Description
HedgeDoc (formerly known as CodiMD) is an open-source collaborative markdown editor. An attacker can read arbitrary .md files from the server's filesystem due to improper input validation, which allows a relative path traversal. To verify whether you are affected, you can try to open the following URL: http://localhost:3000/..%2F..%2FREADME# (replace http://localhost:3000 with your instance's base URL, e.g. https://demo.hedgedoc.org/..%2F..%2FREADME#). If you see a README page being rendered, you are running an affected version. The attack works because the internal router passes the URL-encoded alias to the noteController.showNote function. This function passes the input directly to the findNote() utility function, which passes it on to the parseNoteId() function, which tries to make sense of the noteId/alias and checks whether a note already exists and, if so, whether a corresponding file on disk was updated. If no note exists the note creation-function is c
Links
- (reference URL not shown on page) Exploit, Patch, Third Party Advisory
- (reference URL not shown on page) Exploit, Patch, Third Party Advisory
Vulnerable configurations
EPSS: (value not shown on page)
CVSS3: 4.7 Medium
CVSS3: 5.8 Medium
CVSS2: 5 Medium
Defects