Merge branch 'master' into fix-workflows

tests on PR
tests on PR (#375 )
2021-05-21 17:18:50 +02:00 · 2021-05-21 17:17:54 +02:00 · 2021-05-21 17:16:43 +02:00 · 2021-05-21 17:14:14 +02:00 · 2021-05-21 17:06:38 +02:00 · 2021-05-21 17:05:49 +02:00
7 changed files with 100 additions and 38 deletions
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -1,5 +1,8 @@
 name: test
 on:
+  pull_request:
+    branches:
+      - "*"
  push:
    branches:
      - "*"
--- a/README.md
+++ b/README.md
@@ -114,6 +114,7 @@ rate-limit | request per minute  | | RATE_LIMIT |
 max-upload-size | max upload size in kilobytes  | | MAX_UPLOAD_SIZE |
 purge-days | number of days after the uploads are purged automatically | | PURGE_DAYS |   
 purge-interval | interval in hours to run the automatic purge for (not applicable to S3 and Storj) | | PURGE_INTERVAL |   
+random-token-length | length of the random token for the upload path (double the size for delete path) | 6 | RANDOM_TOKEN_LENGTH |   

 If you want to use TLS using lets encrypt certificates, set lets-encrypt-hosts to your domain, set tls-listener to :443 and enable force-https.

--- a/cmd/cmd.go
+++ b/cmd/cmd.go
@@ -12,7 +12,7 @@ import (
 	"google.golang.org/api/googleapi"
 )

-var Version = "1.2.2"
+var Version = "1.2.4"
 var helpTemplate = `NAME:
 {{.Name}} - {{.Usage}}

@@ -274,6 +274,12 @@ var globalFlags = []cli.Flag{
 		Value:  "",
 		EnvVar: "CORS_DOMAINS",
 	},
+	cli.Int64Flag{
+		Name:   "random-token-length",
+		Usage:  "",
+		Value:  6,
+		EnvVar: "RANDOM_TOKEN_LENGTH",
+	},
 }

 type Cmd struct {
@@ -377,6 +383,9 @@ func New() *Cmd {
 			options = append(options, server.RateLimit(v))
 		}

+		v := c.Int64("random-token-length")
+		options = append(options, server.RandomTokenLength(v))
+
 		purgeDays := c.Int("purge-days")
 		purgeInterval := c.Int("purge-interval")
 		if purgeDays > 0 && purgeInterval > 0 {
--- a/server/codec.go
+++ b/server/codec.go
@@ -26,6 +26,7 @@ package server

 import (
 	"math"
+	"math/rand"
 	"strings"
 )

@@ -34,19 +35,31 @@ const (
 	SYMBOLS = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"

 	// someone set us up the bomb !!
-	BASE = int64(len(SYMBOLS))
+	BASE = float64(len(SYMBOLS))
+
+	// init seed encode number
+	INIT_SEED = float64(-1)
 )

 // encodes a number into our *base* representation
 // TODO can this be made better with some bitshifting?
-func Encode(number int64) string {
-	rest := number % BASE
+func Encode(number float64, length int64) string {
+	if number == INIT_SEED {
+		seed := math.Pow(float64(BASE), float64(length))
+		number = seed + (rand.Float64() * seed) // start with seed to enforce desired length
+	}
+
+	rest := int64(math.Mod(number, BASE))
 	// strings are a bit weird in go...
 	result := string(SYMBOLS[rest])
-	if number-rest != 0 {
-		newnumber := (number - rest) / BASE
-		result = Encode(newnumber) + result
+	if rest > 0 && number-float64(rest) != 0 {
+		newnumber := (number - float64(rest)) / BASE
+		result = Encode(newnumber, length) + result
+	} else {
+		// it would always be 1 because of starting with seed and we want to skip
+		return ""
 	}
+
 	return result
 }

--- a/server/codec_test.go
+++ b/server/codec_test.go
@@ -0,0 +1,15 @@
+package server
+
+import "testing"
+
+func BenchmarkEncodeConcat(b *testing.B) {
+	for i := 0; i < b.N; i++ {
+		_ = Encode(INIT_SEED, 5) + Encode(INIT_SEED, 5)
+	}
+}
+
+func BenchmarkEncodeLonger(b *testing.B) {
+	for i := 0; i < b.N; i++ {
+		_ = Encode(INIT_SEED, 10)
+	}
+}
--- a/server/handlers.go
+++ b/server/handlers.go
@@ -41,7 +41,6 @@ import (
 	"io"
 	"io/ioutil"
 	"log"
-	"math/rand"
 	"mime"
 	"net/http"
 	"net/url"
@@ -95,6 +94,27 @@ func healthHandler(w http.ResponseWriter, r *http.Request) {
 	fmt.Fprintf(w, "Approaching Neutral Zone, all systems normal and functioning.")
 }

+func canContainsXSS(contentType string) bool {
+	switch {
+	case strings.Contains(contentType, "cache-manifest"):
+		fallthrough
+	case strings.Contains(contentType, "html"):
+		fallthrough
+	case strings.Contains(contentType, "rdf"):
+		fallthrough
+	case strings.Contains(contentType, "vtt"):
+		fallthrough
+	case strings.Contains(contentType, "xml"):
+		fallthrough
+	case strings.Contains(contentType, "xsl"):
+		return true
+	case strings.Contains(contentType, "x-mixed-replace"):
+		return true
+	}
+
+	return false
+}
+
 /* The preview handler will show a preview of the content for browsers (accept type text/html), and referer is not transfer.sh */
 func (s *Server) previewHandler(w http.ResponseWriter, r *http.Request) {
 	vars := mux.Vars(r)
@@ -174,23 +194,25 @@ func (s *Server) previewHandler(w http.ResponseWriter, r *http.Request) {
 	webAddress := resolveWebAddress(r, s.proxyPath, s.proxyPort)

 	data := struct {
-		ContentType   string
-		Content       html_template.HTML
-		Filename      string
-		Url           string
-		UrlGet        string
-		Hostname      string
-		WebAddress    string
-		ContentLength uint64
-		GAKey         string
-		UserVoiceKey  string
-		QRCode        string
+		ContentType    string
+		Content        html_template.HTML
+		Filename       string
+		Url            string
+		UrlGet         string
+		UrlRandomToken string
+		Hostname       string
+		WebAddress     string
+		ContentLength  uint64
+		GAKey          string
+		UserVoiceKey   string
+		QRCode         string
 	}{
 		contentType,
 		content,
 		filename,
 		resolvedURL,
 		resolvedURLGet,
+		token,
 		hostname,
 		webAddress,
 		contentLength,
@@ -255,18 +277,14 @@ func (s *Server) postHandler(w http.ResponseWriter, r *http.Request) {
 		return
 	}

-	token := Encode(10000000 + int64(rand.Intn(1000000000)))
+	token := Encode(INIT_SEED, s.randomTokenLength)

 	w.Header().Set("Content-Type", "text/plain")

 	for _, fheaders := range r.MultipartForm.File {
 		for _, fheader := range fheaders {
 			filename := sanitize(fheader.Filename)
-			contentType := fheader.Header.Get("Content-Type")
-
-			if contentType == "" {
-				contentType = mime.TypeByExtension(filepath.Ext(fheader.Filename))
-			}
+			contentType := mime.TypeByExtension(filepath.Ext(fheader.Filename))

 			var f io.Reader
 			var err error
@@ -317,7 +335,7 @@ func (s *Server) postHandler(w http.ResponseWriter, r *http.Request) {
 				return
 			}

-			metadata := MetadataForRequest(contentType, r)
+			metadata := MetadataForRequest(contentType, s.randomTokenLength, r)

 			buffer := &bytes.Buffer{}
 			if err := json.NewEncoder(buffer).Encode(metadata); err != nil {
@@ -381,13 +399,13 @@ type Metadata struct {
 	DeletionToken string
 }

-func MetadataForRequest(contentType string, r *http.Request) Metadata {
+func MetadataForRequest(contentType string, randomTokenLength int64, r *http.Request) Metadata {
 	metadata := Metadata{
 		ContentType:   strings.ToLower(contentType),
 		MaxDate:       time.Time{},
 		Downloads:     0,
 		MaxDownloads:  -1,
-		DeletionToken: Encode(10000000+int64(rand.Intn(1000000000))) + Encode(10000000+int64(rand.Intn(1000000000))),
+		DeletionToken: Encode(INIT_SEED, randomTokenLength) + Encode(INIT_SEED, randomTokenLength),
 	}

 	if v := r.Header.Get("Max-Downloads"); v == "" {
@@ -473,15 +491,11 @@ func (s *Server) putHandler(w http.ResponseWriter, r *http.Request) {
 		return
 	}

-	contentType := r.Header.Get("Content-Type")
+	contentType := mime.TypeByExtension(filepath.Ext(vars["filename"]))

-	if contentType == "" {
-		contentType = mime.TypeByExtension(filepath.Ext(vars["filename"]))
-	}
+	token := Encode(INIT_SEED, s.randomTokenLength)

-	token := Encode(10000000 + int64(rand.Intn(1000000000)))
-
-	metadata := MetadataForRequest(contentType, r)
+	metadata := MetadataForRequest(contentType, s.randomTokenLength, r)

 	buffer := &bytes.Buffer{}
 	if err := json.NewEncoder(buffer).Encode(metadata); err != nil {
@@ -686,7 +700,7 @@ func (s *Server) CheckDeletionToken(deletionToken, token, filename string) error

 	r, _, err := s.storage.Get(token, fmt.Sprintf("%s.metadata", filename))
 	if s.storage.IsNotExist(err) {
-		return nil
+		return errors.New("Metadata doesn't exist")
 	} else if err != nil {
 		return err
 	}
@@ -1007,8 +1021,7 @@ func (s *Server) getHandler(w http.ResponseWriter, r *http.Request) {
 	w.Header().Set("X-Remaining-Downloads", remainingDownloads)
 	w.Header().Set("X-Remaining-Days", remainingDays)

-
-	if disposition == "inline" && strings.Contains(contentType, "html") {
+	if disposition == "inline" && canContainsXSS(contentType) {
 		reader = ioutil.NopCloser(bluemonday.UGCPolicy().SanitizeReader(reader))
 	}

--- a/server/server.go
+++ b/server/server.go
@@ -187,6 +187,12 @@ func RateLimit(requests int) OptionFn {
 	}
 }

+func RandomTokenLength(length int64) OptionFn {
+	return func(srvr *Server) {
+		srvr.randomTokenLength = length
+	}
+}
+
 func Purge(days, interval int) OptionFn {
 	return func(srvr *Server) {
 		srvr.purgeDays = time.Duration(days) * time.Hour * 24
@@ -294,6 +300,8 @@ type Server struct {

 	forceHTTPs bool

+	randomTokenLength int64
+
 	ipFilterOptions *IPFilterOptions

 	VirusTotalKey    string
Author	SHA1	Message	Date
Andrea Spacca	ffeba97f90	Merge branch 'master' into fix-workflows	2021-05-21 17:18:50 +02:00
Andrea Spacca	62349b51df	tests on PR	2021-05-21 17:17:54 +02:00
Andrea Spacca	2e2c07c3a0	tests on PR (#375 ) * tests on PR	2021-05-21 17:16:43 +02:00
Andrea Spacca	87b090af66	tests on PR	2021-05-21 17:14:14 +02:00
Andrea Spacca	e57b0314b3	tests on PR	2021-05-21 17:06:38 +02:00
Andrea Spacca	f25b3fb99d	tests on PR	2021-05-21 17:05:49 +02:00
Andrea Spacca	9df18fdc69	fixes-20210521 (#373 )	2021-05-21 15:49:48 +02:00
Stefan Benten	49c6d7ee4f	Merge pull request #372 from dutchcoders/ISSUE-371 Add random-token-length config	2021-05-21 10:37:42 +02:00
Andrea Spacca	fdfd453222	Added random-token-length, Encode() refactored	2021-05-20 08:26:07 +02:00
Stefan Benten	b5ffdb5095	Merge pull request #370 from dutchcoders/ISSUE-38-WEB Added UrlRandomToken in template data	2021-05-09 10:37:43 +02:00
Andrea Spacca	0512452111	Added UrlRandomToken in template data	2021-05-09 09:21:54 +02:00