Merge branch 'develop'

.github/workflows/frontend-admin-tests.yml

@@ -8,6 +8,7 @@ permissions:
 
 jobs:
   withplugins:
+    if: ${{ github.actor != 'dependabot[bot]' }}
     name: with plugins
     runs-on: ubuntu-latest
 
@@ -17,17 +18,6 @@ jobs:
         node: [16, 18, 20]
 
     steps:
-      -
-        name: Fail if Dependabot
-        if: github.actor == 'dependabot[bot]'
-        run: |
-          cat <<EOF >&2
-          Frontend tests skipped because Dependabot can't access secrets.
-          Manually re-run the jobs to run the frontend tests.
-          For more information, see:
-          https://github.blog/changelog/2021-02-19-github-actions-workflows-triggered-by-dependabot-prs-will-run-with-read-only-permissions/
-          EOF
-          exit 1
       -
         name: Generate Sauce Labs strings
         id: sauce_strings

.github/workflows/frontend-tests.yml

@@ -10,18 +10,9 @@ jobs:
   withoutplugins:
     name: without plugins
     runs-on: ubuntu-latest
+    if: ${{ github.actor != 'dependabot[bot]' }}
+
     steps:
-      -
-        name: Fail if Dependabot
-        if: github.actor == 'dependabot[bot]'
-        run: |
-          cat <<EOF >&2
-          Frontend tests skipped because Dependabot can't access secrets.
-          Manually re-run the jobs to run the frontend tests.
-          For more information, see:
-          https://github.blog/changelog/2021-02-19-github-actions-workflows-triggered-by-dependabot-prs-will-run-with-read-only-permissions/
-          EOF
-          exit 1
       -
         name: Generate Sauce Labs strings
         id: sauce_strings
@@ -74,18 +65,9 @@ jobs:
   withplugins:
     name: with plugins
     runs-on: ubuntu-latest
+    if: ${{ github.actor != 'dependabot[bot]' }}
+
     steps:
-      -
-        name: Fail if Dependabot
-        if: github.actor == 'dependabot[bot]'
-        run: |
-          cat <<EOF >&2
-          Frontend tests skipped because Dependabot can't access secrets.
-          Manually re-run the jobs to run the frontend tests.
-          For more information, see:
-          https://github.blog/changelog/2021-02-19-github-actions-workflows-triggered-by-dependabot-prs-will-run-with-read-only-permissions/
-          EOF
-          exit 1
       -
         name: Generate Sauce Labs strings
         id: sauce_strings

.github/workflows/windows.yml

@@ -15,13 +15,19 @@ jobs:
       || (github.event.pull_request.head.repo.id != github.event.pull_request.base.repo.id)
     name: Build .zip
     runs-on: windows-latest
+    defaults:
+      run:
+        shell: msys2 {0}
     steps:
       -
         uses: msys2/setup-msys2@v2
         with:
+          release: false
+          update: false
           path-type: inherit
           install: >-
             zip
+            rsync
       -
         name: Checkout repository
         uses: actions/checkout@v3
@@ -35,16 +41,17 @@ jobs:
             src/bin/doc/package-lock.json
       -
         name: Install all dependencies and symlink for ep_etherpad-lite
-        shell: msys2 {0}
-        run: src/bin/installDeps.sh
+        run: |
+          set MSYSTEM=winsymlinks:lnk
+          src/bin/installDeps.sh
       -
         name: Run the backend tests
-        shell: msys2 {0}
         run: cd src && npm test
       -
         name: Build the .zip
-        shell: msys2 {0}
-        run: src/bin/buildForWindows.sh
+        run: |
+          set MSYSTEM=winsymlinks:lnk
+          src/bin/buildForWindows.sh
       -
         name: Archive production artifacts
         uses: actions/upload-artifact@v3

CHANGELOG.md

@@ -1,3 +1,26 @@
+# 1.9.2
+
+### Notable enhancements and fixes
+
+* Security
+  * Enable session key rotation: This setting can be enabled in the settings.json. It changes the signing key for the cookie authentication in a fixed interval.
+
+* Bugfixes
+  * Fix appendRevision when creating a new pad via the API without a text. 
+
+
+* Enhancements
+  * Bump JQuery to version 3.7
+  * Update elasticsearch connector to version 8
+
+### Compatibility changes
+
+* No compability changes as JQuery maintains excellent backwards compatibility. 
+
+#### For plugin authors
+
+* Please update to JQuery 3.7. There is an excellent deprecation guide over [here](https://api.jquery.com/category/deprecated/). Version 3.1 to 3.7 are relevant for the upgrade. 
+
 # 1.9.1
 
 ### Notable enhancements and fixes
@@ -37,6 +60,11 @@
     session expires (with some exceptions that will be fixed in the future).
   * Requests for static content (e.g., `/robots.txt`) and special pages (e.g.,
     the HTTP API, `/stats`) no longer create login session state.
+  * The secret used to sign the `express_sid` cookie is now automatically
+    regenerated every day (called *key rotation*) by default. If key rotation is
+    enabled, the now-deprecated `SESSIONKEY.txt` file can be safely deleted
+    after Etherpad starts up (its content is read and saved to the database and
+    used to validate signatures from old cookies until they expire).
 * The following settings from `settings.json` are now applied as expected (they
   were unintentionally ignored before):
   * `padOptions.lang`

Dockerfile

@@ -4,15 +4,18 @@
 #
 # Author: muxator
 
-FROM node:lts-slim
+FROM node:lts-alpine
 LABEL maintainer="Etherpad team, https://github.com/ether/etherpad-lite"
 
 ARG TIMEZONE=
+
 RUN \
   [ -z "${TIMEZONE}" ] || { \
-    ln -sf /usr/share/zoneinfo/"${TIMEZONE#/usr/share/zoneinfo/}" /etc/localtime; \
-    dpkg-reconfigure -f noninteractive tzdata; \
+    apk add --no-cache tzdata && \
+    cp /usr/share/zoneinfo/${TIMEZONE} /etc/localtime && \
+    echo "${TIMEZONE}" > /etc/timezone; \
   }
+ENV TIMEZONE=${TIMEZONE}
 
 # plugins to install while building the container. By default no plugins are
 # installed.
@@ -42,7 +45,9 @@ ARG INSTALL_SOFFICE=
 # leaner (development dependencies are not installed) and runs faster (among
 # other things, assets are minified & compressed).
 ENV NODE_ENV=production
-
+ENV ETHERPAD_PRODUCTION=true
+# Install dependencies required for modifying access.
+RUN apk add shadow bash
 # Follow the principle of least privilege: run as unprivileged user.
 #
 # Running as non-root enables running this image in platforms like OpenShift
@@ -54,6 +59,9 @@ ARG EP_HOME=
 ARG EP_UID=5001
 ARG EP_GID=0
 ARG EP_SHELL=
+
+ENV NODE_ENV=production
+
 RUN groupadd --system ${EP_GID:+--gid "${EP_GID}" --non-unique} etherpad && \
     useradd --system ${EP_UID:+--uid "${EP_UID}" --non-unique} --gid etherpad \
         ${EP_HOME:+--home-dir "${EP_HOME}"} --create-home \
@@ -64,18 +72,14 @@ RUN mkdir -p "${EP_DIR}" && chown etherpad:etherpad "${EP_DIR}"
 
 # the mkdir is needed for configuration of openjdk-11-jre-headless, see
 # https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=863199
-RUN export DEBIAN_FRONTEND=noninteractive; \
+RUN  \
     mkdir -p /usr/share/man/man1 && \
-    apt-get -qq update && \
-    apt-get -qq dist-upgrade && \
-    apt-get -qq --no-install-recommends install \
+    apk update && apk upgrade && \
+    apk add  \
         ca-certificates \
         git \
         ${INSTALL_ABIWORD:+abiword} \
-        ${INSTALL_SOFFICE:+libreoffice default-jre libreoffice-java-common} \
-        && \
-    apt-get -qq clean && \
-    rm -rf /var/lib/apt/lists/*
+        ${INSTALL_SOFFICE:+libreoffice openjdk8-jre libreoffice-common}
 
 USER etherpad
 

doc/docker.adoc

@@ -370,6 +370,10 @@ For the editor container, you can also make it full width by adding `full-width-
 | Description
 | Default
 
+|`COOKIE_KEY_ROTATION_INTERVAL`
+|How often (ms) to rotate in a new secret for signing cookies
+|`86400000` (1 day)
+
 | `COOKIE_SAME_SITE`
 | Value of the SameSite cookie property.
 | `"Lax"`

settings.json.docker

@@ -363,6 +363,23 @@
    * Settings controlling the session cookie issued by Etherpad.
    */
   "cookie": {
+    /*
+     * How often (in milliseconds) the key used to sign the express_sid cookie
+     * should be rotated. Long rotation intervals reduce signature verification
+     * overhead (because there are fewer historical keys to check) and database
+     * load (fewer historical keys to store, and less frequent queries to
+     * get/update the keys). Short rotation intervals are slightly more secure.
+     *
+     * Multiple Etherpad processes sharing the same database (table) is
+     * supported as long as the clock sync error is significantly less than this
+     * value.
+     *
+     * Key rotation can be disabled (not recommended) by setting this to 0 or
+     * null, or by disabling session expiration (see sessionLifetime).
+     */
+    // 86400000 = 1d * 24h/d * 60m/h * 60s/m * 1000ms/s
+    "keyRotationInterval": "${COOKIE_KEY_ROTATION_INTERVAL:86400000}",
+
     /*
      * Value of the SameSite cookie property. "Lax" is recommended unless
      * Etherpad will be embedded in an iframe from another site, in which case
@@ -392,6 +409,8 @@
      *     indefinitely without consulting authentication or authorization
      *     hooks, so once a user has accessed a pad, the user can continue to
      *     use the pad until the user leaves for longer than sessionLifetime.
+     *   - More historical keys (sessionLifetime / keyRotationInterval) must be
+     *     checked when verifying signatures.
      *
      * Session lifetime can be set to infinity (not recommended) by setting this
      * to null or 0. Note that if the session does not expire, most browsers
@@ -634,5 +653,10 @@
   "customLocaleStrings": {},
 
   /* Disable Admin UI tests */
-  "enableAdminUITests": false
+  "enableAdminUITests": false,
+
+  /*
+   * Enable/Disable case-insensitive pad names.
+   */
+  "lowerCasePadIds": "${LOWER_CASE_PAD_IDS:false}"
 }

settings.json.template

@@ -364,6 +364,22 @@
    * Settings controlling the session cookie issued by Etherpad.
    */
   "cookie": {
+    /*
+     * How often (in milliseconds) the key used to sign the express_sid cookie
+     * should be rotated. Long rotation intervals reduce signature verification
+     * overhead (because there are fewer historical keys to check) and database
+     * load (fewer historical keys to store, and less frequent queries to
+     * get/update the keys). Short rotation intervals are slightly more secure.
+     *
+     * Multiple Etherpad processes sharing the same database (table) is
+     * supported as long as the clock sync error is significantly less than this
+     * value.
+     *
+     * Key rotation can be disabled (not recommended) by setting this to 0 or
+     * null, or by disabling session expiration (see sessionLifetime).
+     */
+    "keyRotationInterval": 86400000, // = 1d * 24h/d * 60m/h * 60s/m * 1000ms/s
+
     /*
      * Value of the SameSite cookie property. "Lax" is recommended unless
      * Etherpad will be embedded in an iframe from another site, in which case
@@ -393,6 +409,8 @@
      *     indefinitely without consulting authentication or authorization
      *     hooks, so once a user has accessed a pad, the user can continue to
      *     use the pad until the user leaves for longer than sessionLifetime.
+     *   - More historical keys (sessionLifetime / keyRotationInterval) must be
+     *     checked when verifying signatures.
      *
      * Session lifetime can be set to infinity (not recommended) by setting this
      * to null or 0. Note that if the session does not expire, most browsers
@@ -635,5 +653,10 @@
   "customLocaleStrings": {},
 
   /* Disable Admin UI tests */
-  "enableAdminUITests": false
+  "enableAdminUITests": false,
+
+  /*
+   * Enable/Disable case-insensitive pad names.
+   */
+  "lowerCasePadIds": false
 }

src/bin/buildForWindows.sh

@@ -20,7 +20,7 @@ try cd "${workdir}"
 [ -f src/package.json ] || fatal "failed to cd to etherpad root directory"
 
 # See https://github.com/msys2/MSYS2-packages/issues/1216
-export MSYS=winsymlinks:lnk
+export MSYSTEM=winsymlinks:lnk
 
 OUTPUT=${workdir}/etherpad-win.zip
 
@@ -29,10 +29,12 @@ trap 'exit 1' HUP INT TERM
 trap 'log "cleaning up..."; try cd / && try rm -rf "${TMP_FOLDER}"' EXIT
 
 log "create a clean environment in $TMP_FOLDER..."
-try git archive --format=tar HEAD | (try cd "${TMP_FOLDER}" && try tar xf -) \
+try export GIT_WORK_TREE=${TMP_FOLDER}; git checkout HEAD -f \
     || fatal "failed to copy etherpad to temporary folder"
 try mkdir "${TMP_FOLDER}"/.git
 try git rev-parse HEAD >${TMP_FOLDER}/.git/HEAD
+try cp -r ./src/node_modules "${TMP_FOLDER}"/src/node_modules
+
 try cd "${TMP_FOLDER}"
 [ -f src/package.json ] || fatal "failed to copy etherpad to temporary folder"
 

src/bin/doc/package.json

@@ -7,7 +7,7 @@
     "node": ">=12.17.0"
   },
   "dependencies": {
-    "marked": "^5.1.0"
+    "marked": "^7.0.3"
   },
   "devDependencies": {},
   "optionalDependencies": {},

src/bin/installDeps.sh

@@ -1,5 +1,6 @@
 #!/bin/sh
 
+
 # Move to the Etherpad base directory.
 MY_DIR=$(cd "${0%/*}" && pwd -P) || exit 1
 cd "${MY_DIR}/../.." || exit 1
@@ -36,14 +37,22 @@ if [ ! -f "$settings" ]; then
   cp settings.json.template "$settings" || exit 1
 fi
 
+
 log "Installing dependencies..."
-(
-  mkdir -p node_modules &&
-  cd node_modules &&
-  { [ -d ep_etherpad-lite ] || ln -sf ../src ep_etherpad-lite; } &&
-  cd ep_etherpad-lite &&
-  npm ci --no-optional
-) || exit 1
+(mkdir -p node_modules &&
+cd node_modules &&
+{ [ -d ep_etherpad-lite ] || ln -sf ../src ep_etherpad-lite; } &&
+cd ep_etherpad-lite)
+
+cd src
+
+if [ -z "${ETHERPAD_PRODUCTION}" ]; then
+  log "Installing dev dependencies"
+ npm ci --no-optional --omit=optional --include=dev --lockfile-version 1 || exit 1
+else
+  log "Installing production dependencies"
+  npm ci --no-optional --omit=optional --omit=dev --lockfile-version 1 --production || exit 1
+fi
 
 # Remove all minified data to force node creating it new
 log "Clearing minified cache..."