haven's Issues

Fix Bundler Flags

[DEPRECATED] The `--deployment` flag is deprecated because it relies on being remembered across bundler invocations, which bundler will no longer do in future versions. Instead please use `bundle config set --local deployment 'true'`, and stop using this flag
[DEPRECATED] The `--without` flag is deprecated because it relies on being remembered across bundler invocations, which bundler will no longer do in future versions. Instead please use `bundle config set --local without 'development test'`, and stop using this flag

Check various deployment scripts, ensure we're using the correct setting.

Add a security policy

Hey there!

I belong to an open source security research community, and a member (@vanlan12) has found an issue, but doesn’t know the best way to disclose it.

If not a hassle, might you kindly add a SECURITY.md file with an email, or another contact method? GitHub recommends this best practice to ensure security issues are responsibly disclosed, and it would serve as a simple instruction for security researchers in the future.

Thank you for your consideration, and I look forward to hearing from you!

(cc @huntr-helper)

Add seed data for development purposes

Right now, there is no seed data, which makes developing just a bit more difficult, since a user needs to be created before you can log in. There should be some seed data to make development a little bit easier.

The db/seeds.rb file can be used to accommodate this.

docker compose error

hi

I'm getting the following when running the docker compose file:

=> ERROR [haven 7/13] RUN APT update 0.4s

[haven 7/13] RUN APT update:
0.345 /bin/sh: 1: APT: not found


failed to solve: process "/bin/sh -c APT update" did not complete successfully: exit code: 127

This happens after 2-3 minutes of building; then this error appears and the build stops.

Is this a known issue or something someone has seen before? Thanks!

Increase test coverage

There seems to be quite a lack of tests. Increasing the test coverage not only increases developer confidence when building new stuff (the old stuff will not break), but it also documents the expected behaviour.

By default it uses Minitest, but we could make the argument that RSpec is also a fine choice, because it is arguably more readable.

Missing settings on new run

Started through docker-compose (see below), and after the first login I got a 500 error.
Reading production.log (inside the container), it was missing @setting, so I ran Setting.create and it worked.

version: '3.7'
services:
  haven:
    container_name: 'haven-blog'
    image: ghcr.io/havenweb/haven:22dc990
    depends_on:
      - postgresql
    ports:
      - "5030:3000"
    volumes:
      - $BASE_FOLDER_DOCKER/haven_storage:/storage
    environment:
      - RAILS_ENV=production
      - HAVEN_DB_HOST=postgresql
      - HAVEN_DB_NAME=haven
      - HAVEN_DB_ROLE=haven
      - HAVEN_DB_PASSWORD=$HAVEN_DB_PASSWORD
      - HAVEN_USER_EMAIL=$HAVEN_USER_EMAIL
      - HAVEN_USER_PASS=$HAVEN_USER_PASS

  postgresql:
    image: postgres:13.2-alpine
    ports:
      # Published on the host, so anything that can reach the host can reach the database.
      - "5432:5432"
    # https://www.postgresql.org/docs/current/static/non-durability.html
    command: [
      "postgres",
      "-c", "max_connections=1000",
      "-c", "synchronous_commit=off",
      "-c", "fsync=off",
      "-c", "full_page_writes=off",
      "-c", "max_wal_size=4GB",
      "-c", "checkpoint_timeout=30min",
      "-c", "wal_level=logical"
    ]
    environment:
      # trust: any client that reaches this port is authenticated without a password.
      POSTGRES_HOST_AUTH_METHOD: trust
      POSTGRES_USER: haven
    volumes:
      - $BASE_FOLDER_DOCKER/postgresqldata:/var/lib/postgresql/data

volumes:
  postgresqldata:
    external: false
  haven_storage:
    external: false

Custom Favicon

It would be great to be able to customize the favicon by uploading a new image.

[Security] Haven v5d15944 Server-Side Request Forgery (SSRF) - CVE-2023-24060

A Security Advisory has been raised for Haven v5d15944 (CVE-2023-24060):

Description:
Haven v5d15944 allows Server-Side Request Forgery (SSRF) via the Feeds functionality.
Malicious authenticated users with the ability to create or add RSS Feeds to the website can supply an arbitrary host such as the host itself in an attempt to scan the internal network.

Affected URL (Parameter):
http://localhost:3000/feeds (url)


Suggested Fix:
Consider performing this action on the client-side. There's no need for the server to fetch the RSS feed, have the user's browser fetch the latest feed when loading the page. This would also remove the need to have a script that will execute every so often to update the RSS feed.

Reference:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-24060
https://nvd.nist.gov/vuln/detail/CVE-2023-24060
https://owasp.org/www-community/attacks/Server_Side_Request_Forgery
https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html

Payload:

POST /feeds HTTP/1.1
Host: localhost:3000
Content-Length: 203
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.5414.75 Safari/537.36
Cookie: _blog_session=[]
Connection: close

utf8=%E2%9C%93&authenticity_token=[]&feed%5Burl%5D=https%3A%2F%2Fattacker.com%2Frss&commit=Add+Feed
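The advisory's suggested fix (fetch the feed in the browser) has its own problem: a browser can only read a cross-origin RSS feed if the feed server sends CORS headers, which most do not, and the feed would stop updating while nobody has the page open. The more common server-side mitigation is to keep fetching on the server but refuse any feed URL whose host is not a public address. The following is an added example, not Haven's code and not from the advisory author: a URL validator that allowlists the scheme, rejects embedded credentials and localhost, resolves the hostname, and rejects loopback, private, link-local (including the 169.254.169.254 cloud metadata range), CGNAT and IPv4-mapped IPv6 addresses. `validate_feed_url`, `UnsafeFeedUrl` and `BLOCKED_RANGES` are names chosen for this example; the resolver is injectable so the check runs offline with a constructed DNS stub.

```ruby
require "uri"
require "ipaddr"
require "resolv"

# Address ranges a server-side fetcher must never be allowed to reach:
# "this host" (0.0.0.0/8), RFC 1918, CGNAT, loopback, link-local / cloud
# metadata (169.254.0.0/16), IPv6 unspecified, loopback, ULA and link-local.
BLOCKED_RANGES = %w[
  0.0.0.0/8 10.0.0.0/8 100.64.0.0/10 127.0.0.0/8 169.254.0.0/16
  172.16.0.0/12 192.168.0.0/16 ::/128 ::1/128 fc00::/7 fe80::/10
].map { |cidr| IPAddr.new(cidr) }

ALLOWED_SCHEMES = %w[http https].freeze

class UnsafeFeedUrl < StandardError; end

# Validates a user-supplied feed URL and returns the parsed URI, or raises
# UnsafeFeedUrl. `resolver` maps a hostname to an array of address strings;
# it is injectable so the check can be exercised offline and defaults to
# real DNS. Hypothetical helper written for this example, not part of Haven.
def validate_feed_url(raw, resolver: ->(host) { Resolv.getaddresses(host) })
  uri = begin
    URI.parse(raw.to_s.strip)
  rescue URI::InvalidURIError
    raise UnsafeFeedUrl, "unparseable URL"
  end
  raise UnsafeFeedUrl, "scheme must be http or https" unless ALLOWED_SCHEMES.include?(uri.scheme)

  host = uri.hostname # strips the [] around IPv6 literals
  raise UnsafeFeedUrl, "missing host" if host.nil? || host.empty?
  raise UnsafeFeedUrl, "credentials in URL are not allowed" if uri.userinfo
  if host.casecmp?("localhost") || host.downcase.end_with?(".localhost")
    raise UnsafeFeedUrl, "localhost is not allowed"
  end

  addresses = begin
    [IPAddr.new(host)] # literal IP address: no DNS lookup involved
  rescue IPAddr::InvalidAddressError
    resolver.call(host).map { |a| IPAddr.new(a) }
  end
  raise UnsafeFeedUrl, "host does not resolve" if addresses.empty?

  # Every address the name resolves to must be public; one bad A/AAAA record
  # is enough to reject the URL.
  addresses.each do |ip|
    ip = ip.native if ip.ipv4_mapped? # ::ffff:127.0.0.1 -> 127.0.0.1
    if BLOCKED_RANGES.any? { |range| range.include?(ip) }
      raise UnsafeFeedUrl, "#{host} resolves to a non-public address (#{ip})"
    end
  end
  uri
end

if __FILE__ == $0
  # Constructed DNS stub so the demo does not touch the network.
  stub = ->(h) { { "feeds.example" => ["203.0.113.10"] }.fetch(h, []) }
  puts validate_feed_url("https://feeds.example/rss", resolver: stub)
  begin
    validate_feed_url("http://127.0.0.1:3000/feeds", resolver: stub)
  rescue UnsafeFeedUrl => e
    puts "rejected: #{e.message}"
  end
end
```

In a Rails app this would back a model validation on the feed's `url` attribute, but it has to run again at fetch time as well, not only when the feed is saved: the DNS answer can change between the two (rebinding), and the fetcher must re-validate every redirect target, since a public host can 302 to an internal address. Connecting to the address that was validated, rather than resolving the name a second time, closes the remaining window.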

own reverse proxy

Hello, good day. I am trying to get Haven to work with the deploy-pi.sh script; however, I have some doubts. I have my own reverse proxy to expose the server to the internet. Which part of the script would I have to delete for everything to work OK? I tried removing these parts:


## HTTPS with Letsencrypt
#Rewrite Apache config to fix http -> https redirect

However, I get a "server not available" error. Could you guide me a little? Thanks.

QoL suggestions

Demo Site

  • Add some sample posts, comments, multiple users to show how it works
  • On the "Demo Credentials" page, when you click "Login", it requires you to have copied both email and password (or remember the email). Would be better if the email was pre-filled via a query string, maybe? That functionality could also make it easier to add secondary users, if you are managing the email used for them - sending a link where the email is already filled in.

Account Page

Right now, the options for Password are:

  • Password (leave blank if you don't want to change it)
    • 6 characters minimum
  • Password confirmation
  • Current password (we need your current password to confirm your changes)

This is confusing.

Either the "Change Password" screen should be a sub-menu (different page), or it should at least have its own header, with its own save button:

Proposed Account Layout

Account

  • Email
  • Name
  • Current Password
    • current password required to save changes

save changes

Password

  • New Password
  • New Password (again)
  • Current Password

update password

Delete Account

  • Current Password
    • current password required to delete account

delete account [custom css to make it red, probably]


I'll update if I find more. If I end up using the site, I may open a PR for some of the above.

Docker support

I believe the project could greatly benefit from Docker (and compose) support. Making it easier to set up on machines that are not single purpose (like a Raspberry Pi or AWS instances) can be greatly beneficial in getting greater adoption for Haven.

We can start with a rough base and refine from there.

Share without username and password

It's not specifically stated if this is a goal at all, but is there a way to make posts globally visible, meaning you don't need a password to see them?

For example

blog.domain.com/public

Unable to make any edits when on https

When on https (certificate through certbot), using apache and reverse proxy:
when making some edits such as:

  • login
  • create post

I got this error:

HTTP Origin header (https://blog.<my website obscured name>.com) didn't match request.base_url (http://blog.<my website obscured name>.it) 

Do I have to force HTTP instead of HTTPS?
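The error in the post is Rails' CSRF origin check (`verify_request_origin`): when Apache terminates TLS and proxies plain HTTP to the Rails server on port 3000, Rails rebuilds `request.base_url` as `http://...`, which never equals the `https://...` Origin the browser sends, so every state-changing request (login, create post) is rejected. The fix is not to force HTTP but to have the proxy tell Rails the original scheme: in the https vhost, with mod_headers, `RequestHeader set X-Forwarded-Proto "https"`, plus `ProxyPreserveHost On` so the original Host header reaches Rails. The following is an added example, mine and not Haven's or Rails' code: a simplified pure-Ruby mimic of the precedence Rack uses to derive the scheme from those headers and of the origin comparison, run against two constructed request environments. `request_scheme`, `base_url` and `origin_matches?` are this example's own names.

```ruby
# Simplified mimic of Rack::Request#scheme precedence (not the real Rack code):
# a direct TLS flag wins, then the X-Forwarded-* headers a reverse proxy adds,
# else the scheme of the socket the app server itself accepted.
def request_scheme(env)
  return "https" if env["HTTPS"] == "on"
  return "https" if env["HTTP_X_FORWARDED_SSL"] == "on"
  forwarded = env["HTTP_X_FORWARDED_SCHEME"] || env["HTTP_X_FORWARDED_PROTO"]
  return forwarded.split(",").first.strip if forwarded # first hop wins in a chain
  env["rack.url_scheme"]
end

# What Rails calls request.base_url: scheme plus the Host header (with port).
def base_url(env)
  "#{request_scheme(env)}://#{env['HTTP_HOST']}"
end

# Rails' forgery-protection origin rule: a request carrying an Origin header is
# accepted only if that origin is exactly the app's own base URL. Requests with
# no Origin header fall through to the authenticity-token check instead.
def origin_matches?(env)
  origin = env["HTTP_ORIGIN"]
  origin.nil? || origin == base_url(env)
end

# Constructed environment: the browser POSTed to https://blog.example.com, but
# Apache forwarded it to Puma over plain http on port 3000 without any
# X-Forwarded-Proto header.
BROWSER_POST = {
  "rack.url_scheme" => "http",
  "HTTP_HOST"       => "blog.example.com",
  "HTTP_ORIGIN"     => "https://blog.example.com",
}.freeze

# Same request after `RequestHeader set X-Forwarded-Proto "https"` in the
# Apache https vhost.
PROXY_FIXED = BROWSER_POST.merge("HTTP_X_FORWARDED_PROTO" => "https").freeze

if __FILE__ == $0
  [["without X-Forwarded-Proto", BROWSER_POST], ["with X-Forwarded-Proto", PROXY_FIXED]].each do |label, env|
    puts "#{label}: base_url=#{base_url(env)} origin_ok=#{origin_matches?(env)}"
  end
end
```

Because Rack believes whatever `X-Forwarded-Proto` it is handed, port 3000 must be reachable only from the proxy (bind to 127.0.0.1 or firewall it); a client that can talk to Rails directly can otherwise set the header itself. If the two hostnames in the logged error really differ rather than being obscured, `ProxyPreserveHost On` is the missing piece, since the Host part of `base_url` must match as well.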

Index of

Hello, I have tried to follow the steps of the script except for the certificate and HTTPS redirection part, and when I try to view the server its index appears instead of the Haven app. What step could I have omitted? Thanks and regards.

Using email to reset password? And a styling QoL suggestion

Hello! I'm starting to use Haven finally (we had talked over email before!) and after a pause in using it, and having changed my password, I got locked out. I have no idea how to get the password back (sadly my password manager didn't catch that I changed it) and was wondering if a possible feature to have an email reset the password would be able to be included?

I also was wondering if it would be possible to make the CSS editing a bit easier. I know some CSS/HTML, but I couldn't find an easy guide on how to start editing it as far as CSS classes and such. I know I can inspect element in my browser, but it might be worthwhile to either make note of some tips on styling it, or something along those lines? Especially for people who might not be quite as knowledgeable. If there is a guide somewhere, I apologize! I'm bad at finding things sometimes.

Thank you for your time and I really like the project!

Contribution guidelines?

Do you plan on adding contribution guidelines? I would love to help out where possible if there's a need and/or desire for contributions. If not, no worries. Just wanted to get the conversation going if there's one to be had.

[Feature Request] Add RTL support

It would be nice if Haven supported RTL languages. That means that when you write in these languages, the text appears from right to left instead of from left to right.
