Commit Graph

2896 Commits

Author SHA1 Message Date
Francesco Franchina
0b15e2bf1c Fixes padding issues of the sidebar's items 2021-10-22 01:34:41 +02:00
Dan Brown
2e9ac21b38
Merge branch 'master' of https://github.com/theodor-franke/BookStack into theodor-franke-master 2021-10-21 14:04:23 +01:00
Dan Brown
129f3286d9
Applied styleci changes 2021-10-20 13:40:27 +01:00
Dan Brown
fe07cdaa06
Merge pull request #2996 from BookStackApp/saml2_acs_session
Updated SAML ACS post to retain user session
2021-10-20 13:38:35 +01:00
Dan Brown
cdef1b3ab0
Updated SAML ACS post to retain user session
Session was being lost due to the callback POST request cookies
not being provided due to samesite=lax. This instead adds an additional
hop in the flow to route the request via a GET request so the session is
retained. SAML POST data is stored encrypted in cache via a unique ID
then pulled out straight afterwards, and restored into POST for the SAML
toolkit to validate.

Updated testing to cover.
2021-10-20 13:34:00 +01:00
Dan Brown
859934d6a3
Applied latest changes from styleCI 2021-10-20 10:49:45 +01:00
Dan Brown
7bbcaa7cbc
Merge pull request #2986 from BookStackApp/attachments_api
Attachments API
2021-10-20 10:46:35 +01:00
Dan Brown
7e28c76e6f
Adjusted API docs table 2021-10-20 10:46:06 +01:00
Dan Brown
60d4c5902b
Added attachment API examples during manual testing 2021-10-20 10:43:03 +01:00
Dan Brown
2409d1850f
Added TestCase for attachments API methods 2021-10-20 00:58:56 +01:00
Dan Brown
c699f176bc
Fixed bug report yaml formatting 2021-10-19 15:15:35 +01:00
Dan Brown
72ad87b123
Update support_request.yml 2021-10-19 14:52:00 +01:00
Dan Brown
5d6d7ef5a7 Converted issues templates to forms
Added support request template
2021-10-19 14:49:49 +01:00
Dan Brown
7ad98fc3c3
Update language_request.yml 2021-10-19 14:07:45 +01:00
Dan Brown
0d6f1638fe
Delete language_request.md 2021-10-19 14:06:53 +01:00
Dan Brown
5a4b366e56
Create language_request.yml 2021-10-19 14:05:34 +01:00
Dan Brown
32f6ea946f
Build out core attachments API controller
Related to #2942
2021-10-18 17:46:55 +01:00
Dan Brown
1a8a6c609a
Added phpseclib to readme 2021-10-18 11:43:54 +01:00
Dan Brown
cb45c53029
Added base64 image extraction to markdown page content
- Included tests to cover.
- Manually tested via API update and interface page update.

Closes #2898
2021-10-18 11:42:50 +01:00
Dan Brown
6e325de226
Applied latest styles changes from style CI 2021-10-16 16:01:59 +01:00
Dan Brown
263384cf99
Merge branch 'oidc' 2021-10-16 15:51:13 +01:00
Dan Brown
5ba964b677
Updated readme with latest version info
Also updated version file to be current
2021-10-15 14:30:49 +01:00
Dan Brown
5647a8a091
New Crowdin updates (#2980)
* New translations entities.php (Spanish, Argentina)

* New translations activities.php (Spanish, Argentina)

* New translations auth.php (Spanish, Argentina)

* New translations settings.php (Spanish, Argentina)

* New translations validation.php (Spanish, Argentina)

* New translations auth.php (Spanish, Argentina)
2021-10-15 14:17:32 +01:00
Dan Brown
f3c147d33b
Applied latest styleci changes 2021-10-15 14:16:45 +01:00
Dan Brown
747f81d5d8
Updated php dependancies 2021-10-15 13:15:32 +01:00
Dan Brown
c9c0e5e16f
Fixed guest user email showing in TOTP setup url
- Occured during enforced MFA setup upon login.
- Added test to cover.

Fixes #2971
2021-10-14 18:02:16 +01:00
Dan Brown
d21b60079c
Merge pull request #2977 from BookStackApp/custom_debug_view
Added custom whoops-based debug view
2021-10-14 17:41:06 +01:00
Dan Brown
ffa4377e65
Added testing to cover debug view 2021-10-14 17:40:22 +01:00
Dan Brown
9b8bb49a33
Added custom whoops-based debug view
Provides a simple bookstack focused view that does not rely on JavaScript.
Contains links to BookStack specific resources in addition to commonly
desired debug details.
2021-10-14 15:33:08 +01:00
Dan Brown
855409bc4f
Fixed lack of oidc discovery filtering during testing
Tested oidc system on okta, Keycloak & Auth0
2021-10-14 13:37:55 +01:00
Dan Brown
a5d72aa458
Fleshed out testing for OIDC system 2021-10-13 16:51:27 +01:00
Dan Brown
c167f40af3
Renamed OIDC files to all be aligned 2021-10-12 23:04:28 +01:00
Dan Brown
06a0d829c8
Added OIDC basic autodiscovery support 2021-10-12 23:00:52 +01:00
Dan Brown
790723dfc5
Added further OIDC core class testing 2021-10-12 16:48:54 +01:00
Dan Brown
f3d54e4a2d
Added positive test case for OIDC implementation
- To continue coverage and spec cases next.
2021-10-12 00:01:51 +01:00
Dan Brown
6b182a435a
Got OIDC custom solution to a functional state
- Validation of all key/token elements now in place.
- Signing key system updated to work with jwk-style array or with
  file:// path to pem key.
2021-10-11 23:00:45 +01:00
Dan Brown
8c01c55684
Added token and key handling elements for oidc jwt
- Got basic signing support and structure checking done.
- Need to run through actual claim checking before providing details
  back to app.
2021-10-11 19:05:16 +01:00
Dan Brown
69301f7575
Merge pull request #2965 from Haxatron/master
Update DOMPDF chroot directory
2021-10-11 10:25:28 +01:00
Dan Brown
8ce696dff6
Started on a custom oidc oauth provider 2021-10-10 19:14:08 +01:00
Haxatron
b043257d9a
Update dompdf.php
base_path => public_path
2021-10-10 01:06:08 +08:00
Dan Brown
ca764caf2d
Added throttling to password reset requests 2021-10-08 23:19:37 +01:00
Dan Brown
543ea6ef71
Updated translator attribution before release v21.08.5 2021-10-08 22:24:32 +01:00
Dan Brown
a9b3df537f
Applied changes from styleci 2021-10-08 22:23:17 +01:00
Dan Brown
c2339ac9db
New Crowdin updates (#2953)
* New translations settings.php (Chinese Simplified)

* New translations entities.php (Slovak)

* New translations entities.php (Portuguese, Brazilian)

* New translations entities.php (Slovenian)

* New translations entities.php (Swedish)

* New translations entities.php (Turkish)

* New translations entities.php (Ukrainian)

* New translations entities.php (Chinese Simplified)

* New translations entities.php (Chinese Traditional)

* New translations entities.php (Indonesian)

* New translations entities.php (Portuguese)

* New translations entities.php (Persian)

* New translations entities.php (Spanish, Argentina)

* New translations entities.php (Croatian)

* New translations entities.php (Latvian)

* New translations entities.php (Bosnian)

* New translations entities.php (Norwegian Bokmal)

* New translations entities.php (Russian)

* New translations entities.php (Polish)

* New translations entities.php (Vietnamese)

* New translations entities.php (Danish)

* New translations entities.php (French)

* New translations entities.php (Spanish)

* New translations entities.php (Arabic)

* New translations entities.php (Bulgarian)

* New translations entities.php (Catalan)

* New translations entities.php (Czech)

* New translations entities.php (German)

* New translations entities.php (Dutch)

* New translations entities.php (Hebrew)

* New translations entities.php (Hungarian)

* New translations entities.php (Italian)

* New translations entities.php (Japanese)

* New translations entities.php (Korean)

* New translations entities.php (Lithuanian)

* New translations entities.php (German Informal)

* New translations entities.php (French)

* New translations entities.php (Spanish)

* New translations settings.php (Czech)

* New translations entities.php (Czech)

* New translations activities.php (Czech)

* New translations auth.php (Czech)

* New translations common.php (Czech)

* New translations validation.php (Czech)

* New translations entities.php (Portuguese)

* New translations settings.php (Portuguese)

* New translations entities.php (Portuguese)

* New translations activities.php (Portuguese)

* New translations auth.php (Portuguese)

* New translations common.php (Portuguese)

* New translations validation.php (Portuguese)

* New translations entities.php (Chinese Simplified)

* New translations entities.php (Chinese Simplified)

* New translations activities.php (Ukrainian)

* New translations activities.php (Ukrainian)
2021-10-08 22:22:01 +01:00
Dan Brown
41541df6ec
Added testing to cover work done in last commit
Relevant to comments in 7224fbcc89.
Added test cases. Ensured they failed pre-commit.
Also tested a range of the altered endpoints manually on both local and
s3-like filesystems.
2021-10-08 21:47:59 +01:00
Dan Brown
7224fbcc89
Added protections against path traversal in file system operations
- Files within the storage/ path could be accessed via path traversal
  references in content, accessed upon HTML export.
- This addresses this via two layers:
  - Scoped local flysystem filesystems down to the specific image &
    file folders since flysystem has built-in checking against the
    escaping of the root folder.
  - Added path normalization before enforcement of uploads/{images,file}
    prefix to prevent traversal at a path level.

Thanks to @Haxatron via huntr.dev for discovery and reporting.
Ref: https://huntr.dev/bounties/ac268a17-72b5-446f-a09a-9945ef58607a/
2021-10-08 17:47:14 +01:00
Dan Brown
81d6b1b016
Fixed search query issues when table prefixes are used
- Old raw select query was causing bad select clause in query
  when table prefixes were active.
2021-10-08 15:25:12 +01:00
Dan Brown
41ac69adb1
Forced response cache revalidation on logged-in responses
- Prevents authenticated responses being visible when back button
  pressed in browser.
- Previously, 'no-cache, private' was added by default by Symfony which
  would have prevents proxy cache issues but this adds no-store and a
  max-age option to also invalidate all caching.

Thanks to @haxatron via huntr.dev
Ref: https://huntr.dev/bounties/6cda9df9-4987-4e1c-b48f-855b6901ef53/
2021-10-08 15:22:09 +01:00
Dan Brown
41438adbd1
Continued review of #2169
- Removed uneeded custom refresh or logout actions for OIDC.
- Restructured how the services and guards are setup for external auth
  systems. SAML2 and OIDC now directly share a lot more logic.
- Renamed any OpenId references to OIDC or OpenIdConnect
- Removed non-required CSRF excemption for OIDC

Not tested, Come to roadblock due to lack of PHP8 support in upstream
dependancies. Certificate was deemed to be non-valid on every test
attempt due to changes in PHP8.
2021-10-06 23:05:26 +01:00
Dan Brown
2ec0aa85ca
Started refactor for merge of OIDC
- Made oidc config more generic to not be overly reliant on the library
  based upon learnings from saml2 auth.
- Removed any settings that are redundant or not deemed required for
  initial implementation.
- Reduced some methods down where not needed.
- Renamed OpenID to OIDC
- Updated .env.example.complete to align with all options and their
  defaults

Related to #2169
2021-10-06 17:12:01 +01:00