Dan Brown
929c8312bd
Started build of tag view
...
- Created listing
- Allows drilldown to tag name
- Shows totals
Not yet covered via testing
2021-11-06 16:30:20 +00:00
Dan Brown
8d7c8ac8bf
Done a round of phpstan fixes
2021-11-06 00:32:01 +00:00
Dan Brown
5c6a6b50a0
Applied StyleCI changes, added php/larastan to attribution
2021-11-05 16:27:59 +00:00
Dan Brown
bc291bee78
Added initial phpstan/larastan setup
2021-11-05 16:18:06 +00:00
Dan Brown
d0aa10a8c3
Applied styleci changes
2021-11-05 00:28:41 +00:00
Dan Brown
06b5009842
Standardised laravel validation to be array based
...
Converted from string-only-based validation.
Array-based validation works nicer once you have validation classes or
advanced validation options.
2021-11-05 00:26:55 +00:00
Dan Brown
de5322288c
Applied latest styleci changes
2021-11-04 22:57:49 +00:00
Dan Brown
c9c4dbcb5b
Merge branch 'laravel_upgrade'
2021-11-04 22:42:35 +00:00
Dan Brown
a17be959d8
Applied latest styleci changes
2021-11-01 13:26:02 +00:00
Dan Brown
bfbccbede1
Updated attachments to not be saved with a complete extension
...
Intended to limit impact in the event the storage path is potentially
exposed.
2021-11-01 11:32:00 +00:00
Dan Brown
4360da03d4
Ran a pass through image and attachment routes
...
Added some stronger types, formatting changes and simplifications along
the way.
2021-11-01 11:17:30 +00:00
Dan Brown
c7fea8fe08
Cleaned up logic within ImageRepo
...
- Moved out extension check to ImageService as that seems more relevant.
- Updated models to use static-style references instead of facade to align with common modern usage within the app.
- Updated custom image_extension validation rule to use shared logic in image service.
2021-11-01 00:24:42 +00:00
Dan Brown
43830a372f
Updated showImage file serving to not be traversable
...
For #3030
2021-10-31 23:53:17 +00:00
Dan Brown
ae155d6745
Added safe mime sniffing to prevent serving HTML
...
(Among other content types)
For #3027
2021-10-31 17:58:56 +00:00
Dan Brown
5c834f24a6
Updated AzureAD provider to use microsoft graph
...
Since AzureAD graph is going away.
Tested using old AzureAD graph usage for backwards-compatibility, did not
seem to break things. Could not test with conditional access though due
to azure never enforcing it no matter what I attempted.
For #3028
2021-10-31 13:09:30 +00:00
Dan Brown
98b23fd7ab
Moved from debugbar to clockwork
2021-10-30 22:03:36 +01:00
Dan Brown
f139cded78
Laravel 8 shift squash & merge ( #3029 )
...
* Temporarily moved back config path
* Apply Laravel coding style
* Shift exception handler
* Shift HTTP kernel and middleware
* Shift service providers
* Convert options array to fluent methods
* Shift to class based routes
* Shift console routes
* Ignore temporary framework files
* Shift to class based factories
* Namespace seeders
* Shift PSR-4 autoloading
* Shift config files
* Default config files
* Shift Laravel dependencies
* Shift return type of base TestCase methods
* Shift cleanup
* Applied styleci style changes
* Reverted config files location
* Applied manual changes to Laravel 8 shift
Co-authored-by: Shift <shift@laravelshift.com>
2021-10-30 21:29:59 +01:00
Dan Brown
4f55fe2f8e
Made further changes to page image extraction validation
...
Fixes #3019
Increased testing to cover the failing case among others.
2021-10-28 15:54:00 +01:00
Dan Brown
f77236aa38
Laravel 7.x Shift ( #3011 )
...
* Apply Laravel coding style
* Shift bindings
* Shift core files
* Shift to Throwable
* Add laravel/ui dependency
* Shift Eloquent methods
* Shift config files
* Shift Laravel dependencies
* Shift cleanup
* Shift test config and references
* Applied styleci changes
* Applied fixes post shift to laravel 7
Co-authored-by: Shift <shift@laravelshift.com>
2021-10-26 22:04:18 +01:00
Haxatron
64937ab826
Update ImageRepo.php
...
fix image validation vulnerability
2021-10-26 09:39:16 +08:00
Dan Brown
a75cfd1f25
Added estonian to language logic
2021-10-25 14:49:03 +01:00
Dan Brown
98072ba4a9
Reviewed SAML SLS changes for ADFS, #2902
...
- Migrated env usages to config.
- Removed potentially unneeded config options or auto-set signed options
based upon provision of certificate.
- Aligned SP certificate env option naming with similar IDP option.
Tested via ADFS on Windows Server 2019. To test on other providers.
2021-10-23 17:26:01 +01:00
Dan Brown
2e9ac21b38
Merge branch 'master' of https://github.com/theodor-franke/BookStack into theodor-franke-master
2021-10-21 14:04:23 +01:00
Dan Brown
129f3286d9
Applied styleci changes
2021-10-20 13:40:27 +01:00
Dan Brown
cdef1b3ab0
Updated SAML ACS post to retain user session
...
Session was being lost due to the callback POST request cookies
not being provided due to samesite=lax. This instead adds an additional
hop in the flow to route the request via a GET request so the session is
retained. SAML POST data is stored encrypted in cache via a unique ID
then pulled out straight afterwards, and restored into POST for the SAML
toolkit to validate.
Updated testing to cover.
2021-10-20 13:34:00 +01:00
Dan Brown
859934d6a3
Applied latest changes from styleCI
2021-10-20 10:49:45 +01:00
Dan Brown
60d4c5902b
Added attachment API examples during manual testing
2021-10-20 10:43:03 +01:00
Dan Brown
2409d1850f
Added TestCase for attachments API methods
2021-10-20 00:58:56 +01:00
Dan Brown
32f6ea946f
Build out core attachments API controller
...
Related to #2942
2021-10-18 17:46:55 +01:00
Dan Brown
cb45c53029
Added base64 image extraction to markdown page content
...
- Included tests to cover.
- Manually tested via API update and interface page update.
Closes #2898
2021-10-18 11:42:50 +01:00
Dan Brown
6e325de226
Applied latest styles changes from style CI
2021-10-16 16:01:59 +01:00
Dan Brown
263384cf99
Merge branch 'oidc'
2021-10-16 15:51:13 +01:00
Dan Brown
f3c147d33b
Applied latest styleci changes
2021-10-15 14:16:45 +01:00
Dan Brown
c9c0e5e16f
Fixed guest user email showing in TOTP setup url
...
- Occurred during enforced MFA setup upon login.
- Added test to cover.
Fixes #2971
2021-10-14 18:02:16 +01:00
Dan Brown
ffa4377e65
Added testing to cover debug view
2021-10-14 17:40:22 +01:00
Dan Brown
9b8bb49a33
Added custom whoops-based debug view
...
Provides a simple BookStack-focused view that does not rely on JavaScript.
Contains links to BookStack specific resources in addition to commonly
desired debug details.
2021-10-14 15:33:08 +01:00
Dan Brown
855409bc4f
Fixed lack of oidc discovery filtering during testing
...
Tested OIDC system on Okta, Keycloak & Auth0
2021-10-14 13:37:55 +01:00
Dan Brown
a5d72aa458
Fleshed out testing for OIDC system
2021-10-13 16:51:27 +01:00
Dan Brown
c167f40af3
Renamed OIDC files to all be aligned
2021-10-12 23:04:28 +01:00
Dan Brown
06a0d829c8
Added OIDC basic autodiscovery support
2021-10-12 23:00:52 +01:00
Dan Brown
790723dfc5
Added further OIDC core class testing
2021-10-12 16:48:54 +01:00
Dan Brown
f3d54e4a2d
Added positive test case for OIDC implementation
...
- To continue coverage and spec cases next.
2021-10-12 00:01:51 +01:00
Dan Brown
6b182a435a
Got OIDC custom solution to a functional state
...
- Validation of all key/token elements now in place.
- Signing key system updated to work with jwk-style array or with
file:// path to pem key.
2021-10-11 23:00:45 +01:00
Dan Brown
8c01c55684
Added token and key handling elements for oidc jwt
...
- Got basic signing support and structure checking done.
- Need to run through actual claim checking before providing details
back to app.
2021-10-11 19:05:16 +01:00
Dan Brown
8ce696dff6
Started on a custom oidc oauth provider
2021-10-10 19:14:08 +01:00
Haxatron
b043257d9a
Update dompdf.php
...
base_path => public_path
2021-10-10 01:06:08 +08:00
Dan Brown
ca764caf2d
Added throttling to password reset requests
2021-10-08 23:19:37 +01:00
Dan Brown
a9b3df537f
Applied changes from styleci
2021-10-08 22:23:17 +01:00
Dan Brown
7224fbcc89
Added protections against path traversal in file system operations
...
- Files within the storage/ path could be accessed via path traversal
references in content, accessed upon HTML export.
- This addresses this via two layers:
  - Scoped local flysystem filesystems down to the specific image &
    file folders since flysystem has built-in checking against the
    escaping of the root folder.
  - Added path normalization before enforcement of uploads/{images,file}
    prefix to prevent traversal at a path level.
Thanks to @Haxatron via huntr.dev for discovery and reporting.
Ref: https://huntr.dev/bounties/ac268a17-72b5-446f-a09a-9945ef58607a/
2021-10-08 17:47:14 +01:00
Dan Brown
81d6b1b016
Fixed search query issues when table prefixes are used
...
- Old raw select query was causing bad select clause in query
when table prefixes were active.
2021-10-08 15:25:12 +01:00