Merge branch 'master' into fix-workflows

tests on PR
tests on PR (#375 )
2021-05-21 17:18:50 +02:00 · 2021-05-21 17:17:54 +02:00 · 2021-05-21 17:16:43 +02:00 · 2021-05-21 17:14:14 +02:00 · 2021-05-21 17:06:38 +02:00 · 2021-05-21 17:05:49 +02:00
10 changed files with 190 additions and 98 deletions
--- a/.github/workflows/build-docker-images.yml
+++ b/.github/workflows/build-docker-images.yml
@@ -1,4 +1,4 @@
-name: Deploy multi-architecture Docker images for transfer.sh with buildx
+name: deploy multi-architecture Docker images for transfer.sh with buildx

 on:
  schedule:
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -0,0 +1,58 @@
+name: release
+on:
+  push:
+    tags:
+      - v*
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        GOOS: [ darwin, linux, windows ]
+        GOARCH: [ amd64 ]
+        include:
+          - GOOS: darwin
+            GOARCH: amd64
+            suffix: darwin-amd64
+          - GOOS: windows
+            GOARCH: amd64
+            suffix: windows-amd64.exe
+          - GOOS: linux
+            GOARCH: amd64
+            suffix: linux-amd64
+          - GOOS: linux
+            GOARCH: arm
+            suffix: linux-armv7
+    steps:
+      - uses: actions/checkout@v2
+      - uses: actions/setup-go@v2
+        with:
+          go-version: 1.16.x
+      - name: Build ${{ matrix.suffix }} (GOOS=${{ matrix.GOOS }}, GOARCH=${{ matrix.GOARCH }})
+        env:
+          GOOS: ${{ matrix.GOOS }}
+          GOARCH: ${{ matrix.GOARCH }}
+        run: |
+          go version
+          go build -o ./artifacts/transfersh-${GITHUB_REF##*/}-${{ matrix.suffix }}
+      - uses: actions/upload-artifact@v2
+        name: Upload artifacts
+        with:
+          name: artifacts
+          path: ./artifacts
+
+  release:
+    runs-on: ubuntu-latest
+    needs: [ build ]
+    steps:
+      - uses: actions/download-artifact@v2
+        name: Download artifacts
+        with:
+          name: artifacts
+          path: ./artifacts
+      - name: Publish artifacts
+        uses: softprops/action-gh-release@v1
+        with:
+          files: './artifacts/*'
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -0,0 +1,30 @@
+name: test
+on:
+  pull_request:
+    branches:
+      - "*"
+  push:
+    branches:
+      - "*"
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        go_version:
+          - 1.13.x
+          - 1.14.x
+          - 1.15.x
+          - 1.16.x
+    name: Test with ${{ matrix.go_version }}
+    steps:
+      - uses: actions/checkout@v2
+      - uses: actions/setup-go@v1
+        with:
+          go-version: ${{ matrix.go_version }}
+      - name: Vet and test
+        run: |
+          go version
+          go vet ./...
+          go test ./...
--- a/.travis.yml
+++ b/.travis.yml
@@ -1,49 +0,0 @@
-language: go
-sudo: false
-
-os:
-  - linux
-
-services:
-  - docker
-
-go:
-  - 1.13.x
-  - 1.14.x
-  - 1.15.x
-  - 1.16.x
-  - tip
-
-env:
-  global:
-    - GO111MODULE=on
-
-install:
-  - go get -t -u -v ./...
-  - go build -v .
-  - go vet ./...
-
-script:
-  - go test ./...
-
-before_deploy:
-  - mkdir -p release
-  - "GOOS=linux GOARCH=amd64 CGO_ENABLED=0 go build -tags netgo -ldflags '-a -s -w -extldflags -static' -o release/transfersh-$TRAVIS_TAG-linux-amd64"
-  - "GOOS=linux GOARCH=arm GOARM=7 CGO_ENABLED=0 go build -tags netgo -ldflags '-a -s -w -extldflags -static' -o release/transfersh-$TRAVIS_TAG-linux-armv7"
-  - "GOOS=darwin GOARCH=amd64 CGO_ENABLED=0 go build -tags netgo -ldflags '-a -s -w -extldflags -static' -o release/transfersh-$TRAVIS_TAG-darwin-amd64"
-  - "GOOS=windows GOARCH=amd64 CGO_ENABLED=0 go build -tags netgo -ldflags '-a -s -w -extldflags -static' -o release/transfersh-$TRAVIS_TAG-win-amd64.exe"
-
-deploy:
-  provider: releases
-  api_key:
-    secure: cOuMGyvrl/9GX3TZFL+Vq++2Bv5Hlb3VfXSYONfeAj+1AXI3Y+tPruy/XnWpa1MUxkvFuIhea3sUAiKfwhHip9csCmMUhDJtaTU9apsxRkyF/OFrWb7/FlbnqYuAwnp91ImvtSlnubg2VHTjhBA6ycNQF7WZcJEMVMsAtC/nSY4=
-  file:
-    - "release/transfersh-$TRAVIS_TAG-linux-amd64"
-    - "release/transfersh-$TRAVIS_TAG-linux-armv7"
-    - "release/transfersh-$TRAVIS_TAG-darwin-amd64"
-    - "release/transfersh-$TRAVIS_TAG-win-amd64.exe"
-  skip_cleanup: true
-  on:
-    tags: true
-    go: 1.15.x
-  overwrite: true
--- a/README.md
+++ b/README.md
@@ -1,4 +1,4 @@
-# transfer.sh [![Gitter](https://badges.gitter.im/Join%20Chat.svg)](https://gitter.im/dutchcoders/transfer.sh?utm_source=badge&utm_medium=badge&utm_campaign=&utm_campaign=pr-badge&utm_content=badge) [![Go Report Card](https://goreportcard.com/badge/github.com/dutchcoders/transfer.sh)](https://goreportcard.com/report/github.com/dutchcoders/transfer.sh) [![Docker pulls](https://img.shields.io/docker/pulls/dutchcoders/transfer.sh.svg)](https://hub.docker.com/r/dutchcoders/transfer.sh/) [![Build Status](https://travis-ci.com/dutchcoders/transfer.sh.svg?branch=master)](https://travis-ci.com/dutchcoders/transfer.sh)
+# transfer.sh [![Gitter](https://badges.gitter.im/Join%20Chat.svg)](https://gitter.im/dutchcoders/transfer.sh?utm_source=badge&utm_medium=badge&utm_campaign=&utm_campaign=pr-badge&utm_content=badge) [![Go Report Card](https://goreportcard.com/badge/github.com/dutchcoders/transfer.sh)](https://goreportcard.com/report/github.com/dutchcoders/transfer.sh) [![Docker pulls](https://img.shields.io/docker/pulls/dutchcoders/transfer.sh.svg)](https://hub.docker.com/r/dutchcoders/transfer.sh/) [![Build Status](https://github.com/dutchcoders/transfer.sh/actions/workflows/test.yml/badge.svg?branch=master)](https://github.com/dutchcoders/transfer.sh/actions/workflows/test.yml?query=branch%3Amaster)

 Easy and fast file sharing from the command-line. This code contains the server with everything you need to create your own instance.

@@ -114,6 +114,7 @@ rate-limit | request per minute  | | RATE_LIMIT |
 max-upload-size | max upload size in kilobytes  | | MAX_UPLOAD_SIZE |
 purge-days | number of days after the uploads are purged automatically | | PURGE_DAYS |   
 purge-interval | interval in hours to run the automatic purge for (not applicable to S3 and Storj) | | PURGE_INTERVAL |   
+random-token-length | length of the random token for the upload path (double the size for delete path) | 6 | RANDOM_TOKEN_LENGTH |   

 If you want to use TLS using lets encrypt certificates, set lets-encrypt-hosts to your domain, set tls-listener to :443 and enable force-https.

--- a/cmd/cmd.go
+++ b/cmd/cmd.go
@@ -12,7 +12,7 @@ import (
 	"google.golang.org/api/googleapi"
 )

-var Version = "1.2.2"
+var Version = "1.2.4"
 var helpTemplate = `NAME:
 {{.Name}} - {{.Usage}}

@@ -274,6 +274,12 @@ var globalFlags = []cli.Flag{
 		Value:  "",
 		EnvVar: "CORS_DOMAINS",
 	},
+	cli.Int64Flag{
+		Name:   "random-token-length",
+		Usage:  "",
+		Value:  6,
+		EnvVar: "RANDOM_TOKEN_LENGTH",
+	},
 }

 type Cmd struct {
@@ -377,6 +383,9 @@ func New() *Cmd {
 			options = append(options, server.RateLimit(v))
 		}

+		v := c.Int64("random-token-length")
+		options = append(options, server.RandomTokenLength(v))
+
 		purgeDays := c.Int("purge-days")
 		purgeInterval := c.Int("purge-interval")
 		if purgeDays > 0 && purgeInterval > 0 {
--- a/server/codec.go
+++ b/server/codec.go
@@ -26,6 +26,7 @@ package server

 import (
 	"math"
+	"math/rand"
 	"strings"
 )

@@ -34,19 +35,31 @@ const (
 	SYMBOLS = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"

 	// someone set us up the bomb !!
-	BASE = int64(len(SYMBOLS))
+	BASE = float64(len(SYMBOLS))
+
+	// init seed encode number
+	INIT_SEED = float64(-1)
 )

 // encodes a number into our *base* representation
 // TODO can this be made better with some bitshifting?
-func Encode(number int64) string {
-	rest := number % BASE
+func Encode(number float64, length int64) string {
+	if number == INIT_SEED {
+		seed := math.Pow(float64(BASE), float64(length))
+		number = seed + (rand.Float64() * seed) // start with seed to enforce desired length
+	}
+
+	rest := int64(math.Mod(number, BASE))
 	// strings are a bit weird in go...
 	result := string(SYMBOLS[rest])
-	if number-rest != 0 {
-		newnumber := (number - rest) / BASE
-		result = Encode(newnumber) + result
+	if rest > 0 && number-float64(rest) != 0 {
+		newnumber := (number - float64(rest)) / BASE
+		result = Encode(newnumber, length) + result
+	} else {
+		// it would always be 1 because of starting with seed and we want to skip
+		return ""
 	}
+
 	return result
 }

--- a/server/codec_test.go
+++ b/server/codec_test.go
@@ -0,0 +1,15 @@
+package server
+
+import "testing"
+
+func BenchmarkEncodeConcat(b *testing.B) {
+	for i := 0; i < b.N; i++ {
+		_ = Encode(INIT_SEED, 5) + Encode(INIT_SEED, 5)
+	}
+}
+
+func BenchmarkEncodeLonger(b *testing.B) {
+	for i := 0; i < b.N; i++ {
+		_ = Encode(INIT_SEED, 10)
+	}
+}
--- a/server/handlers.go
+++ b/server/handlers.go
@@ -41,7 +41,6 @@ import (
 	"io"
 	"io/ioutil"
 	"log"
-	"math/rand"
 	"mime"
 	"net/http"
 	"net/url"
@@ -95,6 +94,27 @@ func healthHandler(w http.ResponseWriter, r *http.Request) {
 	fmt.Fprintf(w, "Approaching Neutral Zone, all systems normal and functioning.")
 }

+func canContainsXSS(contentType string) bool {
+	switch {
+	case strings.Contains(contentType, "cache-manifest"):
+		fallthrough
+	case strings.Contains(contentType, "html"):
+		fallthrough
+	case strings.Contains(contentType, "rdf"):
+		fallthrough
+	case strings.Contains(contentType, "vtt"):
+		fallthrough
+	case strings.Contains(contentType, "xml"):
+		fallthrough
+	case strings.Contains(contentType, "xsl"):
+		return true
+	case strings.Contains(contentType, "x-mixed-replace"):
+		return true
+	}
+
+	return false
+}
+
 /* The preview handler will show a preview of the content for browsers (accept type text/html), and referer is not transfer.sh */
 func (s *Server) previewHandler(w http.ResponseWriter, r *http.Request) {
 	vars := mux.Vars(r)
@@ -174,23 +194,25 @@ func (s *Server) previewHandler(w http.ResponseWriter, r *http.Request) {
 	webAddress := resolveWebAddress(r, s.proxyPath, s.proxyPort)

 	data := struct {
-		ContentType   string
-		Content       html_template.HTML
-		Filename      string
-		Url           string
-		UrlGet        string
-		Hostname      string
-		WebAddress    string
-		ContentLength uint64
-		GAKey         string
-		UserVoiceKey  string
-		QRCode        string
+		ContentType    string
+		Content        html_template.HTML
+		Filename       string
+		Url            string
+		UrlGet         string
+		UrlRandomToken string
+		Hostname       string
+		WebAddress     string
+		ContentLength  uint64
+		GAKey          string
+		UserVoiceKey   string
+		QRCode         string
 	}{
 		contentType,
 		content,
 		filename,
 		resolvedURL,
 		resolvedURLGet,
+		token,
 		hostname,
 		webAddress,
 		contentLength,
@@ -255,18 +277,14 @@ func (s *Server) postHandler(w http.ResponseWriter, r *http.Request) {
 		return
 	}

-	token := Encode(10000000 + int64(rand.Intn(1000000000)))
+	token := Encode(INIT_SEED, s.randomTokenLength)

 	w.Header().Set("Content-Type", "text/plain")

 	for _, fheaders := range r.MultipartForm.File {
 		for _, fheader := range fheaders {
 			filename := sanitize(fheader.Filename)
-			contentType := fheader.Header.Get("Content-Type")
-
-			if contentType == "" {
-				contentType = mime.TypeByExtension(filepath.Ext(fheader.Filename))
-			}
+			contentType := mime.TypeByExtension(filepath.Ext(fheader.Filename))

 			var f io.Reader
 			var err error
@@ -317,7 +335,7 @@ func (s *Server) postHandler(w http.ResponseWriter, r *http.Request) {
 				return
 			}

-			metadata := MetadataForRequest(contentType, r)
+			metadata := MetadataForRequest(contentType, s.randomTokenLength, r)

 			buffer := &bytes.Buffer{}
 			if err := json.NewEncoder(buffer).Encode(metadata); err != nil {
@@ -381,13 +399,13 @@ type Metadata struct {
 	DeletionToken string
 }

-func MetadataForRequest(contentType string, r *http.Request) Metadata {
+func MetadataForRequest(contentType string, randomTokenLength int64, r *http.Request) Metadata {
 	metadata := Metadata{
 		ContentType:   strings.ToLower(contentType),
 		MaxDate:       time.Time{},
 		Downloads:     0,
 		MaxDownloads:  -1,
-		DeletionToken: Encode(10000000+int64(rand.Intn(1000000000))) + Encode(10000000+int64(rand.Intn(1000000000))),
+		DeletionToken: Encode(INIT_SEED, randomTokenLength) + Encode(INIT_SEED, randomTokenLength),
 	}

 	if v := r.Header.Get("Max-Downloads"); v == "" {
@@ -473,15 +491,11 @@ func (s *Server) putHandler(w http.ResponseWriter, r *http.Request) {
 		return
 	}

-	contentType := r.Header.Get("Content-Type")
+	contentType := mime.TypeByExtension(filepath.Ext(vars["filename"]))

-	if contentType == "" {
-		contentType = mime.TypeByExtension(filepath.Ext(vars["filename"]))
-	}
+	token := Encode(INIT_SEED, s.randomTokenLength)

-	token := Encode(10000000 + int64(rand.Intn(1000000000)))
-
-	metadata := MetadataForRequest(contentType, r)
+	metadata := MetadataForRequest(contentType, s.randomTokenLength, r)

 	buffer := &bytes.Buffer{}
 	if err := json.NewEncoder(buffer).Encode(metadata); err != nil {
@@ -661,13 +675,11 @@ func (s *Server) CheckMetadata(token, filename string, increaseDownload bool) (M
 		return metadata, errors.New("MaxDownloads expired.")
 	} else if !metadata.MaxDate.IsZero() && time.Now().After(metadata.MaxDate) {
 		return metadata, errors.New("MaxDate expired.")
-	} else {
+	} else if metadata.MaxDownloads != -1 && increaseDownload {
 		// todo(nl5887): mutex?

 		// update number of downloads
-		if increaseDownload {
-			metadata.Downloads++
-		}
+		metadata.Downloads++

 		buffer := &bytes.Buffer{}
 		if err := json.NewEncoder(buffer).Encode(metadata); err != nil {
@@ -688,7 +700,7 @@ func (s *Server) CheckDeletionToken(deletionToken, token, filename string) error

 	r, _, err := s.storage.Get(token, fmt.Sprintf("%s.metadata", filename))
 	if s.storage.IsNotExist(err) {
-		return nil
+		return errors.New("Metadata doesn't exist")
 	} else if err != nil {
 		return err
 	}
@@ -1009,13 +1021,8 @@ func (s *Server) getHandler(w http.ResponseWriter, r *http.Request) {
 	w.Header().Set("X-Remaining-Downloads", remainingDownloads)
 	w.Header().Set("X-Remaining-Days", remainingDays)

-
-	if disposition == "inline" && strings.Contains(contentType, "html") {
-		reader = ioutil.NopCloser(
-			bytes.NewReader(
-				bluemonday.UGCPolicy().
-					SanitizeReader(reader).
-					Bytes()))
+	if disposition == "inline" && canContainsXSS(contentType) {
+		reader = ioutil.NopCloser(bluemonday.UGCPolicy().SanitizeReader(reader))
 	}

 	if w.Header().Get("Range") == "" {
--- a/server/server.go
+++ b/server/server.go
@@ -187,6 +187,12 @@ func RateLimit(requests int) OptionFn {
 	}
 }

+func RandomTokenLength(length int64) OptionFn {
+	return func(srvr *Server) {
+		srvr.randomTokenLength = length
+	}
+}
+
 func Purge(days, interval int) OptionFn {
 	return func(srvr *Server) {
 		srvr.purgeDays = time.Duration(days) * time.Hour * 24
@@ -294,6 +300,8 @@ type Server struct {

 	forceHTTPs bool

+	randomTokenLength int64
+
 	ipFilterOptions *IPFilterOptions

 	VirusTotalKey    string
Author	SHA1	Message	Date
Andrea Spacca	ffeba97f90	Merge branch 'master' into fix-workflows	2021-05-21 17:18:50 +02:00
Andrea Spacca	62349b51df	tests on PR	2021-05-21 17:17:54 +02:00
Andrea Spacca	2e2c07c3a0	tests on PR (#375 ) * tests on PR	2021-05-21 17:16:43 +02:00
Andrea Spacca	87b090af66	tests on PR	2021-05-21 17:14:14 +02:00
Andrea Spacca	e57b0314b3	tests on PR	2021-05-21 17:06:38 +02:00
Andrea Spacca	f25b3fb99d	tests on PR	2021-05-21 17:05:49 +02:00
Andrea Spacca	9df18fdc69	fixes-20210521 (#373 )	2021-05-21 15:49:48 +02:00
Stefan Benten	49c6d7ee4f	Merge pull request #372 from dutchcoders/ISSUE-371 Add random-token-length config	2021-05-21 10:37:42 +02:00
Andrea Spacca	fdfd453222	Added random-token-length, Encode() refactored	2021-05-20 08:26:07 +02:00
Stefan Benten	b5ffdb5095	Merge pull request #370 from dutchcoders/ISSUE-38-WEB Added UrlRandomToken in template data	2021-05-09 10:37:43 +02:00
Andrea Spacca	0512452111	Added UrlRandomToken in template data	2021-05-09 09:21:54 +02:00
Federico Marzocchi	16e94447f7	GitHub workflow for releases (#368 ) * GitHub workflow for releases * avoid renaming * add workflow for tests * fix workflow name * one yaml for all * fix yaml * add missing pipe * add conditional * also rename that other var * remove empty version * print the go version * add name to step * add go version when building * split files * remove dependency * delete travis and add badge * CHANGE NAMES TO LOWER CASE	2021-05-01 19:53:15 +02:00
Stefan Benten	941ec1fe0f	Merge pull request #365 from JustAnotherArchivist/disable-download-counter-without-limit Only increment download counter on files that have a download limit	2021-04-25 21:00:49 +02:00
JustAnotherArchivist	6bd3e97186	Only increment download counter on files that have a download limit For files that have no limit, there is no reason to track the download counter as its value will never be used anyway. This reduces costs on storage backends that have an operation fee (e.g. AWS S3) or a minimum retention (e.g. Wasabi S3).	2021-04-25 17:47:23 +00:00
Andrea Spacca	31ef712847	Merge pull request #362 from JustAnotherArchivist/fix-metadata-rewrite Only rewrite metadata file when the download counter changed	2021-04-24 21:23:51 +02:00
JustAnotherArchivist	4daca97f89	Only rewrite metadata file when the download counter changed Previously, the metadata file would be rewritten even if the download counter stayed the same (i.e. `increaseDownload = false`, previews and HEAD requests). Because the metadata doesn't change in that case, this would simply rewrite the exact same contents needlessly, which may also incur extra costs depending on the storage backend.	2021-04-19 18:37:47 +00:00
Andrea Spacca	69519d8fa4	Unwrap unnecessary bytes.NewReader	2021-03-19 08:25:40 +01:00