Richard Hansen
50929fe7f7
express: Call expressConfigure, expressCreateServer hooks asynchronously
2021-02-12 07:08:51 +00:00
Richard Hansen
8919f63c98
lint: Replace use of underscore.js with plain ECMAScript
2021-02-12 07:08:51 +00:00
John McLear
ab127289c4
security: limit socketio to 1M chars
2021-02-11 21:01:47 -05:00
Richard Hansen
83a519941b
/admin/plugins: Fix logging of error messages
2021-02-09 22:18:35 +00:00
Richard Hansen
1e3f352281
openapi: Turn down logging verbosity
2021-02-09 07:24:31 +00:00
John McLear
2b112ac851
tests: Admin Frontend Test Coverage (#4717)
...
Covers all frontend admin operations, runs separated in CI.
2021-02-07 11:32:57 +00:00
Richard Hansen
8b28e00784
restructure: Prefix bin/ and tests/ with src/
...
This is a follow-up to commit 2ea8ea1275.
2021-02-05 21:52:08 +00:00
Richard Hansen
cd1d322af4
/admin/plugins/info: Move logic to .js file
2021-02-04 08:41:00 +00:00
freddii
ea202e41f6
docs: fixed typos
2021-02-03 00:30:07 +01:00
Richard Hansen
42c25b2536
openapi: Fix error logging
2021-01-27 04:59:36 +00:00
Richard Hansen
54a3dbb9a0
lint: Fix some straightforward ESLint errors
2021-01-27 04:59:36 +00:00
John McLear
6054f6d93f
lint: src/node/hooks/i18n.js
2021-01-25 22:53:11 -05:00
John McLear
2dec36bfd7
lint: src/node/hooks/express/tests.js
2021-01-25 22:53:11 -05:00
John McLear
6df3eadecd
lint: src/node/hooks/express/static.js
2021-01-25 22:53:11 -05:00
John McLear
09fc7438ea
lint: src/node/hooks/express/specialpages.js
2021-01-25 22:53:11 -05:00
John McLear
72ddf35426
lint: src/node/hooks/express/padurlsanitize.js
2021-01-25 22:53:10 -05:00
John McLear
43ce0f839b
lint: src/node/hooks/express/padreadonly.js
2021-01-25 22:53:10 -05:00
John McLear
2f9a3ec655
lint: src/node/hooks/express/openapi.js
2021-01-25 22:53:10 -05:00
John McLear
18ebf7b69a
lint: src/node/hooks/express/isValidJSONPName.js
2021-01-25 22:53:10 -05:00
John McLear
3571eb7c32
lint: src/node/hooks/express/importexport.js
2021-01-25 22:53:10 -05:00
John McLear
3cf6e1f015
lint: src/node/hooks/express/errorhandling.js
2021-01-25 22:53:10 -05:00
John McLear
4de2844af2
lint: src/node/hooks/express/apicalls.js
2021-01-25 22:53:10 -05:00
John McLear
fbc70c1276
lint: src/node/hooks/express/adminplugins.js
2021-01-25 22:53:10 -05:00
John McLear
3a586a7aad
lint: src/node/hooks/express/admin.js
2021-01-25 22:53:10 -05:00
webzwo0i
ca405c1685
send the test files with the correct content-type header
2020-12-27 23:40:35 +00:00
Richard Hansen
f31232dd20
socket.io: Disconnect clients when closing HTTP server
2020-12-23 16:18:28 -05:00
Richard Hansen
8c1afc3399
express: New expressCloseServer hook
...
This will be used by a future commit to close all socket.io
connections during server restart.
2020-12-23 16:18:28 -05:00
Richard Hansen
3e8c3e5789
express: Factor out common server shutdown logic
...
Also log when the HTTP server is about to be closed and when it is
done closing.
2020-12-23 16:18:28 -05:00
Richard Hansen
ff19181cd1
lint: Fix some straightforward ESLint errors
2020-12-23 16:18:28 -05:00
Richard Hansen
973644c7dd
lint: Fix ESLint errors in /admin/plugins code
2020-11-27 16:59:24 +00:00
Richard Hansen
6a5f905090
admin: Delete unused search_results
...
This silences some ESLint camelcase warnings.
2020-11-27 16:59:24 +00:00
Richard Hansen
8e5fd19db2
lint: Run eslint --fix on src/
2020-11-24 20:06:12 +00:00
Richard Hansen
7df3ded66f
lint: Put opening brace on same line as function
...
Normally I would let `eslint --fix` do this for me, but there's a bug
that causes:
const x = function ()
{
// ...
};
to become:
const x = ()
=> {
// ...
};
which ESLint thinks is a syntax error. (It probably is; I don't know
enough about the automatic semicolon insertion rules to be confident.)
2020-11-24 20:06:12 +00:00
Richard Hansen
867fdbd3f9
webaccess: Asyncify checkAccess
2020-11-19 09:05:38 +00:00
Richard Hansen
a803f570e0
webaccess: Don't export checkAccess
...
Nobody uses it outside of this module.
2020-11-19 09:05:38 +00:00
Richard Hansen
5d585a12d6
webaccess: Fix some ESLint errors
2020-11-19 09:05:38 +00:00
Richard Hansen
4587c0fb4d
webaccess: Use a non-capturing regex group
2020-11-19 09:05:38 +00:00
Richard Hansen
a05e8198c9
bugfix: Fix bad paren placement in /javascript handler (#4496)
...
* Fix bad paren placement in `/javascript` handler
This fixes a bug introduced in commit ed5a635f4c.
* add regression test for #4495
* Move `/javascript` test to `specialpages.js`
Co-authored-by: webzwo0i <webzwo0i@c3d2.de>
2020-11-19 08:19:13 +00:00
Richard Hansen
6408d2313c
webaccess: Be extra paranoid about nullish password
...
If `settings.json` contains a user without a `password` property then
nobody should be able to log in as that user using the built-in HTTP
basic authentication. This is true both with and without this change,
but before this change it wasn't immediately obvious that a malicious
user couldn't use an empty or null password to log in as such a user.
This commit adds an explicit nullish check and some unit tests to
ensure that an empty or null password will not work if the `password`
property is null or undefined.
2020-11-04 18:06:08 +00:00
Richard Hansen
ed5a635f4c
Add req to EJS render args when possible
...
This makes it possible for EJS templates and `eejsBlock_*` hook
functions to access the user's express-session state.
2020-11-02 16:05:01 +00:00
Richard Hansen
2f65987ba2
webaccess: Remove user's password from session info
...
This prevents the password from being logged or stored in the
database.
2020-10-27 20:30:01 +00:00
Viljami Kuosmanen
c502ca3259
Use isHttpError utility provided by http-errors
...
This new utility method was introduced in http-errors v1.8.0. Let's use
that instead of instanceof. This also upgrades the http-errors dependency
2020-10-25 10:45:58 +00:00
Viljami Kuosmanen
aef4cce0c9
Use correct constructor for 404,501 error handlers
...
Fixes error message mentioned in #4378.
2020-10-25 10:45:58 +00:00
Richard Hansen
79119baf58
hooks: Call the callback when done
...
If a hook function neither calls the callback nor returns a
(non-undefined) value then there's no way for the hook system to know
if/when the hook function has finished.
2020-10-24 16:08:50 +01:00
Richard Hansen
4a25559a2d
tests: Aggressively filter out non-.js files
...
This prevents errors when the directory contains Emacs backup files.
2020-10-14 10:38:52 +01:00
John McLear
66df0a572f
Security: FEATURE REMOVAL: Remove all plain text password logic and UI (#4178)
...
This will be a breaking change for some people.
We removed all internal password control logic. If this affects you, you have two options:
1. Use a plugin for authentication and use session based pad access (recommended).
2. Use a plugin for password setting.
The reasoning for removing this feature is to reduce the overall security footprint of Etherpad. It is unnecessary and cumbersome to keep this feature and with the thousands of authentication methods available in the world our focus should be on supporting those and allowing more granular access based on their implementations (instead of half-assed baking our own).
2020-10-07 13:43:54 +01:00
Richard Hansen
661a89355f
socketio: Mimic what Express does to get client IP address
...
This also makes it easier for plugins to get the client IP address.
2020-10-07 10:40:37 +01:00
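What "mimic what Express does" amounts to, as an added example (not Etherpad's or Express's own code): Express's `req.ip` is computed by the `proxy-addr` package, which builds the hop chain `[socket peer, ...X-Forwarded-For reversed]` and returns the first hop that is not a trusted proxy. The function below reimplements that rule so the trust boundary is visible; the request objects are constructed samples with the `socket.remoteAddress` and `headers` fields a Node `http.IncomingMessage` (and therefore a socket.io `socket.request`) exposes, and the `trust` predicate is an assumed stand-in for Express's `trust proxy` setting.

```javascript
// Build the address chain the way proxy-addr does: the directly connected peer
// first, then the X-Forwarded-For entries from nearest proxy to farthest client.
function addressChain(req) {
  const peer = req.socket && req.socket.remoteAddress;
  const xff = (req.headers && req.headers['x-forwarded-for']) || '';
  const forwarded = xff.split(',').map((s) => s.trim()).filter((s) => s.length > 0);
  return [peer, ...forwarded.reverse()];
}

// trust: false (trust nobody), true (trust every hop), or a predicate
// (addr) => boolean naming which hops are proxies you operate.
// Returns the first hop that is not a trusted proxy; if every hop is trusted,
// the farthest address in the chain is returned (again matching proxy-addr).
function clientIp(req, trust) {
  const chain = addressChain(req);
  if (trust === false) return chain[0];
  const isTrusted = trust === true ? () => true : trust;
  for (let i = 0; i < chain.length - 1; i++) {
    if (!isTrusted(chain[i])) return chain[i];
  }
  return chain[chain.length - 1];
}

// Assumed trust predicate for the samples below: hops on the 10.0.0.0/8 range
// are our reverse proxies (Node may report them as IPv4-mapped IPv6 too).
const isInternalProxy = (addr) =>
  typeof addr === 'string' && (addr.startsWith('10.') || addr.startsWith('::ffff:10.'));

// Constructed sample 1: a real client behind two of our proxies.
const behindProxies = {
  socket: {remoteAddress: '10.0.0.5'},
  headers: {'x-forwarded-for': '203.0.113.9, 10.0.0.7'},
};

// Constructed sample 2: a direct client that forges X-Forwarded-For to look local.
const spoofed = {
  socket: {remoteAddress: '198.51.100.4'},
  headers: {'x-forwarded-for': '127.0.0.1'},
};

module.exports = {addressChain, clientIp, isInternalProxy, behindProxies, spoofed};
```

The two samples show why the trust setting matters for anything that keys on the client address (rate limits, audit logs, IP allow-lists): with `trust === true`, `spoofed` yields the attacker-chosen `127.0.0.1`; with the predicate, the forged header is ignored because the peer `198.51.100.4` is not a trusted proxy.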
Richard Hansen
a8cf434d1d
import: Replace the allowAnyoneToImport check with userCanModify
...
This reduces the number of hoops a user or tool must jump through to
import.
2020-10-05 18:48:16 +01:00
Richard Hansen
831528e8bc
import: Allow import if pad does not yet exist
2020-10-05 18:48:16 +01:00
Richard Hansen
ed6fcefb67
webaccess: Fix pad ID extraction for import and export paths
2020-10-05 18:48:16 +01:00