]
e3b93ad9a1 chore(deps): update dependency yjs to v13.6.18 
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
 2024-08-29 05:25:31 +00:00
renovate[bot]
161ab022a9 chore(deps): update dependency turbo to v1.12.5 
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
 2024-08-29 02:22:16 +00:00
renovate[bot]
aa759cc879 chore(deps): update dependency ts-jest to v29.1.5 
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
 2024-08-29 02:21:47 +00:00
renovate[bot]
c3fd6993d2 chore(deps): update dependency @tsconfig/node18 to v18.2.4 
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
 2024-08-29 02:15:21 +00:00
renovate[bot]
58defe5b3a chore(deps): update dependency cypress to v13.6.6 
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
 2024-08-28 22:52:41 +00:00
renovate[bot]
2cc71588fe fix(deps): update dependency ws to v8.17.1 [security] 
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
 2024-08-29 00:43:05 +02:00
renovate[bot]
d31b2af368 chore(deps): update codemirror 
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
 2024-08-28 22:41:17 +00:00
renovate[bot]
de8f1abe2e chore(deps): update dependency @dicebear/converter to v7.0.5 
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
 2024-08-28 22:38:49 +00:00
renovate[bot]
6a6fd3b099 chore(deps): update dependency @darraghor/eslint-plugin-nestjs-typed to v4.6.1 
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
 2024-08-29 00:33:01 +02:00
renovate[bot]
7773fe1bdb fix(deps): pin dependency @node-rs/argon2 to 1.8.3 
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
 2024-08-28 22:23:56 +00:00
Erik Michelson
f30f0d8e51 fix(passwords): use argon2id instead of bcrypt
Some checks failed
Docker / build-and-push (backend) (push) Has been cancelled
Details
Docker / build-and-push (frontend) (push) Has been cancelled
Details
E2E Tests / backend-sqlite (push) Has been cancelled
Details
E2E Tests / backend-mariadb (push) Has been cancelled
Details
E2E Tests / backend-postgres (push) Has been cancelled
Details
E2E Tests / Build test build of frontend (push) Has been cancelled
Details
Lint and check format / Lint files and check formatting (push) Has been cancelled
Details
REUSE Compliance Check / reuse (push) Has been cancelled
Details
Scorecard supply-chain security / Scorecard analysis (push) Has been cancelled
Details
Static Analysis / Njsscan code scanning (push) Has been cancelled
Details
Static Analysis / CodeQL analysis (javascript) (push) Has been cancelled
Details
Run tests & build / Test and build with NodeJS 20 (push) Has been cancelled
Details
E2E Tests / frontend-cypress (1) (push) Has been cancelled
Details
E2E Tests / frontend-cypress (2) (push) Has been cancelled
Details
E2E Tests / frontend-cypress (3) (push) Has been cancelled
Details 
OWASP [1] recommends for password hashing the following algorithms in
descending order: argon2id, scrypt, bcrypt. They state that bcrypt may
be used in legacy systems or when required due to legal regulations.
We're however not building any legacy application. Even HedgeDoc 1.x
utilizes a more modern algorithm by using scrypt.

While bcrypt is not insecure per se, our implementation had a major
security flaw, leading to invalid passwords being accepted in certain
cases. The bcrypt nodejs package - and the OWASP cheatsheet as well -
point out, that the maximum input length of passwords is limited to 72
bytes with bcrypt. When some user has a password longer than 72 bytes in
use, only the first 72 bytes are required to log in successfully.
Depending on the encoding (which could be UTF-8 or UTF-16 depending on
different circumstances) this could in worst-case be at 36 characters,
which is not very unusual for a password. See also [2].

This commit changes the used algorithm to argon2id. Argon2id has been in
use for several years now and seems to be a well-designed password
hashing function that even won the 2015 Password Hashing Competition.
Argon2 does not have any real-world max input length for passwords (it
is at 4 GiB).

The node-rs/argon2 implementation seems to be well maintained, widely
used (more than 150k downloads per week) and is published with
provenance, proving that the npm package was built on GitHub actions
using the source code in the repository. The implementation is written
in Rust, so it should be safe against memory leakages etc.

[1]: https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Che
     at_Sheet.html#password-hashing-algorithms
[2]: https://security.stackexchange.com/a/39851

Signed-off-by: Erik Michelson <github@erik.michelson.eu>
 2024-08-08 20:29:23 +02:00
renovate[bot]
3513377d2d fix(deps): update dependency next to v14.1.1 [security]
Some checks failed
Docker / build-and-push (frontend) (push) Has been cancelled
Details
E2E Tests / backend-sqlite (push) Has been cancelled
Details
Docker / build-and-push (backend) (push) Has been cancelled
Details
E2E Tests / backend-mariadb (push) Has been cancelled
Details
E2E Tests / backend-postgres (push) Has been cancelled
Details
E2E Tests / Build test build of frontend (push) Has been cancelled
Details
E2E Tests / frontend-cypress (1) (push) Has been cancelled
Details
E2E Tests / frontend-cypress (2) (push) Has been cancelled
Details
E2E Tests / frontend-cypress (3) (push) Has been cancelled
Details
Lint and check format / Lint files and check formatting (push) Has been cancelled
Details
REUSE Compliance Check / reuse (push) Has been cancelled
Details
Scorecard supply-chain security / Scorecard analysis (push) Has been cancelled
Details
Static Analysis / Njsscan code scanning (push) Has been cancelled
Details
Static Analysis / CodeQL analysis (javascript) (push) Has been cancelled
Details
Run tests & build / Test and build with NodeJS ${{ matrix.node }} (true, 20) (push) Has been cancelled
Details 
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
 2024-05-10 07:42:49 +00:00
renovate[bot]
662de1e9f8 fix(deps): update dependency reveal.js to v5 
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
 2024-04-09 11:40:15 +02:00
renovate[bot]
9aaec95398 fix(deps): update dependency @nestjs/schedule to v4 
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
 2024-04-09 11:31:07 +02:00
renovate[bot]
8b501915f5 chore(deps): upgrade redux packages 
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Signed-off-by: Erik Michelson <github@erik.michelson.eu>
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
 2024-04-09 10:55:38 +02:00
renovate[bot]
ad3859c9df fix(deps): update dependency katex to v0.16.10 [security] 
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
 2024-03-25 23:21:37 +00:00
renovate[bot]
a6c2bbe1e7 fix(deps): update dependency copy-webpack-plugin to v12 
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
 2024-03-23 01:36:41 +01:00
renovate[bot]
f56abf74e0 fix(deps): update dependency sass to v1.71.1 
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
 2024-03-01 18:10:49 +01:00
renovate[bot]
61bf3adf99 chore(deps): update linters 
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
 2024-03-01 17:51:22 +01:00
renovate[bot]
5775b07b2d chore(deps): update dependency @types/node to v20.11.18 
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
 2024-02-15 15:34:38 +00:00
renovate[bot]
fc7b6f8d3d fix(deps): update dependency @orama/orama to v2.0.6 
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
 2024-02-13 21:34:53 +00:00
renovate[bot]
ecce1adc16 fix(deps): update nestjs packages to v10.3.3 
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
 2024-02-12 13:13:48 +00:00
renovate[bot]
3dad5fce2c fix(deps): update dependency twemoji-colr-font to v15 
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
 2024-02-12 12:47:14 +01:00