mirrors/hedgedoc
1
0
Fork 0
mirror of https://github.com/hedgedoc/hedgedoc.git synced 2024-09-19 15:38:48 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions 9
6397 commits 36 branches 47 tags 158 MiB
Commit graph

766 commits

Author SHA1 Message Date
yamashush
e99ba0615c test: fix update patch when removing old revisions
Some checks failed
Docker / build-and-push (backend) (push) Has been cancelled
Details
Docker / build-and-push (frontend) (push) Has been cancelled
Details
E2E Tests / backend-sqlite (push) Has been cancelled
Details
E2E Tests / backend-mariadb (push) Has been cancelled
Details
E2E Tests / backend-postgres (push) Has been cancelled
Details
E2E Tests / Build test build of frontend (push) Has been cancelled
Details
Lint and check format / Lint files and check formatting (push) Has been cancelled
Details
REUSE Compliance Check / reuse (push) Has been cancelled
Details
Scorecard supply-chain security / Scorecard analysis (push) Has been cancelled
Details
Static Analysis / Njsscan code scanning (push) Has been cancelled
Details
Static Analysis / CodeQL analysis (javascript) (push) Has been cancelled
Details
Run tests & build / Test and build with NodeJS 20 (push) Has been cancelled
Details
E2E Tests / frontend-cypress (1) (push) Has been cancelled
Details
E2E Tests / frontend-cypress (2) (push) Has been cancelled
Details
E2E Tests / frontend-cypress (3) (push) Has been cancelled
Details 
Signed-off-by: yamashush <38120991+yamashush@users.noreply.github.com>
Signed-off-by: Philip Molares <philip.molares@udo.edu>
 2024-08-23 18:43:40 +02:00
Erik Michelson
f30f0d8e51 fix(passwords): use argon2id instead of bcrypt
Some checks failed
Docker / build-and-push (backend) (push) Has been cancelled
Details
Docker / build-and-push (frontend) (push) Has been cancelled
Details
E2E Tests / backend-sqlite (push) Has been cancelled
Details
E2E Tests / backend-mariadb (push) Has been cancelled
Details
E2E Tests / backend-postgres (push) Has been cancelled
Details
E2E Tests / Build test build of frontend (push) Has been cancelled
Details
Lint and check format / Lint files and check formatting (push) Has been cancelled
Details
REUSE Compliance Check / reuse (push) Has been cancelled
Details
Scorecard supply-chain security / Scorecard analysis (push) Has been cancelled
Details
Static Analysis / Njsscan code scanning (push) Has been cancelled
Details
Static Analysis / CodeQL analysis (javascript) (push) Has been cancelled
Details
Run tests & build / Test and build with NodeJS 20 (push) Has been cancelled
Details
E2E Tests / frontend-cypress (1) (push) Has been cancelled
Details
E2E Tests / frontend-cypress (2) (push) Has been cancelled
Details
E2E Tests / frontend-cypress (3) (push) Has been cancelled
Details 
OWASP [1] recommends for password hashing the following algorithms in
descending order: argon2id, scrypt, bcrypt. They state that bcrypt may
be used in legacy systems or when required due to legal regulations.
We're however not building any legacy application. Even HedgeDoc 1.x
utilizes a more modern algorithm by using scrypt.

While bcrypt is not insecure per se, our implementation had a major
security flaw, leading to invalid passwords being accepted in certain
cases. The bcrypt nodejs package - and the OWASP cheatsheet as well -
point out, that the maximum input length of passwords is limited to 72
bytes with bcrypt. When some user has a password longer than 72 bytes in
use, only the first 72 bytes are required to log in successfully.
Depending on the encoding (which could be UTF-8 or UTF-16 depending on
different circumstances) this could in worst-case be at 36 characters,
which is not very unusual for a password. See also [2].

This commit changes the used algorithm to argon2id. Argon2id has been in
use for several years now and seems to be a well-designed password
hashing function that even won the 2015 Password Hashing Competition.
Argon2 does not have any real-world max input length for passwords (it
is at 4 GiB).

The node-rs/argon2 implementation seems to be well maintained, widely
used (more than 150k downloads per week) and is published with
provenance, proving that the npm package was built on GitHub actions
using the source code in the repository. The implementation is written
in Rust, so it should be safe against memory leakages etc.

[1]: https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Che
     at_Sheet.html#password-hashing-algorithms
[2]: https://security.stackexchange.com/a/39851

Signed-off-by: Erik Michelson <github@erik.michelson.eu>
 2024-08-08 20:29:23 +02:00
Erik Michelson
6684b0f886 enhancement(realtime): send metadata update on revision save
Some checks are pending
Docker / build-and-push (backend) (push) Waiting to run
Details
Docker / build-and-push (frontend) (push) Waiting to run
Details
E2E Tests / backend-sqlite (push) Waiting to run
Details
E2E Tests / backend-mariadb (push) Waiting to run
Details
E2E Tests / backend-postgres (push) Waiting to run
Details
E2E Tests / Build test build of frontend (push) Waiting to run
Details
E2E Tests / frontend-cypress (1) (push) Blocked by required conditions
Details
E2E Tests / frontend-cypress (2) (push) Blocked by required conditions
Details
E2E Tests / frontend-cypress (3) (push) Blocked by required conditions
Details
Lint and check format / Lint files and check formatting (push) Waiting to run
Details
REUSE Compliance Check / reuse (push) Waiting to run
Details
Scorecard supply-chain security / Scorecard analysis (push) Waiting to run
Details
Static Analysis / Njsscan code scanning (push) Waiting to run
Details
Static Analysis / CodeQL analysis (javascript) (push) Waiting to run
Details
Run tests & build / Test and build with NodeJS 20 (push) Waiting to run
Details 
When the frontend is notified about metadata updates, it refreshes the
data and therefore refreshes information like the timestamp of the last
revision save in the sidebar.
This commit adds such a notification from the backend to all clients on
each revision save, so that the "last saved at" value in the frontend is
correct.

Signed-off-by: Erik Michelson <github@erik.michelson.eu>
 2024-08-07 22:25:51 +02:00
Erik Michelson
9597ac5422 feat(notes): check for equal alias or note id 
When creating a new note or adding a new alias to one,
it is checked that the new name
is neither forbidden nor already in use.

Co-authored-by: David Mehren <git@herrmehren.de>
Signed-off-by: Erik Michelson <github@erik.michelson.eu>
 2024-04-18 22:15:11 +02:00
Erik Michelson
8693edbf6a refactor(media): add media redirection endpoint 
Previous versions of HedgeDoc suffered from the problem
that changing the media backend required manipulation of
the media links in all created notes. We discussed in
#3704 that it's favourable to have an endpoint that
redirects to the image's original URL. When changing the
media backend, the link stays the same but just the
redirect changes.

Signed-off-by: Erik Michelson <github@erik.michelson.eu>
 2024-04-18 22:11:49 +02:00
Philip Molares
1f19a6fac4 lint: fix error in new test 
This was probably introduced because the PR was open so long

Signed-off-by: Philip Molares <philip.molares@udo.edu>
 2024-04-18 21:52:36 +02:00
yamashush
1c22a425bd test: complete todo 
Signed-off-by: yamashush <38120991+yamashush@users.noreply.github.com>
 2024-04-18 21:26:06 +02:00
renovate[bot]
9aaec95398 fix(deps): update dependency @nestjs/schedule to v4 
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
 2024-04-09 11:31:07 +02:00
Erik Michelson
92bde4d281 enhancement(api-tokens): add prefix and more strict validation 
Signed-off-by: Erik Michelson <github@erik.michelson.eu>
 2024-04-09 10:54:35 +02:00
Erik Michelson
956dd28648 feat: add event listener for canceling destroy timer 
Signed-off-by: yamashush <38120991+yamashush@users.noreply.github.com>
Signed-off-by: Erik Michelson <github@erik.michelson.eu>
 2024-03-03 21:15:32 +01:00
renovate[bot]
61bf3adf99 chore(deps): update linters 
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
 2024-03-01 17:51:22 +01:00
renovate[bot]
5775b07b2d chore(deps): update dependency @types/node to v20.11.18 
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
 2024-02-15 15:34:38 +00:00
renovate[bot]
ecce1adc16 fix(deps): update nestjs packages to v10.3.3 
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
 2024-02-12 13:13:48 +00:00
renovate[bot]
663faaf8f7 chore(deps): update yarn to v4.1.0 
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Signed-off-by: Tilman Vatteroth <git@tilmanvatteroth.de>
 2024-02-10 18:00:34 +01:00
renovate[bot]
73e34755a1 fix(deps): update dependency joi to v17.12.1 
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Signed-off-by: Tilman Vatteroth <git@tilmanvatteroth.de>
 2024-02-10 18:00:34 +01:00
renovate[bot]
315d43f209 fix(deps): update dependency htmlparser2 to v9.1.0 
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Signed-off-by: Tilman Vatteroth <git@tilmanvatteroth.de>
 2024-02-10 18:00:34 +01:00
renovate[bot]
b58c475f83 fix(deps): update dependency express-session to v1.18.0 
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Signed-off-by: Tilman Vatteroth <git@tilmanvatteroth.de>
 2024-02-10 18:00:34 +01:00
renovate[bot]
0eb473e5fc chore(deps): update typescript-eslint monorepo to v6.21.0 
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Signed-off-by: Tilman Vatteroth <git@tilmanvatteroth.de>
 2024-02-10 18:00:34 +01:00
renovate[bot]
eb71573227 chore(deps): update linters 
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Signed-off-by: Tilman Vatteroth <git@tilmanvatteroth.de>
 2024-02-10 18:00:34 +01:00
renovate[bot]
01257ea7ac chore(deps): update dependency @darraghor/eslint-plugin-nestjs-typed to v4.5.0 
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Signed-off-by: Tilman Vatteroth <git@tilmanvatteroth.de>
 2024-02-10 18:00:34 +01:00
renovate[bot]
d089634369 fix(deps): update dependency ws to v8.16.0 
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Signed-off-by: Tilman Vatteroth <git@tilmanvatteroth.de>
 2024-02-10 18:00:34 +01:00
renovate[bot]
20c41578f3 fix(deps): update dependency reflect-metadata to v0.2.1 
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Signed-off-by: Tilman Vatteroth <git@tilmanvatteroth.de>
 2024-02-10 18:00:34 +01:00
renovate[bot]
970686202d chore(deps): update nestjs packages 
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Signed-off-by: Tilman Vatteroth <git@tilmanvatteroth.de>
 2024-02-10 18:00:34 +01:00
renovate[bot]
1ccf02bab6 fix(deps): update nestjs packages 
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
 2024-02-10 18:00:34 +01:00
renovate[bot]
0474dbbac8 fix(deps): update dependency typeorm to v0.3.20 
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
 2024-02-10 18:00:34 +01:00
renovate[bot]
3f5f7bbc27 chore(deps): update dependency yjs to v13.6.12 
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
 2024-02-10 18:00:34 +01:00
renovate[bot]
68ae8fd726 chore(deps): update dependency @types/jest to v29.5.12 
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
 2024-02-10 18:00:34 +01:00
renovate[bot]
bf0991a671 chore(deps): update dependency @darraghor/eslint-plugin-nestjs-typed to v4.4.3 
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
 2024-02-10 18:00:34 +01:00
renovate[bot]
074a92444b chore(deps): update definitelytyped 
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
 2024-02-10 18:00:34 +01:00
renovate[bot]
c36bf7f1c2 chore(deps): update dependency @darraghor/eslint-plugin-nestjs-typed to v4.4.0 
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
 2024-01-29 16:19:43 +01:00
renovate[bot]
95e09f02f7 chore(deps): update dependency @types/node to v20.11.10 
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
 2024-01-28 21:02:24 +00:00
renovate[bot]
696cc5086c fix(deps): update dependency sqlite3 to v5.1.7 
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
 2024-01-28 16:55:25 +00:00
renovate[bot]
ec7ba41e45 chore(deps): update node.js to 2f46fd4 
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
 2024-01-28 16:06:28 +00:00
renovate[bot]
e5386ed856 chore(deps): update definitelytyped 
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
 2024-01-28 16:30:29 +01:00
renovate[bot]
2e8424fb40 fix(deps): update dependency joi to v17.11.1 
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
 2024-01-25 07:24:23 +00:00
renovate[bot]
ddc70d66cc fix(deps): update dependency reflect-metadata to v0.1.14 
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
 2024-01-25 07:24:04 +00:00
renovate[bot]
7e1494d780 fix(deps): update dependency class-validator to v0.14.1 
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
 2024-01-25 04:08:09 +00:00
renovate[bot]
7016eddbb8 chore(deps): update test packages 
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
 2024-01-25 04:07:42 +00:00
renovate[bot]
76a89a0f9b fix(deps): update dependency @nestjs/swagger to v7.1.17 
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
 2024-01-25 04:05:35 +00:00
renovate[bot]
3a31f977c3 chore(deps): update linters 
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
 2024-01-25 01:45:58 +00:00
renovate[bot]
d3b9bba683 chore(deps): update dependency yjs to v13.6.11 
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
 2024-01-24 22:00:54 +00:00
renovate[bot]
7d01059e66 chore(deps): update dependency @darraghor/eslint-plugin-nestjs-typed to v4.3.9 
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
 2024-01-22 12:17:12 +00:00
renovate[bot]
a6c3f4fe43 chore(deps): update definitelytyped 
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
 2024-01-22 10:49:56 +00:00
renovate[bot]
a48b160eff chore(deps): update node.js to 8e6a472 
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
 2024-01-21 17:16:42 +00:00
renovate[bot]
09d37c4ec3 fix(deps): update dependency passport to v0.7.0 
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
 2024-01-18 21:09:43 +01:00
renovate[bot]
2ab59b750c chore(deps): update linters 
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Signed-off-by: David Mehren <git@herrmehren.de>
 2023-12-08 09:10:43 +01:00
renovate[bot]
8ab09131a8 fix(deps): update dependency cookie to v0.6.0 
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
 2023-12-07 21:20:41 +01:00
renovate[bot]
215ac7e23f fix(deps): update dependency @azure/storage-blob to v12.17.0 
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
 2023-12-07 21:20:24 +01:00
renovate[bot]
dbc81435bf chore(deps): update dependency typescript to v5.3.3 
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
 2023-12-07 21:07:59 +01:00
renovate[bot]
235e0b8d68 fix(deps): update dependency @nestjs/passport to v10.0.3 
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
 2023-12-07 19:25:12 +00:00