mirror of
https://github.com/hedgedoc/hedgedoc.git
synced 2024-09-19 07:28:48 -04:00
HedgeDoc - Ideas grow better together
f30f0d8e51
Some checks failed
Docker / build-and-push (backend) (push) Has been cancelled
Docker / build-and-push (frontend) (push) Has been cancelled
E2E Tests / backend-sqlite (push) Has been cancelled
E2E Tests / backend-mariadb (push) Has been cancelled
E2E Tests / backend-postgres (push) Has been cancelled
E2E Tests / Build test build of frontend (push) Has been cancelled
Lint and check format / Lint files and check formatting (push) Has been cancelled
REUSE Compliance Check / reuse (push) Has been cancelled
Scorecard supply-chain security / Scorecard analysis (push) Has been cancelled
Static Analysis / Njsscan code scanning (push) Has been cancelled
Static Analysis / CodeQL analysis (javascript) (push) Has been cancelled
Run tests & build / Test and build with NodeJS 20 (push) Has been cancelled
E2E Tests / frontend-cypress (1) (push) Has been cancelled
E2E Tests / frontend-cypress (2) (push) Has been cancelled
E2E Tests / frontend-cypress (3) (push) Has been cancelled
OWASP [1] recommends for password hashing the following algorithms in descending order: argon2id, scrypt, bcrypt. They state that bcrypt may be used in legacy systems or when required due to legal regulations. We're however not building any legacy application. Even HedgeDoc 1.x utilizes a more modern algorithm by using scrypt. While bcrypt is not insecure per se, our implementation had a major security flaw, leading to invalid passwords being accepted in certain cases. The bcrypt nodejs package - and the OWASP cheatsheet as well - point out, that the maximum input length of passwords is limited to 72 bytes with bcrypt. When some user has a password longer than 72 bytes in use, only the first 72 bytes are required to log in successfully. Depending on the encoding (which could be UTF-8 or UTF-16 depending on different circumstances) this could in worst-case be at 36 characters, which is not very unusual for a password. See also [2]. This commit changes the used algorithm to argon2id. Argon2id has been in use for several years now and seems to be a well-designed password hashing function that even won the 2015 Password Hashing Competition. Argon2 does not have any real-world max input length for passwords (it is at 4 GiB). The node-rs/argon2 implementation seems to be well maintained, widely used (more than 150k downloads per week) and is published with provenance, proving that the npm package was built on GitHub actions using the source code in the repository. The implementation is written in Rust, so it should be safe against memory leakages etc. [1]: https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Che at_Sheet.html#password-hashing-algorithms [2]: https://security.stackexchange.com/a/39851 Signed-off-by: Erik Michelson <github@erik.michelson.eu> |
||
|---|---|---|
| .github | ||
| .idea/copyright | ||
| .reuse | ||
| .yarn | ||
| backend | ||
| commons | ||
| dev-reverse-proxy | ||
| docker | ||
| docs | ||
| frontend | ||
| html-to-react | ||
| LICENSES | ||
| markdown-it-plugins | ||
| .dockerignore | ||
| .env.example | ||
| .env.example.license | ||
| .gitattributes | ||
| .gitignore | ||
| .mailmap | ||
| .mailmap.license | ||
| .nvmrc | ||
| .nvmrc.license | ||
| .yarnrc.yml | ||
| AUTHORS | ||
| CODE_OF_CONDUCT.md | ||
| codecov.yml | ||
| CONTRIBUTING.md | ||
| developer-certificate-of-origin.txt | ||
| developer-certificate-of-origin.txt.license | ||
| LICENSE | ||
| package.json | ||
| package.json.license | ||
| README.md | ||
| renovate.json | ||
| renovate.json.license | ||
| SECURITY.md | ||
| turbo.json | ||
| turbo.json.license | ||
| yarn.lock | ||
| yarn.lock.license | ||
HedgeDoc lets you create real-time collaborative markdown notes.
Getting Started
- ℹ️ Read all about HedgeDoc and the history of the project on our website
- 🧪 Try out HedgeDoc with the demo instance. Check out the features page!
- 💽 Install HedgeDoc yourself using the install guide
- ❓ Questions? Join our Matrix chat or the community forums
- 💬 Stay up to date by subscribing to the release feed
State of the project
HedgeDoc 1.x is stable and used around the world, but the codebase has grown over time,
making it hard to add new features.
We are currently working on HedgeDoc 2, a complete rewrite of HedgeDoc. Please note the following:
- This branch contains the latest development code and does not implement all features yet. If you are looking for the 1.x source code, have a look at the master branch.
- The 1.x release is maintenance-only. We do not accept feature requests or PRs for this release anymore and may choose to close non-critical bug reports, if the bug will be non-existent in 2.0.
- HedgeDoc 2 will be split in two components. The backend and the frontend. Both are present in this repository.
Development
Information for setting up a local development environment can be found in the developer documentation
HedgeDoc 2 Alpha
Curious about the new look and feel of HedgeDoc 2? We provide a demo of the alpha on hedgedoc.dev.
If you want to try it out on your own devices, visit the HedgeDoc 2 docs. But be aware that these may change over time.
Contributions
We welcome contributions!
Have a look at our contribution docs to find out how you can help. If you want to contribute to
HedgeDoc 2, please join our development chat.
License
Licensed under AGPLv3. For our list of contributors, see AUTHORS.
The license does not include the HedgeDoc logo, whose terms of usage can be found in the github repository.