chore: publish 3.0.1+1.10.3 release

Merge pull request 'security upgrade' (#17 ) from upgrade into main
Reviewed-on: coop-cloud/hedgedoc#17 Reviewed-by: decentral1se <decentral1se@noreply.git.coopcloud.tech>
2025-04-23 16:48:57 -03:00 · 2025-04-23 19:46:19 +00:00 · 2025-04-11 17:02:46 -03:00 · 2025-04-11 17:01:25 -03:00 · 2025-04-11 17:00:56 -03:00 · 2025-04-10 15:42:21 -03:00
10 changed files with 28 additions and 8 deletions
--- a/.drone.yml
+++ b/.drone.yml
@ -35,7 +35,7 @@ steps:
        from_secret: drone_abra-bot_token
      fork: true
      repositories:
-        - coop-cloud/auto-recipes-catalogue-json
+        - toolshed/auto-recipes-catalogue-json

 trigger:
  event: tag
--- a/.env.sample
+++ b/.env.sample
@ -8,6 +8,8 @@ DOMAIN=hedgedoc.example.com
 #EXTRA_DOMAINS=', `www.hedgedoc.example.com`'
 LETS_ENCRYPT_ENV=production

+SECRET_SESSION_SECRET_VERSION=v1
+
 COMPOSE_FILE="compose.yml"

 # PostgreSQL
@ -37,6 +39,7 @@ COMPOSE_FILE="compose.yml"
 # CMD_ALLOW_ANONYMOUS_EDITS=false
 # CMD_ALLOW_EMAIL_REGISTER=true
 # CMD_ALLOW_FREEURL=false
+# CMD_REQUIRE_FREEURL_AUTHENTICATION=true
 # CMD_ALLOW_GRAVATAR=true
 # CMD_ALLOW_ORIGIN=localhost
 # CMD_COOKIE_POLICY=lax
--- a/abra.sh
+++ b/abra.sh
@ -1,2 +1,2 @@
-export ENTRYPOINT_CONF_VERSION=v10
+export ENTRYPOINT_CONF_VERSION=v12
 export PG_BACKUP_VERSION=v1
--- a/compose.postgresql.yml
+++ b/compose.postgresql.yml
@ -2,7 +2,7 @@ version: "3.8"
 services:
  app:
    environment:
-      - CMD_DB_URL=
+      - CMD_DB_TYPE=postgres
      - CMD_DB_NAME=codimd
      - CMD_DB_USER=codimd
      - CMD_DB_HOST=db
@ -14,7 +14,7 @@ services:
    secrets:
      - db_password
  db:
-    image: postgres:16.4-alpine
+    image: pgautoupgrade/pgautoupgrade:16-alpine
    environment:
      - POSTGRES_USER=codimd
      - POSTGRES_PASSWORD_FILE=/run/secrets/db_password
--- a/compose.yml
+++ b/compose.yml
@ -1,7 +1,7 @@
 version: "3.8"
 services:
  app:
-    image: quay.io/hedgedoc/hedgedoc:1.10.0
+    image: quay.io/hedgedoc/hedgedoc:1.10.3
    environment:
      - CMD_USECDN=false
      - CMD_URL_ADDPORT=false
@ -13,6 +13,7 @@ services:
      - CMD_ALLOW_ANONYMOUS_EDITS
      - CMD_ALLOW_EMAIL_REGISTER
      - CMD_ALLOW_FREEURL
+      - CMD_REQUIRE_FREEURL_AUTHENTICATION
      - CMD_ALLOW_GRAVATAR
      - CMD_ALLOW_ORIGIN
      - CMD_COOKIE_POLICY
@ -23,12 +24,15 @@ services:
      - CMD_DEFAULT_PERMISSION
      - CMD_EMAIL
      - CMD_SESSION_LIFE
+      - CMD_SESSION_SECRET_FILE=/run/secrets/session_secret
      - DOCUMENT_MAX_LENGTH
    networks:
      - proxy
    volumes:
      - codimd_uploads:/hedgedoc/public/uploads
      - codimd_database:/database
+    secrets:
+      - session_secret
    entrypoint: /docker-entrypoint.sh
    configs:
      - source: entrypoint_conf
@ -50,7 +54,7 @@ services:
        - "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLForceHost=true"
        - "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLHost=${DOMAIN}"
        - "coop-cloud.${STACK_NAME}.timeout=${TIMEOUT:-120}"
-        - "coop-cloud.${STACK_NAME}.version=1.2.1+1.10.0"
+        - "coop-cloud.${STACK_NAME}.version=3.0.1+1.10.3"
        - "backupbot.backup=${ENABLE_BACKUPS:-true}"
    healthcheck:
      test: "nodejs -e \"http.get('http://localhost:3000', (res) => { console.log('status: ', res.statusCode); if (res.statusCode == 200) { process.exit(0); } else { process.exit(1); } });\""
@ -61,6 +65,10 @@ services:
 volumes:
  codimd_uploads:
  codimd_database:
+secrets:
+  session_secret:
+    external: true
+    name: ${STACK_NAME}_session_secret_${SECRET_SESSION_SECRET_VERSION}
 networks:
  proxy:
    external: true
--- a/entrypoint.sh.tmpl
+++ b/entrypoint.sh.tmpl
@ -22,8 +22,11 @@ file_env() {
 }

 load_vars() {
-  file_env "CMD_DB_PASSWORD"
+  if [ -n "${CMD_DB_PASSWORD_FILE:-""}" ] ; then
+    file_env "CMD_DB_PASSWORD"
+  fi
  file_env "CMD_OAUTH2_CLIENT_SECRET"
+  file_env "CMD_SESSION_SECRET"
 }

 main() {
@ -39,7 +42,9 @@ main() {

 main

-export CMD_DB_URL="${CMD_DB_URL:-postgres://$CMD_DB_USER:$CMD_DB_PASSWORD@$CMD_DB_HOST:5432/$CMD_DB_NAME}"
+if [ -n "${CMD_DB_PASSWORD_FILE:-""}" ] ; then
+  export CMD_DB_URL="${CMD_DB_TYPE}://$CMD_DB_USER:$CMD_DB_PASSWORD@$CMD_DB_HOST:5432/$CMD_DB_NAME"
+fi

 # 3wc: `source /docker-entrypoint.sh -e` to load CMD_DB_URL for CLI scripts
 if [ ! "${1-}" == "-e" ]; then
--- a/release/1.2.2+1.10.1
+++ b/release/1.2.2+1.10.1
@ -0,0 +1 @@
+Upgrade to fix GHSA-6w39-x2c6-6mpf
--- a/release/1.3.0+1.10.1
+++ b/release/1.3.0+1.10.1
@ -0,0 +1 @@
+This release adds SQLite support by default, if you were using PostgreSQL make sure to update the env file!
--- a/release/3.0.0+1.10.1
+++ b/release/3.0.0+1.10.1
@ -0,0 +1 @@
+This release switches to `pgaautoupgrade` for easier Postgresql upgrades. If you are using Postgres, please take extra care to take a backup before upgrading.
--- a/release/3.0.1+1.10.3
+++ b/release/3.0.1+1.10.3
@ -0,0 +1 @@
+Security upgrade for GHSA-3983-rrqh-mvx5
Author	SHA1	Message	Date
f	660a5fee21	chore: publish 3.0.1+1.10.3 release	2025-04-23 16:48:57 -03:00
fauno	8d23542076	Merge pull request 'security upgrade' (#17 ) from upgrade into main Reviewed-on: coop-cloud/hedgedoc#17 Reviewed-by: decentral1se <decentral1se@noreply.git.coopcloud.tech>	2025-04-23 19:46:19 +00:00
f	29968706fc	fix: check for password file presence to build db url	2025-04-11 17:02:46 -03:00
f	1db30e2cda	fix: typo	2025-04-11 17:01:25 -03:00
f	ec1735a005	feat: set db type	2025-04-11 17:00:56 -03:00
f	29a7d585dc	fix: provide default values for variables	2025-04-10 15:42:21 -03:00
f	d0191f1c49	fix: prevent unbound variable error	2025-04-10 09:50:06 -03:00
f	58bfa65b8a	fix: security upgrade https://github.com/hedgedoc/hedgedoc/security/advisories/GHSA-3983-rrqh-mvx5	2025-04-10 09:26:42 -03:00
3wc	98c0268b72	chore: publish 3.0.0+1.10.1 release	2025-02-24 12:34:13 -05:00
3wc	73c8b662d4	Switch to pgautoupgrade to handle major database upgrades	2025-02-24 12:33:07 -05:00
3wc	674cbd0431	Fix CMD_DB_URL setting for postgres	2025-02-24 12:32:54 -05:00
f	4972af78e8	chore: publish 2.0.0+1.10.1 release	2025-02-04 12:57:45 +01:00
Moritz	aa2afc2270	Revert "chore: publish 1.3.0+1.10.1 release" This reverts commit `6fbaeb7af0`.	2025-02-04 12:56:14 +01:00
f	6fbaeb7af0	chore: publish 1.3.0+1.10.1 release	2025-02-03 09:45:58 -03:00
f	aa70a53ef1	Merge branch 'sqlite' of ssh://git.coopcloud.tech:2222/fauno/hedgedoc	2025-02-03 09:44:47 -03:00
f	3efbfec419	chore: publish 1.2.2+1.10.1 release	2025-02-03 09:42:30 -03:00
f	93e5604fcb	fix: GHSA-6w39-x2c6-6mpf https://github.com/hedgedoc/hedgedoc/security/advisories/GHSA-6w39-x2c6-6mpf	2025-02-03 09:34:32 -03:00
Cassowary	917766023b	Update .drone.yml	2025-01-08 10:09:12 -08:00
3wordchant	6feab6a99e	Merge pull request 'envvars' (#16 ) from fauno/hedgedoc:envvars into main Reviewed-on: coop-cloud/hedgedoc#16	2024-10-27 06:22:01 +00:00
f	ca5a95bea6	fix: load secret from file into env var	2024-10-26 11:01:18 -03:00
f	6a036c4c82	fix: set session secret	2024-10-25 17:47:27 -03:00
f	d19f286c11	fix: require authentication for free urls	2024-10-25 17:46:47 -03:00
				`@ -0,0 +1 @@`
				`This release adds SQLite support by default, if you were using PostgreSQL make sure to update the env file!`
				`@ -0,0 +1 @@`
				This release switches to `pgaautoupgrade` for easier Postgresql upgrades. If you are using Postgres, please take extra care to take a backup before upgrading.