hedgedoc: 1.8.2 -> 1.9.0, fixes CVE-2021-39175

ChangeLog: https://github.com/hedgedoc/hedgedoc/releases/tag/1.9.0

As documented in the Nix expression, I unfortunately had to patch
`yarn.lock` manually (the `yarn.nix` result isn't affected by this). By
adding a `git+https`-prefix to
`midi "https://github.com/paulrosen/MIDI.js.git#abcjs"` in the lock-file
I ensured that `yarn` actually uses the `MIDI.js` from the offline-cache
from `yarn2nix` rather than trying to download a tarball from GitHub.

Also, this release contains a fix for CVE-2021-39175, which does not appear
to have been backported to the 1.8 series. To quote NVD[1]:

> In versions prior to 1.9.0, an unauthenticated attacker can inject
> arbitrary JavaScript into the speaker-notes of the slide-mode feature
> by embedding an iframe hosting the malicious code into the slides or by
> embedding the HedgeDoc instance into another page.

Even though it "only" has a medium rating by NVD (6.1), this seems
rather problematic to me (also, GitHub rates this as "High"), so it's
actually a candidate for a backport.

[1] https://nvd.nist.gov/vuln/detail/CVE-2021-39175
Maximilian Bosch 2021-09-19 00:09:26 +02:00
parent d23ff4d6d9
commit 0a10c17c8d
No known key found for this signature in database
GPG Key ID: 091DBF4D1FC46B8E
4 changed files with 4539 additions and 4454 deletions


@ -15,34 +15,42 @@ let
# we need a different version than the one already available in nixpkgs
esbuild-hedgedoc = buildGoModule rec {
pname = "esbuild";
version = "0.11.20";
version = "0.12.27";
src = fetchFromGitHub {
owner = "evanw";
repo = "esbuild";
rev = "v${version}";
sha256 = "009f2mfgzkzgxjh3034mzdkcvm5vz17sgy1cs604f0425i22z8qm";
sha256 = "sha256-UclUTfm6fxoYEEdEEmO/j+WLZLe8SFzt7+Tej4bR0RU=";
};
vendorSha256 = "1n5538yik72x94vzfq31qaqrkpxds5xys1wlibw2gn2am0z5c06q";
vendorSha256 = "sha256-QPkBR+FscUc3jOvH7olcGUhM6OW4vxawmNJuRQxPuGs=";
};
in
mkYarnPackage rec {
pname = "hedgedoc";
version = "1.8.2";
version = "1.9.0";
src = fetchFromGitHub {
owner = "hedgedoc";
repo = "hedgedoc";
rev = version;
sha256 = "1h2wyhap264iqm2jh0i05w0hb2j86jsq1plyl7k3an90w7wngyg1";
sha256 = "sha256-hSKQGkI1+68Zf05RhgRKZo47buyobzjhURSZ30/h0PA=";
};
nativeBuildInputs = [ which makeWrapper ];
extraBuildInputs = [ python2 esbuild-hedgedoc ];
yarnNix = ./yarn.nix;
# FIXME(@Ma27) on the bump to 1.9.0 I had to patch this file manually:
# I replaced `midi "https://github.com/paulrosen/MIDI.js.git#abcjs"` with
# `midi "git+https://github.com/paulrosen/MIDI.js.git#abcjs"` on all occurrences.
#
# Without this change `yarn` attempted to download the code directly from GitHub, with
# the `git+`-prefix it actually uses the `midi.js` version from the offline cache
# created by `yarn2nix`. On future bumps this may be necessary as well!
yarnLock = ./yarn.lock;
packageJSON = ./package.json;


@ -1,6 +1,6 @@
{
"name": "HedgeDoc",
"version": "1.8.2",
"version": "1.9.0",
"description": "The best platform to write and share markdown.",
"main": "app.js",
"license": "AGPL-3.0",
@ -21,7 +21,7 @@
"Idle.Js": "git+https://github.com/shawnmclean/Idle.js",
"archiver": "^5.0.2",
"async": "^3.0.0",
"aws-sdk": "^2.888.0",
"aws-sdk": "^2.987.0",
"azure-storage": "^2.7.0",
"base64url": "^3.0.0",
"body-parser": "^1.15.2",
@ -29,7 +29,7 @@
"cheerio": "^0.22.0",
"compression": "^1.6.2",
"connect-flash": "^0.1.1",
"connect-session-sequelize": "^7.0.0",
"connect-session-sequelize": "^7.1.2",
"cookie": "^0.4.0",
"cookie-parser": "^1.4.3",
"deep-freeze": "^0.0.1",
@ -40,7 +40,6 @@
"file-type": "^16.1.0",
"formidable": "^1.0.17",
"graceful-fs": "^4.1.11",
"handlebars": "^4.5.2",
"helmet": "^4.5.0",
"i18n": "^0.13.0",
"is-svg": "^4.3.1",
@ -66,7 +65,7 @@
"meta-marked": "git+https://github.com/hedgedoc/meta-marked",
"method-override": "^3.0.0",
"minimist": "^1.2.0",
"minio": "^7.0.0",
"minio": "^7.0.19",
"moment": "^2.17.1",
"morgan": "^1.7.0",
"mysql2": "^2.0.0",
@ -80,7 +79,7 @@
"passport-ldapauth": "^3.0.0",
"passport-local": "^1.0.0",
"passport-oauth2": "^1.4.0",
"passport-saml": "^2.0.0",
"passport-saml": "^3.1.2",
"passport-twitter": "^1.0.4",
"passport.socketio": "^3.7.0",
"pdfobject": "^2.0.201604172",
@ -98,13 +97,11 @@
"sqlite3": "^5.0.0",
"store": "^2.0.12",
"string": "^3.3.3",
"tedious": "^6.6.0",
"toobusy-js": "^0.5.1",
"umzug": "^2.3.0",
"uuid": "^8.0.0",
"validator": "^13.0.0",
"winston": "^3.1.0",
"ws": "^7.4.4",
"xss": "^1.0.3"
},
"resolutions": {
@ -133,7 +130,7 @@
"url": "https://shivering-isles.com"
},
{
"name":"David Mehren",
"name": "David Mehren",
"email": "hedgedoc@herrmehren.de"
}
],
@ -142,6 +139,7 @@
"url": "https://github.com/hedgedoc/hedgedoc.git"
},
"devDependencies": {
"abcjs": "5.12.0",
"babel-cli": "6.26.0",
"babel-core": "6.26.3",
"babel-loader": "7.1.5",
@ -153,30 +151,31 @@
"bootstrap-validator": "0.11.9",
"codemirror": "git+https://github.com/hedgedoc/CodeMirror.git",
"copy-webpack-plugin": "6.4.1",
"css-loader": "5.2.4",
"css-loader": "5.2.7",
"emojify.js": "1.1.0",
"esbuild-loader": "2.13.0",
"esbuild-loader": "2.15.1",
"escape-html": "1.0.3",
"eslint": "7.26.0",
"eslint-config-standard": "16.0.2",
"eslint-plugin-import": "2.22.1",
"eslint": "7.32.0",
"eslint-config-standard": "16.0.3",
"eslint-plugin-import": "2.24.2",
"eslint-plugin-node": "11.1.0",
"eslint-plugin-promise": "5.1.0",
"eslint-plugin-standard": "4.1.0",
"exports-loader": "1.1.1",
"expose-loader": "1.0.3",
"file-loader": "6.2.0",
"file-saver": "2.0.5",
"flowchart.js": "1.15.0",
"fork-awesome": "1.1.7",
"fork-awesome": "1.2.0",
"gist-embed": "2.6.0",
"highlight.js": "10.7.2",
"highlight.js": "10.7.3",
"html-webpack-plugin": "4.5.2",
"imports-loader": "1.2.0",
"ionicons": "2.0.1",
"jquery": "3.6.0",
"jquery-mousewheel": "3.1.13",
"jquery-ui": "1.12.1",
"js-cookie": "2.2.1",
"js-cookie": "3.0.1",
"js-sequence-diagrams": "git+https://github.com/hedgedoc/js-sequence-diagrams.git",
"js-yaml": "3.14.1",
"jsonlint": "1.6.3",
@ -185,29 +184,28 @@
"less-loader": "7.3.0",
"list.js": "2.3.1",
"mathjax": "2.7.9",
"mermaid": "8.10.1",
"mini-css-extract-plugin": "1.6.0",
"mocha": "8.4.0",
"mermaid": "8.12.1",
"mini-css-extract-plugin": "1.6.2",
"mocha": "9.1.1",
"mock-require": "3.0.3",
"optimize-css-assets-webpack-plugin": "5.0.4",
"prismjs": "1.23.0",
"optimize-css-assets-webpack-plugin": "6.0.1",
"prismjs": "1.24.1",
"raphael": "2.3.0",
"remark-cli": "9.0.0",
"remark-preset-lint-markdown-style-guide": "4.0.0",
"remark-cli": "10.0.0",
"remark-preset-lint-markdown-style-guide": "5.0.1",
"reveal.js": "3.9.2",
"script-loader": "0.7.2",
"select2": "3.5.2-browserify",
"socket.io-client": "2.4.0",
"spin.js": "4.1.0",
"spin.js": "4.1.1",
"string-loader": "0.0.1",
"turndown": "7.0.0",
"turndown": "7.1.1",
"url-loader": "4.1.1",
"velocity-animate": "1.5.2",
"visibilityjs": "2.0.2",
"viz.js": "1.8.2",
"webpack": "4.46.0",
"webpack-cli": "4.7.0",
"webpack-merge": "5.7.3",
"webpack-cli": "4.8.0",
"webpack-merge": "5.8.0",
"wurl": "2.5.4"
},
"optionalDependencies": {

