This fixes a reported security vulnerability where one user could
retrieve revisions of another note that they don't have access
to. This was possible because the URL included both the note alias
and the revision UUID; the backend then checked the user's permissions
for the note alias but fetched and returned the revision by its UUID
without checking whether the revision belongs to that note.
Credits for finding and reporting this vulnerability to:
- The Raw (https://github.com/therawdev)
- Vishal (https://github.com/shukla304)
Signed-off-by: Erik Michelson <github@erik.michelson.eu>
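The authorization gap described in the commit above, as an added example that is not HedgeDoc's own code: a minimal in-memory model of the note/revision lookup, with the vulnerable variant (permission checked on the alias, revision fetched by UUID alone) next to the fixed one (revision query scoped to the authorized note). The Note/Revision shapes, the permission model, the sample aliases and the UUIDs are all constructed for illustration.

```typescript
// Added example, not HedgeDoc's own code: a minimal in-memory model of the
// revision lookup described in the commit message above. The Note/Revision
// shapes, the sample aliases and the UUIDs are constructed for illustration.

type Outcome =
  | { status: 'ok'; content: string }
  | { status: 'not_found' }
  | { status: 'forbidden' };

interface Note {
  id: string;
  alias: string;
  readers: string[]; // users allowed to read this note (simplified permission model)
}

interface Revision {
  uuid: string;
  noteId: string; // the note this revision belongs to; the fix hinges on checking it
  content: string;
}

// Constructed sample data: two notes readable by different users.
const NOTES: Note[] = [
  { id: 'note-1', alias: 'alice-notes', readers: ['alice'] },
  { id: 'note-2', alias: 'bob-secrets', readers: ['bob'] },
];
const REVISIONS: Revision[] = [
  { uuid: 'aaaaaaaa-0000-4000-8000-000000000001', noteId: 'note-1', content: 'alice draft' },
  { uuid: 'bbbbbbbb-0000-4000-8000-000000000002', noteId: 'note-2', content: 'bob confidential' },
];

function findNoteByAlias(alias: string): Note | undefined {
  return NOTES.filter((n) => n.alias === alias)[0];
}

function canRead(user: string, note: Note): boolean {
  return note.readers.indexOf(user) !== -1;
}

// Vulnerable variant: authorization is checked against the note alias, but the
// revision is then fetched by UUID alone, so a UUID copied from any other note passes.
function getRevisionVulnerable(user: string, alias: string, uuid: string): Outcome {
  const note = findNoteByAlias(alias);
  if (!note) return { status: 'not_found' };
  if (!canRead(user, note)) return { status: 'forbidden' };
  // note.id is never compared with r.noteId: this is the bug.
  const rev = REVISIONS.filter((r) => r.uuid === uuid)[0];
  if (!rev) return { status: 'not_found' };
  return { status: 'ok', content: rev.content };
}

// Fixed variant: the revision query is scoped to the note the user was authorized
// for. A UUID that belongs to another note gets the same 'not_found' as an unknown
// UUID, so the endpoint does not become an oracle for foreign revision IDs.
function getRevisionFixed(user: string, alias: string, uuid: string): Outcome {
  const note = findNoteByAlias(alias);
  if (!note) return { status: 'not_found' };
  if (!canRead(user, note)) return { status: 'forbidden' };
  const noteId = note.id;
  const rev = REVISIONS.filter((r) => r.uuid === uuid && r.noteId === noteId)[0];
  if (!rev) return { status: 'not_found' };
  return { status: 'ok', content: rev.content };
}

// Scenario from the commit message: alice is authorized for her own alias but
// supplies the UUID of a revision from bob's note.
const bobsRevisionUuid = REVISIONS[1].uuid;
console.log(getRevisionVulnerable('alice', 'alice-notes', bobsRevisionUuid)); // { status: 'ok', content: 'bob confidential' }
console.log(getRevisionFixed('alice', 'alice-notes', bobsRevisionUuid)); // { status: 'not_found' }
```

The general rule the fix applies: whenever a URL carries two identifiers, every object fetched must be looked up through the object the permission check was done on (here, `WHERE uuid = ? AND note_id = ?` rather than `WHERE uuid = ?`), and the "belongs to another note" case should be indistinguishable from "does not exist".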
We did not implement this functionality yet and won't for some time, so in order for HedgeDoc 2 to become release-ready, this button will be removed.
Fixes #6478
Signed-off-by: Philip Molares <philip.molares@udo.edu>
The test checked the wrong error code, which was thrown because we don't provide the correct request body. The test never failed because of the forbidden alias.
Signed-off-by: Philip Molares <philip.molares@udo.edu>
The notification key 'editor.modal.permissions.error' was meant to be used with the ErrorToI18nKeyMapper as a base
which gets different suffixes added depending on the error code and not as a normal error code by itself.
Signed-off-by: Philip Molares <philip.molares@udo.edu>
This is a moderate increase from about 2 req/minute to 2.6 req/minute
with an increase of the window to 15 minutes. Switching between
accounts a few times should be covered by the higher rate limit.
At the same time, the window increase reduces the attack/abuse chance
again.
Fixes #6471
Signed-off-by: Erik Michelson <github@erik.michelson.eu>
The frontmatter validator was still the one left place that used Joi instead
of the now widely used zod in HedgeDoc. Since zod can do validation, coercion
and providing types based on the schema, the code could be drastically reduced
compared to the old frontmatter validator.
At the same time, the validator is now less strict. Custom fields are still
allowed for people that want to add their own frontmatter tags which are
unrelated to HedgeDoc. Furthermore, we now allow the complete set of
RevealOptions for the slideOptions key instead of only a few handpicked
ones.
Fixes #5946
Signed-off-by: Erik Michelson <github@erik.michelson.eu>
Signed-off-by: Philip Molares <philip.molares@udo.edu>
oxlint now includes support for TypeScript-aware linting by using
the oxlint-tsgolint package. While this increases the chance of
finding bugs early, it requires a few changes to the TypeScript
configuration, especially the explicit declaration of CSS imports
and changing the moduleResolution to bundler mode.
Signed-off-by: Erik Michelson <github@erik.michelson.eu>
This method updates the backend and changes the redux state in one call, instead of just calling the backend.
With this the state gets updated, and the user sees that they pinned a note immediately.
Fixes #6484
Signed-off-by: Philip Molares <philip.molares@udo.edu>
We had two different approaches to the redirect after the login / registration.
Because of this there were race conditions, and we sometimes got stuck on the redirect page.
Fixes #6467
Signed-off-by: Philip Molares <philip.molares@udo.edu>
The backend end-to-end tests run with many parallel workers that
each start a full NestJS application including database connection
pools, HTTP server and so on. This can easily result in performance
bottlenecks - which is even the reason why we added the --runInBand
option for the CI. The performance can be improved by constraining
the number of workers and memory allocated per worker in our jest
config. Furthermore, we can forcefully close open HTTP connections
in the test cleanup. This terminates connections with a keepalive
flag, that would persist for a while longer otherwise. The following
`this.app.close()` waits for keepalive requests, so this reduces the
wait time.
Signed-off-by: Erik Michelson <github@erik.michelson.eu>
This was originally contributed by @Avi98 back when the config still used
Joi and TypeORM instead of zod and knex. This commit adapts the same changes
previously done but ports them over to zod and knex. Furthermore, the tests
are updated to ensure all aspects of the config are tested.
Co-authored-by: Avinash <avinash.kumar.cs92@gmail.com>
Co-authored-by: Philip Molares <philip.molares@udo.edu>
Signed-off-by: Erik Michelson <github@erik.michelson.eu>
Embedding the full URL into the notes is a bit annoying if you want to
change hostname (or e.g. hosting from a local IP). Using the relative
URL should work in all(?) cases afaik.
I would also like to remove that `additionalUrlText` argument, which is
a bit confusing (not sure it works as intended?). It is only used in
file `use-on-image-upload-from-renderer.ts` - and not sure it even is
set to anything
Signed-off-by: Nicolai Søborg <git@xn--sb-lka.org>
We already used fastify-cookie in other places. Technically, fastify-cookie
uses the same cookie library under the hood as well. However,
we should stick to the framework defaults in order to avoid
future breaking.
Signed-off-by: Erik Michelson <github@erik.michelson.eu>
This allows session persistence across restarts of the backend.
At the same time it makes future scaling of HedgeDoc easier
since we reduce the amount of in-memory stored data by this
change.
Signed-off-by: Erik Michelson <github@erik.michelson.eu>