mirror of
https://github.com/stefanprodan/podinfo.git
synced 2026-04-19 09:16:40 +00:00
620b9b7e2c
Validate that the hash URL parameter matches the expected SHA1 hex format (40 lowercase hex characters) before using it in file path operations. Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
82 lines
2.3 KiB
Go
82 lines
2.3 KiB
Go
package http
|
|
|
|
import (
|
|
"crypto/sha1"
|
|
"encoding/hex"
|
|
"io"
|
|
"net/http"
|
|
"os"
|
|
"path"
|
|
"regexp"
|
|
|
|
"github.com/gorilla/mux"
|
|
"go.uber.org/zap"
|
|
)
|
|
|
|
var validHash = regexp.MustCompile(`^[a-f0-9]{40}$`)
|
|
|
|
// Store godoc
|
|
// @Summary Upload file
|
|
// @Description writes the posted content to disk at /data/hash and returns the SHA1 hash of the content
|
|
// @Tags HTTP API
|
|
// @Accept json
|
|
// @Produce json
|
|
// @Router /store [post]
|
|
// @Success 200 {object} http.MapResponse
|
|
func (s *Server) storeWriteHandler(w http.ResponseWriter, r *http.Request) {
|
|
_, span := s.tracer.Start(r.Context(), "storeWriteHandler")
|
|
defer span.End()
|
|
|
|
body, err := io.ReadAll(r.Body)
|
|
if err != nil {
|
|
s.ErrorResponse(w, r, span, "reading the request body failed", http.StatusBadRequest)
|
|
return
|
|
}
|
|
|
|
hash := hash(string(body))
|
|
err = os.WriteFile(path.Join(s.config.DataPath, hash), body, 0644)
|
|
if err != nil {
|
|
s.logger.Warn("writing file failed", zap.Error(err), zap.String("file", path.Join(s.config.DataPath, hash)))
|
|
s.ErrorResponse(w, r, span, "writing file failed", http.StatusInternalServerError)
|
|
return
|
|
}
|
|
s.JSONResponseCode(w, r, map[string]string{"hash": hash}, http.StatusAccepted)
|
|
}
|
|
|
|
// Store godoc
|
|
// @Summary Download file
|
|
// @Description returns the content of the file /data/hash if exists
|
|
// @Tags HTTP API
|
|
// @Accept json
|
|
// @Produce plain
|
|
// @Param hash path string true "hash value"
|
|
// @Router /store/{hash} [get]
|
|
// @Success 200 {string} string "file"
|
|
func (s *Server) storeReadHandler(w http.ResponseWriter, r *http.Request) {
|
|
_, span := s.tracer.Start(r.Context(), "storeReadHandler")
|
|
defer span.End()
|
|
|
|
hash := mux.Vars(r)["hash"]
|
|
if !validHash.MatchString(hash) {
|
|
s.ErrorResponse(w, r, span, "invalid hash", http.StatusBadRequest)
|
|
return
|
|
}
|
|
content, err := os.ReadFile(path.Join(s.config.DataPath, hash))
|
|
if err != nil {
|
|
s.logger.Warn("reading file failed", zap.Error(err), zap.String("file", path.Join(s.config.DataPath, hash)))
|
|
s.ErrorResponse(w, r, span, "reading file failed", http.StatusInternalServerError)
|
|
return
|
|
}
|
|
w.Header().Set("Content-Type", "application/octet-stream")
|
|
w.Header().Set("X-Content-Type-Options", "nosniff")
|
|
w.Header().Set("Content-Security-Policy", "default-src 'none'")
|
|
w.WriteHeader(http.StatusAccepted)
|
|
w.Write([]byte(content))
|
|
}
|
|
|
|
func hash(input string) string {
|
|
h := sha1.New()
|
|
h.Write([]byte(input))
|
|
return hex.EncodeToString(h.Sum(nil))
|
|
}
|