Release 2.4.2

.devcontainer/Dockerfile

@@ -0,0 +1,14 @@
+# [Choice] Node.js version: 16, 14, 12
+ARG VARIANT=12-buster
+FROM mcr.microsoft.com/vscode/devcontainers/javascript-node:0-${VARIANT}
+
+# [Optional] Uncomment this section to install additional OS packages.
+# RUN apt-get update && export DEBIAN_FRONTEND=noninteractive \
+#     && apt-get -y install --no-install-recommends <your-package-list-here>
+
+# [Optional] Uncomment if you want to install an additional version of node using nvm
+# ARG EXTRA_NODE_VERSION=10
+# RUN su node -c "source /usr/local/share/nvm/nvm.sh && nvm install ${EXTRA_NODE_VERSION}"
+
+# [Optional] Uncomment if you want to install more global node modules
+RUN su node -c "npm install -g npm@6"

.devcontainer/devcontainer.json

@@ -0,0 +1,58 @@
+{
+	"name": "CodiMD",
+	"dockerComposeFile": "docker-compose.yml",
+	"service": "app",
+	"workspaceFolder": "/workspace",
+
+	// Set *default* container specific settings.json values on container create.
+	"settings": { 
+		"terminal.integrated.shell.linux": "/bin/zsh",
+		"sqltools.connections": [{
+			"name": "Container Database",
+			"driver": "PostgreSQL",
+			"previewLimit": 50,
+			"server": "localhost",
+			"port": 5432,
+			"database": "codimd",
+			"username": "codimd",
+			"password": "codimd"
+		}],
+	},
+
+	// Add the IDs of extensions you want installed when the container is created.
+	"extensions": [
+		"dbaeumer.vscode-eslint",
+		"visualstudioexptteam.vscodeintellicode",
+		"christian-kohler.path-intellisense",
+		"standard.vscode-standard",
+		"mtxr.sqltools",
+		"mtxr.sqltools-driver-pg",
+		"eamodio.gitlens",
+		"codestream.codestream", 
+		"github.vscode-pull-request-github",
+		"cschleiden.vscode-github-actions",
+		"hbenl.vscode-mocha-test-adapter",
+		"hbenl.vscode-test-explorer"
+	],
+
+	// Use 'forwardPorts' to make a list of ports inside the container available locally.
+	// "forwardPorts": [],
+
+	"portsAttributes": {
+		"3000": {
+			"label": "CodiMD server",
+			"onAutoForward": "notify"
+		},
+		"5432": {
+			"label": "PostgreSQL",
+			"onAutoForward": "notify"
+		}
+	},
+
+	// Use 'postCreateCommand' to run commands after the container is created.
+	// "postCreateCommand": "yarn install",
+	"postCreateCommand": "sudo chown -R node:node node_modules && /workspace/bin/setup",
+
+	// Comment out connect as root instead. More info: https://aka.ms/vscode-remote/containers/non-root.
+	"remoteUser": "node"
+}

.devcontainer/docker-compose.yml

@@ -0,0 +1,46 @@
+version: '3'
+
+services: 
+  app:
+    build:
+      context: ..
+      dockerfile: .devcontainer/Dockerfile
+      args:
+        VARIANT: 12-buster
+    environment:
+      - CMD_DB_URL=postgres://codimd:codimd@localhost/codimd
+      - CMD_USECDN=false
+    volumes: 
+      - ..:/workspace:cached
+      - node_modules:/workspace/node_modules:cached
+
+    # Overrides default command so things don't shut down after the process ends.
+    command: sleep infinity
+
+    # Runs app on the same network as the database container, allows "forwardPorts" in devcontainer.json function.
+    network_mode: service:db
+
+    # Runs app on the same network as the database container, allows "forwardPorts" in devcontainer.json function.
+
+    # Uncomment the next line to use a non-root user for all processes.
+    # user: vscode
+
+    # Use "forwardPorts" in **devcontainer.json** to forward an app port locally.
+    # (Adding the "ports" property to this file will not forward from a Codespace.)
+
+  db:
+    image: postgres:12.7-alpine
+    restart: unless-stopped
+    volumes:
+      - postgres-data:/var/lib/postgresql/data
+    environment:
+      - POSTGRES_USER=codimd
+      - POSTGRES_PASSWORD=codimd
+      - POSTGRES_DB=codimd
+
+    # Add "forwardPorts": ["5432"] to **devcontainer.json** to forward PostgreSQL locally.
+    # (Adding the "ports" property to this file will not forward from a Codespace.)
+
+volumes:
+  node_modules:
+  postgres-data: 

.github/workflows/build.yml

@@ -0,0 +1,51 @@
+name: 'Test and Build'
+
+on:
+  push:
+  pull_request:
+  workflow_dispatch:
+
+jobs:
+  test-and-build:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        node-version: [10.x, 12.x]
+
+    steps:
+    - uses: actions/checkout@v2
+
+    - uses: actions/cache@v2
+      with:
+        path: ~/.npm
+        key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}
+        restore-keys: |
+          ${{ runner.os }}-node-
+
+    - uses: actions/setup-node@v2
+      name: Use Node.js ${{ matrix.node-version }}
+      with:
+        node-version: ${{ matrix.node-version }}
+        check-latest: true
+
+    - run: npm ci
+    - run: npm run test:ci
+    - run: npm run build
+
+  doctoc:
+    runs-on: ubuntu-latest
+    if: github.ref == 'refs/heads/master' || github.event.pull_request
+
+    steps:
+    - uses: actions/checkout@v2
+    - uses: actions/setup-node@v2
+      name: Use Node.js 12
+      with:
+        node-version: 12
+        check-latest: true
+    - name: Install doctoc-check
+      run: |
+        npm install -g doctoc
+        cp README.md README.md.orig
+        npm run doctoc
+        diff -q README.md README.md.orig

deployments/Dockerfile

@@ -1,8 +1,10 @@
 ARG RUNTIME
+ARG BUILDPACK
 
-FROM hackmdio/buildpack:node-10-0baafb79 as BUILD
+FROM $BUILDPACK as BUILD
 
 COPY --chown=hackmd:hackmd . .
+ENV QT_QPA_PLATFORM=offscreen
 
 RUN set -xe && \
     git reset --hard && \
@@ -18,6 +20,7 @@ RUN set -xe && \
 
 FROM $RUNTIME
 USER hackmd
+ENV QT_QPA_PLATFORM=offscreen
 WORKDIR /home/hackmd/app
 COPY --chown=1500:1500 --from=BUILD /home/hackmd/app .
 RUN npm install --production && npm cache clean --force && rm -rf /tmp/{core-js-banners,phantomjs}

deployments/build.sh

@@ -1,8 +1,13 @@
 #!/usr/bin/env bash
 
-set -euo pipefail
+set -eo pipefail
 set -x
 
+if [[ -z $1 || -z $2 ]];then
+    echo "build.sh [runtime image] [buildpack image]"
+    exit 1
+fi
+
 CURRENT_DIR=$(dirname "$BASH_SOURCE")
 
 GIT_SHA1="$(git rev-parse HEAD)"
@@ -11,6 +16,6 @@ GIT_TAG=$(git describe --exact-match --tags $(git log -n1 --pretty='%h') 2>/dev/
 
 DOCKER_TAG="${GIT_TAG:-$GIT_SHORT_ID}"
 
-docker build --build-arg RUNTIME=hackmdio/runtime:node-10-d27854ef -t "hackmdio/hackmd:$DOCKER_TAG" -f "$CURRENT_DIR/Dockerfile" "$CURRENT_DIR/.."
+docker build --build-arg RUNTIME=$1 --build-arg BUILDPACK=$2 -t "hackmdio/hackmd:$DOCKER_TAG" -f "$CURRENT_DIR/Dockerfile" "$CURRENT_DIR/.."
 
-docker build --build-arg RUNTIME=hackmdio/runtime:node-10-cjk-d27854ef -t "hackmdio/hackmd:$DOCKER_TAG-cjk" -f "$CURRENT_DIR/Dockerfile" "$CURRENT_DIR/.."
+docker build --build-arg RUNTIME=$1 --build-arg BUILDPACK=$2 -t "hackmdio/hackmd:$DOCKER_TAG-cjk" -f "$CURRENT_DIR/Dockerfile" "$CURRENT_DIR/.."

lib/auth/utils.js

@@ -8,8 +8,15 @@ exports.setReturnToFromReferer = function setReturnToFromReferer (req) {
   if (!req.session) req.session = {}
 
   var referer = req.get('referer')
-  var refererSearchParams = new URLSearchParams(new URL(referer).search)
-  var nextURL = refererSearchParams.get('next')
+  var nextURL
+  if (referer) {
+    try {
+      var refererSearchParams = new URLSearchParams(new URL(referer).search)
+      nextURL = refererSearchParams.get('next')
+    } catch (err) {
+      logger.warn(err)
+    }
+  }
 
   if (nextURL) {
     var isRelativeNextURL = nextURL.indexOf('://') === -1 && !nextURL.startsWith('//')

lib/homepage/index.js

@@ -16,7 +16,8 @@ exports.showIndex = async (req, res) => {
     errorMessage: req.flash('error'),
     privacyStatement: fs.existsSync(path.join(config.docsPath, 'privacy.md')),
     termsOfUse: fs.existsSync(path.join(config.docsPath, 'terms-of-use.md')),
-    deleteToken: deleteToken
+    deleteToken: deleteToken,
+    csrfToken: req.csrfToken()
   }
 
   if (!isLogin) {

lib/imageRouter/s3.js

@@ -9,7 +9,16 @@ const logger = require('../logger')
 const { S3Client } = require('@aws-sdk/client-s3-node/S3Client')
 const { PutObjectCommand } = require('@aws-sdk/client-s3-node/commands/PutObjectCommand')
 
-const s3 = new S3Client(config.s3)
+const credentials = {
+  accessKeyId: config.s3.accessKeyId,
+  secretAccessKey: config.s3.secretAccessKey
+}
+
+const s3 = new S3Client({
+  credentials,
+  region: config.s3.region,
+  endpoint: config.s3.endpoint
+})
 
 exports.uploadImage = function (imagePath, callback) {
   if (!imagePath || typeof imagePath !== 'string') {

lib/models/index.js

@@ -45,7 +45,7 @@ fs.readdirSync(__dirname)
     return (file.indexOf('.') !== 0) && (file !== 'index.js')
   })
   .forEach(function (file) {
-    var model = sequelize.import(path.join(__dirname, file))
+    var model = require(path.join(__dirname, file))(sequelize, Sequelize)
     db[model.name] = model
   })
 

lib/routes.js

@@ -17,8 +17,11 @@ const appRouter = Router()
 
 // register route
 
+const csurf = require('csurf')
+const csurfMiddleware = csurf({ cookie: true })
+
 // get index
-appRouter.get('/', wrap(indexController.showIndex))
+appRouter.get('/', csurfMiddleware, wrap(indexController.showIndex))
 
 // ----- error page -----
 // get 403 forbidden
@@ -52,7 +55,7 @@ appRouter.get('/me', wrap(userController.getMe))
 appRouter.get('/me/delete/:token?', wrap(userController.deleteUser))
 
 // export the data of the authenticated user
-appRouter.get('/me/export', userController.exportMyData)
+appRouter.post('/me/export', urlencodedParser, csurfMiddleware, userController.exportMyData)
 
 appRouter.get('/user/:username/avatar.svg', userController.getMyAvatar)
 

lib/user/index.js

@@ -91,8 +91,11 @@ exports.exportMyData = (req, res) => {
         let filename
         let suffix = 0
         do {
-          const separator = suffix === 0 ? '' : '-'
-          filename = basename + separator + suffix + '.md'
+          if (suffix === 0) {
+            filename = basename + '.md'
+          } else {
+            filename = basename + '-' + suffix + '.md'
+          }
           suffix++
         } while (filenames[filename])
         filenames[filename] = true