BoomMicrophone/nixpkgs-suyu
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
nixpkgs-suyu/pkgs/servers/web-apps/hedgedoc/default.nix
Maximilian Bosch 0a10c17c8d
hedgedoc: 1.8.2 -> 1.9.0, fixes CVE-2021-39175 
ChangeLog: https://github.com/hedgedoc/hedgedoc/releases/tag/1.9.0

As documented in the Nix expression, I unfortunately had to patch
`yarn.lock` manually (the `yarn.nix` result isn't affected by this). By
adding a `git+https`-prefix to
`midi "https://github.com/paulrosen/MIDI.js.git#abcjs"` in the lock-file
I ensured that `yarn` actually uses the `MIDI.js` from the offline-cache
from `yarn2nix` rather than trying to download a tarball from GitHub.

Also, this release contains a fix for CVE-2021-39175 which doesn't seem
to be backported to 1.8. To quote NVD[1]:

> In versions prior to 1.9.0, an unauthenticated attacker can inject
> arbitrary JavaScript into the speaker-notes of the slide-mode feature
> by embedding an iframe hosting the malicious code into the slides or by
> embedding the HedgeDoc instance into another page.

Even though it "only" has a medium rating by NVD (6.1), this seems
rather problematic to me (also, GitHub rates this as "High"), so it's
actually a candidate for a backport.

[1] https://nvd.nist.gov/vuln/detail/CVE-2021-39175
2021-09-19 00:18:18 +02:00

113 lines
2.7 KiB
Nix
Raw Blame History

{ lib
, stdenv
, fetchFromGitHub
, fetchpatch
, makeWrapper
, which
, nodejs
, mkYarnPackage
, python2
, nixosTests
, buildGoModule
}:
let
# we need a different version than the one already available in nixpkgs
esbuild-hedgedoc = buildGoModule rec {
pname = "esbuild";
version = "0.12.27";
src = fetchFromGitHub {
owner = "evanw";
repo = "esbuild";
rev = "v${version}";
sha256 = "sha256-UclUTfm6fxoYEEdEEmO/j+WLZLe8SFzt7+Tej4bR0RU=";
};
vendorSha256 = "sha256-QPkBR+FscUc3jOvH7olcGUhM6OW4vxawmNJuRQxPuGs=";
};
in
mkYarnPackage rec {
pname = "hedgedoc";
version = "1.9.0";
src = fetchFromGitHub {
owner = "hedgedoc";
repo = "hedgedoc";
rev = version;
sha256 = "sha256-hSKQGkI1+68Zf05RhgRKZo47buyobzjhURSZ30/h0PA=";
};
nativeBuildInputs = [ which makeWrapper ];
extraBuildInputs = [ python2 esbuild-hedgedoc ];
yarnNix = ./yarn.nix;
# FIXME(@Ma27) on the bump to 1.9.0 I had to patch this file manually:
# I replaced `midi "https://github.com/paulrosen/MIDI.js.git#abcjs"` with
# `midi "git+https://github.com/paulrosen/MIDI.js.git#abcjs"` on all occurrences.
#
# Without this change `yarn` attempted to download the code directly from GitHub, with
# the `git+`-prefix it actually uses the `midi.js` version from the offline cache
# created by `yarn2nix`. On future bumps this may be necessary as well!
yarnLock = ./yarn.lock;
packageJSON = ./package.json;
postConfigure = ''
rm deps/HedgeDoc/node_modules
cp -R "$node_modules" deps/HedgeDoc
chmod -R u+w deps/HedgeDoc
'';
buildPhase = ''
runHook preBuild
cd deps/HedgeDoc
pushd node_modules/sqlite3
export CPPFLAGS="-I${nodejs}/include/node"
npm run install --build-from-source --nodedir=${nodejs}/include/node
popd
pushd node_modules/esbuild
rm bin/esbuild
ln -s ${lib.getBin esbuild-hedgedoc}/bin/esbuild bin/
popd
npm run build
patchShebangs bin/*
runHook postBuild
'';
dontInstall = true;
distPhase = ''
runHook preDist
mkdir -p $out
cp -R {app.js,bin,lib,locales,node_modules,package.json,public} $out
cat > $out/bin/hedgedoc <<EOF
#!${stdenv.shell}/bin/sh
${nodejs}/bin/node $out/app.js
EOF
chmod +x $out/bin/hedgedoc
wrapProgram $out/bin/hedgedoc \
--set NODE_PATH "$out/lib/node_modules"
runHook postDist
'';
passthru.tests = { inherit (nixosTests) hedgedoc; };
meta = with lib; {
description = "Realtime collaborative markdown notes on all platforms";
license = licenses.agpl3;
homepage = "https://hedgedoc.org";
maintainers = with maintainers; [ willibutz ma27 globin ];
platforms = platforms.linux;
};
}
Reference in a new issue View git blame Copy permalink