[21.05] hedgedoc: 1.8.2 -> 1.9.0, fixes CVE-2021-39175

[Ma27]

Motivation for this change

Backport of #138468.

ChangeLog: https://github.com/hedgedoc/hedgedoc/releases/tag/1.9.0

As documented in the Nix expression, I unfortunately had to patch
yarn.lock manually (the yarn.nix result isn't affected by this). By
adding a git+https-prefix to
midi "https://github.com/paulrosen/MIDI.js.git#abcjs" in the lock-file
I ensured that yarn actually uses the MIDI.js from the offline-cache
from yarn2nix rather than trying to download a tarball from GitHub.

Also, this release contains a fix for CVE-2021-39175 which doesn't seem
to be backported to 1.8. To quote NVD[1]:

In versions prior to 1.9.0, an unauthenticated attacker can inject
arbitrary JavaScript into the speaker-notes of the slide-mode feature
by embedding an iframe hosting the malicious code into the slides or by
embedding the HedgeDoc instance into another page.

Even though it "only" has a medium rating by NVD (6.1), this seems
rather problematic to me (also, GitHub rates this as "High"), so it's
actually a candidate for a backport.

[1] https://nvd.nist.gov/vuln/detail/CVE-2021-39175

(cherry picked from commit 0a10c17)

Things done

• Built on platform(s)
  • x86_64-linux
  • aarch64-linux
  • x86_64-darwin
  • aarch64-darwin
• For non-Linux: Is sandbox = true set in nix.conf? (See Nix manual)
• Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
• Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
• Tested execution of all binary files (usually in ./result/bin/)
• 21.11 Release Notes (or backporting 21.05 Release notes)
  • (Package updates) Added a release notes entry if the change is major or breaking
  • (Module updates) Added a release notes entry if the change is significant
  • (Module addition) Added a release notes entry if adding a new NixOS module
• Fits CONTRIBUTING.md.

[r-rmcgibbo]

Result of nixpkgs-review pr 139238 at 4eb0a2b run on aarch64-linux 1

1 package failed to build:

• hedgedoc

1 package built successfully:

• nixos-install-tools

Note that build failures may predate this PR, and could be nondeterministic or hardware dependent.
Please exercise your independent judgement. Does something look off? Please file an issue or reach out on IRC.

---

Result of nixpkgs-review pr 139238 at 4eb0a2b run on x86_64-linux 1

1 package failed to build:

• hedgedoc

1 package built successfully:

• nixos-install-tools

4 suggestions:

• warning: build-tools-in-build-inputs

  rsync is a build tool so it likely goes to nativeBuildInputs, not buildInputs.

  Near pkgs/development/tools/yarn2nix-moretea/yarn2nix/default.nix:292:7:

      |
  292 |       buildInputs = [ yarn nodejs rsync ] ++ extraBuildInputs;
      |       ^
  

• warning: unused-argument

  Unused argument: fetchpatch.
  Near pkgs/servers/web-apps/hedgedoc/default.nix:4:3:

    |
  4 | , fetchpatch
    |   ^
  

• warning: unclear-gpl

  agpl3 is a deprecated license, please check if project uses agpl3Plus or agpl3Only and change meta.license accordingly.

  Near pkgs/servers/web-apps/hedgedoc/default.nix:108:5:

      |
  108 |     license = licenses.agpl3;
      |     ^
  

• warning: build-tools-in-build-inputs

  yarn is a build tool so it likely goes to nativeBuildInputs, not buildInputs.

  Near pkgs/development/tools/yarn2nix-moretea/yarn2nix/default.nix:292:7:

      |
  292 |       buildInputs = [ yarn nodejs rsync ] ++ extraBuildInputs;
      |       ^
  

Note that build failures may predate this PR, and could be nondeterministic or hardware dependent.
Please exercise your independent judgement. Does something look off? Please file an issue or reach out on IRC.

[Ma27]

Meh. Gonna regenerate the lockfiles tomorrow.

[Ma27]

@ofborg build hedgedoc

Rebuilding now. I could reproduce the hash-mismatch, but it's gone now. If I had to guess, it's GitHub where something got screwed up badly.

[Ma27]

Now this is weird. Can anybody please check the result of nix-build /nix/store/zr0dr0cczfgbdyl3y08mipv90wz8xl52-js-sequence-diagrams-bda0e49.drv --check here?

[yayayayaka]

Tried to build your PR and it fails with

mak@build-worker-01:~/nixpkgs $ nix build -f . hedgedoc
hash mismatch in fixed-output derivation '/nix/store/2j7bifz3c5spf838gkxz6lhv3406rzjq-js-sequence-diagrams-bda0e49':
  wanted: sha256:0rl29jmhv7vhadzb6d08hi9g64227r9j10fh3d0lbgxinrib5gma
  got:    sha256:0d2zf62fmad760rg9hrkyhp03k5apms3fm0mf64yy8q6p3iw7jvw
cannot build derivation '/nix/store/rq2mnls3gdql1z2xlc8lwl8dgf2jccgf-js-sequence-diagrams.git.drv': 1 dependencies couldn't be built
cannot build derivation '/nix/store/qwwn2ip9w232is822vkz0gnblhaxwzrj-offline.drv': 1 dependencies couldn't be built
cannot build derivation '/nix/store/716sxkd1gbbac8kzl0v0shn9csfn4a4z-HedgeDoc-modules-1.9.0.drv': 1 dependencies couldn't be built
cannot build derivation '/nix/store/rnyg66ir8py1lvih5p9xk7x8f3pcxqm8-HedgeDoc-1.9.0.drv': 1 dependencies couldn't be built
[38 built (1 failed), 907 copied (108.7 MiB), 91.7 MiB DL]
error: build of '/nix/store/rnyg66ir8py1lvih5p9xk7x8f3pcxqm8-HedgeDoc-1.9.0.drv' failed
mak@build-worker-01:~/nixpkgs $ nix-build /nix/store/zr0dr0cczfgbdyl3y08mipv90wz8xl52-js-sequence-diagrams-bda0e49.drv --check
these derivations will be built:
  /nix/store/zr0dr0cczfgbdyl3y08mipv90wz8xl52-js-sequence-diagrams-bda0e49.drv
error: some outputs of '/nix/store/zr0dr0cczfgbdyl3y08mipv90wz8xl52-js-sequence-diagrams-bda0e49.drv' are not valid, so checking is not possible
mak@build-worker-01:~/nixpkgs $ 

[Ma27]

Yeah, as mentioned above, I'm aware of that (also, ofborg already failed with the same issue) :)

Will try to investigate what's wrong at some point.

[Ma27]

OK, the overall cause is that the store-path with the new hash (i.e. the store-path that doesn't mismatch) is missing a submodule while the problematic store-path doesn't.

However, both stem from the same derivation (/nix/store/zr0dr0cczfgbdyl3y08mipv90wz8xl52-js-sequence-diagrams-bda0e49.drv). Not sure how that's possible so far, but I'll see.

[Ma27]

OK, found the problem (and with this explanation, master is also affected, so I'll fix that first):

• the first part is rather trivial: yarn2nix runs nix-prefetch-git without --fetch-submodules, but fetchgit fetches submodule sby default (I think that this behavior is really problematic btw). The easiest fix is to change the nix-prefetch-git of yarn2nix. COnsidering that noone else had this before, this just wasn't noticed until now.
• It took me a while until I realized that I still had some output path with the wrong hash lying around which silenced the error. HOWEVER, nix-build --check didn't raise an error even though it should which seems like a Nix bug to me (in fact, I would've noticed way earlier otherwise), will file a patch for that later.

[Ma27]

This now contains the changes from #139489 as well, so we should wait until this is also merged :)

[yayayayaka]

I could reproduce the hash-mismatch, but it's gone now.

That sentence led me to believe the issue had been fixed at that point.

[Ma27]

Oh I only gave an update that it wasn't gone in Matrix, but not here, sorry for that! :)