From fca0fed9723dc4e15d382c47c6c7121e32fa7399 Mon Sep 17 00:00:00 2001
From: Ben Busby
Date: Mon, 3 Feb 2025 21:14:39 -0700
Subject: [PATCH 1/3] Validate upload URL before initiating large file upload

There seems to be a situation where a large file upload can be marked as non-local and attempt to POST file contents to an invalid URL (in this case, the name of the local upload directory). This obviously results in an error. This change ensures that the designated upload URL is actually a valid URL, otherwise it forces the local-only "dummy" mode to be enabled. See #14
---
 backend/server/transfer/upload.go | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/backend/server/transfer/upload.go b/backend/server/transfer/upload.go
index edfba8e..07f6386 100644
--- a/backend/server/transfer/upload.go
+++ b/backend/server/transfer/upload.go
@@ -4,6 +4,7 @@ import (
 "errors"
 "github.com/benbusby/b2"
 "log"
+ "net/url"
 db "yeetfile/backend/db"
 "yeetfile/backend/service"
 "yeetfile/backend/utils"
@@ -155,12 +156,22 @@ func InitLargeB2Upload(filename string, upload db.B2Upload) error {
 return err
 }

+ isDummy := info.Dummy
+ if !isDummy {
+ // Ensure that the dummy option is enabled if the request URI
+ // is not actually valid
+ _, err = url.ParseRequestURI(upload.UploadURL)
+ if err != nil {
+ isDummy = true
+ }
+ }
+
 return db.UpdateUploadValues(
 upload.MetadataID,
 info.UploadURL,
 info.AuthorizationToken,
 info.FileID, // Multi-chunk files use the file ID for uploading
- info.Dummy)
+ isDummy)
 }

 func ResetLargeUpload(b2FileID string, metadataID string) (b2.FilePartInfo, error) {

From 77ddd92c686f8cc98ce5eab8d595a76230415257 Mon Sep 17 00:00:00 2001
From: Ben Busby
Date: Tue, 4 Feb 2025 12:32:44 -0700
Subject: [PATCH 2/3] Trim whitespace added by bubbletea on login w/ windows CLI

Fixes #19
---
 cli/commands/auth/login/login.go | 4 ++++
 cross_compile.sh | 14 ++++++++++----
 2 files changed, 14 insertions(+), 4 deletions(-)
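Review bot: `url.ParseRequestURI` on the added line also accepts a bare absolute path (`/var/uploads`, for example), so if the local upload directory is ever configured as an absolute path the check still passes and the non-dummy branch is kept; requiring a scheme and host closes that gap: `if u, perr := url.ParseRequestURI(upload.UploadURL); perr != nil || u.Host == "" || (u.Scheme != "http" && u.Scheme != "https") {`. The string validated is `upload.UploadURL`, while the value persisted a few lines later is `info.UploadURL`; if those two can differ, the guard is applied to the wrong one, which is worth confirming against the caller. Falling back to dummy mode silently hides a misconfiguration, so a `log.Printf` (the package is already imported) recording that the fallback happened would make it visible to operators. InitLargeB2Upload's body starts before this hunk.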
diff --git a/cli/commands/auth/login/login.go b/cli/commands/auth/login/login.go
index e87952e..fcceb0a 100644
--- a/cli/commands/auth/login/login.go
+++ b/cli/commands/auth/login/login.go
@@ -1,6 +1,7 @@
 package login

 import (
+ "strings"
 "yeetfile/cli/crypto"
 "yeetfile/cli/globals"
 "yeetfile/cli/utils"
@@ -11,6 +12,9 @@ import (
 // generate the login key hash, and stores the user's key pair in their config
 // directory
 func LogIn(identifier, password, code string, sessionKey, vaultKey []byte) error {
+ identifier = strings.TrimSpace(identifier)
+ password = strings.TrimSpace(password)
+
 userKey, loginKeyHash := crypto.GenerateUserKeys(identifier, password)

 login := shared.Login{
diff --git a/cross_compile.sh b/cross_compile.sh
index feb64e7..8bfdf7c 100755
--- a/cross_compile.sh
+++ b/cross_compile.sh
@@ -67,10 +67,12 @@ do
 arch_name="arm32"
 fi

- tar_name="${output_name}_${GOOS}_${arch_name}_${VER}.tar.gz"
+ compressed_name="${output_name}_${GOOS}_${arch_name}_${VER}.tar.gz"
 if [ $GOOS = "darwin" ]; then
 os_name="macOS"
- tar_name="${output_name}_macos_${arch_name}_${VER}.tar.gz"
+ compressed_name="${output_name}_macos_${arch_name}_${VER}.tar.gz"
+ elif [ $GOOS = "windows" ]; then
+ compressed_name="${output_name}_windows_${arch_name}_${VER}.zip"
 fi

 if [ $GOOS = "windows" ]; then
@@ -85,10 +87,14 @@ do
 exit 1
 fi

- tar -czvf out/$tar_name $output_name
+ if [ $GOOS = "windows" ]; then
+ zip -j out/$compressed_name $output_name
+ else
+ tar -czvf out/$compressed_name $output_name
+ fi
 rm -f $output_name

- full_link="$RELEASE_NOTES_LINK/$tar_name"
+ full_link="$RELEASE_NOTES_LINK/$compressed_name"
 printf -- "- $os_name (\`$arch_name\`): [$tar_name]($full_link)\n" >> $RELEASE_NOTES_FILE
 done

From af0b6a375e9c30aa18f51c94fd0215b2e88503cc Mon Sep 17 00:00:00 2001
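Review bot: `strings.TrimSpace(password)` on the added line strips every leading and trailing whitespace character, not only the line-ending bytes the commit message attributes to bubbletea on Windows, so a password that legitimately starts or ends with a space now derives a different key than the one produced at signup and the login fails. Unless the signup path applies the same normalisation (not visible here), trim only the line terminator, `password = strings.TrimRight(password, "\r\n")`, or move the trimming into the bubbletea input handling so the key derivation sees exactly what the user typed; trimming `identifier` is harmless. LogIn's body continues outside the hunk.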
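Review bot: The `printf` line at the end of the second hunk still interpolates `$tar_name`, which the rest of the change renamed to `compressed_name`, so the link text written to the release notes is now empty (or stale, if the variable survives from an earlier loop iteration). Change the placeholder to `[$compressed_name]($full_link)` so the text matches the link target. The new `zip -j out/$compressed_name $output_name` and `tar -czvf out/$compressed_name $output_name` lines leave both variables unquoted; double-quoting them keeps the script working for names containing spaces or glob characters.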
From: Ben Busby
Date: Tue, 4 Feb 2025 12:48:37 -0700
Subject: [PATCH 3/3] Include tld in email obfuscation

---
 backend/server/auth/handlers.go | 2 +-
 backend/server/html/handlers.go | 3 +--
 backend/utils/misc.go | 31 ----------------------------
 shared/utils.go | 36 +++++++++++++++++++++++++++++++++
 4 files changed, 38 insertions(+), 34 deletions(-)

diff --git a/backend/server/auth/handlers.go b/backend/server/auth/handlers.go
index 573c524..8455f52 100644
--- a/backend/server/auth/handlers.go
+++ b/backend/server/auth/handlers.go
@@ -161,7 +161,7 @@ func AccountHandler(w http.ResponseWriter, req *http.Request, id string) {
 return
 }

- obscuredEmail, _ := utils.ObscureEmail(user.Email)
+ obscuredEmail, _ := shared.ObscureEmail(user.Email)
 _ = json.NewEncoder(w).Encode(shared.AccountResponse{
 Email: obscuredEmail,
 PaymentID: user.PaymentID,
diff --git a/backend/server/html/handlers.go b/backend/server/html/handlers.go
index 28eff8c..ec0acb1 100644
--- a/backend/server/html/handlers.go
+++ b/backend/server/html/handlers.go
@@ -11,7 +11,6 @@ import (
 "yeetfile/backend/server/html/templates"
 "yeetfile/backend/server/session"
 "yeetfile/backend/server/upgrades"
- "yeetfile/backend/utils"
 "yeetfile/shared"
 "yeetfile/shared/endpoints"
 )
@@ -198,7 +197,7 @@ func AccountPageHandler(w http.ResponseWriter, req *http.Request, userID string) {
 successMsg, errorMsg := generateAccountMessages(req)
 hasHint := user.PasswordHint != nil && len(user.PasswordHint) > 0

- obscuredEmail, _ := utils.ObscureEmail(user.Email)
+ obscuredEmail, _ := shared.ObscureEmail(user.Email)
 isPrevUpgraded := user.UpgradeExp.Year() >= 2024

 _ = templates.ServeTemplate(
diff --git a/backend/utils/misc.go b/backend/utils/misc.go
index c1952c8..1d84a43 100644
--- a/backend/utils/misc.go
+++ b/backend/utils/misc.go
@@ -4,7 +4,6 @@ import (
 "crypto/sha1"
 "encoding/base64"
 "encoding/json"
- "errors"
 "fmt"
 "io"
 "log"
@@ -238,36 +237,6 @@ func ParseSizeString(str string) int64 {
 return 0
 }

-// ObscureEmail takes an email and strips out the majority of the address and
-// domain, adding "***" as an indicator of the obfuscation for both.
-func ObscureEmail(email string) (string, error) {
- segments := strings.Split(email, "@")
- if len(segments) != 2 {
- return "", errors.New("invalid email")
- }
-
- address := segments[0]
- domain := segments[1]
-
- var hiddenEmail string
- if len(address) > 1 {
- hiddenEmail = fmt.Sprintf(
- "%c%c***%c@%c***.com",
- address[0],
- address[1],
- address[len(address)-1],
- domain[0])
- } else {
- hiddenEmail = fmt.Sprintf(
- "%c***%c@%c***.com",
- address[0],
- address[len(address)-1],
- domain[0])
- }
-
- return hiddenEmail, nil
-}
-
 // LimitedChunkReader reads the request body, limited to max chunk size + encryption
 // overhead + 1024 bytes. This is big enough for all data-containing requests
 // made to the YeetFile API.
diff --git a/shared/utils.go b/shared/utils.go
index 0d016c9..ccbc8a2 100644
--- a/shared/utils.go
+++ b/shared/utils.go
@@ -2,6 +2,7 @@ package shared

 import (
 "bufio"
+ "errors"
 "fmt"
 "math"
 "math/rand"
@@ -184,3 +185,38 @@ func ArrayContains(items []string, target string) bool {
 }
 return false
 }
+
+// ObscureEmail takes an email and strips out the majority of the address and
+// domain, adding "***" as an indicator of the obfuscation for both.
+func ObscureEmail(email string) (string, error) {
+ segments := strings.Split(email, "@")
+ if len(segments) != 2 {
+ return "", errors.New("invalid email")
+ }
+
+ address := segments[0]
+ domain := segments[1]
+
+ segments = strings.Split(email, ".")
+ ext := segments[len(segments)-1]
+
+ var hiddenEmail string
+ if len(address) > 1 {
+ hiddenEmail = fmt.Sprintf(
+ "%c%c***%c@%c***.%s",
+ address[0],
+ address[1],
+ address[len(address)-1],
+ domain[0],
+ ext)
+ } else {
+ hiddenEmail = fmt.Sprintf(
+ "%c***%c@%c***.%s",
+ address[0],
+ address[len(address)-1],
+ domain[0],
+ ext)
+ }
+
+ return hiddenEmail, nil
+}
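Review bot: `segments = strings.Split(email, ".")` splits the whole email rather than `domain`, so `ext` is whatever follows the last dot anywhere in the address: for `first.last@localhost` it is `last`, and for an address with no dot at all it is the entire email, which defeats the obfuscation and echoes the full address back into the account response and page. `address[0]` and `domain[0]` are also indexed without checking for an empty local part or domain (`@example.com`, `user@`), which panics instead of returning the "invalid email" error. Deriving the TLD from `domain` only and rejecting empty segments up front fixes both; the `hiddenEmail` formatting below that point is unchanged.
```go
func ObscureEmail(email string) (string, error) {
	segments := strings.Split(email, "@")
	if len(segments) != 2 || segments[0] == "" || segments[1] == "" {
		return "", errors.New("invalid email")
	}

	address := segments[0]
	domain := segments[1]

	// Take the TLD from the domain only; splitting the whole email on "."
	// would pick up dots in the local part, or the entire address when
	// there is no dot at all.
	ext := ""
	if i := strings.LastIndex(domain, "."); i >= 0 {
		ext = domain[i+1:]
	}
	// … unchanged: hiddenEmail formatting and return …
```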