This fixes a reported security vulnerability where one user could
retrieve revisions of another note they don't have access
to. This was possible because the URL included both the note alias
and the revision UUID; the backend then checked the user's permissions
for the note alias but fetched and returned the revision by its UUID
without checking whether the revision belongs to that note.
Credits for finding and reporting this vulnerability to:
- The Raw (https://github.com/therawdev)
- Vishal (https://github.com/shukla304)
Signed-off-by: Erik Michelson <github@erik.michelson.eu>
The test checked the wrong error code, which was thrown because we didn't provide the correct request body. The test never failed because of the forbidden alias.
Signed-off-by: Philip Molares <philip.molares@udo.edu>
This is a moderate increase from about 2 req/minute to 2.6 req/minute
with an increase of the window to 15 minutes. Switching between
accounts a few times should be covered by the higher rate limit.
At the same time, the window increase reduces the attack/abuse chance
again.
Fixes #6471
Signed-off-by: Erik Michelson <github@erik.michelson.eu>
The frontmatter validator was the one remaining place that used Joi instead
of the now widely used zod in HedgeDoc. Since zod can do validation, coercion
and provide types based on the schema, the code could be drastically reduced
compared to the old frontmatter validator.
At the same time, the validator is now less strict. Custom fields are still
allowed for people that want to add their own frontmatter tags which are
unrelated to HedgeDoc. Furthermore, we now allow the complete set of
RevealOptions for the slideOptions key instead of only a few handpicked
ones.
Fixes #5946
Signed-off-by: Erik Michelson <github@erik.michelson.eu>
Signed-off-by: Philip Molares <philip.molares@udo.edu>
The backend end-to-end tests run with many parallel workers that
each start a full NestJS application including database connection
pools, HTTP server and so on. This can easily result in performance
bottlenecks - which is even the reason why we added the --runInBand
option for the CI. The performance can be improved by constraining
the number of workers and memory allocated per worker in our jest
config. Furthermore, we can forcefully close open HTTP connections
in the test cleanup. This terminates connections with a keepalive
flag, which would otherwise persist for a while longer. The following
`this.app.close()` waits for keepalive requests, so this reduces the
wait time.
Signed-off-by: Erik Michelson <github@erik.michelson.eu>
This was originally contributed by @Avi98 back when the config still used
Joi and TypeORM instead of zod and knex. This commit adapts the same changes
previously done but ports them over to zod and knex. Furthermore, the tests
are updated to ensure all aspects of the config are tested.
Co-authored-by: Avinash <avinash.kumar.cs92@gmail.com>
Co-authored-by: Philip Molares <philip.molares@udo.edu>
Signed-off-by: Erik Michelson <github@erik.michelson.eu>
We already used fastify-cookie in other places. Technically, fastify-cookie
uses the same cookie library under the hood as well. However,
we should stick to the framework defaults in order to avoid
future breakage.
Signed-off-by: Erik Michelson <github@erik.michelson.eu>
This allows session persistence across restarts of the backend.
At the same time it makes future scaling of HedgeDoc easier
since we reduce the amount of in-memory stored data by this
change.
Signed-off-by: Erik Michelson <github@erik.michelson.eu>
The ?? placeholder syntax is replaced by Knex with the proper
quoting of the identifier matching the configured database.
This resolves the bug that MariaDB wasn't working with the new
whereEqualLowercase selector since it uses different quoting than
PostgreSQL and SQLite.
Signed-off-by: Erik Michelson <github@erik.michelson.eu>
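An added example, not HedgeDoc's or Knex's code, showing the quoting problem behind this fix: an identifier cannot be sent as a bound parameter, so a column name has to be quoted per dialect (backticks on MariaDB/MySQL, double quotes on PostgreSQL and SQLite), which is what Knex's `??` placeholder does for you. The `whereEqualLowercase` shape (lower-casing both sides), the hard-coded-quote "before" variant and the identifier allow-list are assumptions for illustration, not a reading of HedgeDoc's source.

```typescript
// Added example, not HedgeDoc's or Knex's code: dialect-aware identifier
// quoting versus value binding, the distinction Knex's `??` placeholder makes.

type Dialect = 'mariadb' | 'postgres' | 'sqlite';

interface BuiltQuery {
  sql: string;
  bindings: string[]; // values travel separately, never spliced into the SQL
}

// Identifiers cannot be bound parameters, so the only defences are an
// allow-list (assumed shape) and dialect-correct quoting. MariaDB/MySQL quote
// identifiers with backticks; PostgreSQL and SQLite use double quotes.
function quoteIdentifier(dialect: Dialect, name: string): string {
  if (!/^[A-Za-z_][A-Za-z0-9_]*$/.test(name)) {
    throw new Error(`refusing unsafe identifier ${JSON.stringify(name)}`);
  }
  const quote = dialect === 'mariadb' ? '`' : '"';
  return `${quote}${name}${quote}`;
}

// Assumed pre-fix shape: the double quote is hard-coded. Under MariaDB's
// default sql_mode "alias" is a string literal, so LOWER("alias") compares the
// constant text 'alias' against the value instead of reading the column.
function whereEqualLowercaseHardcoded(column: string, value: string): BuiltQuery {
  return { sql: `LOWER("${column}") = ?`, bindings: [value.toLowerCase()] };
}

// Corrected shape: the identifier goes through dialect quoting (what `??`
// does inside Knex) and the comparison value stays a `?` binding.
function whereEqualLowercase(dialect: Dialect, column: string, value: string): BuiltQuery {
  return {
    sql: `LOWER(${quoteIdentifier(dialect, column)}) = ?`,
    bindings: [value.toLowerCase()],
  };
}

for (const dialect of ['mariadb', 'postgres', 'sqlite'] as Dialect[]) {
  console.log(dialect, whereEqualLowercase(dialect, 'alias', 'MyNote'));
}
```

With Knex the equivalent is `knex.raw('LOWER(??) = ?', [column, value.toLowerCase()])`: the first placeholder is rendered through the configured client's identifier wrapper, the second becomes a driver-level binding.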
This causes errors for two reasons:
1. A DELETE request should not have a body and therefore
should not have a content-type set.
2. The explicit .set(...) call overrides the set which is
done in agent setup for extending the agent with CSRF-
token submission.
Signed-off-by: Erik Michelson <github@erik.michelson.eu>
The current implementation restricts the backend port binding
to 127.0.0.1, since this is the default of fastify. This is a
reasonable default from a security standpoint. However, in
certain contexts like docker network, this won't work.
The new configuration option HD_BACKEND_BIND_IP allows setting
a custom IP address to which fastify binds, or setting
0.0.0.0 to bind to all interfaces.
At the same time this fix extends the Dockerfile to announce
port 3000 to be available to the docker daemon.
Signed-off-by: Erik Michelson <github@erik.michelson.eu>
This commit adds pooling to Knex since this seems to be the only reliable way to reconnect
the database after a lost connection. The pooling is only applied to MariaDB and
PostgreSQL since it makes no sense for SQLite.
Signed-off-by: Erik Michelson <github@erik.michelson.eu>
Since the monitoring endpoints should be accessible without
requiring an API token, the token guard was removed.
For the detailed monitoring information, we might want to add
some extra monitoring token later on, or make that endpoint
dependent on some admin flag set for the user account trying
to access the endpoints.
Signed-off-by: Erik Michelson <github@erik.michelson.eu>