Daniel Legt
cb026d4fd1
- Replace legacy salted password hashing with bcrypt and store hash alg - Accept existing bcrypt hashes while keeping legacy verification fallback - Validate box IDs and use SafeChildPath for box/file operations to prevent traversal - Refactor download flow to share zip writer logic and correctly handle one-time deletes and optional renew-on-download only after a successful zip writefeat(security): use bcrypt hashes and safe paths for boxes - Replace legacy salted password hashing with bcrypt and store hash alg - Accept existing bcrypt hashes while keeping legacy verification fallback - Validate box IDs and use SafeChildPath for box/file operations to prevent traversal - Refactor download flow to share zip writer logic and correctly handle one-time deletes and optional renew-on-download only after a successful zip write
745 lines
19 KiB
Go
745 lines
19 KiB
Go
package boxstore
|
|
|
|
import (
|
|
"archive/zip"
|
|
"crypto/sha256"
|
|
"crypto/subtle"
|
|
"encoding/hex"
|
|
"encoding/json"
|
|
"fmt"
|
|
"io"
|
|
"mime"
|
|
"mime/multipart"
|
|
"net/url"
|
|
"os"
|
|
"path/filepath"
|
|
"sort"
|
|
"strings"
|
|
"sync"
|
|
"time"
|
|
|
|
"golang.org/x/crypto/bcrypt"
|
|
|
|
"warpbox/lib/helpers"
|
|
"warpbox/lib/models"
|
|
)
|
|
|
|
const (
|
|
manifestFile = ".warpbox.json"
|
|
|
|
OneTimeDownloadRetentionKey = "one-time"
|
|
)
|
|
|
|
var (
|
|
uploadRoot = filepath.Join("data", "uploads")
|
|
manifestMu sync.Mutex
|
|
)
|
|
|
|
var retentionOptions = []models.RetentionOption{
|
|
{Key: "10s", Label: "10 seconds", Seconds: 10},
|
|
{Key: "10m", Label: "10 minutes", Seconds: 10 * 60},
|
|
{Key: "1h", Label: "1 hour", Seconds: 60 * 60},
|
|
{Key: "12h", Label: "12 hours", Seconds: 12 * 60 * 60},
|
|
{Key: "24h", Label: "24 hours", Seconds: 24 * 60 * 60},
|
|
{Key: "48h", Label: "48 hours", Seconds: 48 * 60 * 60},
|
|
{Key: OneTimeDownloadRetentionKey, Label: "One time download", Seconds: 0},
|
|
}
|
|
|
|
func NewBoxID() (string, error) {
|
|
return helpers.RandomHexID(16)
|
|
}
|
|
|
|
func ValidBoxID(boxID string) bool {
|
|
return helpers.ValidLowerHexID(boxID, 32)
|
|
}
|
|
|
|
func RetentionOptions() []models.RetentionOption {
|
|
options := make([]models.RetentionOption, len(retentionOptions))
|
|
copy(options, retentionOptions)
|
|
return options
|
|
}
|
|
|
|
func DefaultRetentionOption() models.RetentionOption {
|
|
return retentionOptions[0]
|
|
}
|
|
|
|
func SetUploadRoot(path string) {
|
|
if path == "" {
|
|
return
|
|
}
|
|
uploadRoot = filepath.Clean(path)
|
|
}
|
|
|
|
func UploadRoot() string {
|
|
return uploadRoot
|
|
}
|
|
|
|
func BoxPath(boxID string) string {
|
|
return filepath.Join(uploadRoot, boxID)
|
|
}
|
|
|
|
func safeBoxPath(boxID string) (string, bool) {
|
|
if !ValidBoxID(boxID) {
|
|
return "", false
|
|
}
|
|
return helpers.SafeChildPath(uploadRoot, boxID)
|
|
}
|
|
|
|
func ManifestPath(boxID string) string {
|
|
return filepath.Join(BoxPath(boxID), manifestFile)
|
|
}
|
|
|
|
func SafeBoxFilePath(boxID string, filename string) (string, bool) {
|
|
boxPath, ok := safeBoxPath(boxID)
|
|
if !ok {
|
|
return "", false
|
|
}
|
|
return helpers.SafeChildPath(boxPath, filename)
|
|
}
|
|
|
|
func IsSafeRegularBoxFile(boxID string, filename string) bool {
|
|
path, ok := SafeBoxFilePath(boxID, filename)
|
|
if !ok {
|
|
return false
|
|
}
|
|
return ensureRegularFile(path) == nil
|
|
}
|
|
|
|
func DeleteBox(boxID string) error {
|
|
boxPath, ok := safeBoxPath(boxID)
|
|
if !ok {
|
|
return fmt.Errorf("Invalid box id")
|
|
}
|
|
return os.RemoveAll(boxPath)
|
|
}
|
|
|
|
func ListBoxSummaries() ([]models.BoxSummary, error) {
|
|
entries, err := os.ReadDir(uploadRoot)
|
|
if err != nil {
|
|
if os.IsNotExist(err) {
|
|
return nil, nil
|
|
}
|
|
return nil, err
|
|
}
|
|
|
|
summaries := make([]models.BoxSummary, 0, len(entries))
|
|
for _, entry := range entries {
|
|
if !entry.IsDir() || !ValidBoxID(entry.Name()) {
|
|
continue
|
|
}
|
|
|
|
summary, err := BoxSummary(entry.Name())
|
|
if err != nil {
|
|
continue
|
|
}
|
|
summaries = append(summaries, summary)
|
|
}
|
|
|
|
sort.Slice(summaries, func(i int, j int) bool {
|
|
return summaries[i].CreatedAt.After(summaries[j].CreatedAt)
|
|
})
|
|
return summaries, nil
|
|
}
|
|
|
|
func BoxSummary(boxID string) (models.BoxSummary, error) {
|
|
files, err := ListFiles(boxID)
|
|
if err != nil {
|
|
return models.BoxSummary{}, err
|
|
}
|
|
|
|
var manifest models.BoxManifest
|
|
hasManifest := false
|
|
if readManifest, err := ReadManifest(boxID); err == nil {
|
|
manifest = readManifest
|
|
hasManifest = true
|
|
}
|
|
|
|
totalSize := int64(0)
|
|
for _, file := range files {
|
|
totalSize += file.Size
|
|
}
|
|
|
|
summary := models.BoxSummary{
|
|
ID: boxID,
|
|
FileCount: len(files),
|
|
TotalSize: totalSize,
|
|
TotalSizeLabel: helpers.FormatBytes(totalSize),
|
|
}
|
|
if hasManifest {
|
|
summary.CreatedAt = manifest.CreatedAt
|
|
summary.ExpiresAt = manifest.ExpiresAt
|
|
summary.Expired = IsExpired(manifest)
|
|
summary.OneTimeDownload = manifest.OneTimeDownload
|
|
summary.PasswordProtected = IsPasswordProtected(manifest)
|
|
} else if info, err := os.Stat(BoxPath(boxID)); err == nil {
|
|
summary.CreatedAt = info.ModTime().UTC()
|
|
}
|
|
|
|
return summary, nil
|
|
}
|
|
|
|
func ListFiles(boxID string) ([]models.BoxFile, error) {
|
|
if manifest, err := reconcileManifest(boxID); err == nil && len(manifest.Files) > 0 {
|
|
files := make([]models.BoxFile, 0, len(manifest.Files))
|
|
for _, file := range manifest.Files {
|
|
files = append(files, DecorateFile(boxID, file))
|
|
}
|
|
|
|
return files, nil
|
|
}
|
|
|
|
return listCompletedFilesFromDisk(boxID)
|
|
}
|
|
|
|
func CreateManifest(boxID string, request models.CreateBoxRequest) ([]models.BoxFile, error) {
|
|
retention := normalizeRetentionOption(request.RetentionKey)
|
|
usedNames := make(map[string]int, len(request.Files))
|
|
files := make([]models.BoxFile, 0, len(request.Files))
|
|
|
|
for _, fileRequest := range request.Files {
|
|
filename, ok := helpers.SafeFilename(fileRequest.Name)
|
|
if !ok {
|
|
return nil, fmt.Errorf("Invalid filename")
|
|
}
|
|
|
|
filename = helpers.UniqueNameInBatch(filename, usedNames)
|
|
fileID, err := helpers.RandomHexID(8)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("Could not create file id")
|
|
}
|
|
|
|
mimeType := mime.TypeByExtension(strings.ToLower(filepath.Ext(filename)))
|
|
if mimeType == "" {
|
|
mimeType = "application/octet-stream"
|
|
}
|
|
|
|
files = append(files, models.BoxFile{
|
|
ID: fileID,
|
|
Name: filename,
|
|
Size: fileRequest.Size,
|
|
MimeType: mimeType,
|
|
Status: models.FileStatusWait,
|
|
})
|
|
}
|
|
|
|
now := time.Now().UTC()
|
|
disableZip := false
|
|
if request.AllowZip != nil {
|
|
disableZip = !*request.AllowZip
|
|
}
|
|
oneTimeDownload := retention.Key == OneTimeDownloadRetentionKey
|
|
if oneTimeDownload {
|
|
disableZip = false
|
|
}
|
|
|
|
manifest := models.BoxManifest{
|
|
Files: files,
|
|
CreatedAt: now,
|
|
RetentionKey: retention.Key,
|
|
RetentionLabel: retention.Label,
|
|
RetentionSecs: retention.Seconds,
|
|
DisableZip: disableZip,
|
|
OneTimeDownload: oneTimeDownload,
|
|
}
|
|
|
|
if password := strings.TrimSpace(request.Password); password != "" {
|
|
authToken, err := helpers.RandomHexID(16)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("Could not secure upload box")
|
|
}
|
|
passwordHash, err := bcrypt.GenerateFromPassword([]byte(password), bcrypt.DefaultCost)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("Could not secure upload box")
|
|
}
|
|
|
|
manifest.PasswordHash = string(passwordHash)
|
|
manifest.PasswordHashAlg = "bcrypt"
|
|
manifest.AuthToken = authToken
|
|
}
|
|
|
|
if err := WriteManifest(boxID, manifest); err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
decoratedFiles := make([]models.BoxFile, 0, len(files))
|
|
for _, file := range files {
|
|
decoratedFiles = append(decoratedFiles, DecorateFile(boxID, file))
|
|
}
|
|
|
|
return decoratedFiles, nil
|
|
}
|
|
|
|
func IsExpired(manifest models.BoxManifest) bool {
|
|
return !manifest.ExpiresAt.IsZero() && time.Now().UTC().After(manifest.ExpiresAt)
|
|
}
|
|
|
|
func IsPasswordProtected(manifest models.BoxManifest) bool {
|
|
return manifest.PasswordHash != "" && manifest.AuthToken != ""
|
|
}
|
|
|
|
func VerifyPassword(manifest models.BoxManifest, password string) bool {
|
|
if !IsPasswordProtected(manifest) {
|
|
return true
|
|
}
|
|
|
|
expected := manifest.PasswordHash
|
|
if manifest.PasswordHashAlg == "bcrypt" || strings.HasPrefix(expected, "$2") {
|
|
return bcrypt.CompareHashAndPassword([]byte(expected), []byte(password)) == nil
|
|
}
|
|
|
|
actual := legacyPasswordHash(manifest.PasswordSalt, password)
|
|
return subtle.ConstantTimeCompare([]byte(expected), []byte(actual)) == 1
|
|
}
|
|
|
|
func VerifyAuthToken(manifest models.BoxManifest, token string) bool {
|
|
if !IsPasswordProtected(manifest) {
|
|
return true
|
|
}
|
|
|
|
if token == "" {
|
|
return false
|
|
}
|
|
|
|
return subtle.ConstantTimeCompare([]byte(manifest.AuthToken), []byte(token)) == 1
|
|
}
|
|
|
|
func MarkFileStatus(boxID string, fileID string, status string) (models.BoxFile, error) {
|
|
if status != models.FileStatusWait && status != models.FileStatusWork && status != models.FileStatusReady && status != models.FileStatusFailed {
|
|
return models.BoxFile{}, fmt.Errorf("Invalid file status")
|
|
}
|
|
|
|
manifestMu.Lock()
|
|
defer manifestMu.Unlock()
|
|
|
|
manifest, err := readManifestUnlocked(boxID)
|
|
if err != nil {
|
|
return models.BoxFile{}, err
|
|
}
|
|
|
|
for index, file := range manifest.Files {
|
|
if file.ID != fileID {
|
|
continue
|
|
}
|
|
|
|
manifest.Files[index].Status = status
|
|
startRetentionIfTerminalUnlocked(&manifest)
|
|
if err := writeManifestUnlocked(boxID, manifest); err != nil {
|
|
return models.BoxFile{}, err
|
|
}
|
|
|
|
return DecorateFile(boxID, manifest.Files[index]), nil
|
|
}
|
|
|
|
return models.BoxFile{}, fmt.Errorf("File not found")
|
|
}
|
|
|
|
func ReadManifest(boxID string) (models.BoxManifest, error) {
|
|
manifestMu.Lock()
|
|
defer manifestMu.Unlock()
|
|
|
|
return readManifestUnlocked(boxID)
|
|
}
|
|
|
|
func WriteManifest(boxID string, manifest models.BoxManifest) error {
|
|
manifestMu.Lock()
|
|
defer manifestMu.Unlock()
|
|
|
|
return writeManifestUnlocked(boxID, manifest)
|
|
}
|
|
|
|
func RenewManifest(boxID string, seconds int64) (models.BoxManifest, error) {
|
|
manifestMu.Lock()
|
|
defer manifestMu.Unlock()
|
|
|
|
manifest, err := readManifestUnlocked(boxID)
|
|
if err != nil {
|
|
return manifest, err
|
|
}
|
|
if seconds <= 0 || manifest.OneTimeDownload || manifest.ExpiresAt.IsZero() {
|
|
return manifest, nil
|
|
}
|
|
manifest.ExpiresAt = time.Now().UTC().Add(time.Duration(seconds) * time.Second)
|
|
return manifest, writeManifestUnlocked(boxID, manifest)
|
|
}
|
|
|
|
func AddFileToZip(zipWriter *zip.Writer, boxID string, filename string) error {
|
|
path, ok := SafeBoxFilePath(boxID, filename)
|
|
if !ok {
|
|
return fmt.Errorf("Invalid file")
|
|
}
|
|
if err := ensureRegularFile(path); err != nil {
|
|
return err
|
|
}
|
|
zipName, ok := safeZipEntryName(filename)
|
|
if !ok {
|
|
return fmt.Errorf("Invalid zip entry")
|
|
}
|
|
|
|
source, err := os.Open(path)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
defer source.Close()
|
|
|
|
destination, err := zipWriter.Create(zipName)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
_, err = io.Copy(destination, source)
|
|
return err
|
|
}
|
|
|
|
func SaveManifestUpload(boxID string, fileID string, file *multipart.FileHeader) (models.BoxFile, error) {
|
|
manifestMu.Lock()
|
|
defer manifestMu.Unlock()
|
|
|
|
manifest, err := readManifestUnlocked(boxID)
|
|
if err != nil {
|
|
return models.BoxFile{}, err
|
|
}
|
|
if IsExpired(manifest) {
|
|
return models.BoxFile{}, fmt.Errorf("Box expired")
|
|
}
|
|
|
|
fileIndex := -1
|
|
for index, manifestFile := range manifest.Files {
|
|
if manifestFile.ID == fileID {
|
|
fileIndex = index
|
|
break
|
|
}
|
|
}
|
|
|
|
if fileIndex < 0 {
|
|
return models.BoxFile{}, fmt.Errorf("File not found")
|
|
}
|
|
|
|
filename := manifest.Files[fileIndex].Name
|
|
if err := os.MkdirAll(BoxPath(boxID), 0755); err != nil {
|
|
return models.BoxFile{}, fmt.Errorf("Could not prepare upload box")
|
|
}
|
|
|
|
destination, ok := SafeBoxFilePath(boxID, filename)
|
|
if !ok {
|
|
return models.BoxFile{}, fmt.Errorf("Invalid filename")
|
|
}
|
|
if err := saveMultipartFile(file, destination); err != nil {
|
|
manifest.Files[fileIndex].Status = models.FileStatusFailed
|
|
startRetentionIfTerminalUnlocked(&manifest)
|
|
writeManifestUnlocked(boxID, manifest)
|
|
return models.BoxFile{}, fmt.Errorf("Could not save uploaded file")
|
|
}
|
|
|
|
manifest.Files[fileIndex].Size = file.Size
|
|
manifest.Files[fileIndex].MimeType = helpers.MimeTypeForFile(destination, filename)
|
|
manifest.Files[fileIndex].Status = models.FileStatusReady
|
|
startRetentionIfTerminalUnlocked(&manifest)
|
|
if err := writeManifestUnlocked(boxID, manifest); err != nil {
|
|
return models.BoxFile{}, err
|
|
}
|
|
|
|
return DecorateFile(boxID, manifest.Files[fileIndex]), nil
|
|
}
|
|
|
|
func SaveUpload(boxID string, file *multipart.FileHeader) (models.BoxFile, error) {
|
|
filename, ok := helpers.SafeFilename(file.Filename)
|
|
if !ok {
|
|
return models.BoxFile{}, fmt.Errorf("Invalid filename")
|
|
}
|
|
|
|
boxPath := BoxPath(boxID)
|
|
if err := os.MkdirAll(boxPath, 0755); err != nil {
|
|
return models.BoxFile{}, fmt.Errorf("Could not prepare upload box")
|
|
}
|
|
|
|
filename = helpers.UniqueFilename(boxPath, filename)
|
|
destination, ok := SafeBoxFilePath(boxID, filename)
|
|
if !ok {
|
|
return models.BoxFile{}, fmt.Errorf("Invalid filename")
|
|
}
|
|
if err := saveMultipartFile(file, destination); err != nil {
|
|
return models.BoxFile{}, fmt.Errorf("Could not save uploaded file")
|
|
}
|
|
|
|
return DecorateFile(boxID, models.BoxFile{
|
|
ID: filename,
|
|
Name: filename,
|
|
Size: file.Size,
|
|
MimeType: helpers.MimeTypeForFile(destination, filename),
|
|
Status: models.FileStatusReady,
|
|
}), nil
|
|
}
|
|
|
|
func DecorateFile(boxID string, file models.BoxFile) models.BoxFile {
|
|
if file.MimeType == "" {
|
|
if path, ok := SafeBoxFilePath(boxID, file.Name); ok {
|
|
file.MimeType = helpers.MimeTypeForFile(path, file.Name)
|
|
}
|
|
}
|
|
|
|
if file.SizeLabel == "" {
|
|
file.SizeLabel = helpers.FormatBytes(file.Size)
|
|
}
|
|
|
|
file.IconPath = IconForMimeType(file.MimeType, file.Name)
|
|
if file.ThumbnailPath != nil {
|
|
file.ThumbnailURL = *file.ThumbnailPath
|
|
}
|
|
file.DownloadPath = "/box/" + boxID + "/files/" + url.PathEscape(file.Name)
|
|
file.UploadPath = "/box/" + boxID + "/files/" + url.PathEscape(file.ID) + "/upload"
|
|
file.IsComplete = file.Status == models.FileStatusReady
|
|
|
|
switch file.Status {
|
|
case models.FileStatusReady:
|
|
file.StatusLabel = "Ready"
|
|
file.Title = "Download " + file.Name
|
|
case models.FileStatusFailed:
|
|
file.StatusLabel = "Failed"
|
|
file.Title = "Failed to upload"
|
|
case models.FileStatusWork:
|
|
file.StatusLabel = "Loading"
|
|
file.Title = "Loading"
|
|
default:
|
|
file.Status = models.FileStatusWait
|
|
file.StatusLabel = "Waiting"
|
|
file.Title = "Loading"
|
|
}
|
|
|
|
return file
|
|
}
|
|
|
|
func IconForMimeType(mimeType string, filename string) string {
|
|
extension := strings.ToLower(filepath.Ext(filename))
|
|
|
|
switch {
|
|
case extension == ".exe":
|
|
return "/static/img/icons/Program Files Icons - PNG/MSONSEXT.DLL_14_6-0.png"
|
|
case strings.HasPrefix(mimeType, "image/"):
|
|
return "/static/img/sprites/bitmap.png"
|
|
case strings.HasPrefix(mimeType, "video/"):
|
|
return "/static/img/icons/netshow_notransm-1.png"
|
|
case strings.HasPrefix(mimeType, "audio/"):
|
|
return "/static/img/icons/netshow_notransm-1.png"
|
|
case strings.HasPrefix(mimeType, "text/") || extension == ".md":
|
|
return "/static/img/sprites/notepad_file-1.png"
|
|
case strings.Contains(mimeType, "zip") || strings.Contains(mimeType, "compressed") || extension == ".rar" || extension == ".7z" || extension == ".tar" || extension == ".gz":
|
|
return "/static/img/icons/Windows Icons - PNG/zipfldr.dll_14_101-0.png"
|
|
case extension == ".ttf" || extension == ".otf" || extension == ".woff" || extension == ".woff2":
|
|
return "/static/img/sprites/font.png"
|
|
case extension == ".pdf":
|
|
return "/static/img/sprites/journal.png"
|
|
case extension == ".html" || extension == ".css" || extension == ".js":
|
|
return "/static/img/sprites/frame_web-0.png"
|
|
default:
|
|
return "/static/img/icons/Windows Icons - PNG/ole2.dll_14_DEFICON.png"
|
|
}
|
|
}
|
|
|
|
func reconcileManifest(boxID string) (models.BoxManifest, error) {
|
|
manifestMu.Lock()
|
|
defer manifestMu.Unlock()
|
|
|
|
manifest, err := readManifestUnlocked(boxID)
|
|
if err != nil {
|
|
return manifest, err
|
|
}
|
|
|
|
changed := false
|
|
for index, file := range manifest.Files {
|
|
path, ok := SafeBoxFilePath(boxID, file.Name)
|
|
if !ok || ensureRegularFile(path) != nil {
|
|
continue
|
|
}
|
|
info, err := os.Stat(path)
|
|
if err != nil || !info.Mode().IsRegular() {
|
|
continue
|
|
}
|
|
|
|
if file.Status == models.FileStatusReady && file.Size == info.Size() {
|
|
continue
|
|
}
|
|
|
|
// The manifest is the UI source of truth, but disk wins when an upload
|
|
// was saved and the final status write/response was interrupted.
|
|
manifest.Files[index].Size = info.Size()
|
|
manifest.Files[index].MimeType = helpers.MimeTypeForFile(path, file.Name)
|
|
manifest.Files[index].Status = models.FileStatusReady
|
|
changed = true
|
|
}
|
|
|
|
if changed {
|
|
startRetentionIfTerminalUnlocked(&manifest)
|
|
if err := writeManifestUnlocked(boxID, manifest); err != nil {
|
|
return manifest, err
|
|
}
|
|
}
|
|
|
|
return manifest, nil
|
|
}
|
|
|
|
func listCompletedFilesFromDisk(boxID string) ([]models.BoxFile, error) {
|
|
entries, err := os.ReadDir(BoxPath(boxID))
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
files := make([]models.BoxFile, 0, len(entries))
|
|
for _, entry := range entries {
|
|
if entry.IsDir() || entry.Name() == manifestFile || entry.Type()&os.ModeSymlink != 0 {
|
|
continue
|
|
}
|
|
|
|
info, err := entry.Info()
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
if !info.Mode().IsRegular() {
|
|
continue
|
|
}
|
|
|
|
name := entry.Name()
|
|
files = append(files, DecorateFile(boxID, models.BoxFile{
|
|
ID: name,
|
|
Name: name,
|
|
Size: info.Size(),
|
|
MimeType: helpers.MimeTypeForFile(filepath.Join(BoxPath(boxID), name), name),
|
|
Status: models.FileStatusReady,
|
|
}))
|
|
}
|
|
|
|
return files, nil
|
|
}
|
|
|
|
func readManifestUnlocked(boxID string) (models.BoxManifest, error) {
|
|
var manifest models.BoxManifest
|
|
data, err := os.ReadFile(ManifestPath(boxID))
|
|
if err != nil {
|
|
return manifest, err
|
|
}
|
|
|
|
if err := json.Unmarshal(data, &manifest); err != nil {
|
|
return manifest, err
|
|
}
|
|
|
|
return manifest, nil
|
|
}
|
|
|
|
func normalizeRetentionOption(key string) models.RetentionOption {
|
|
for _, option := range retentionOptions {
|
|
if option.Key == key {
|
|
return option
|
|
}
|
|
}
|
|
|
|
return DefaultRetentionOption()
|
|
}
|
|
|
|
func startRetentionIfTerminalUnlocked(manifest *models.BoxManifest) {
|
|
if !manifest.ExpiresAt.IsZero() || len(manifest.Files) == 0 {
|
|
return
|
|
}
|
|
if manifest.OneTimeDownload {
|
|
return
|
|
}
|
|
|
|
for _, file := range manifest.Files {
|
|
if file.Status != models.FileStatusReady && file.Status != models.FileStatusFailed {
|
|
return
|
|
}
|
|
}
|
|
|
|
seconds := manifest.RetentionSecs
|
|
if seconds <= 0 {
|
|
seconds = normalizeRetentionOption(manifest.RetentionKey).Seconds
|
|
}
|
|
|
|
// Retention starts after uploads settle so slow or very large uploads do
|
|
// not expire before users get a real chance to open the box.
|
|
manifest.ExpiresAt = time.Now().UTC().Add(time.Duration(seconds) * time.Second)
|
|
}
|
|
|
|
func legacyPasswordHash(salt string, password string) string {
|
|
sum := sha256.Sum256([]byte(salt + ":" + password))
|
|
return hex.EncodeToString(sum[:])
|
|
}
|
|
|
|
// Manifest writes are serialized because the browser can upload several files
|
|
// concurrently into the same box. Without this lock, status updates can race.
|
|
func writeManifestUnlocked(boxID string, manifest models.BoxManifest) error {
|
|
data, err := json.MarshalIndent(manifest, "", " ")
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
return os.WriteFile(ManifestPath(boxID), data, 0644)
|
|
}
|
|
|
|
func saveMultipartFile(file *multipart.FileHeader, destination string) error {
|
|
source, err := file.Open()
|
|
if err != nil {
|
|
return err
|
|
}
|
|
defer source.Close()
|
|
|
|
target, tempPath, err := createTempSibling(destination)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
committed := false
|
|
defer func() {
|
|
target.Close()
|
|
if !committed {
|
|
os.Remove(tempPath)
|
|
}
|
|
}()
|
|
|
|
if _, err := io.Copy(target, source); err != nil {
|
|
return err
|
|
}
|
|
if err := target.Close(); err != nil {
|
|
return err
|
|
}
|
|
if err := os.Rename(tempPath, destination); err != nil {
|
|
return err
|
|
}
|
|
committed = true
|
|
return nil
|
|
}
|
|
|
|
func createTempSibling(destination string) (*os.File, string, error) {
|
|
directory := filepath.Dir(destination)
|
|
if err := os.MkdirAll(directory, 0755); err != nil {
|
|
return nil, "", err
|
|
}
|
|
|
|
target, err := os.CreateTemp(directory, ".warpbox-upload-*")
|
|
if err != nil {
|
|
return nil, "", err
|
|
}
|
|
return target, target.Name(), nil
|
|
}
|
|
|
|
func safeZipEntryName(filename string) (string, bool) {
|
|
filename = strings.TrimSpace(filename)
|
|
if filename == "" || filepath.IsAbs(filename) {
|
|
return "", false
|
|
}
|
|
|
|
cleaned := filepath.ToSlash(filepath.Clean(filename))
|
|
if cleaned == "." || cleaned == ".." || strings.HasPrefix(cleaned, "../") || strings.HasPrefix(cleaned, "/") {
|
|
return "", false
|
|
}
|
|
return cleaned, true
|
|
}
|
|
|
|
func ensureRegularFile(path string) error {
|
|
info, err := os.Lstat(path)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
if info.Mode()&os.ModeSymlink != 0 || !info.Mode().IsRegular() {
|
|
return fmt.Errorf("Invalid file")
|
|
}
|
|
return nil
|
|
}
|