package rushlink import ( "crypto/subtle" "encoding/base64" "fmt" "io" "log" "mime/multipart" "net/http" "net/url" "os" "time" "github.com/google/uuid" "github.com/gorilla/mux" "github.com/pkg/errors" bolt "go.etcd.io/bbolt" ) type viewPaste uint const ( _ viewPaste = 1 << iota viewNoRedirect viewShowMeta ) const CookieDeleteToken = "owner_token" // These keys are designated reserved, and will not be randomly chosen var ReservedPasteKeys = []string{"xd42", "example"} // Base64 encoding and decoding var base64Alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_" var base64Encoder = base64.RawURLEncoding.WithPadding(base64.NoPadding) func indexGetHandler(w http.ResponseWriter, r *http.Request) { render(w, r, "index", map[string]interface{}{}) } func uploadFileGetHandler(w http.ResponseWriter, r *http.Request) { vars := mux.Vars(r) id := vars["id"] var fu *fileUpload var badID bool if err := DB.View(func(tx *bolt.Tx) error { fuID, err := uuid.Parse(id) if err != nil { badID = true return err } fu, err = getFileUpload(tx, fuID) return err }); err != nil { if badID { renderError(w, r, http.StatusNotFound, "malformed file id") return } else { panic(err) } } filePath := fileStorePath(fu.ID, fu.FileName) file, err := os.Open(filePath) if err != nil { if os.IsNotExist(err) { log.Printf("error: %v should exist according to the database, but it doesn't", filePath) renderError(w, r, http.StatusNotFound, "file not found") return } else { panic(err) } } w.Header().Set("Content-Type", fu.ContentType) io.Copy(w, file) } func viewPasteHandler(w http.ResponseWriter, r *http.Request) { viewPasteHandlerInner(w, r, 0) } func viewPasteHandlerNoRedirect(w http.ResponseWriter, r *http.Request) { viewPasteHandlerInner(w, r, viewNoRedirect) } func viewPasteHandlerMeta(w http.ResponseWriter, r *http.Request) { viewPasteHandlerInner(w, r, viewShowMeta) } func viewPasteHandlerInner(w http.ResponseWriter, r *http.Request, flags viewPaste) { vars := mux.Vars(r) key := vars["key"] var p *paste var fuID *uuid.UUID var fu *fileUpload if err := DB.View(func(tx *bolt.Tx) error { var err error p, err = getPaste(tx, key) if err != nil { return err } if p != nil && p.Type == pasteTypeFileUpload { var id uuid.UUID copy(id[:], p.Content) fuID = &id fu, err = getFileUpload(tx, id) if err != nil { return err } } return nil }); err != nil { panic(err) } if p == nil { renderError(w, r, http.StatusNotFound, "url key not found in the database") return } if flags&viewShowMeta != 0 { canDelete := struct { Bool bool String string }{Bool: false} deleteToken := getDeleteTokenFromRequest(r) if deleteToken == "" { canDelete.String = "undefined" } else { if subtle.ConstantTimeCompare([]byte(deleteToken), []byte(p.DeleteToken)) == 1 { canDelete.Bool = true canDelete.String = "correct" } else { canDelete.String = "invalid" } } data := map[string]interface{}{ "Paste": p, "CanDelete": canDelete, } render(w, r, "pasteMeta", data) return } switch p.State { case pasteStatePresent: var location string switch p.Type { case pasteTypeFileUpload: if fu == nil { panic(fmt.Sprintf("file for id %v does not exist in database\n", fuID)) } location = fu.url().String() break case pasteTypeRedirect: location = p.redirectURL().String() break default: panic("paste type unsupported") } if flags&viewNoRedirect == 0 { http.Redirect(w, r, location, http.StatusSeeOther) } fmt.Fprint(w, location) case pasteStateDeleted: renderError(w, r, http.StatusGone, "paste has been deleted\n") default: panic(errors.Errorf("invalid paste.State (%v) for key '%v'", p.State, p.Key)) } } func newPasteHandler(w http.ResponseWriter, r *http.Request) { newPasteHandlerMultipart(w, r, func(w http.ResponseWriter, r *http.Request) { newPasteHandlerURLEncoded(w, r, func(w http.ResponseWriter, r *http.Request) { renderError(w, r, http.StatusBadRequest, "no form data in request\n") }) }) } // Try to parse the new-paste request as multi-part form. // // If there is no multi-part form in the request, this handler will call next. func newPasteHandlerMultipart(w http.ResponseWriter, r *http.Request, next http.HandlerFunc) { reader, err := r.MultipartReader() if err != nil { next(w, r) return } part, err := reader.NextPart() if err != nil { if err == io.EOF { renderError(w, r, http.StatusBadRequest, "multipart form is empty\n") return } panic(errors.Wrap(err, "multipart.Reader.NextPart")) } if part.FormName() != "file" { msg := fmt.Sprintf("invalid multipart form name: %v", part.FormName()) renderError(w, r, http.StatusBadRequest, msg) return } newFileUploadPasteHandler(w, r, *part) } func newFileUploadPasteHandler(w http.ResponseWriter, r *http.Request, part multipart.Part) { var fu *fileUpload var paste *paste if err := DB.Update(func(tx *bolt.Tx) error { var err error // Create the fileUpload in the database fu, err = newFileUpload(tx, &part, part.FileName(), part.Header.Get("Content-Type")) if err != nil { panic(errors.Wrap(err, "creating fileUpload")) } paste, err = shortenFileUploadID(tx, fu.ID) return err }); err != nil { panic(err) } data := map[string]interface{}{"Paste": paste} render(w, r, "newFileUploadPasteSuccess", data) } func newPasteHandlerURLEncoded(w http.ResponseWriter, r *http.Request, next http.HandlerFunc) { if err := r.ParseForm(); err != nil { next(w, r) return } shorten := r.PostFormValue("shorten") if shorten == "" { renderError(w, r, http.StatusBadRequest, "no 'shorten' param given\n") return } newRedirectPasteHandler(w, r, shorten) } func newRedirectPasteHandler(w http.ResponseWriter, r *http.Request, shorten string) { rawurl := r.PostForm.Get("shorten") userURL, err := url.ParseRequestURI(rawurl) if err != nil { msg := fmt.Sprintf("invalid url (%v): %v", err, rawurl) renderError(w, r, http.StatusBadRequest, msg) return } if userURL.Scheme == "" { renderError(w, r, http.StatusBadRequest, "invalid url (unspecified scheme)\n") return } if userURL.Host == "" { renderError(w, r, http.StatusBadRequest, "invalid url (unspecified host)\n") return } var paste *paste if err := DB.Update(func(tx *bolt.Tx) error { // Generate a new delete token for this paste var err error paste, err = shortenURL(tx, userURL) return err }); err != nil { panic(err) } data := map[string]interface{}{"Paste": paste} render(w, r, "newRedirectPasteSuccess", data) } // Delete a URL from the database func deletePasteHandler(w http.ResponseWriter, r *http.Request) { vars := mux.Vars(r) key := vars["key"] deleteToken := getDeleteTokenFromRequest(r) if deleteToken == "" { renderError(w, r, http.StatusBadRequest, "no delete token provided\n") return } var errorCode int if err := DB.Update(func(tx *bolt.Tx) error { p, err := getPaste(tx, key) if err != nil { errorCode = http.StatusNotFound return err } if subtle.ConstantTimeCompare([]byte(deleteToken), []byte(p.DeleteToken)) == 1 { p.delete(tx) } errorCode = http.StatusForbidden return errors.New("invalid delete token") }); err != nil { log.Printf("error: %v\n", err) renderError(w, r, errorCode, fmt.Sprintf("error: %v\n", err)) return } } // Add a new fileUpload redirect to the database // // Returns the new paste key if the fileUpload was successfully added to the // database func shortenFileUploadID(tx *bolt.Tx, id uuid.UUID) (*paste, error) { return shorten(tx, pasteTypeFileUpload, id[:]) } // Add a new URL to the database // // Returns the new paste key if the url was successfully shortened func shortenURL(tx *bolt.Tx, userURL *url.URL) (*paste, error) { return shorten(tx, pasteTypeRedirect, []byte(userURL.String())) } // Add a paste (of any kind) to the database with arbitrary content. func shorten(tx *bolt.Tx, ty pasteType, content []byte) (*paste, error) { // Generate the paste key pasteKey, err := generatePasteKey(tx) if err != nil { return nil, errors.Wrap(err, "generating paste key") } // Also generate a deleteToken deleteToken, err := generateDeleteToken() if err != nil { return nil, errors.Wrap(err, "generating delete token") } // Store the new key p := paste{ Type: ty, State: pasteStatePresent, Content: content, Key: pasteKey, DeleteToken: deleteToken, TimeCreated: time.Now().UTC(), } if err := p.save(tx); err != nil { return nil, err } return &p, nil } func getDeleteTokenFromRequest(r *http.Request) string { return r.URL.Query().Get("deleteToken") }