From def2bc3d2c616d48f160323c9eb50d429cca7e74 Mon Sep 17 00:00:00 2001 From: stratic-dev Date: Tue, 12 Mar 2024 23:00:01 +0000 Subject: [PATCH 1/6] initial commit --- .gitignore | 3 +- config.json | 7 ++- config/config.go | 30 ++++++---- schemas/patch-schema/screenshots.sql | 13 +++++ server/channelserver/handlers_bbs.go | 33 ++++++++++- server/channelserver/sys_channel_server.go | 9 +++ server/discordbot/discord_bot.go | 14 +++-- server/signv2server/endpoints.go | 68 ++++++++++++++++++++++ server/signv2server/signv2_server.go | 3 +- 9 files changed, 157 insertions(+), 23 deletions(-) create mode 100644 schemas/patch-schema/screenshots.sql diff --git a/.gitignore b/.gitignore index 4101960d2..493cbb0f6 100644 --- a/.gitignore +++ b/.gitignore @@ -7,4 +7,5 @@ savedata/*/ *.exe *.lnk *.bat -/docker/db-data \ No newline at end of file +/docker/db-data +sreenshots/* \ No newline at end of file diff --git a/config.json b/config.json index 0e081c4e5..2943915ba 100644 --- a/config.json +++ b/config.json @@ -9,7 +9,12 @@ ], "PatchServerManifest": "", "PatchServerFile": "", - "ScreenshotAPIURL": "", + "Screenshots":{ + "Enabled":true, + "Host":"127.0.0.1", + "Port":8080, + "OutputDir":"screenshots" + }, "DeleteOnSaveCorruption": false, "ClientMode": "ZZ", "QuestCacheExpiry": 300, diff --git a/config/config.go b/config/config.go index 6f6d4d2af..c88bd3912 100644 --- a/config/config.go +++ b/config/config.go @@ -75,7 +75,6 @@ type Config struct { LoginNotices []string // MHFML string of the login notices displayed PatchServerManifest string // Manifest patch server override PatchServerFile string // File patch server override - ScreenshotAPIURL string // Destination for screenshots uploaded to BBS DeleteOnSaveCorruption bool // Attempts to save corrupted data will flag the save for deletion ClientMode string RealClientMode Mode 
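Review bot: The new ignore entry `sreenshots/*` is misspelled, so the `screenshots` directory that config.json names as `OutputDir` in this same commit will still be picked up by git. Change it to `screenshots/*`.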
@@ -87,16 +86,18 @@ type Config struct { EarthID int32 EarthMonsters []int32 SaveDumps SaveDumpOptions - DebugOptions DebugOptions - GameplayOptions GameplayOptions - Discord Discord - Commands []Command - Courses []Course - Database Database - Sign Sign - SignV2 SignV2 - Channel Channel - Entrance Entrance + Screenshots ScreenshotsOptions + + DebugOptions DebugOptions + GameplayOptions GameplayOptions + Discord Discord + Commands []Command + Courses []Course + Database Database + Sign Sign + SignV2 SignV2 + Channel Channel + Entrance Entrance } type SaveDumpOptions struct { @@ -105,6 +106,13 @@ type SaveDumpOptions struct { OutputDir string } +type ScreenshotsOptions struct { + Enabled bool + Host string // Destination for screenshots uploaded to BBS + Port uint32 // Port for screenshots API + OutputDir string +} + // DebugOptions holds various debug/temporary options for use while developing Erupe. type DebugOptions struct { CleanDB bool // Automatically wipes the DB on server reset. diff --git a/schemas/patch-schema/screenshots.sql b/schemas/patch-schema/screenshots.sql new file mode 100644 index 000000000..345fcda13 --- /dev/null +++ b/schemas/patch-schema/screenshots.sql @@ -0,0 +1,13 @@ +BEGIN; + +CREATE TABLE public.screenshots +( + id serial PRIMARY KEY, + article_id TEXT NOT NULL, + discord_message_id TEXT, + char_id integer NOT NULL, + title TEXT NOT NULL, + description TEXT NOT NULL, + discord_img_url TEXT, + ); +END; \ No newline at end of file diff --git a/server/channelserver/handlers_bbs.go b/server/channelserver/handlers_bbs.go index 222a8eadc..69abc542d 100644 --- a/server/channelserver/handlers_bbs.go +++ b/server/channelserver/handlers_bbs.go @@ -8,6 +8,7 @@ import ( ) func handleMsgMhfGetBbsUserStatus(s *Session, p mhfpacket.MHFPacket) { + //Post Screenshot pauses till this succeedes pkt := p.(*mhfpacket.MsgMhfGetBbsUserStatus) bf := byteframe.NewByteFrame() bf.WriteUint32(200) 
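Review bot: `ScreenshotsOptions` has no doc comment, and the comment on `Host` ("Destination for screenshots uploaded to BBS") reads as if the server uploads somewhere, whereas `handlers_bbs.go` in this commit writes `Host` and `Port` into the packet returned to the game client, i.e. they are the address the client is told to upload to. Suggest `// ScreenshotsOptions configures the BBS screenshot upload endpoint advertised to game clients.` on the type, `Host string // Host the game client is told to upload screenshots to`, and `Port uint32 // Port of that endpoint; uint32 because it is written verbatim into the BBS packet`. The other server ports in this file (`Sign.Port`, `SignV2.Port`) are `int`, so either align the type or keep the explanatory comment.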
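Review bot: The `CREATE TABLE` body ends with a trailing comma (`discord_img_url TEXT, );`), which PostgreSQL rejects as a syntax error, so this patch schema cannot be applied as committed. Drop the comma after the last column: `discord_img_url TEXT );`. Since `article_id` is the token the handler later uses to identify the row, it probably also wants a `UNIQUE` constraint, though that depends on how the table is queried.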
@@ -32,10 +33,36 @@ func handleMsgMhfApplyBbsArticle(s *Session, p mhfpacket.MHFPacket) { bf := byteframe.NewByteFrame() articleToken := token.Generate(40) bf.WriteUint32(200) - bf.WriteUint32(80) + bf.WriteUint32(s.server.erupeConfig.Screenshots.Port) bf.WriteUint32(0) bf.WriteUint32(0) bf.WriteBytes(stringsupport.PaddedString(articleToken, 64, false)) - bf.WriteBytes(stringsupport.PaddedString(s.server.erupeConfig.ScreenshotAPIURL, 64, false)) - doAckBufSucceed(s, pkt.AckHandle, bf.Data()) + bf.WriteBytes(stringsupport.PaddedString(s.server.erupeConfig.Screenshots.Host, 64, false)) + + if s.server.erupeConfig.SaveDumps.Enabled && s.server.erupeConfig.Discord.Enabled { + messageId := s.server.DiscordScreenShotSend(pkt.Name, pkt.Title, pkt.Description) // TODO: send and get back message id store in db + + _, err := s.server.db.Exec("INSERT INTO public.screenshots (article_id,discord_message_id,char_id,title,description) VALUES ($1,$2,$3,$4,$5)", articleToken, messageId, s.charID, pkt.Title, pkt.Description) + if err != nil { + doAckBufFail(s, pkt.AckHandle, make([]byte, 4)) + } else { + + doAckBufSucceed(s, pkt.AckHandle, bf.Data()) + s.server.BroadcastChatMessage("Screenshot has been sent to discord") + + } + + } else if s.server.erupeConfig.SaveDumps.Enabled { + _, err := s.server.db.Exec("INSERT INTO public.screenshots (article_id,char_id,title,description) VALUES ($1,$2,$3,$4)", articleToken, s.charID, pkt.Title, pkt.Description) + if err != nil { + doAckBufFail(s, pkt.AckHandle, make([]byte, 4)) + } else { + s.server.BroadcastChatMessage("Screenshot has been sent to server") + doAckBufSucceed(s, pkt.AckHandle, bf.Data()) + + } + } else { + doAckBufFail(s, pkt.AckHandle, make([]byte, 4)) + s.server.BroadcastChatMessage("No destination for screenshots have been configured by the host") + } } diff --git a/server/channelserver/sys_channel_server.go b/server/channelserver/sys_channel_server.go index 19bd04123..6d2c7c39d 100644 
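Review bot: The new branches in `handleMsgMhfApplyBbsArticle` gate on `s.server.erupeConfig.SaveDumps.Enabled` even though this commit introduces `Screenshots.Enabled` for exactly this purpose, so screenshot handling silently follows the save-dump setting. Both `db.Exec` failures are answered with `doAckBufFail` but never logged, which leaves a broken schema invisible to the operator; log the error with the channel server's logger before the ack. The `BroadcastChatMessage` calls announce one player's action, and a host misconfiguration, to every connected player; a message to the requesting session would be more appropriate.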
--- a/server/channelserver/sys_channel_server.go +++ b/server/channelserver/sys_channel_server.go @@ -367,6 +367,15 @@ func (s *Server) DiscordChannelSend(charName string, content string) { } } +func (s *Server) DiscordScreenShotSend(charName string, title string, description string) string { + if s.erupeConfig.Discord.Enabled && s.discordBot != nil { + message := fmt.Sprintf("**%s**: %s - %s", charName, title, description) + mesageId, _ := s.discordBot.RealtimeChannelSend(message) + return mesageId + } + return "" +} + func (s *Server) FindSessionByCharID(charID uint32) *Session { for _, c := range s.Channels { for _, session := range c.sessions { diff --git a/server/discordbot/discord_bot.go b/server/discordbot/discord_bot.go index a9b327cc3..9c824684f 100644 --- a/server/discordbot/discord_bot.go +++ b/server/discordbot/discord_bot.go @@ -1,10 +1,12 @@ package discordbot import ( - "erupe-ce/config" + "errors" + _config "erupe-ce/config" + "regexp" + "github.com/bwmarrin/discordgo" "go.uber.org/zap" - "regexp" ) var Commands = []*discordgo.ApplicationCommand{ @@ -104,14 +106,14 @@ func (bot *DiscordBot) NormalizeDiscordMessage(message string) string { return result } -func (bot *DiscordBot) RealtimeChannelSend(message string) (err error) { +func (bot *DiscordBot) RealtimeChannelSend(message string) (messageId string, err error) { if bot.RelayChannel == nil { - return + return "", errors.New("RelayChannel is nil") } - _, err = bot.Session.ChannelMessageSend(bot.RelayChannel.ID, message) + msg, err := bot.Session.ChannelMessageSend(bot.RelayChannel.ID, message) - return + return msg.ID, err } func ReplaceTextAll(text string, regex *regexp.Regexp, handler func(input string) string) string { diff --git a/server/signv2server/endpoints.go b/server/signv2server/endpoints.go index b3ac00254..7647ce743 100644 --- a/server/signv2server/endpoints.go +++ b/server/signv2server/endpoints.go 
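Review bot: `mesageId, _ := s.discordBot.RealtimeChannelSend(message)` discards the send error, so a failed Discord post returns an empty id that the caller in `handlers_bbs.go` then stores as `discord_message_id` with no trace of why. Return the error (or log it) instead: `messageID, err := s.discordBot.RealtimeChannelSend(message)` followed by `if err != nil { /* log with the server's logger */ return "" }` and then `return messageID`. The local is also misspelled; Go convention for the identifier is `messageID`.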
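Review bot: `return msg.ID, err` dereferences `msg` even when `ChannelMessageSend` failed, and discordgo appears to return a nil `*Message` in that case, so a Discord API error becomes a nil-pointer panic in the calling goroutine. Check the error first: `if err != nil { return "", err }` and only then `return msg.ID, nil`. The error string `RelayChannel is nil` would read better lowercase, per Go convention for error messages.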
@@ -6,7 +6,12 @@ import ( "errors" _config "erupe-ce/config" "erupe-ce/server/channelserver" + "fmt" + "image" + "image/jpeg" "net/http" + "os" + "path/filepath" "strings" "time" @@ -286,3 +291,66 @@ func (s *Server) ExportSave(w http.ResponseWriter, r *http.Request) { w.Header().Add("Content-Type", "application/json") json.NewEncoder(w).Encode(save) } + +func (s *Server) ScreenShot(w http.ResponseWriter, r *http.Request) { + if !s.erupeConfig.SaveDumps.Enabled { + http.Error(w, "Screenshots not enabled in Config", http.StatusBadRequest) + + return + } else { + + if r.Method != http.MethodPost { + http.Error(w, "Method not allowed", http.StatusMethodNotAllowed) + return + } + // Get File from Request + file, _, err := r.FormFile("img") + if err != nil { + http.Error(w, "No valid file uploaded", http.StatusBadRequest) + return + } + token := r.FormValue("token") + if token == "" { + http.Error(w, "Token not specified cannot continue", http.StatusBadRequest) + return + } + + // Validate file + img, _, err := image.Decode(file) + if err != nil { + http.Error(w, "Invalid image file", http.StatusBadRequest) + return + } + + dir := filepath.Join(s.erupeConfig.Screenshots.OutputDir) + path := filepath.Join(s.erupeConfig.Screenshots.OutputDir, fmt.Sprintf("%s.jpg", token)) + _, err = os.Stat(dir) + if err != nil { + if os.IsNotExist(err) { + err = os.MkdirAll(dir, os.ModePerm) + if err != nil { + s.logger.Error("Error writing screenshot, could not create folder") + return + } + } else { + s.logger.Error("Error writing screenshot") + return + } + } + // Create or open the output file + outputFile, err := os.Create(path) + if err != nil { + panic(err) + } + defer outputFile.Close() + + // Encode the image and write it to the file + err = jpeg.Encode(outputFile, img, &jpeg.Options{}) + if err != nil { + panic(err) + } + if err != nil { + s.logger.Error("Error writing screenshot, could not write file", zap.Error(err)) + } + } +} 
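Review bot: `token` is taken from the form field and placed into `filepath.Join(OutputDir, token+".jpg")` without any check, so a value containing `..` segments resolves outside `OutputDir`, and nothing verifies it is a token that `handleMsgMhfApplyBbsArticle` actually issued, so any client that can reach the port can create files there. Validate it against the character set `token.Generate` emits (an anchored `^[A-Za-z0-9]+$` if it is alphanumeric) and reject with 400 before touching the filesystem. The `panic(err)` after `os.Create` and after `jpeg.Encode` should be `s.logger.Error(...)` plus `http.Error(w, "...", http.StatusInternalServerError)` and `return`; the `if err != nil` following the second panic is unreachable. `file` is never closed and the request body is unbounded, so wrap it with `http.MaxBytesReader` before `r.FormFile` and `defer file.Close()` after the error check. Also note the gate uses `SaveDumps.Enabled` rather than the new `Screenshots.Enabled`, and `&jpeg.Options{}` encodes at the minimum quality because `jpeg.Encode` clamps a zero `Quality` up to 1.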
diff --git a/server/signv2server/signv2_server.go b/server/signv2server/signv2_server.go index fedbabba2..3b278a3a7 100644 --- a/server/signv2server/signv2_server.go +++ b/server/signv2server/signv2_server.go @@ -2,7 +2,7 @@ package signv2server import ( "context" - "erupe-ce/config" + _config "erupe-ce/config" "fmt" "net/http" "os" @@ -52,6 +52,7 @@ func (s *Server) Start() error { r.HandleFunc("/character/create", s.CreateCharacter) r.HandleFunc("/character/delete", s.DeleteCharacter) r.HandleFunc("/character/export", s.ExportSave) + r.HandleFunc("/api/ss/bbs/upload.php", s.ScreenShot) handler := handlers.CORS(handlers.AllowedHeaders([]string{"Content-Type"}))(r) s.httpServer.Handler = handlers.LoggingHandler(os.Stdout, handler) s.httpServer.Addr = fmt.Sprintf(":%d", s.erupeConfig.SignV2.Port) From 3797438ca2c13d3ebf5889cbbf815d645f0d06e3 Mon Sep 17 00:00:00 2001 From: stratic-dev Date: Fri, 15 Mar 2024 00:54:18 +0000 Subject: [PATCH 2/6] No database --- .gitignore | 2 +- config.json | 3 +- config/config.go | 9 +-- schemas/patch-schema/screenshots.sql | 13 ---- server/channelserver/handlers_bbs.go | 47 +++++-------- server/channelserver/sys_channel_server.go | 9 ++- server/discordbot/discord_bot.go | 10 ++- server/signv2server/endpoints.go | 79 ++++++++++++++++------ server/signv2server/signv2_server.go | 1 + 9 files changed, 93 insertions(+), 80 deletions(-) delete mode 100644 schemas/patch-schema/screenshots.sql diff --git a/.gitignore b/.gitignore index 493cbb0f6..5b569b1c2 100644 --- a/.gitignore +++ b/.gitignore @@ -8,4 +8,4 @@ savedata/*/ *.lnk *.bat /docker/db-data -sreenshots/* \ No newline at end of file +screenshots/* \ No newline at end of file diff --git a/config.json b/config.json index 2943915ba..a4ef568cf 100644 --- a/config.json +++ b/config.json @@ -13,7 +13,8 @@ "Enabled":true, "Host":"127.0.0.1", "Port":8080, - "OutputDir":"screenshots" + "OutputDir":"screenshots", + "UploadQuality":100 }, "DeleteOnSaveCorruption": false, "ClientMode": "ZZ", 
diff --git a/config/config.go b/config/config.go index c88bd3912..6e86c60ed 100644 --- a/config/config.go +++ b/config/config.go @@ -107,10 +107,11 @@ type SaveDumpOptions struct { } type ScreenshotsOptions struct { - Enabled bool - Host string // Destination for screenshots uploaded to BBS - Port uint32 // Port for screenshots API - OutputDir string + Enabled bool + Host string // Destination for screenshots uploaded to BBS + Port uint32 // Port for screenshots API + OutputDir string + UploadQuality int //Determines the upload quality to the server } // DebugOptions holds various debug/temporary options for use while developing Erupe. diff --git a/schemas/patch-schema/screenshots.sql b/schemas/patch-schema/screenshots.sql deleted file mode 100644 index 345fcda13..000000000 --- a/schemas/patch-schema/screenshots.sql +++ /dev/null @@ -1,13 +0,0 @@ -BEGIN; - -CREATE TABLE public.screenshots -( - id serial PRIMARY KEY, - article_id TEXT NOT NULL, - discord_message_id TEXT, - char_id integer NOT NULL, - title TEXT NOT NULL, - description TEXT NOT NULL, - discord_img_url TEXT, - ); -END; \ No newline at end of file diff --git a/server/channelserver/handlers_bbs.go b/server/channelserver/handlers_bbs.go index 69abc542d..d991ee67a 100644 --- a/server/channelserver/handlers_bbs.go +++ b/server/channelserver/handlers_bbs.go 
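Review bot: `UploadQuality int //Determines the upload quality to the server` does not say what the number means or its range; `endpoints.go` in this commit passes it straight to `jpeg.Options{Quality: ...}`. Suggest `UploadQuality int // JPEG quality (1-100) used when re-encoding uploaded screenshots`.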
@@ -7,62 +7,47 @@ import ( "erupe-ce/network/mhfpacket" ) +// Handler BBS handles all the interactions with the for the screenshot sending to bulitin board functionality. For it to work it requires the API to be hosted somehwere. This implementation supports discord. + +// Checks the status of the user to see if they can use Bulitin Board yet func handleMsgMhfGetBbsUserStatus(s *Session, p mhfpacket.MHFPacket) { //Post Screenshot pauses till this succeedes pkt := p.(*mhfpacket.MsgMhfGetBbsUserStatus) bf := byteframe.NewByteFrame() - bf.WriteUint32(200) + bf.WriteUint32(200) //HTTP Status Codes //200 Success //404 You wont be able to post for a certain amount of time after creating your character //401/500 A error occured server side bf.WriteUint32(0) bf.WriteUint32(0) bf.WriteUint32(0) doAckBufSucceed(s, pkt.AckHandle, bf.Data()) } +// Checks the status of Bultin Board Server to see if authenticated func handleMsgMhfGetBbsSnsStatus(s *Session, p mhfpacket.MHFPacket) { pkt := p.(*mhfpacket.MsgMhfGetBbsSnsStatus) bf := byteframe.NewByteFrame() - bf.WriteUint32(200) - bf.WriteUint32(401) - bf.WriteUint32(401) + bf.WriteUint32(200) //200 Success //4XX Authentication has expired Please re-authenticate //5XX + bf.WriteUint32(401) //unk http status? + bf.WriteUint32(401) //unk http status? 
bf.WriteUint32(0) doAckBufSucceed(s, pkt.AckHandle, bf.Data()) } +// Tells the game client what host port and gives the bultin board article a token func handleMsgMhfApplyBbsArticle(s *Session, p mhfpacket.MHFPacket) { pkt := p.(*mhfpacket.MsgMhfApplyBbsArticle) bf := byteframe.NewByteFrame() articleToken := token.Generate(40) - bf.WriteUint32(200) + + bf.WriteUint32(200) //http status //200 success //4XX An error occured server side bf.WriteUint32(s.server.erupeConfig.Screenshots.Port) bf.WriteUint32(0) bf.WriteUint32(0) bf.WriteBytes(stringsupport.PaddedString(articleToken, 64, false)) bf.WriteBytes(stringsupport.PaddedString(s.server.erupeConfig.Screenshots.Host, 64, false)) - - if s.server.erupeConfig.SaveDumps.Enabled && s.server.erupeConfig.Discord.Enabled { - messageId := s.server.DiscordScreenShotSend(pkt.Name, pkt.Title, pkt.Description) // TODO: send and get back message id store in db - - _, err := s.server.db.Exec("INSERT INTO public.screenshots (article_id,discord_message_id,char_id,title,description) VALUES ($1,$2,$3,$4,$5)", articleToken, messageId, s.charID, pkt.Title, pkt.Description) - if err != nil { - doAckBufFail(s, pkt.AckHandle, make([]byte, 4)) - } else { - - doAckBufSucceed(s, pkt.AckHandle, bf.Data()) - s.server.BroadcastChatMessage("Screenshot has been sent to discord") - - } - - } else if s.server.erupeConfig.SaveDumps.Enabled { - _, err := s.server.db.Exec("INSERT INTO public.screenshots (article_id,char_id,title,description) VALUES ($1,$2,$3,$4)", articleToken, s.charID, pkt.Title, pkt.Description) - if err != nil { - doAckBufFail(s, pkt.AckHandle, make([]byte, 4)) - } else { - s.server.BroadcastChatMessage("Screenshot has been sent to server") - doAckBufSucceed(s, pkt.AckHandle, bf.Data()) - - } - } else { - doAckBufFail(s, pkt.AckHandle, make([]byte, 4)) - s.server.BroadcastChatMessage("No destination for screenshots have been configured by the host") + //pkt.unk1[3] == Changes sometimes? 
+ if s.server.erupeConfig.Screenshots.Enabled && s.server.erupeConfig.Discord.Enabled { + s.server.DiscordScreenShotSend(pkt.Name, pkt.Title, pkt.Description, articleToken) } + doAckBufSucceed(s, pkt.AckHandle, bf.Data()) + } diff --git a/server/channelserver/sys_channel_server.go b/server/channelserver/sys_channel_server.go index 6d2c7c39d..a0d1fe1b7 100644 --- a/server/channelserver/sys_channel_server.go +++ b/server/channelserver/sys_channel_server.go @@ -367,13 +367,12 @@ func (s *Server) DiscordChannelSend(charName string, content string) { } } -func (s *Server) DiscordScreenShotSend(charName string, title string, description string) string { +func (s *Server) DiscordScreenShotSend(charName string, title string, description string, articleToken string) { if s.erupeConfig.Discord.Enabled && s.discordBot != nil { - message := fmt.Sprintf("**%s**: %s - %s", charName, title, description) - mesageId, _ := s.discordBot.RealtimeChannelSend(message) - return mesageId + imageUrl := fmt.Sprintf("%s:%d/api/ss/bbs/%s", s.erupeConfig.Screenshots.Host, s.erupeConfig.Screenshots.Port, articleToken) + message := fmt.Sprintf("**%s**: %s - %s %s", charName, title, description, imageUrl) + s.discordBot.RealtimeChannelSend(message) } - return "" } func (s *Server) FindSessionByCharID(charID uint32) *Session { diff --git a/server/discordbot/discord_bot.go b/server/discordbot/discord_bot.go index 9c824684f..303cbc630 100644 --- a/server/discordbot/discord_bot.go +++ b/server/discordbot/discord_bot.go @@ -1,7 +1,6 @@ package discordbot import ( - "errors" _config "erupe-ce/config" "regexp" 
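Review bot: `DiscordScreenShotSend` is called before the client has uploaded anything, and the message it posts embeds `articleToken`, which `ScreenShot` in `endpoints.go` accepts as the sole authorization to write `<token>.jpg`; anyone who can read the relay channel can therefore replace that image, since the same token is also the public URL id. Consider keeping issued tokens server-side (for example a map of pending tokens with an expiry) so the upload endpoint only accepts tokens this handler issued, and consuming each token on first use. The Discord post would then be better made from the upload handler once the file exists, so the link does not dangle until the client finishes. The `//pkt.unk1[3] == Changes sometimes?` comment would be clearer as `// TODO: pkt.unk1[3] varies between requests; meaning unknown`.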
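Review bot: The error returned by `s.discordBot.RealtimeChannelSend(message)` is still dropped, so a failed relay is silent; log it with the server's logger (hedged: whatever zap logger `Server` carries). `imageUrl` is built as `%s:%d/api/ss/bbs/%s` with no scheme, and `Screenshots.Host` is `127.0.0.1` in the shipped config.json, so the link posted to Discord is neither clickable nor reachable by readers; prefix `http://` (or make the scheme configurable) and document on `Host` that it must be an address Discord users can reach. The two `fmt.Sprintf` calls could be folded into one.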
@@ -106,16 +105,15 @@ func (bot *DiscordBot) NormalizeDiscordMessage(message string) string { return result } -func (bot *DiscordBot) RealtimeChannelSend(message string) (messageId string, err error) { +func (bot *DiscordBot) RealtimeChannelSend(message string) (err error) { if bot.RelayChannel == nil { - return "", errors.New("RelayChannel is nil") + return } - msg, err := bot.Session.ChannelMessageSend(bot.RelayChannel.ID, message) + _, err = bot.Session.ChannelMessageSend(bot.RelayChannel.ID, message) - return msg.ID, err + return } - func ReplaceTextAll(text string, regex *regexp.Regexp, handler func(input string) string) string { result := regex.ReplaceAllFunc([]byte(text), func(s []byte) []byte { input := regex.ReplaceAllString(string(s), `$1`) diff --git a/server/signv2server/endpoints.go b/server/signv2server/endpoints.go index 7647ce743..8200cd824 100644 --- a/server/signv2server/endpoints.go +++ b/server/signv2server/endpoints.go @@ -3,18 +3,21 @@ package signv2server import ( "database/sql" "encoding/json" + "encoding/xml" "errors" _config "erupe-ce/config" "erupe-ce/server/channelserver" "fmt" "image" "image/jpeg" + "io" "net/http" "os" "path/filepath" "strings" "time" + "github.com/gorilla/mux" "github.com/lib/pq" "go.uber.org/zap" "golang.org/x/crypto/bcrypt" 
@@ -291,35 +294,63 @@ func (s *Server) ExportSave(w http.ResponseWriter, r *http.Request) { w.Header().Add("Content-Type", "application/json") json.NewEncoder(w).Encode(save) } - +func (s *Server) ScreenShotGet(w http.ResponseWriter, r *http.Request) { + // Get the 'id' parameter from the URL + vars := mux.Vars(r) + id := vars["id"] + // Open the image file + path := filepath.Join(s.erupeConfig.Screenshots.OutputDir, fmt.Sprintf("%s.jpg", id)) + file, err := os.Open(path) + if err != nil { + http.Error(w, "Image not found", http.StatusNotFound) + return + } + defer file.Close() + // Set content type header to image/jpeg + w.Header().Set("Content-Type", "image/jpeg") + // Copy the image content to the response writer + if _, err := io.Copy(w, file); err != nil { + http.Error(w, "Unable to send image", http.StatusInternalServerError) + return + } +} func (s *Server) ScreenShot(w http.ResponseWriter, r *http.Request) { - if !s.erupeConfig.SaveDumps.Enabled { - http.Error(w, "Screenshots not enabled in Config", http.StatusBadRequest) - return + // Create a struct representing the XML result + type Result struct { + XMLName xml.Name `xml:"result"` + Code string `xml:"code"` + } + // Set the Content-Type header to specify that the response is in XML format + w.Header().Set("Content-Type", "text/xml") + result := Result{Code: "200"} + + if !s.erupeConfig.Screenshots.Enabled { + result = Result{Code: "400"} + } else { if r.Method != http.MethodPost { - http.Error(w, "Method not allowed", http.StatusMethodNotAllowed) - return + result = Result{Code: "405"} + } // Get File from Request file, _, err := r.FormFile("img") if err != nil { - http.Error(w, "No valid file uploaded", http.StatusBadRequest) - return + result = Result{Code: "400"} + } token := r.FormValue("token") if token == "" { - http.Error(w, "Token not specified cannot continue", http.StatusBadRequest) - return + result = Result{Code: "400"} + } // Validate file img, _, err := image.Decode(file) if err != nil { - 
http.Error(w, "Invalid image file", http.StatusBadRequest) - return + result = Result{Code: "400"} + } dir := filepath.Join(s.erupeConfig.Screenshots.OutputDir) @@ -330,27 +361,37 @@ func (s *Server) ScreenShot(w http.ResponseWriter, r *http.Request) { err = os.MkdirAll(dir, os.ModePerm) if err != nil { s.logger.Error("Error writing screenshot, could not create folder") - return + result = Result{Code: "500"} } } else { s.logger.Error("Error writing screenshot") - return + result = Result{Code: "500"} } } // Create or open the output file outputFile, err := os.Create(path) if err != nil { - panic(err) + result = Result{Code: "500"} } defer outputFile.Close() // Encode the image and write it to the file - err = jpeg.Encode(outputFile, img, &jpeg.Options{}) - if err != nil { - panic(err) - } + err = jpeg.Encode(outputFile, img, &jpeg.Options{Quality: s.erupeConfig.Screenshots.UploadQuality}) if err != nil { s.logger.Error("Error writing screenshot, could not write file", zap.Error(err)) + result = Result{Code: "500"} + } + + } + // Marshal the struct into XML + xmlData, err := xml.Marshal(result) + if err != nil { + http.Error(w, "Unable to marshal XML", http.StatusInternalServerError) + return } + + // Write the XML response with a 200 status code + w.WriteHeader(http.StatusOK) + w.Write(xmlData) } diff --git a/server/signv2server/signv2_server.go b/server/signv2server/signv2_server.go index 3b278a3a7..32c852e30 100644 --- a/server/signv2server/signv2_server.go +++ b/server/signv2server/signv2_server.go @@ -53,6 +53,7 @@ func (s *Server) Start() error { r.HandleFunc("/character/delete", s.DeleteCharacter) r.HandleFunc("/character/export", s.ExportSave) r.HandleFunc("/api/ss/bbs/upload.php", s.ScreenShot) + r.HandleFunc("/api/ss/bbs/{id}", s.ScreenShotGet) handler := handlers.CORS(handlers.AllowedHeaders([]string{"Content-Type"}))(r) s.httpServer.Handler = handlers.LoggingHandler(os.Stdout, handler) s.httpServer.Addr = fmt.Sprintf(":%d", s.erupeConfig.SignV2.Port) 
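Review bot: In `ScreenShot` every failure branch now only assigns `result` and falls through, so after a missing `img` field, a non-POST request or an undecodable image the handler still reaches `image.Decode(file)` with a nil `file` and `jpeg.Encode(outputFile, img, …)` with a nil `img`, which panics; the `os.Create` failure in the second hunk falls through the same way. Each branch needs to write the XML result and return, which is simplest with a small closure that marshals the code and is called at every exit. `ScreenShotGet` places `vars["id"]` unvalidated into the output path; mux's default `{id}` pattern admits any non-slash text, so constrain it in the route (`{id:[A-Za-z0-9]+}`) or check it in the handler before `os.Open`. The multipart `file` is never closed and the body is not bounded with `http.MaxBytesReader` before `r.FormFile`.
```go
func (s *Server) ScreenShot(w http.ResponseWriter, r *http.Request) {
	type Result struct {
		XMLName xml.Name `xml:"result"`
		Code    string   `xml:"code"`
	}
	w.Header().Set("Content-Type", "text/xml")
	// writeResult is the single exit path; every failure below returns through it.
	writeResult := func(code string) {
		xmlData, err := xml.Marshal(Result{Code: code})
		if err != nil {
			http.Error(w, "Unable to marshal XML", http.StatusInternalServerError)
			return
		}
		w.WriteHeader(http.StatusOK)
		w.Write(xmlData)
	}
	if !s.erupeConfig.Screenshots.Enabled {
		writeResult("400")
		return
	}
	if r.Method != http.MethodPost {
		writeResult("405")
		return
	}
	file, _, err := r.FormFile("img")
	if err != nil {
		writeResult("400")
		return
	}
	defer file.Close()
	// … unchanged: token check, image.Decode, directory creation, os.Create, jpeg.Encode —
	// each failure calls writeResult("400") or writeResult("500") and returns …
	writeResult("200")
}
```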
From 12b3dd1be32d0cac003bc73017d88b566fe77a08 Mon Sep 17 00:00:00 2001 From: stratic-dev Date: Fri, 15 Mar 2024 18:33:23 +0000 Subject: [PATCH 3/6] Add regex --- server/signv2server/endpoints.go | 10 ---------- server/signv2server/signv2_server.go | 2 +- 2 files changed, 1 insertion(+), 11 deletions(-) diff --git a/server/signv2server/endpoints.go b/server/signv2server/endpoints.go index 8200cd824..3b9fd606f 100644 --- a/server/signv2server/endpoints.go +++ b/server/signv2server/endpoints.go @@ -315,7 +315,6 @@ func (s *Server) ScreenShotGet(w http.ResponseWriter, r *http.Request) { } } func (s *Server) ScreenShot(w http.ResponseWriter, r *http.Request) { - // Create a struct representing the XML result type Result struct { XMLName xml.Name `xml:"result"` @@ -324,33 +323,27 @@ func (s *Server) ScreenShot(w http.ResponseWriter, r *http.Request) { // Set the Content-Type header to specify that the response is in XML format w.Header().Set("Content-Type", "text/xml") result := Result{Code: "200"} - if !s.erupeConfig.Screenshots.Enabled { result = Result{Code: "400"} - } else { if r.Method != http.MethodPost { result = Result{Code: "405"} - } // Get File from Request file, _, err := r.FormFile("img") if err != nil { result = Result{Code: "400"} - } token := r.FormValue("token") if token == "" { result = Result{Code: "400"} - } // Validate file img, _, err := image.Decode(file) if err != nil { result = Result{Code: "400"} - } dir := filepath.Join(s.erupeConfig.Screenshots.OutputDir) @@ -380,9 +373,7 @@ func (s *Server) ScreenShot(w http.ResponseWriter, r *http.Request) { if err != nil { s.logger.Error("Error writing screenshot, could not write file", zap.Error(err)) result = Result{Code: "500"} - } - } // Marshal the struct into XML xmlData, err := xml.Marshal(result) 
@@ -390,7 +381,6 @@ func (s *Server) ScreenShot(w http.ResponseWriter, r *http.Request) { http.Error(w, "Unable to marshal XML", http.StatusInternalServerError) return } - // Write the XML response with a 200 status code w.WriteHeader(http.StatusOK) w.Write(xmlData) diff --git a/server/signv2server/signv2_server.go b/server/signv2server/signv2_server.go index 32c852e30..74ce2978c 100644 --- a/server/signv2server/signv2_server.go +++ b/server/signv2server/signv2_server.go @@ -53,7 +53,7 @@ func (s *Server) Start() error { r.HandleFunc("/character/delete", s.DeleteCharacter) r.HandleFunc("/character/export", s.ExportSave) r.HandleFunc("/api/ss/bbs/upload.php", s.ScreenShot) - r.HandleFunc("/api/ss/bbs/{id}", s.ScreenShotGet) + r.HandleFunc("/api/ss/bbs/{id:[A-Za-z0-9]+}", s.ScreenShotGet) handler := handlers.CORS(handlers.AllowedHeaders([]string{"Content-Type"}))(r) s.httpServer.Handler = handlers.LoggingHandler(os.Stdout, handler) s.httpServer.Addr = fmt.Sprintf(":%d", s.erupeConfig.SignV2.Port) From 62a2fe9f7300f6985a8547b5019d82e6499cb95a Mon Sep 17 00:00:00 2001 From: stratic-dev Date: Fri, 15 Mar 2024 18:43:33 +0000 Subject: [PATCH 4/6] Added more regex --- server/signv2server/endpoints.go | 17 +++++++++++++---- server/signv2server/signv2_server.go | 2 +- 2 files changed, 14 insertions(+), 5 deletions(-) diff --git a/server/signv2server/endpoints.go b/server/signv2server/endpoints.go index 3b9fd606f..dd3864d2a 100644 --- a/server/signv2server/endpoints.go +++ b/server/signv2server/endpoints.go @@ -14,6 +14,7 @@ import ( "net/http" "os" "path/filepath" + "regexp" "strings" "time" 
@@ -297,9 +298,15 @@ func (s *Server) ExportSave(w http.ResponseWriter, r *http.Request) { func (s *Server) ScreenShotGet(w http.ResponseWriter, r *http.Request) { // Get the 'id' parameter from the URL vars := mux.Vars(r) - id := vars["id"] + token := vars["id"] + var tokenPattern = regexp.MustCompile(`[A-Za-z0-9]+`) + + if !tokenPattern.MatchString(token) || token == "" { + http.Error(w, "Not Valid Token", http.StatusBadRequest) + + } // Open the image file - path := filepath.Join(s.erupeConfig.Screenshots.OutputDir, fmt.Sprintf("%s.jpg", id)) + path := filepath.Join(s.erupeConfig.Screenshots.OutputDir, fmt.Sprintf("%s.jpg", token)) file, err := os.Open(path) if err != nil { http.Error(w, "Image not found", http.StatusNotFound) @@ -335,9 +342,11 @@ func (s *Server) ScreenShot(w http.ResponseWriter, r *http.Request) { if err != nil { result = Result{Code: "400"} } + var tokenPattern = regexp.MustCompile(`[A-Za-z0-9]+`) token := r.FormValue("token") - if token == "" { - result = Result{Code: "400"} + if !tokenPattern.MatchString(token) || token == "" { + result = Result{Code: "401"} + } // Validate file diff --git a/server/signv2server/signv2_server.go b/server/signv2server/signv2_server.go index 74ce2978c..32c852e30 100644 --- a/server/signv2server/signv2_server.go +++ b/server/signv2server/signv2_server.go @@ -53,7 +53,7 @@ func (s *Server) Start() error { r.HandleFunc("/character/delete", s.DeleteCharacter) r.HandleFunc("/character/export", s.ExportSave) r.HandleFunc("/api/ss/bbs/upload.php", s.ScreenShot) - r.HandleFunc("/api/ss/bbs/{id:[A-Za-z0-9]+}", s.ScreenShotGet) + r.HandleFunc("/api/ss/bbs/{id}", s.ScreenShotGet) handler := handlers.CORS(handlers.AllowedHeaders([]string{"Content-Type"}))(r) s.httpServer.Handler = handlers.LoggingHandler(os.Stdout, handler) s.httpServer.Addr = fmt.Sprintf(":%d", s.erupeConfig.SignV2.Port) From d123182a2fb56a7630f718d7176dc8ebf39700f3 Mon Sep 17 00:00:00 2001 
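Review bot: `regexp.MustCompile(`[A-Za-z0-9]+`)` is unanchored, so it accepts any value containing a single alphanumeric character — including one with `..` segments — and in `ScreenShotGet` the rejection branch has no `return`, so `os.Open` runs on the rejected token anyway; in `ScreenShot` the `401` branch likewise falls through to the file write. Anchor the pattern and hoist it to package scope, `var tokenPattern = regexp.MustCompile(`^[A-Za-z0-9]+$`)`, add `return` after the `http.Error`, and drop the redundant `token == ""` test (an anchored `+` already rejects the empty string). The previous commit's route constraint `{id:[A-Za-z0-9]+}` is anchored by mux and already did this for the GET path; reverting it to `{id}` in the third hunk is a step backwards, so keep both. Compiling the regexp on every request is also unnecessary work.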
From: stratic-dev Date: Fri, 15 Mar 2024 19:37:55 +0000 Subject: [PATCH 5/6] Renamed signv2 to api and enabled it by default --- config.json | 4 +-- config/config.go | 18 +++++----- main.go | 22 ++++++------ .../signv2_server.go => api/api_server.go} | 18 +++++----- server/{signv2server => api}/dbutils.go | 18 +++++----- server/{signv2server => api}/endpoints.go | 34 +++++++++---------- 6 files changed, 57 insertions(+), 57 deletions(-) rename server/{signv2server/signv2_server.go => api/api_server.go} (86%) rename server/{signv2server => api}/dbutils.go (81%) rename server/{signv2server => api}/endpoints.go (90%) diff --git a/config.json b/config.json index a4ef568cf..2b836ab03 100644 --- a/config.json +++ b/config.json @@ -195,8 +195,8 @@ "Enabled": true, "Port": 53312 }, - "SignV2": { - "Enabled": false, + "API": { + "Enabled": true, "Port": 8080, "PatchServer": "", "Banners": [], diff --git a/config/config.go b/config/config.go index 6e86c60ed..52642956b 100644 --- a/config/config.go +++ b/config/config.go @@ -95,7 +95,7 @@ type Config struct { Courses []Course Database Database Sign Sign - SignV2 SignV2 + API API Channel Channel Entrance Entrance } 
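Review bot: Flipping `"Enabled"` to `true` turns the HTTP API on for every default installation, and `api_server.go` binds it to `:%d` on all interfaces behind the `handlers.CORS` wrapper, which appears to allow any origin when only `AllowedHeaders` is set, together with the unauthenticated `/api/ss/bbs/upload.php` route added earlier in this series. If enabled-by-default is intended, the commit message or a comment on `API.Enabled` in config.go should say so and note the exposure, and the screenshot upload should at least stay gated behind `Screenshots.Enabled` defaulting to false. Otherwise keep the previous `false`.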
@@ -237,29 +237,29 @@ type Sign struct { Port int } -// SignV2 holds the new sign server config -type SignV2 struct { +// API holds server config +type API struct { Enabled bool Port int PatchServer string - Banners []SignV2Banner - Messages []SignV2Message - Links []SignV2Link + Banners []APISignBanner + Messages []APISignMessage + Links []APISignLink } -type SignV2Banner struct { +type APISignBanner struct { Src string `json:"src"` // Displayed image URL Link string `json:"link"` // Link accessed on click } -type SignV2Message struct { +type APISignMessage struct { Message string `json:"message"` // Displayed message Date int64 `json:"date"` // Displayed date Kind int `json:"kind"` // 0 for 'Default', 1 for 'New' Link string `json:"link"` // Link accessed on click } -type SignV2Link struct { +type APISignLink struct { Name string `json:"name"` // Displayed name Icon string `json:"icon"` // Displayed icon. It will be cast as a monochrome color as long as it is transparent. Link string `json:"link"` // Link accessed on click diff --git a/main.go b/main.go index a7d368930..2c776a78c 100644 --- a/main.go +++ b/main.go @@ -10,11 +10,11 @@ import ( "syscall" "time" + "erupe-ce/server/api" "erupe-ce/server/channelserver" "erupe-ce/server/discordbot" "erupe-ce/server/entranceserver" "erupe-ce/server/signserver" - "erupe-ce/server/signv2server" "github.com/jmoiron/sqlx" _ "github.com/lib/pq" 
@@ -181,21 +181,21 @@ func main() { } // New Sign server - var newSignServer *signv2server.Server - if config.SignV2.Enabled { - newSignServer = signv2server.NewServer( - &signv2server.Config{ + var ApiServer *api.APIServer + if config.API.Enabled { + ApiServer = api.NewAPIServer( + &api.Config{ Logger: logger.Named("sign"), ErupeConfig: _config.ErupeConfig, DB: db, }) - err = newSignServer.Start() + err = ApiServer.Start() if err != nil { - preventClose(fmt.Sprintf("SignV2: Failed to start, %s", err.Error())) + preventClose(fmt.Sprintf("API: Failed to start, %s", err.Error())) } - logger.Info("SignV2: Started successfully") + logger.Info("API: Started successfully") } else { - logger.Info("SignV2: Disabled") + logger.Info("API: Disabled") } var channels []*channelserver.Server @@ -273,8 +273,8 @@ func main() { signServer.Shutdown() } - if config.SignV2.Enabled { - newSignServer.Shutdown() + if config.API.Enabled { + ApiServer.Shutdown() } if config.Entrance.Enabled { diff --git a/server/signv2server/signv2_server.go b/server/api/api_server.go similarity index 86% rename from server/signv2server/signv2_server.go rename to server/api/api_server.go index 32c852e30..3774f3fb8 100644 --- a/server/signv2server/signv2_server.go +++ b/server/api/api_server.go @@ -1,4 +1,4 @@ -package signv2server +package api import ( "context" @@ -21,8 +21,8 @@ type Config struct { ErupeConfig *_config.Config } -// Server is the MHF custom launcher sign server. -type Server struct { +// APIServer is Erupes Standard API interface +type APIServer struct { sync.Mutex logger *zap.Logger erupeConfig *_config.Config @@ -31,9 +31,9 @@ type Server struct { isShuttingDown bool } -// NewServer creates a new Server type. -func NewServer(config *Config) *Server { - s := &Server{ +// NewAPIServer creates a new Server type. +func NewAPIServer(config *Config) *APIServer { + s := &APIServer{ logger: config.Logger, erupeConfig: config.ErupeConfig, db: config.DB, 
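Review bot: `var ApiServer *api.APIServer` is a local variable with an exported-style capitalised name; Go convention is `apiServer`, which also matches the neighbouring `signServer`. The logger is still created with `logger.Named("sign")` although the messages now read `API: ...`, so log lines from this server will carry the old component name; use `logger.Named("api")`. The third hunk (`ApiServer.Shutdown()`) follows the same rename.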
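Review bot: The doc comments on the renamed type and constructor in `api_server.go` no longer describe them: `// APIServer is Erupes Standard API interface` does not say what the type does, and `// NewAPIServer creates a new Server type.` names a type that no longer exists. Suggest `// APIServer serves Erupe's HTTP API (launcher, character and screenshot endpoints).` and `// NewAPIServer returns an APIServer built from config; call Start to begin serving.`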
@@ -43,7 +43,7 @@ func NewServer(config *Config) *Server { } // Start starts the server in a new goroutine. -func (s *Server) Start() error { +func (s *APIServer) Start() error { // Set up the routes responsible for serving the launcher HTML, serverlist, unique name check, and JP auth. r := mux.NewRouter() r.HandleFunc("/launcher", s.Launcher) @@ -56,7 +56,7 @@ func (s *Server) Start() error { r.HandleFunc("/api/ss/bbs/{id}", s.ScreenShotGet) handler := handlers.CORS(handlers.AllowedHeaders([]string{"Content-Type"}))(r) s.httpServer.Handler = handlers.LoggingHandler(os.Stdout, handler) - s.httpServer.Addr = fmt.Sprintf(":%d", s.erupeConfig.SignV2.Port) + s.httpServer.Addr = fmt.Sprintf(":%d", s.erupeConfig.API.Port) serveError := make(chan error, 1) go func() { @@ -76,7 +76,7 @@ func (s *Server) Start() error { } // Shutdown exits the server gracefully. -func (s *Server) Shutdown() { +func (s *APIServer) Shutdown() { s.logger.Debug("Shutting down") s.Lock() diff --git a/server/signv2server/dbutils.go b/server/api/dbutils.go similarity index 81% rename from server/signv2server/dbutils.go rename to server/api/dbutils.go index b2d5872bb..fba1bab5c 100644 --- a/server/signv2server/dbutils.go +++ b/server/api/dbutils.go @@ -1,4 +1,4 @@ -package signv2server +package api import ( "context" @@ -10,7 +10,7 @@ import ( "golang.org/x/crypto/bcrypt" ) -func (s *Server) createNewUser(ctx context.Context, username string, password string) (uint32, uint32, error) { +func (s *APIServer) createNewUser(ctx context.Context, username string, password string) (uint32, uint32, error) { // Create salted hash of user password passwordHash, err := bcrypt.GenerateFromPassword([]byte(password), bcrypt.DefaultCost) if err != nil { 
@@ -32,7 +32,7 @@ func (s *Server) createNewUser(ctx context.Context, username string, password st return id, rights, err } -func (s *Server) createLoginToken(ctx context.Context, uid uint32) (uint32, string, error) { +func (s *APIServer) createLoginToken(ctx context.Context, uid uint32) (uint32, string, error) { loginToken := token.Generate(16) var tid uint32 err := s.db.QueryRowContext(ctx, "INSERT INTO sign_sessions (user_id, token) VALUES ($1, $2) RETURNING id", uid, loginToken).Scan(&tid) @@ -42,7 +42,7 @@ func (s *Server) createLoginToken(ctx context.Context, uid uint32) (uint32, stri return tid, loginToken, nil } -func (s *Server) userIDFromToken(ctx context.Context, token string) (uint32, error) { +func (s *APIServer) userIDFromToken(ctx context.Context, token string) (uint32, error) { var userID uint32 err := s.db.QueryRowContext(ctx, "SELECT user_id FROM sign_sessions WHERE token = $1", token).Scan(&userID) if err == sql.ErrNoRows { @@ -53,7 +53,7 @@ func (s *Server) userIDFromToken(ctx context.Context, token string) (uint32, err return userID, nil } -func (s *Server) createCharacter(ctx context.Context, userID uint32) (Character, error) { +func (s *APIServer) createCharacter(ctx context.Context, userID uint32) (Character, error) { var character Character err := s.db.GetContext(ctx, &character, "SELECT id, name, is_female, weapon_type, hr, gr, last_login FROM characters WHERE is_new_character = true AND user_id = $1 LIMIT 1", @@ -78,7 +78,7 @@ func (s *Server) createCharacter(ctx context.Context, userID uint32) (Character, return character, err } -func (s *Server) deleteCharacter(ctx context.Context, userID uint32, charID uint32) error { +func (s *APIServer) deleteCharacter(ctx context.Context, userID uint32, charID uint32) error { var isNew bool err := s.db.QueryRow("SELECT is_new_character FROM characters WHERE id = $1", charID).Scan(&isNew) if err != nil { 
@@ -92,7 +92,7 @@ func (s *Server) deleteCharacter(ctx context.Context, userID uint32, charID uint return err } -func (s *Server) getCharactersForUser(ctx context.Context, uid uint32) ([]Character, error) { +func (s *APIServer) getCharactersForUser(ctx context.Context, uid uint32) ([]Character, error) { var characters []Character err := s.db.SelectContext( ctx, &characters, ` @@ -107,7 +107,7 @@ func (s *Server) getCharactersForUser(ctx context.Context, uid uint32) ([]Charac return characters, nil } -func (s *Server) getReturnExpiry(uid uint32) time.Time { +func (s *APIServer) getReturnExpiry(uid uint32) time.Time { var returnExpiry, lastLogin time.Time s.db.Get(&lastLogin, "SELECT COALESCE(last_login, now()) FROM users WHERE id=$1", uid) if time.Now().Add((time.Hour * 24) * -90).After(lastLogin) { @@ -124,7 +124,7 @@ func (s *Server) getReturnExpiry(uid uint32) time.Time { return returnExpiry } -func (s *Server) exportSave(ctx context.Context, uid uint32, cid uint32) (map[string]interface{}, error) { +func (s *APIServer) exportSave(ctx context.Context, uid uint32, cid uint32) (map[string]interface{}, error) { row := s.db.QueryRowxContext(ctx, "SELECT * FROM characters WHERE id=$1 AND user_id=$2", cid, uid) result := make(map[string]interface{}) err := row.MapScan(result) diff --git a/server/signv2server/endpoints.go b/server/api/endpoints.go similarity index 90% rename from server/signv2server/endpoints.go rename to server/api/endpoints.go index dd3864d2a..ef82cecdb 100644 --- a/server/signv2server/endpoints.go +++ b/server/api/endpoints.go @@ -1,4 +1,4 @@ -package signv2server +package api import ( "database/sql" 
@@ -30,9 +30,9 @@ const ( ) type LauncherResponse struct { - Banners []_config.SignV2Banner `json:"banners"` - Messages []_config.SignV2Message `json:"messages"` - Links []_config.SignV2Link `json:"links"` + Banners []_config.APISignBanner `json:"banners"` + Messages []_config.APISignMessage `json:"messages"` + Links []_config.APISignLink `json:"links"` } type User struct { @@ -75,7 +75,7 @@ type ExportData struct { Character map[string]interface{} `json:"character"` } -func (s *Server) newAuthData(userID uint32, userRights uint32, userTokenID uint32, userToken string, characters []Character) AuthData { +func (s *APIServer) newAuthData(userID uint32, userRights uint32, userTokenID uint32, userToken string, characters []Character) AuthData { resp := AuthData{ CurrentTS: uint32(channelserver.TimeAdjusted().Unix()), ExpiryTS: uint32(s.getReturnExpiry(userID).Unix()), @@ -86,7 +86,7 @@ func (s *Server) newAuthData(userID uint32, userRights uint32, userTokenID uint3 Token: userToken, }, Characters: characters, - PatchServer: s.erupeConfig.SignV2.PatchServer, + PatchServer: s.erupeConfig.API.PatchServer, Notices: []string{}, } if s.erupeConfig.DebugOptions.MaxLauncherHR { 
@@ -112,16 +112,16 @@ func (s *Server) newAuthData(userID uint32, userRights uint32, userTokenID uint3 return resp } -func (s *Server) Launcher(w http.ResponseWriter, r *http.Request) { +func (s *APIServer) Launcher(w http.ResponseWriter, r *http.Request) { var respData LauncherResponse - respData.Banners = s.erupeConfig.SignV2.Banners - respData.Messages = s.erupeConfig.SignV2.Messages - respData.Links = s.erupeConfig.SignV2.Links + respData.Banners = s.erupeConfig.API.Banners + respData.Messages = s.erupeConfig.API.Messages + respData.Links = s.erupeConfig.API.Links w.Header().Add("Content-Type", "application/json") json.NewEncoder(w).Encode(respData) } -func (s *Server) Login(w http.ResponseWriter, r *http.Request) { +func (s *APIServer) Login(w http.ResponseWriter, r *http.Request) { ctx := r.Context() var reqData struct { Username string `json:"username"` @@ -173,7 +173,7 @@ func (s *Server) Login(w http.ResponseWriter, r *http.Request) { json.NewEncoder(w).Encode(respData) } -func (s *Server) Register(w http.ResponseWriter, r *http.Request) { +func (s *APIServer) Register(w http.ResponseWriter, r *http.Request) { ctx := r.Context() var reqData struct { Username string `json:"username"` @@ -213,7 +213,7 @@ func (s *Server) Register(w http.ResponseWriter, r *http.Request) { json.NewEncoder(w).Encode(respData) } -func (s *Server) CreateCharacter(w http.ResponseWriter, r *http.Request) { +func (s *APIServer) CreateCharacter(w http.ResponseWriter, r *http.Request) { ctx := r.Context() var reqData struct { Token string `json:"token"` @@ -242,7 +242,7 @@ func (s *Server) CreateCharacter(w http.ResponseWriter, r *http.Request) { json.NewEncoder(w).Encode(character) } -func (s *Server) DeleteCharacter(w http.ResponseWriter, r *http.Request) { +func (s *APIServer) DeleteCharacter(w http.ResponseWriter, r *http.Request) { ctx := r.Context() var reqData struct { Token string `json:"token"` 
@@ -267,7 +267,7 @@ func (s *Server) DeleteCharacter(w http.ResponseWriter, r *http.Request) { json.NewEncoder(w).Encode(struct{}{}) } -func (s *Server) ExportSave(w http.ResponseWriter, r *http.Request) { +func (s *APIServer) ExportSave(w http.ResponseWriter, r *http.Request) { ctx := r.Context() var reqData struct { Token string `json:"token"` @@ -295,7 +295,7 @@ func (s *Server) ExportSave(w http.ResponseWriter, r *http.Request) { w.Header().Add("Content-Type", "application/json") json.NewEncoder(w).Encode(save) } -func (s *Server) ScreenShotGet(w http.ResponseWriter, r *http.Request) { +func (s *APIServer) ScreenShotGet(w http.ResponseWriter, r *http.Request) { // Get the 'id' parameter from the URL vars := mux.Vars(r) token := vars["id"] @@ -321,7 +321,7 @@ func (s *Server) ScreenShotGet(w http.ResponseWriter, r *http.Request) { return } } -func (s *Server) ScreenShot(w http.ResponseWriter, r *http.Request) { +func (s *APIServer) ScreenShot(w http.ResponseWriter, r *http.Request) { // Create a struct representing the XML result type Result struct { XMLName xml.Name `xml:"result"` From 295ff6537bbf94cd5f9207d4d249c5ce1768131e Mon Sep 17 00:00:00 2001 From: stratic-dev Date: Fri, 15 Mar 2024 20:00:39 +0000 Subject: [PATCH 6/6] Added utils to verify paths --- server/api/endpoints.go | 86 ++++++++++++++++++++++++----------------- server/api/utils.go | 37 ++++++++++++++++++ 2 files changed, 88 insertions(+), 35 deletions(-) create mode 100644 server/api/utils.go diff --git a/server/api/endpoints.go b/server/api/endpoints.go index ef82cecdb..4eaac119e 100644 --- a/server/api/endpoints.go +++ b/server/api/endpoints.go 
@@ -297,8 +297,7 @@ func (s *APIServer) ExportSave(w http.ResponseWriter, r *http.Request) {
 }
 func (s *APIServer) ScreenShotGet(w http.ResponseWriter, r *http.Request) {
 	// Get the 'id' parameter from the URL
-	vars := mux.Vars(r)
-	token := vars["id"]
+	token := mux.Vars(r)["id"]
 
 	var tokenPattern = regexp.MustCompile(`[A-Za-z0-9]+`)
 	if !tokenPattern.MatchString(token) || token == "" {
@@ -306,19 +305,28 @@ func (s *APIServer) ScreenShotGet(w http.ResponseWriter, r *http.Request) {
 	}
 
 	// Open the image file
-	path := filepath.Join(s.erupeConfig.Screenshots.OutputDir, fmt.Sprintf("%s.jpg", token))
-	file, err := os.Open(path)
+	safePath := s.erupeConfig.Screenshots.OutputDir
+	path := filepath.Join(safePath, fmt.Sprintf("%s.jpg", token))
+	result, err := verifyPath(path, safePath)
+
 	if err != nil {
-		http.Error(w, "Image not found", http.StatusNotFound)
-		return
-	}
-	defer file.Close()
-	// Set content type header to image/jpeg
-	w.Header().Set("Content-Type", "image/jpeg")
-	// Copy the image content to the response writer
-	if _, err := io.Copy(w, file); err != nil {
-		http.Error(w, "Unable to send image", http.StatusInternalServerError)
-		return
+		fmt.Println("Error " + err.Error())
+	} else {
+		fmt.Println("Canonical: " + result)
+
+		file, err := os.Open(result)
+		if err != nil {
+			http.Error(w, "Image not found", http.StatusNotFound)
+			return
+		}
+		defer file.Close()
+		// Set content type header to image/jpeg
+		w.Header().Set("Content-Type", "image/jpeg")
+		// Copy the image content to the response writer
+		if _, err := io.Copy(w, file); err != nil {
+			http.Error(w, "Unable to send image", http.StatusInternalServerError)
+			return
+		}
 	}
 }
 func (s *APIServer) ScreenShot(w http.ResponseWriter, r *http.Request) {
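Review bot: When verifyPath returns an error, the new branch only prints to stdout and then falls off the end of the handler, so the client receives an empty 200 rather than an error; it should respond like the os.Open branch does, `http.Error(w, "Image not found", http.StatusNotFound)` followed by `return`. Both fmt.Println calls belong on `s.logger`, which this file already uses, and the "Canonical:" line runs on every successful request, so at most it should be a Debug entry. The token check shown as context above the second hunk is unanchored — `[A-Za-z0-9]+` is satisfied by any id containing one alphanumeric — so `regexp.MustCompile(`^[A-Za-z0-9]+$`)` is what makes the filename restriction actually hold and also makes the `token == ""` test redundant. The 400 response for a bad token sits in the gap between the two hunks.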
@@ -355,33 +363,41 @@ func (s *APIServer) ScreenShot(w http.ResponseWriter, r *http.Request) {
 			result = Result{Code: "400"}
 		}
 
-		dir := filepath.Join(s.erupeConfig.Screenshots.OutputDir)
-		path := filepath.Join(s.erupeConfig.Screenshots.OutputDir, fmt.Sprintf("%s.jpg", token))
-		_, err = os.Stat(dir)
+		safePath := s.erupeConfig.Screenshots.OutputDir
+
+		path := filepath.Join(safePath, fmt.Sprintf("%s.jpg", token))
+		verified, err := verifyPath(path, safePath)
+
 		if err != nil {
-			if os.IsNotExist(err) {
-				err = os.MkdirAll(dir, os.ModePerm)
-				if err != nil {
-					s.logger.Error("Error writing screenshot, could not create folder")
+			result = Result{Code: "500"}
+		} else {
+
+			_, err = os.Stat(safePath)
+			if err != nil {
+				if os.IsNotExist(err) {
+					err = os.MkdirAll(safePath, os.ModePerm)
+					if err != nil {
+						s.logger.Error("Error writing screenshot, could not create folder")
+						result = Result{Code: "500"}
+					}
+				} else {
+					s.logger.Error("Error writing screenshot")
 					result = Result{Code: "500"}
 				}
-			} else {
-				s.logger.Error("Error writing screenshot")
+			}
+			// Create or open the output file
+			outputFile, err := os.Create(verified)
+			if err != nil {
 				result = Result{Code: "500"}
 			}
-		}
-		// Create or open the output file
-		outputFile, err := os.Create(path)
-		if err != nil {
-			result = Result{Code: "500"}
-		}
-		defer outputFile.Close()
+			defer outputFile.Close()
 
-		// Encode the image and write it to the file
-		err = jpeg.Encode(outputFile, img, &jpeg.Options{Quality: s.erupeConfig.Screenshots.UploadQuality})
-		if err != nil {
-			s.logger.Error("Error writing screenshot, could not write file", zap.Error(err))
-			result = Result{Code: "500"}
+			// Encode the image and write it to the file
+			err = jpeg.Encode(outputFile, img, &jpeg.Options{Quality: s.erupeConfig.Screenshots.UploadQuality})
+			if err != nil {
+				s.logger.Error("Error writing screenshot, could not write file", zap.Error(err))
+				result = Result{Code: "500"}
+			}
 		}
 	}
 	// Marshal the struct into XML
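Review bot: verifyPath resolves the destination with filepath.EvalSymlinks before the file exists, so the very first upload of any token comes back with err != nil and a 500, and the os.MkdirAll that would create the output directory is now reached only after that check, so a fresh install can never store a screenshot. Resolve and contain the directory rather than the file, then join the already-validated token onto the resolved root; the rewrite below does that and drops the os.Stat/IsNotExist dance, since MkdirAll is idempotent. The older fall-through after os.Create fails — `defer outputFile.Close()` and jpeg.Encode then run on a nil *os.File — is carried into the new code unchanged and is folded into the same rewrite. The enclosing if/else and the rest of ScreenShot continue outside the hunk.
```go
		safePath := s.erupeConfig.Screenshots.OutputDir
		if err = os.MkdirAll(safePath, os.ModePerm); err != nil {
			s.logger.Error("Error writing screenshot, could not create folder", zap.Error(err))
			result = Result{Code: "500"}
		} else {
			// Contain the directory, which exists now; the file itself may not yet.
			root, err := filepath.EvalSymlinks(safePath)
			if err != nil {
				s.logger.Error("Error writing screenshot, could not resolve folder", zap.Error(err))
				result = Result{Code: "500"}
			} else {
				verified := filepath.Join(root, fmt.Sprintf("%s.jpg", token))
				if err := inTrustedRoot(verified, root); err != nil {
					result = Result{Code: "500"}
				} else if outputFile, err := os.Create(verified); err != nil {
					s.logger.Error("Error writing screenshot, could not create file", zap.Error(err))
					result = Result{Code: "500"}
				} else {
					defer outputFile.Close()
					// … unchanged: jpeg.Encode and its error handling …
				}
			}
		}
```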
diff --git a/server/api/utils.go b/server/api/utils.go
new file mode 100644
index 000000000..1a7a18d26
--- /dev/null
+++ b/server/api/utils.go
@@ -0,0 +1,37 @@
+package api
+
+import (
+	"errors"
+	"fmt"
+	"path/filepath"
+)
+
+func inTrustedRoot(path string, trustedRoot string) error {
+	for path != "/" {
+		path = filepath.Dir(path)
+		if path == trustedRoot {
+			return nil
+		}
+	}
+	return errors.New("path is outside of trusted root")
+}
+
+func verifyPath(path string, trustedRoot string) (string, error) {
+
+	c := filepath.Clean(path)
+	fmt.Println("Cleaned path: " + c)
+
+	r, err := filepath.EvalSymlinks(c)
+	if err != nil {
+		fmt.Println("Error " + err.Error())
+		return c, errors.New("Unsafe or invalid path specified")
+	}
+
+	err = inTrustedRoot(r, trustedRoot)
+	if err != nil {
+		fmt.Println("Error " + err.Error())
+		return r, errors.New("Unsafe or invalid path specified")
+	} else {
+		return r, nil
+	}
+}
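Review bot: inTrustedRoot does not terminate when the candidate never equals trustedRoot: the loop runs until filepath.Dir yields "/", but Dir of a relative path bottoms out at "." (and on Windows at a drive root, never "/"), so with a relative OutputDir any comparison miss spins the request goroutine forever. A miss is easy to get, because `r` is the cleaned, symlink-resolved path while trustedRoot is compared raw, so an OutputDir with a trailing separator, a `./` prefix or a symlinked component never matches. Normalise both sides the same way (Abs, then EvalSymlinks) and test containment with filepath.Rel as in the rewrite below, which needs `strings` added to the import block; the fmt.Println debugging should go through the zap logger this package already uses or be dropped, and the error text should be lowercase per Go convention. Returning the unverified `c`/`r` next to a non-nil error invites callers to use it, so the rewrite returns "" on every error path.
```go
func inTrustedRoot(path string, trustedRoot string) error {
	rel, err := filepath.Rel(trustedRoot, path)
	if err != nil || rel == "." || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return errors.New("path is outside of trusted root")
	}
	return nil
}

func verifyPath(path string, trustedRoot string) (string, error) {
	// Normalise both sides identically so the containment check is like-for-like.
	root, err := filepath.Abs(trustedRoot)
	if err == nil {
		root, err = filepath.EvalSymlinks(root)
	}
	if err != nil {
		return "", errors.New("unsafe or invalid path specified")
	}
	resolved, err := filepath.Abs(path)
	if err == nil {
		resolved, err = filepath.EvalSymlinks(resolved)
	}
	if err != nil {
		return "", errors.New("unsafe or invalid path specified")
	}
	if err := inTrustedRoot(resolved, root); err != nil {
		return "", err
	}
	return resolved, nil
}
```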