From 970aa1fc357fdbb4db02c277de5c93dcc23479a6 Mon Sep 17 00:00:00 2001
From: blackout
Date: Sat, 13 Feb 2021 15:58:10 +0000
Subject: [PATCH] Update 'img.go'

Initial review looks awesome, needs a few minor adjustments especially the hashing function. should be hashing based on file + epoch of upload time and/or user session to allow for same file to be uploaded multiple times. not allowing this could tip people off about the amount of times someone has seen a document or other privacy things.
---
 img.go | 34 ++++++++++++++++++----------------
 1 file changed, 18 insertions(+), 16 deletions(-)

diff --git a/img.go b/img.go
index d1fcc2b..fa4d330 100644
--- a/img.go
+++ b/img.go
@@ -41,34 +41,34 @@ func imgDel(c *gin.Context) {
 log.Debug().Str("func", fn).Msg("Request received!") // received request
 rKey := c.Param("key")
 if len(rKey) != 16 || !valid.IsAlphanumeric(rKey) {
- log.Error().Str("func", fn).Msg("delete request failed sanity check!")
- errThrow(c, 400, "400", "400")
+ log.Error().Str("func", fn).Msg("delete request failed sanity check! email staff please.")
+ errThrow(c, 400, "400", "400") // look for signs of pen testing..
 return
 }
 targetImg, _ := keyDB.Get([]byte(rKey))
 if targetImg == nil || !strings.Contains(string(targetImg), "i.") {
- log.Error().Str("func", fn).Str("rkey", rKey).Msg("no img delete entry found with provided key")
- errThrow(c, 400, "400", "400")
+ log.Error().Str("func", fn).Str("rkey", rKey).Msg("no img delete entry found with provided key. If this keeps happening, email staff please.")
+ errThrow(c, 400, "400", "400") // Might have two windows open and deleted it.. otherwise look for permission errors, etc.
 return
 }
 finalTarget := strings.Split(string(targetImg), ".")
 if !imgDB.Has([]byte(finalTarget[1])) {
- log.Error().Str("func", fn).Str("rkey", rKey).Msg("corresponding image not found in database!")
- errThrow(c, 500, "500", "500") // this shouldn't happen...?
+ log.Error().Str("func", fn).Str("rkey", rKey).Msg("corresponding image not found in database! Do you have multiple tabs/windows open? If not, email staff please.")
+ errThrow(c, 500, "500", "500") // Might have two windows open and deleted it.. otherwise look for permission errors, etc.
 return
 }
 err := imgDB.Delete([]byte(finalTarget[1]))
 if err != nil {
- log.Error().Str("func", fn).Str("rkey", finalTarget[1]).Msg("delete failed!")
- errThrow(c, 500, "500", "500")
+ log.Error().Str("func", fn).Str("rkey", finalTarget[1]).Msg("delete failed! Did you already delete it? email staff for support issues.")
+ errThrow(c, 500, "500", "500") // Check permissions, hd space, tx/rx errors..
 return
 }
 if imgDB.Has([]byte(finalTarget[1])) {
- log.Error().Str("func", fn).Str("rkey", finalTarget[1]).Msg("delete failed!?")
+ log.Error().Str("func", fn).Str("rkey", finalTarget[1]).Msg("delete failed!? Did you already delete it? email staff for support issues.")
 errThrow(c, 500, "500", "500")
 return
 }
@@ -77,11 +77,12 @@ func imgDel(c *gin.Context) {
 log.Debug().Str("func", fn).Str("rkey", finalTarget[1]).Msg("Removing delete key entry")
 err = keyDB.Delete([]byte(rKey))
 if err != nil {
- log.Error().Str("func", fn).Str("rkey", finalTarget[1]).Msg("Couldn't delete key")
+ log.Error().Str("func", fn).Str("rkey", finalTarget[1]).Msg("Couldn't delete key. email support staff about this ASAP.") // it would be insane to try and delete the hash here
 } // if someone is uploading this image again after del
 c.JSON(200, "DELETE_SUCCESS") // and the file corresponding to the hash no longer exists
- // we will delete the hash entry then and re-add then
+ // we will delete the hash entry then and re-add then.
+ // also they are likely fucking with the server.
 }
 func imgView(c *gin.Context) {
@@ -152,7 +153,7 @@ func imgPost(c *gin.Context) {
 log.Debug().Str("func", fn).Str("filename", f.Filename).Msg("[+] New upload")
- file, err := f.Open()
+ file, err := f.Open() // Eventually replace this with hashing routine to make it browser PSK encrypted faux E2E...
 if err != nil {
 errThrow(c, http.StatusInternalServerError, err.Error(), "error processing file\n")
 }
@@ -160,8 +161,8 @@ func imgPost(c *gin.Context) {
 log.Debug().Str("func", fn).Msg("verifying file is an image")
 imageFormat, ok := checkImage(file)
 if !ok {
- errThrow(c, http.StatusBadRequest, "400", "input does not appear to be an image")
- return
+ errThrow(c, http.StatusBadRequest, "400", "input does not appear to be an image. you will be rate limited if this keeps happening.")
+ return // add counter function and start rate limiting eventually.
 } else {
 log.Debug().Str("func", fn).Msg("image file type detected")
 }
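Review bot: The end-user guidance added to the log.Error messages in this hunk ("email staff please", "Do you have multiple tabs/windows open?") is written to the server log, while the client still receives only the unchanged `errThrow(c, 400, "400", "400")` / `errThrow(c, 500, "500", "500")`, so the people it addresses never see it and operators reading the log get text aimed at someone else. Keep log messages operational and put any user-facing wording in errThrow's message argument, for example `errThrow(c, 400, "400", "delete key not recognised; contact staff if this persists")`, or drop it from the log line. The same mismatch applies to the "Couldn't delete key. email support staff about this ASAP." message in the @@ -77 hunk. imgDel begins above this hunk; only its signature is visible in the hunk header.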
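Review bot: The new comment line "also they are likely fucking with the server." extends a multi-line trailing comment that is spread across the closing `}`, the `c.JSON(200, "DELETE_SUCCESS")` line and two stand-alone comment lines, which makes the explanation hard to read and the wording is not something to leave in a shipped file. Move the whole explanation into one block comment above `c.JSON(200, "DELETE_SUCCESS")` in neutral terms, e.g. `// A re-upload of this content after deletion finds a stale hash entry; imgPost removes it and re-adds the file.` Note also that when keyDB.Delete fails the handler still answers DELETE_SUCCESS, so the stale key is only cleaned up by a later request; if that is acceptable, say so in the comment rather than in the log message.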
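Review bot: The changed `file, err := f.Open()` line is followed by an error branch that calls errThrow but never returns, so when Open fails the handler continues into checkImage(file) with a nil file unless errThrow itself stops the goroutine, which the hunk does not show. Add `return` immediately after `errThrow(c, http.StatusInternalServerError, err.Error(), "error processing file\n")`. That branch also passes err.Error() into the response; a fixed client message with the detail kept in the log would avoid exposing internal error text. The new trailing comment about a future "hashing routine ... faux E2E" describes a design that is not in this change and would be clearer as a TODO referencing the tracking issue. imgPost begins above this hunk.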
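Review bot: The new response text tells the client "you will be rate limited if this keeps happening" while the comment on the following `return` says the counter and limiter do not exist yet, so the user-facing message announces a control that is not enforced. Keep the response factual and record the intent in the code: `errThrow(c, http.StatusBadRequest, "400", "input does not appear to be an image")` followed by `return // TODO: count rejected uploads per client and rate limit repeat offenders`. If a limiter is added later, the message can change at the same time as the behaviour.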
@@ -195,8 +196,8 @@ func imgPost(c *gin.Context) {
 log.Debug().Str("func", fn).Str("ogUid", ogUid).Msg("duplicate checksum in hash database, checking if file still exists...")
 if imgDB.Has(imgRef) {
 log.Debug().Str("func", fn).Str("ogUid", ogUid).Msg("duplicate file found! returning original URL")
- postUpload(c, ogUid, "nil") // they weren't the original uploader so they don't get a delete key
- return
+ postUpload(c, ogUid, "nil") // they weren't the original uploader so they don't get a delete key for now.
+ return // ENHANCEMENT: Needs to hash the file with session and/or epoch of time uploaded.
 } else {
 log.Debug().Str("func", fn).Str("ogUid", ogUid).Msg("stale hash found, deleting entry...")
 hashDB.Delete(hash)
@@ -235,6 +236,7 @@ func imgPost(c *gin.Context) {
 }
 log.Debug().Str("func", fn).Str("uid", uid).Msg("saved to database successfully, sending to postUpload")
+ // Make tick for metrics without getting all sketchy on privacy.
 postUpload(c, uid, key)
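Review bot: The privacy issue raised in the commit description is left as an ENHANCEMENT comment on the new `return`, and the duplicate branch still short-circuits to `postUpload(c, ogUid, "nil")`, so from the visible lines any client that uploads content already in hashDB gets the original ogUid back and can tell the file was stored before. If the description's design is the intent, the hashDB key needs a per-upload component (the session or upload time it mentions) so identical content from different uploads gets distinct entries, or this branch should stop returning the original URL until that change lands; either way the decision belongs in the code or a tracked TODO rather than a free-form comment. `// TODO: key hashDB by content hash plus a per-upload value (see commit message)` would be the conventional form. imgPost continues above and below this hunk.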