package rushlink import ( "crypto/subtle" "fmt" "log" "mime/multipart" "net/http" "net/url" "os" "strconv" "strings" "time" "gitea.hashru.nl/dsprenkels/rushlink/internal/db" "github.com/google/uuid" "github.com/gorilla/mux" "github.com/pkg/errors" ) const ( // formParseMaxMemory value is based on the default value that is used in // Request.ParseMultipartForm. formParseMaxMemory = 32 << 20 // 32 MB // highOnlineEntropy is the desired entropy of an "unguessable" paste URL // (in bits). It should be chosen such that it should be hard for an // attacker to find *any* key that should not be found. // It is desired that the probability to guess a good key is small. // // [ amount of pastes ] // Pr[ good key ] = --------------------------- // [ amount of possible keys ] // // So with a conservative [ amount of pastes ] = 2^32 (= 4 billion), and // an [ amount of possible keys ] = 2^80 then the probability of a correct // guess is 2^-48. highOnlineEntropy = 80 ) type viewPaste uint const ( _ viewPaste = 1 << iota viewNoRedirect viewShowMeta ) type canDelete uint const ( canDeleteUndef canDelete = iota canDeleteYes canDeleteNo ) func (cd *canDelete) Bool() bool { return *cd == canDeleteYes } func (cd *canDelete) String() string { switch *cd { case canDeleteUndef: return "undefined" case canDeleteYes: return "correct" case canDeleteNo: return "invalid" default: panic("unreachable") } } func (rl *rushlink) staticGetHandler(w http.ResponseWriter, r *http.Request) { rl.renderStatic(w, r, mux.Vars(r)["path"]) } func (rl *rushlink) indexGetHandler(w http.ResponseWriter, r *http.Request) { rl.render(w, r, http.StatusOK, "index", map[string]interface{}{}) } func (rl *rushlink) viewPasteHandler(w http.ResponseWriter, r *http.Request) { rl.viewPasteHandlerFlags(w, r, 0) } func (rl *rushlink) viewPasteHandlerNoRedirect(w http.ResponseWriter, r *http.Request) { rl.viewPasteHandlerFlags(w, r, viewNoRedirect) } func (rl *rushlink) viewPasteHandlerMeta(w http.ResponseWriter, r *http.Request) { rl.viewPasteHandlerFlags(w, r, viewShowMeta) } func (rl *rushlink) viewPasteHandlerFlags(w http.ResponseWriter, r *http.Request, flags viewPaste) { vars := mux.Vars(r) key := vars["key"] var p *db.Paste var fu *db.FileUpload var notFound bool err := rl.db.Transaction(func(tx *db.Database) error { var err error p, err = db.GetPaste(tx, key) if err != nil { return err } if p != nil && p.Type == db.PasteTypeFileUpload { var id uuid.UUID copy(id[:], p.Content) fu, err = db.GetFileUpload(tx, id) if err != nil { return err } } return nil }) if notFound { err = db.ErrPasteDoesNotExist } if err != nil { status := db.ErrHTTPStatusCode(err) if status == http.StatusInternalServerError { panic(err) } rl.renderError(w, r, status, err.Error()) return } rl.viewPasteHandlerInner(w, r, flags, p, fu) } func (rl *rushlink) viewPasteHandlerInner(w http.ResponseWriter, r *http.Request, flags viewPaste, p *db.Paste, fu *db.FileUpload) { if flags&viewShowMeta != 0 { rl.viewPasteHandlerInnerMeta(w, r, p, fu) return } switch p.State { case db.PasteStatePresent: switch p.Type { case db.PasteTypeFileUpload: if fu == nil { panic(fmt.Sprintf("file for id %v does not exist in database\n", string(p.Content))) } rl.viewFileUploadHandler(w, r, fu) return case db.PasteTypeRedirect: if flags&viewNoRedirect != 0 { w.Write([]byte(p.RedirectURL().String())) return } http.Redirect(w, r, p.RedirectURL().String(), http.StatusTemporaryRedirect) return default: panic("paste type unsupported") } case db.PasteStateDeleted: rl.renderError(w, r, http.StatusGone, "paste has been deleted\n") return default: panic(errors.Errorf("invalid paste.State (%v) for key '%v'", p.State, p.Key)) } } func (rl *rushlink) viewFileUploadHandler(w http.ResponseWriter, r *http.Request, fu *db.FileUpload) { filePath := fu.Path(rl.fs) file, err := os.Open(filePath) if err != nil { if os.IsNotExist(err) { log.Printf("error: '%v' should exist according to the database, but it doesn't", filePath) rl.renderError(w, r, http.StatusNotFound, "file not found") return } // unexpected error panic(err) } var modtime time.Time info, err := file.Stat() if err != nil { log.Printf("error: %v", errors.Wrapf(err, "could not stat file '%v'", filePath)) } else { modtime = info.ModTime() } // Provide the real filename to the client (to be used in Ctrl+S etc.) quotedName := strings.ReplaceAll(fu.FileName, "\"", "\\\"") w.Header().Set("Content-Disposition", fmt.Sprintf("inline; filename=\"%s\"", quotedName)) // We use http.ServeContent (instead of http.ServeFile) because we cannot // use http.ServeFile together with the assertion that the file exists, // without introducing a TOCTOU flaw. http.ServeContent(w, r, fu.FileName, modtime, file) } func (rl *rushlink) viewPasteHandlerInnerMeta(w http.ResponseWriter, r *http.Request, p *db.Paste, fu *db.FileUpload) { var cd canDelete deleteToken := getDeleteTokenFromRequest(r) if deleteToken != "" { if subtle.ConstantTimeCompare([]byte(deleteToken), []byte(p.DeleteToken)) == 1 { cd = canDeleteYes } else { cd = canDeleteNo } } var fileExt string if fu != nil { fileExt = fu.Ext() } data := map[string]interface{}{ "Paste": p, "FileExt": fileExt, "CanDeleteString": cd.String(), "CanDeleteBool": cd.Bool(), } var status int if p.State == db.PasteStateDeleted { status = http.StatusGone } else { status = http.StatusOK } rl.render(w, r, status, "pasteMeta", data) } func (rl *rushlink) viewActionSuccess(w http.ResponseWriter, r *http.Request, p *db.Paste, fu *db.FileUpload) { var fileExt string if fu != nil { fileExt = fu.Ext() } // Redirect to the new paste. pasteURL := url.URL{ Path: fmt.Sprintf("/%s%s/meta", p.Key, fileExt), RawQuery: fmt.Sprintf("deleteToken=%s", url.QueryEscape(p.DeleteToken)), } http.Redirect(w, r, pasteURL.String(), http.StatusFound) // But still render the page for CURL-like clients. cd := canDeleteYes data := map[string]interface{}{ "Paste": p, "FileExt": fileExt, "CanDeleteString": cd.String(), "CanDeleteBool": cd.Bool(), } rl.render(w, r, 0, "pasteMeta", data) } func (rl *rushlink) newPasteHandler(w http.ResponseWriter, r *http.Request) { // Check if the user is authenticated username, password, ok := r.BasicAuth() if !ok { // User is not authenticated, return a 401 Unauthorized response w.Header().Set("WWW-Authenticate", `Basic realm="Restricted"`) w.WriteHeader(http.StatusUnauthorized) return } // Authenticate the user user, err := db.Authenticate(rl.db, username, password) if err != nil { // Authentication failed, return a 401 Unauthorized response w.Header().Set("WWW-Authenticate", `Basic realm="Restricted"`) w.WriteHeader(http.StatusUnauthorized) return } if err := r.ParseMultipartForm(formParseMaxMemory); err != nil { msg := fmt.Sprintf("could not parse form: %v\n", err) rl.renderError(w, r, http.StatusBadRequest, msg) return } fileHeaders, fileHeadersPrs := r.MultipartForm.File["file"] shortens, shortensPrs := r.MultipartForm.Value["shorten"] if !shortensPrs && !fileHeadersPrs { rl.renderError(w, r, http.StatusBadRequest, "no 'file' and no 'shorten' fields given in form\n") return } if shortensPrs && fileHeadersPrs { rl.renderError(w, r, http.StatusBadRequest, "both 'file' and 'shorten' fields provided in form\n") return } if shortensPrs { rl.newRedirectPasteHandler(w, r, user, shortens[0]) return } if fileHeadersPrs { fileHeader := fileHeaders[0] file, err := fileHeader.Open() if err != nil { rl.renderInternalServerError(w, r, err) return } rl.newFileUploadPasteHandler(w, r, user, file, *fileHeader) return } } func (rl *rushlink) createUserHandler(w http.ResponseWriter, r *http.Request) { // Check if the user is authenticated as an admin user := rl.authenticateUser(w, r, true, nil) if user == nil { return } if err := r.ParseMultipartForm(formParseMaxMemory); err != nil { msg := fmt.Sprintf("could not parse form: %v\n", err) rl.renderError(w, r, http.StatusBadRequest, msg) return } new_username := r.FormValue("username") new_password := r.FormValue("password") new_admin, _ := strconv.ParseBool(r.FormValue("admin")) // Create the user if err := db.NewUser(rl.db, new_username, new_password, new_admin); err != nil { // Failed to create the user, return a 500 Internal Server Error response http.Error(w, "Failed to create user", http.StatusInternalServerError) return } // Return a 201 Created response w.WriteHeader(http.StatusCreated) } func (rl *rushlink) authenticateUser(w http.ResponseWriter, r *http.Request, shouldBeAdmin bool, canAlsoBe *string) *db.User { // Check if the user is authenticated username, password, ok := r.BasicAuth() if !ok { // User is not authenticated, return a 401 Unauthorized response w.Header().Set("WWW-Authenticate", `Basic realm="Restricted"`) w.WriteHeader(http.StatusUnauthorized) return nil } // Authenticate the user user, err := db.Authenticate(rl.db, username, password) if err != nil || (shouldBeAdmin && !user.Admin && (canAlsoBe == nil || *canAlsoBe != user.User)) { // Authentication failed, return a 401 Unauthorized response w.Header().Set("WWW-Authenticate", `Basic realm="Restricted"`) w.WriteHeader(http.StatusUnauthorized) return nil } return user } func (rl *rushlink) deleteUserHandler(w http.ResponseWriter, r *http.Request) { // Parse the user ID from the request URL vars := mux.Vars(r) userName := vars["user"] // Check if the user is authenticated as an admin or self user := rl.authenticateUser(w, r, true, &userName) if user == nil { return } // Delete the user if err := db.DeleteUser(rl.db, userName); err != nil { // Failed to delete the user, return a 500 Internal Server Error response http.Error(w, "Failed to delete user", http.StatusInternalServerError) return } // Return a 204 No Content response w.WriteHeader(http.StatusNoContent) } func (rl *rushlink) changeUserHandler(w http.ResponseWriter, r *http.Request) { // Parse the user ID from the request URL vars := mux.Vars(r) userName := vars["user"] // Check if the user is authenticated as an admin or self user := rl.authenticateUser(w, r, true, &userName) if user == nil { return } // Parse the request multipart form if err := r.ParseMultipartForm(formParseMaxMemory); err != nil { msg := fmt.Sprintf("could not parse form: %v\n", err) rl.renderError(w, r, http.StatusBadRequest, msg) return } // Get the user record from the database updatedUser := new(db.User) if err := rl.db.Where("user = ?", userName).First(&updatedUser).Error; err != nil { // User record not found, return a 404 Not Found response http.NotFound(w, r) return } // Get the updated user data from the form if newUsername := r.FormValue("new_username"); newUsername != "" { updatedUser.User = newUsername } if newPassword := r.FormValue("new_password"); newPassword != "" { hashedPassword, err := db.HashPassword(newPassword) if err != nil { msg := fmt.Sprintf("could not hash password: %v\n", err) rl.renderError(w, r, http.StatusInternalServerError, msg) return } updatedUser.Password = hashedPassword } if newAdminStr := r.FormValue("new_admin"); newAdminStr != "" { newAdmin, err := strconv.ParseBool(newAdminStr) if err != nil { msg := fmt.Sprintf("could not parse admin status: %v\n", err) rl.renderError(w, r, http.StatusBadRequest, msg) return } updatedUser.Admin = newAdmin } // Check if the user is trying to update their own admin status if updatedUser.Admin && !user.Admin { // User is trying to update their own admin status, return a 403 Forbidden response http.Error(w, "You do not have permission to update your own admin status", http.StatusForbidden) return } // Update the user in the database if err := db.ChangeUser(rl.db, userName, updatedUser); err != nil { // Failed to update the user, return a 500 Internal Server Error response http.Error(w, "Failed to update user", http.StatusInternalServerError) return } // Return a 200 OK response w.WriteHeader(http.StatusOK) } func (rl *rushlink) newFileUploadPasteHandler(w http.ResponseWriter, r *http.Request, user *db.User, file multipart.File, header multipart.FileHeader) { var fu *db.FileUpload var paste *db.Paste if err := rl.db.Transaction(func(tx *db.Database) error { var err error fu, err = db.NewFileUpload(rl.fs, file, user, header.Filename) if err != nil { panic(errors.Wrap(err, "creating fileUpload")) } if err := fu.Save(tx); err != nil { panic(errors.Wrap(err, "saving fileUpload in db")) } paste, err = shortenFileUploadID(tx, user, fu.PubID) return err }); err != nil { panic(err) } rl.viewActionSuccess(w, r, paste, fu) } func (rl *rushlink) newRedirectPasteHandler(w http.ResponseWriter, r *http.Request, user *db.User, rawurl string) { userURL, err := url.Parse(rawurl) if err != nil { msg := fmt.Sprintf("invalid url (%v): %v", err, rawurl) rl.renderError(w, r, http.StatusBadRequest, msg) return } if userURL.Scheme == "" { rl.renderError(w, r, http.StatusBadRequest, "invalid url (unspecified scheme)\n") return } if userURL.Host == "" { rl.renderError(w, r, http.StatusBadRequest, "invalid url (unspecified host)\n") return } var paste *db.Paste if err := rl.db.Transaction(func(tx *db.Database) error { var err error paste, err = shortenURL(tx, user, userURL) return err }); err != nil { panic(err) } rl.viewActionSuccess(w, r, paste, nil) } // Delete a URL from the database func (rl *rushlink) deletePasteHandler(w http.ResponseWriter, r *http.Request) { vars := mux.Vars(r) key := vars["key"] deleteToken := getDeleteTokenFromRequest(r) if deleteToken == "" { rl.renderError(w, r, http.StatusBadRequest, "no delete token provided\n") return } var errorCode int var paste *db.Paste if err := rl.db.Transaction(func(tx *db.Database) error { var err error paste, err = db.GetPaste(tx, key) if err != nil { errorCode = http.StatusNotFound return err } if paste.State == db.PasteStateDeleted { errorCode = http.StatusGone return errors.New("already deleted") } if subtle.ConstantTimeCompare([]byte(deleteToken), []byte(paste.DeleteToken)) == 0 { errorCode = http.StatusForbidden return errors.New("invalid delete token") } if err := paste.Delete(tx, rl.fs); err != nil { errorCode = http.StatusInternalServerError return err } return nil }); err != nil { log.Printf("error: %v\n", err) rl.renderError(w, r, errorCode, fmt.Sprintf("error: %v\n", err)) return } rl.viewActionSuccess(w, r, paste, nil) } // Add a new fileUpload redirect to the database // // Returns the new paste key if the fileUpload was successfully added to the // database func shortenFileUploadID(tx *db.Database, user *db.User, id uuid.UUID) (*db.Paste, error) { return shorten(tx, user, db.PasteTypeFileUpload, id[:]) } // Add a new URL to the database // // Returns the new paste key if the url was successfully shortened func shortenURL(tx *db.Database, user *db.User, userURL *url.URL) (*db.Paste, error) { return shorten(tx, user, db.PasteTypeRedirect, []byte(userURL.String())) } // Add a paste (of any kind) to the database with arbitrary content. func shorten(tx *db.Database, user *db.User, ty db.PasteType, content []byte) (*db.Paste, error) { // Generate the paste key var keyEntropy int if ty == db.PasteTypeFileUpload || ty == db.PasteTypePaste { keyEntropy = highOnlineEntropy } pasteKey, err := db.GeneratePasteKey(tx, keyEntropy) if err != nil { return nil, errors.Wrap(err, "generating paste key") } // Also generate a deleteToken deleteToken, err := db.GenerateDeleteToken() if err != nil { return nil, errors.Wrap(err, "generating delete token") } // Store the new key p := db.Paste{ Type: ty, State: db.PasteStatePresent, CreatedBy: user.ID, Content: content, Key: pasteKey, DeleteToken: deleteToken, } if err := p.Save(tx); err != nil { return nil, err } return &p, nil } func getDeleteTokenFromRequest(r *http.Request) string { return r.URL.Query().Get("deleteToken") }