forked from tcp.direct/tcp.ac
Update 'img.go'
Initial review looks awesome; it needs a few minor adjustments, especially to the hashing function. It should hash based on the file plus the epoch of the upload time and/or the user session, to allow the same file to be uploaded multiple times. Not allowing this could tip people off about the number of times someone has seen a document, or raise other privacy issues.
This commit is contained in:
parent
714480b339
commit
970aa1fc35
34
img.go
34
img.go
@ -41,34 +41,34 @@ func imgDel(c *gin.Context) {
log.Debug().Str("func", fn).Msg("Request received!") // received request
rKey := c.Param("key")
if len(rKey) != 16 || !valid.IsAlphanumeric(rKey) {
log.Error().Str("func", fn).Msg("delete request failed sanity check!")
errThrow(c, 400, "400", "400")
log.Error().Str("func", fn).Msg("delete request failed sanity check! email <a href="mailto:staff@urls.is">staff</a> please.")
errThrow(c, 400, "400", "400") // look for signs of pen testing..
return
}
targetImg, _ := keyDB.Get([]byte(rKey))
if targetImg == nil || !strings.Contains(string(targetImg), "i.") {
log.Error().Str("func", fn).Str("rkey", rKey).Msg("no img delete entry found with provided key")
errThrow(c, 400, "400", "400")
log.Error().Str("func", fn).Str("rkey", rKey).Msg("no img delete entry found with provided key. If this keeps happening, email <a href="mailto:staff@urls.is">staff</a> please.")
errThrow(c, 400, "400", "400") // Might have two windows open and deleted it.. otherwise look for permission errors, etc.
return
}
finalTarget := strings.Split(string(targetImg), ".")
if !imgDB.Has([]byte(finalTarget[1])) {
log.Error().Str("func", fn).Str("rkey", rKey).Msg("corresponding image not found in database!")
errThrow(c, 500, "500", "500") // this shouldn't happen...?
log.Error().Str("func", fn).Str("rkey", rKey).Msg("corresponding image not found in database! Do you have multiple tabs/windows open? If not, email <a href="mailto:staff@urls.is">staff</a> please.")
errThrow(c, 500, "500", "500") // Might have two windows open and deleted it.. otherwise look for permission errors, etc.
return
}
err := imgDB.Delete([]byte(finalTarget[1]))
if err != nil {
log.Error().Str("func", fn).Str("rkey", finalTarget[1]).Msg("delete failed!")
errThrow(c, 500, "500", "500")
log.Error().Str("func", fn).Str("rkey", finalTarget[1]).Msg("delete failed! Did you already delete it? email <a href="mailto:staff@urls.is">staff</a> for support issues.")
errThrow(c, 500, "500", "500") // Check permissions, hd space, tx/rx errors..
return
}
if imgDB.Has([]byte(finalTarget[1])) {
log.Error().Str("func", fn).Str("rkey", finalTarget[1]).Msg("delete failed!?")
log.Error().Str("func", fn).Str("rkey", finalTarget[1]).Msg("delete failed!? Did you already delete it? email <a href="mailto:staff@urls.is">staff</a> for support issues.")
errThrow(c, 500, "500", "500")
return
}
@ -77,11 +77,12 @@ func imgDel(c *gin.Context) {
log.Debug().Str("func", fn).Str("rkey", finalTarget[1]).Msg("Removing delete key entry")
err = keyDB.Delete([]byte(rKey))
if err != nil {
log.Error().Str("func", fn).Str("rkey", finalTarget[1]).Msg("Couldn't delete key")
log.Error().Str("func", fn).Str("rkey", finalTarget[1]).Msg("Couldn't delete key. email <a href="mailto:staff@urls.is">support staff</a> about this ASAP.")
// it would be insane to try and delete the hash here
} // if someone is uploading this image again after del
c.JSON(200, "DELETE_SUCCESS") // and the file corresponding to the hash no longer exists
// we will delete the hash entry then and re-add then
// we will delete the hash entry then and re-add then.
// also they are likely fucking with the server.
}
func imgView(c *gin.Context) {
@ -152,7 +153,7 @@ func imgPost(c *gin.Context) {
log.Debug().Str("func", fn).Str("filename", f.Filename).Msg("[+] New upload")
file, err := f.Open()
file, err := f.Open() // Eventually replace this with hashing routine to make it browser PSK encrypted faux E2E...
if err != nil {
errThrow(c, http.StatusInternalServerError, err.Error(), "error processing file\n")
}
@ -160,8 +161,8 @@ func imgPost(c *gin.Context) {
log.Debug().Str("func", fn).Msg("verifying file is an image")
imageFormat, ok := checkImage(file)
if !ok {
errThrow(c, http.StatusBadRequest, "400", "input does not appear to be an image")
return
errThrow(c, http.StatusBadRequest, "400", "input does not appear to be an image. you will be rate limited if this keeps happening.")
return // add counter function and start rate limiting eventually.
} else {
log.Debug().Str("func", fn).Msg("image file type detected")
}
@ -195,8 +196,8 @@ func imgPost(c *gin.Context) {
log.Debug().Str("func", fn).Str("ogUid", ogUid).Msg("duplicate checksum in hash database, checking if file still exists...")
if imgDB.Has(imgRef) {
log.Debug().Str("func", fn).Str("ogUid", ogUid).Msg("duplicate file found! returning original URL")
postUpload(c, ogUid, "nil") // they weren't the original uploader so they don't get a delete key
return
postUpload(c, ogUid, "nil") // they weren't the original uploader so they don't get a delete key for now.
return // ENHANCEMENT: Needs to hash the file with session and/or epoch of time uploaded.
} else {
log.Debug().Str("func", fn).Str("ogUid", ogUid).Msg("stale hash found, deleting entry...")
hashDB.Delete(hash)
@ -235,6 +236,7 @@ func imgPost(c *gin.Context) {
}
log.Debug().Str("func", fn).Str("uid", uid).Msg("saved to database successfully, sending to postUpload")
// Make tick for metrics without getting all sketchy on privacy.
postUpload(c, uid, key)
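Review bot: The duplicate-checksum branch in the `-195,8 +196,8` hunk still answers a re-upload with `postUpload(c, ogUid, "nil")`, so the unsalted content hash keeps acting as a lookup key that tells any uploader whether that exact file is already stored — the privacy concern the commit description raises is deferred to the `ENHANCEMENT` comment rather than addressed. Until the hash is mixed with the session and/or upload epoch as the description proposes, a smaller step is to let every upload take the fresh `uid` path regardless of a `hashDB` hit and keep the hash table as internal storage bookkeeping that never changes the response, since a response that differs by prior existence is what leaks. Separately, the new string `"input does not appear to be an image. you will be rate limited if this keeps happening."` promises enforcement that the next line's comment says does not exist yet; keeping the user-facing text neutral until the counter lands avoids advertising a control that is not there. imgPost begins and ends outside these hunks.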