mirror of
https://gitlab.com/timvisee/send.git
synced 2025-12-07 22:50:53 +03:00
Begin implementing a reporting mechanism
This commit is contained in:
Danny Coates
@@ -6,7 +6,7 @@ module.exports = async function(req, res) {
|
||||
const id = req.params.id;
|
||||
const meta = req.meta;
|
||||
const ttl = await storage.ttl(id);
|
||||
await storage.del(id);
|
||||
await storage.kill(id);
|
||||
res.sendStatus(200);
|
||||
statDeleteEvent({
|
||||
id,
|
||||
|
||||
@@ -7,6 +7,9 @@ module.exports = async function(req, res) {
|
||||
const id = req.params.id;
|
||||
try {
|
||||
const meta = req.meta;
|
||||
if (meta.dead || meta.flagged) {
|
||||
return res.sendStatus(404);
|
||||
}
|
||||
const fileStream = await storage.get(id);
|
||||
let cancelled = false;
|
||||
|
||||
@@ -33,7 +36,7 @@ module.exports = async function(req, res) {
|
||||
});
|
||||
try {
|
||||
if (dl >= dlimit) {
|
||||
await storage.del(id);
|
||||
await storage.kill(id);
|
||||
} else {
|
||||
await storage.incrementField(id, 'dl');
|
||||
}
|
||||
|
||||
@@ -3,6 +3,9 @@ const storage = require('../storage');
|
||||
module.exports = async (req, res) => {
|
||||
try {
|
||||
const meta = await storage.metadata(req.params.id);
|
||||
if (!meta || meta.dead) {
|
||||
return res.sendStatus(404);
|
||||
}
|
||||
res.set('WWW-Authenticate', `send-v1 ${meta.nonce}`);
|
||||
res.send({
|
||||
requiresPassword: meta.pwd
|
||||
|
||||
@@ -32,55 +32,57 @@ module.exports = function(app) {
|
||||
});
|
||||
if (!IS_DEV) {
|
||||
let csp = {
|
||||
directives: {
|
||||
defaultSrc: ["'self'"],
|
||||
connectSrc: [
|
||||
"'self'",
|
||||
'wss://*.dev.lcip.org',
|
||||
'wss://*.send.nonprod.cloudops.mozgcp.net',
|
||||
config.base_url.replace(/^https:\/\//, 'wss://'),
|
||||
'https://*.dev.lcip.org',
|
||||
'https://accounts.firefox.com',
|
||||
'https://*.accounts.firefox.com',
|
||||
'https://sentry.prod.mozaws.net'
|
||||
],
|
||||
imgSrc: [
|
||||
"'self'",
|
||||
'https://*.dev.lcip.org',
|
||||
'https://firefoxusercontent.com',
|
||||
'https://secure.gravatar.com'
|
||||
],
|
||||
scriptSrc: [
|
||||
"'self'",
|
||||
function(req) {
|
||||
return `'nonce-${req.cspNonce}'`;
|
||||
}
|
||||
],
|
||||
formAction: ["'none'"],
|
||||
frameAncestors: ["'none'"],
|
||||
objectSrc: ["'none'"],
|
||||
reportUri: '/__cspreport__'
|
||||
}
|
||||
directives: {
|
||||
defaultSrc: ["'self'"],
|
||||
connectSrc: [
|
||||
"'self'",
|
||||
config.base_url.replace(/^https:\/\//, 'wss://')
|
||||
],
|
||||
imgSrc: ["'self'"],
|
||||
scriptSrc: [
|
||||
"'self'",
|
||||
function(req) {
|
||||
return `'nonce-${req.cspNonce}'`;
|
||||
}
|
||||
],
|
||||
formAction: ["'none'"],
|
||||
frameAncestors: ["'none'"],
|
||||
objectSrc: ["'none'"],
|
||||
reportUri: '/__cspreport__'
|
||||
}
|
||||
|
||||
csp.directives.connectSrc.push(config.base_url.replace(/^https:\/\//,'wss://'))
|
||||
if(config.fxa_csp_oauth_url != ""){
|
||||
csp.directives.connectSrc.push(config.fxa_csp_oauth_url)
|
||||
};
|
||||
if (config.fxa_client_id) {
|
||||
csp.directives.connectSrc.push('https://accounts.firefox.com');
|
||||
csp.directives.connectSrc.push('https://*.accounts.firefox.com');
|
||||
csp.directives.imgSrc.push('https://firefoxusercontent.com');
|
||||
csp.directives.imgSrc.push('https://secure.gravatar.com');
|
||||
}
|
||||
if(config.fxa_csp_content_url != "" ){
|
||||
csp.directives.connectSrc.push(config.fxa_csp_content_url)
|
||||
if (config.sentry_id) {
|
||||
csp.directives.connectSrc.push(config.sentry_host);
|
||||
}
|
||||
if(config.fxa_csp_profile_url != "" ){
|
||||
csp.directives.connectSrc.push(config.fxa_csp_profile_url)
|
||||
if (
|
||||
config.base_url.test(/^https:\/\/.*\.dev\.lcip\.org$/) ||
|
||||
config.base_url.test(
|
||||
/^https:\/\/.*\.send\.nonprod\.cloudops\.mozgcp\.net$/
|
||||
)
|
||||
) {
|
||||
csp.directives.connectSrc.push('https://*.dev.lcip.org');
|
||||
csp.directives.imgSrc.push('https://*.dev.lcip.org');
|
||||
}
|
||||
if(config.fxa_csp_profileimage_url != ""){
|
||||
csp.directives.imgSrc.push(config.fxa_csp_profileimage_url)
|
||||
if (config.fxa_csp_oauth_url != '') {
|
||||
csp.directives.connectSrc.push(config.fxa_csp_oauth_url);
|
||||
}
|
||||
if (config.fxa_csp_content_url != '') {
|
||||
csp.directives.connectSrc.push(config.fxa_csp_content_url);
|
||||
}
|
||||
if (config.fxa_csp_profile_url != '') {
|
||||
csp.directives.connectSrc.push(config.fxa_csp_profile_url);
|
||||
}
|
||||
if (config.fxa_csp_profileimage_url != '') {
|
||||
csp.directives.imgSrc.push(config.fxa_csp_profileimage_url);
|
||||
}
|
||||
|
||||
|
||||
app.use(
|
||||
helmet.contentSecurityPolicy(csp)
|
||||
);
|
||||
app.use(helmet.contentSecurityPolicy(csp));
|
||||
}
|
||||
|
||||
app.use(function(req, res, next) {
|
||||
@@ -101,6 +103,7 @@ module.exports = function(app) {
|
||||
app.get('/oauth', language, pages.blank);
|
||||
app.get('/legal', language, pages.legal);
|
||||
app.get('/login', language, pages.index);
|
||||
app.get('/report', language, pages.blank);
|
||||
app.get('/app.webmanifest', language, require('./webmanifest'));
|
||||
app.get(`/download/:id${ID_REGEX}`, language, pages.download);
|
||||
app.get('/unsupported/:reason', language, pages.unsupported);
|
||||
@@ -124,6 +127,7 @@ module.exports = function(app) {
|
||||
require('./params')
|
||||
);
|
||||
app.post(`/api/info/:id${ID_REGEX}`, auth.owner, require('./info'));
|
||||
app.post(`/api/report/:id${ID_REGEX}`, require('./report'));
|
||||
app.post('/api/metrics', require('./metrics'));
|
||||
app.get('/__version__', function(req, res) {
|
||||
// eslint-disable-next-line node/no-missing-require
|
||||
|
||||
@@ -4,9 +4,13 @@ module.exports = async function(req, res) {
|
||||
const id = req.params.id;
|
||||
const meta = req.meta;
|
||||
try {
|
||||
if (meta.dead && !meta.flagged) {
|
||||
return res.sendStatus(404);
|
||||
}
|
||||
const ttl = await storage.ttl(id);
|
||||
res.send({
|
||||
metadata: meta.metadata,
|
||||
flagged: !!meta.flagged,
|
||||
finalDownload: meta.dl + 1 === meta.dlimit,
|
||||
ttl
|
||||
});
|
||||
|
||||
@@ -23,14 +23,17 @@ module.exports = {
|
||||
const id = req.params.id;
|
||||
const appState = await state(req);
|
||||
try {
|
||||
const { nonce, pwd } = await storage.metadata(id);
|
||||
const { nonce, pwd, dead, flagged } = await storage.metadata(id);
|
||||
if (dead && !flagged) {
|
||||
return next();
|
||||
}
|
||||
res.set('WWW-Authenticate', `send-v1 ${nonce}`);
|
||||
res.send(
|
||||
stripEvents(
|
||||
routes().toString(
|
||||
`/download/${id}`,
|
||||
Object.assign(appState, {
|
||||
downloadMetadata: { nonce, pwd }
|
||||
downloadMetadata: { nonce, pwd, flagged }
|
||||
})
|
||||
)
|
||||
)
|
||||
|
||||
39
server/routes/report.js
Normal file
39
server/routes/report.js
Normal file
@@ -0,0 +1,39 @@
|
||||
const storage = require('../storage');
|
||||
const Keychain = require('../keychain');
|
||||
const { statReportEvent } = require('../amplitude');
|
||||
|
||||
module.exports = async function(req, res) {
|
||||
try {
|
||||
const id = req.params.id;
|
||||
const meta = await storage.metadata(id);
|
||||
if (meta.flagged) {
|
||||
return res.sendStatus(200);
|
||||
}
|
||||
try {
|
||||
const key = req.body.key;
|
||||
const keychain = new Keychain(key);
|
||||
const metadata = await keychain.decryptMetadata(
|
||||
Buffer.from(meta.metadata, 'base64')
|
||||
);
|
||||
if (metadata.manifest) {
|
||||
storage.flag(id, key);
|
||||
statReportEvent({
|
||||
id,
|
||||
ip: req.ip,
|
||||
owner: meta.owner,
|
||||
reason: req.body.reason,
|
||||
download_limit: meta.dlimit,
|
||||
download_count: meta.dl,
|
||||
agent: req.ua.browser.name || req.ua.ua.substring(0, 6)
|
||||
});
|
||||
return res.sendStatus(200);
|
||||
}
|
||||
res.sendStatus(400);
|
||||
} catch (e) {
|
||||
console.error(e);
|
||||
res.sendStatus(400);
|
||||
}
|
||||
} catch (e) {
|
||||
res.sendStatus(404);
|
||||
}
|
||||
};
|
||||
Reference in New Issue
Block a user