ashirt-ops · jkennedyvz · Nov 7, 2023 · Oct 17, 2023 · Oct 18, 2023 · Oct 18, 2023
@@ -5,6 +5,7 @@ package contentstore
 
 import (
 	"io"
+	"time"
 
 	"github.com/ashirt-ops/ashirt-server/backend"
 	"github.com/aws/aws-sdk-go/aws"
@@ -70,6 +71,22 @@ func (s *S3Store) Read(key string) (io.Reader, error) {
 	return res.Body, nil
 }
 
+func (s *S3Store) SendURL(key string) (*string, error) {
+	contentType := "image/jpeg"
+	req, _ := s.s3Client.GetObjectRequest(&s3.GetObjectInput{
+		Bucket:              aws.String(s.bucketName),
+		Key:                 aws.String(key),
+		ResponseContentType: aws.String(contentType),
+	})
+
+	url, err := req.Presign(time.Hour * 8)
+	if err != nil {
+		return nil, backend.WrapError("Unable to get presigned URL", err)
+	}
+
+	return &url, nil
+}
+
 // Delete removes files in in your OS's temp directory
 func (s *S3Store) Delete(key string) error {
 	_, err := s.s3Client.DeleteObject(&s3.DeleteObjectInput{

@@ -23,6 +23,7 @@ type Evidence struct {
 	Operator    User      `json:"operator"`
 	Tags        []Tag     `json:"tags"`
 	ContentType string    `json:"contentType"`
+	SendUrl     bool      `json:"sendUrl"`
 }
 
 type EvidenceMetadata struct {

@@ -4,6 +4,7 @@
 package server
 
 import (
+	"bytes"
 	"encoding/json"
 	"errors"
 	"fmt"
@@ -479,7 +480,7 @@ func bindWebRoutes(r chi.Router, db *database.Connection, contentStore contentst
 		if dr.Error != nil {
 			return nil, dr.Error
 		}
-		return services.ListEvidenceForOperation(r.Context(), db, i)
+		return services.ListEvidenceForOperation(r.Context(), db, contentStore, i)
 	}))
 
 	route(r, "GET", "/operations/{operation_slug}/evidence/creators", jsonHandler(func(r *http.Request) (interface{}, error) {
@@ -519,7 +520,13 @@ func bindWebRoutes(r chi.Router, db *database.Connection, contentStore contentst
 		if err != nil {
 			return nil, backend.WrapError("Unable to read evidence", err)
 		}
-
+		if s3Store, ok := contentStore.(*contentstore.S3Store); ok && evidence.ContentType == "image" {
+			url, err := services.SendUrl(r.Context(), db, s3Store, i)
+			if err != nil {
+				return nil, backend.WrapError("Unable get s3 URL", err)
+			}
+			return bytes.NewReader([]byte(*url)), nil
+		}
 		if i.LoadPreview {
 			return evidence.Preview, nil
 		}

@@ -257,7 +257,7 @@ func ListEvidenceForFinding(ctx context.Context, db *database.Connection, i List
 
 // ListEvidenceForOperation retrieves all evidence for a particular operation id matching a particular
 // set of filters (e.g. tag:some_tag)
-func ListEvidenceForOperation(ctx context.Context, db *database.Connection, i ListEvidenceForOperationInput) ([]*dtos.Evidence, error) {
+func ListEvidenceForOperation(ctx context.Context, db *database.Connection, contentStore contentstore.Store, i ListEvidenceForOperationInput) ([]*dtos.Evidence, error) {
 	operation, err := lookupOperation(db, i.OperationSlug)
 	if err != nil {
 		return nil, backend.WrapError("Unable to list evidence for an operation", backend.UnauthorizedReadErr(err))
@@ -316,6 +316,12 @@ func ListEvidenceForOperation(ctx context.Context, db *database.Connection, i Li
 	}
 
 	evidenceDTO := make([]*dtos.Evidence, len(evidence))
+
+	sendUrl := false
+	if _, ok := contentStore.(*contentstore.S3Store); ok {
+		sendUrl = true
+	}
+
 	for idx, evi := range evidence {
 		tags, ok := tagsByEvidenceID[evi.ID]
 
@@ -330,11 +336,28 @@ func ListEvidenceForOperation(ctx context.Context, db *database.Connection, i Li
 			OccurredAt:  evi.OccurredAt,
 			ContentType: evi.ContentType,
 			Tags:        tags,
+			SendUrl:     sendUrl,
 		}
 	}
 	return evidenceDTO, nil
 }
 
+func SendUrl(ctx context.Context, db *database.Connection, contentStore *contentstore.S3Store, i ReadEvidenceInput) (*string, error) {
+	operation, evidence, err := lookupOperationEvidence(db, i.OperationSlug, i.EvidenceUUID)
+	if err != nil {
+		return nil, backend.WrapError("Unable to read evidence", backend.UnauthorizedReadErr(err))
+	}
+	if err := policy.Require(middleware.Policy(ctx), policy.CanReadOperation{OperationID: operation.ID}); err != nil {
+		return nil, backend.WrapError("Unwilling to read evidence", backend.UnauthorizedReadErr(err))
+	}
+	str, err := contentStore.SendURL(evidence.FullImageKey)
+	if err != nil {
+		return nil, backend.WrapError("Unable to get image URL", backend.ServerErr(err))
+	}
+
+	return str, nil
+
+}
 func ReadEvidence(ctx context.Context, db *database.Connection, contentStore contentstore.Store, i ReadEvidenceInput) (*ReadEvidenceOutput, error) {
 	operation, evidence, err := lookupOperationEvidence(db, i.OperationSlug, i.EvidenceUUID)
 	if err != nil {

@@ -195,6 +195,7 @@ func TestListEvidenceForFinding(t *testing.T) {
 func TestListEvidenceForOperation(t *testing.T) {
 	RunResettableDBTest(t, func(db *database.Connection, _ TestSeedData) {
 		ctx := contextForUser(UserRon, db)
+		cs, _ := contentstore.NewMemStore()
 
 		masterOp := OpChamberOfSecrets
 		allEvidence := getFullEvidenceByOperationID(t, db, masterOp.ID)
@@ -206,7 +207,7 @@ func TestListEvidenceForOperation(t *testing.T) {
 			Filters:       helpers.TimelineFilters{},
 		}
 
-		foundEvidence, err := services.ListEvidenceForOperation(ctx, db, input)
+		foundEvidence, err := services.ListEvidenceForOperation(ctx, db, cs, input)
 		require.NoError(t, err)
 		require.Equal(t, len(foundEvidence), len(allEvidence))
 		validateEvidenceSets(t, toRealEvidenceList(foundEvidence), allEvidence, validateEvidence)

diff --git a/frontend/nginx.conf b/frontend/nginx.conf
@@ -8,7 +8,7 @@ server {
     add_header X-Content-Type-Options "nosniff" always;
     add_header Referrer-Policy "strict-origin-when-cross-origin" always;
     add_header Content-Security-Policy "default-src 'none'; base-uri 'none'; form-action 'none'; frame-ancestors 'none'; sandbox allow-downloads allow-scripts allow-same-origin allow-forms allow-popups; connect-src 'self'; font-src 'self'; img-src 'self' data:; script-src 'self'; style-src 'self' 'unsafe-inline'; report-uri 'https://csp.yahoo.com/beacon/csp?src=ashirt'" always;
-
+    
     add_header Strict-transport-security "max-age=31536000" always;
     add_header Expect-CT "max-age=31536000, report-uri='https://csp.yahoo.com/beacon/csp?src=ashirt'" always;
 

diff --git a/frontend/public/index.html b/frontend/public/index.html
@@ -1,10 +1,9 @@
-<!doctype html>
+<!DOCTYPE html>
 <html>
-<head>
-  <title>ASHIRT</title>
-  <link rel="stylesheet" href="/assets/main.css">
-</head>
-<body>
-  <script src="/assets/main.js"></script>
-</body>
-</html>
+  <head>
+    <meta charset="utf-8">
+    <title>ASHIRT</title>
+  <meta name="viewport" content="width=device-width, initial-scale=1"><script defer src="/assets/main-c568069d04dd91a55502.js"></script><link href="/assets/main-b0ad39be34ceaa80dd41.css" rel="stylesheet"></head>
+  <body>
+  </body>
+</html>
@@ -43,6 +43,7 @@ const EvidenceRow = (props: {
         evidenceUuid={props.evidence.uuid}
         contentType={props.evidence.contentType}
         onClick={(e) => { e.stopPropagation(); setLightboxOpen(true)} }
+        useS3Url={props.evidence.sendUrl}
         fitToContainer
         viewHint="small"
         interactionHint="inactive"
@@ -55,6 +56,7 @@ const EvidenceRow = (props: {
           operationSlug={props.operationSlug}
           evidenceUuid={props.evidence.uuid}
           contentType={props.evidence.contentType}
+          useS3Url={props.evidence.sendUrl}
           viewHint="large"
           interactionHint="active"
         />

@@ -40,6 +40,7 @@ export default (props: {
   interactionHint?: InteractionHint,
   className?: string,
   fitToContainer?: boolean,
+  useS3Url: boolean,
   onClick?: (event: React.MouseEvent<HTMLDivElement, MouseEvent>) => void,
 }) => {
   const Component = getComponent(props.contentType)
@@ -65,6 +66,7 @@ type EvidenceProps = {
   evidenceUuid: string,
   viewHint?: EvidenceViewHint,
   interactionHint?: InteractionHint,
+  useS3Url: boolean
 }
 
 const EvidenceCodeblock = (props: EvidenceProps) => {
@@ -77,8 +79,16 @@ const EvidenceCodeblock = (props: EvidenceProps) => {
 }
 
 const EvidenceImage = (props: EvidenceProps) => {
-  const fullUrl = `/web/operations/${props.operationSlug}/evidence/${props.evidenceUuid}/media`
-  return <img src={fullUrl} />
+  if (props.useS3Url) {
+    const wiredUrl = useWiredData<string>(React.useCallback(() => getEvidenceAsString({
+      operationSlug: props.operationSlug,
+      evidenceUuid: props.evidenceUuid,
+    }), [props.operationSlug, props.evidenceUuid]))
+    return wiredUrl.render(url => <img src={url} />)
+  } else {
+    const fullUrl = `/web/operations/${props.operationSlug}/evidence/${props.evidenceUuid}/media`
+    return <img src={fullUrl} />
+  }
 }
 
 const EvidenceEvent = (_props: EvidenceProps) => {

@@ -266,6 +266,7 @@ const uuidToBasicEvidence = (uuid: string): Evidence => ({
   occurredAt: new Date(),
   tags: [],
   contentType: 'none',
+  sendUrl: false
 })
 
 const ChooseEvidenceModal = (props: {

@@ -111,6 +111,7 @@ export default (props: {
           operationSlug={props.operationSlug}
           evidenceUuid={activeEvidence.uuid}
           contentType={activeEvidence.contentType}
+          useS3Url={activeEvidence.sendUrl}
           viewHint="large"
           interactionHint="active"
         />
@@ -158,6 +159,7 @@ const TimelineRow = (props: {
           operationSlug={props.operationSlug}
           evidenceUuid={props.evidence.uuid}
           contentType={props.evidence.contentType}
+          useS3Url={props.evidence.sendUrl}
           viewHint="medium"
           interactionHint="inactive"
         />

@@ -115,6 +115,7 @@ export type Evidence = {
   occurredAt: Date,
   tags: Array<Tag>,
   contentType: SupportedEvidenceType
+  sendUrl: boolean,
 }
 
 export type ExportedEvidence = Omit<Evidence, 'tags' | 'uuid'> & {

@@ -41,7 +41,8 @@ export const BatchRunWorker = (props: {
           occurredAt: new Date(),
           tags: [],
           metadata: [],
-          contentType: 'image'
+          contentType: 'image',
+          sendUrl: false
         }))
       )}
       {...modalProps}

diff --git a/frontend/webpack.config.js b/frontend/webpack.config.js
@@ -107,14 +107,15 @@ module.exports = (env, argv) => ({
         "base-uri 'none'",
         "form-action 'none'",
         "frame-ancestors 'none'",
-        "sandbox allow-scripts allow-same-origin allow-forms allow-popups allow-downloads",
+        "sandbox allow-downloads allow-scripts allow-same-origin allow-forms allow-popups",
 
         // Allow xhr/fonts/images/scripts/css from self
         "connect-src 'self'",
         "font-src 'self'",
+        // amazonaws. or buvcket name
         "img-src 'self' data:",
         "script-src 'self'",
-        "style-src 'self' 'unsafe-inline'",
+        "style-src 'self' 'unsafe-inline'",       
       ].join(';'),
     },
   }