aboutsummaryrefslogtreecommitdiffstats
path: root/src
diff options
context:
space:
mode:
authorMatt Strapp <matt@mattstrapp.net>2022-03-10 17:19:51 -0600
committerMatt Strapp <matt@mattstrapp.net>2022-03-10 17:19:51 -0600
commitd16cb71aa6b74358442dc38d87814c9f75662e93 (patch)
tree97968a863d0b43b1f88de25720ec26870f2df72a /src
parentBump @typescript-eslint/parser from 5.13.0 to 5.14.0 (#23) (diff)
downloadee4511w-web-d16cb71aa6b74358442dc38d87814c9f75662e93.tar
ee4511w-web-d16cb71aa6b74358442dc38d87814c9f75662e93.tar.gz
ee4511w-web-d16cb71aa6b74358442dc38d87814c9f75662e93.tar.bz2
ee4511w-web-d16cb71aa6b74358442dc38d87814c9f75662e93.tar.lz
ee4511w-web-d16cb71aa6b74358442dc38d87814c9f75662e93.tar.xz
ee4511w-web-d16cb71aa6b74358442dc38d87814c9f75662e93.tar.zst
ee4511w-web-d16cb71aa6b74358442dc38d87814c9f75662e93.zip
Add and run a formatter
Signed-off-by: Matt Strapp <matt@mattstrapp.net>
Diffstat (limited to 'src')
-rw-r--r--src/index.ts17
-rw-r--r--src/public/css/style.css127
-rw-r--r--src/public/js/form.js128
-rw-r--r--src/routes/api.ts287
4 files changed, 284 insertions, 275 deletions
diff --git a/src/index.ts b/src/index.ts
index 63c803c..def7aff 100644
--- a/src/index.ts
+++ b/src/index.ts
@@ -20,14 +20,13 @@ const csrf = csurf({ cookie: true });
// Rate limiting
const rateLimiter = rateLimit({
- windowMs: 1 * 60 * 1000, // 1 minute
- max: 40, // Limit each IP to 40 requests per `window` (here, per 1 minutes)
- standardHeaders: true, // Return rate limit info in the `RateLimit-*` headers
- legacyHeaders: false, // Disable the `X-RateLimit-*` headers
+ windowMs: 1 * 60 * 1000, // 1 minute
+ max: 40, // Limit each IP to 40 requests per `window` (here, per 1 minutes)
+ standardHeaders: true, // Return rate limit info in the `RateLimit-*` headers
+ legacyHeaders: false, // Disable the `X-RateLimit-*` headers
});
app.use(rateLimiter);
-
// The API
app.use('/api/v1/', api);
@@ -40,14 +39,14 @@ app.use('/public', express.static(path.join(__dirname, 'public'))); // Set stati
/* ROUTING */
app.get('/', csrf, (req: Request, res: Response) => {
- res.render('index', { csrfToken: req.csrfToken() });
+ res.render('index', { csrfToken: req.csrfToken() });
});
app.get('/about', csrf, (req: Request, res: Response) => {
- res.render('about');
+ res.render('about');
});
// Start the server
const port = env.PORT || 2000;
app.listen(port, () => {
- console.log(`Server is listening on port ${port}`);
-}); \ No newline at end of file
+ console.log(`Server is listening on port ${port}`);
+});
diff --git a/src/public/css/style.css b/src/public/css/style.css
index a106926..3165d06 100644
--- a/src/public/css/style.css
+++ b/src/public/css/style.css
@@ -1,126 +1,117 @@
body {
- background-color: black;
- color: white;
- text-align: center;
- vertical-align: middle;
- position: relative;
+ background-color: black;
+ color: white;
+ text-align: center;
+ vertical-align: middle;
+ position: relative;
}
.header {
- margin: 5px;
- font-family: "Times New Roman", Times, serif;
+ margin: 5px;
+ font-family: 'Times New Roman', Times, serif;
}
-
/* Customize HTML paragraph element margins */
p {
- display: block;
- margin-top: 1em;
- margin-bottom: 1em;
- margin-left: 15%;
- margin-right: 15%;
+ display: block;
+ margin-top: 1em;
+ margin-bottom: 1em;
+ margin-left: 15%;
+ margin-right: 15%;
}
-
/*-------------------------Buttons-----------------------------------------------------*/
-
/* Used for id=button1 */
#actuate-but {
- background-color: #0a3f73;
- border: solid;
- border-color: #d5d6d2;
- color: white;
- padding: 10px 20px;
- text-align: center;
- text-decoration: none;
- font-family: "Constantia", sans-serif;
- border-radius: 10px;
- display: inline-block;
- font-size: 20px;
+ background-color: #0a3f73;
+ border: solid;
+ border-color: #d5d6d2;
+ color: white;
+ padding: 10px 20px;
+ text-align: center;
+ text-decoration: none;
+ font-family: 'Constantia', sans-serif;
+ border-radius: 10px;
+ display: inline-block;
+ font-size: 20px;
}
-
/* Used for id=button1 - What the button looks like when a user puts one's cursor on it */
#actuate-but:hover {
- background-color: white;
- color: maroon;
- cursor: pointer;
+ background-color: white;
+ color: maroon;
+ cursor: pointer;
}
-
a {
- color: blue;
- text-decoration: none;
+ color: blue;
+ text-decoration: none;
}
-
/* Used for the about page*/
.about {
- color: white;
- text-align: center;
- margin: 5px;
- font-size: large;
+ color: white;
+ text-align: center;
+ margin: 5px;
+ font-size: large;
}
-
#Background {
- color: #ffbb00;
+ color: #ffbb00;
}
#Pendulum_info {
- /* #4294cf is similar to a light blue color */
- color: #4294cf;
+ /* #4294cf is similar to a light blue color */
+ color: #4294cf;
}
-
/* Used for id=Start */
#Start {
- font-size: 25px;
- font-weight: bold;
- color: #ffbb00;
+ font-size: 25px;
+ font-weight: bold;
+ color: #ffbb00;
}
-
.navbar {
- top: 0;
- width: 100%;
- list-style-type: none;
- margin: 0;
- padding: 0;
- overflow: hidden;
- background-color: #7a0019;
+ top: 0;
+ width: 100%;
+ list-style-type: none;
+ margin: 0;
+ padding: 0;
+ overflow: hidden;
+ background-color: #7a0019;
}
.navbar li {
- float: left;
+ float: left;
}
.navbar li a {
- display: block;
- color: white;
- text-align: center;
- padding: 14px 16px;
- font-family: "Raleway", sans-serif;
- text-decoration: none;
+ display: block;
+ color: white;
+ text-align: center;
+ padding: 14px 16px;
+ font-family: 'Raleway', sans-serif;
+ text-decoration: none;
}
.navbar li a:hover {
- background-color: #ffcc33;
- color: #000000;
- /* Remove underlines from links */
- text-decoration: none;
+ background-color: #ffcc33;
+ color: #000000;
+ /* Remove underlines from links */
+ text-decoration: none;
}
h2 {
- font-size: larger;
+ font-size: larger;
}
.error {
- color: red;
-} \ No newline at end of file
+ color: red;
+}
diff --git a/src/public/js/form.js b/src/public/js/form.js
index 9e926fa..1e9eaca 100644
--- a/src/public/js/form.js
+++ b/src/public/js/form.js
@@ -1,84 +1,80 @@
// This is split into comments so it doesn't look as gross with the closure tabs
window.onload = function () {
- document.getElementById('nojs').hidden = true;
- document.getElementById('block').hidden = false;
+ document.getElementById('nojs').hidden = true;
+ document.getElementById('block').hidden = false;
};
// File submit AJAX request
// After successful upload, actuate the file by calling actuate() on the successfully uploaded file
document.getElementById('upload').onsubmit = function () {
- // Reset error message and success message
- document.getElementById('upload-err').innerText = '';
- document.getElementById('actuate-err').innerText = '';
- document.getElementById('upload-response').innerText = '';
- document.getElementById('download-link').innerText = '';
- // Make AJAX request
- let xhr = new XMLHttpRequest();
- xhr.open('POST', '/api/v1/upload');
- let formData = new FormData(this);
- xhr.send(formData);
- xhr.onreadystatechange = function () {
- if (xhr.readyState === 4) {
- let response = JSON.parse(xhr.responseText);
- if (xhr.status === 201) {
- // Display upload success message to the user
- document.getElementById('upload-response').innerText = response.msg;
- actuate(response);
- } else {
- // Display upload error message to the user
- document.getElementById('upload-err').innerText = response.error;
- // DEBUG: Print full error if unknown error occurs
- if (xhr.status === 500)
- console.error(response.error_msg);
- }
- }
- };
- document.getElementById('upload').reset();
- return false;
+ // Reset error message and success message
+ document.getElementById('upload-err').innerText = '';
+ document.getElementById('actuate-err').innerText = '';
+ document.getElementById('upload-response').innerText = '';
+ document.getElementById('download-link').innerText = '';
+ // Make AJAX request
+ let xhr = new XMLHttpRequest();
+ xhr.open('POST', '/api/v1/upload');
+ let formData = new FormData(this);
+ xhr.send(formData);
+ xhr.onreadystatechange = function () {
+ if (xhr.readyState === 4) {
+ let response = JSON.parse(xhr.responseText);
+ if (xhr.status === 201) {
+ // Display upload success message to the user
+ document.getElementById('upload-response').innerText = response.msg;
+ actuate(response);
+ } else {
+ // Display upload error message to the user
+ document.getElementById('upload-err').innerText = response.error;
+ // DEBUG: Print full error if unknown error occurs
+ if (xhr.status === 500) console.error(response.error_msg);
+ }
+ }
+ };
+ document.getElementById('upload').reset();
+ return false;
};
// Actuate button AJAX request
// Should always be called after upload
// Implies that upload has been successful since it relies on the upload response
-//
+//
function actuate(file) {
- let xhr = new XMLHttpRequest();
- xhr.open('POST', '/api/v1/actuate');
- let data = {
- file: file.file
- };
- xhr.setRequestHeader('Content-Type', 'application/json; charset=utf-8');
- xhr.setRequestHeader('X-CSRF-TOKEN', file.csrf);
- xhr.send(JSON.stringify(data));
- xhr.onreadystatechange = function () {
- if (xhr.readyState === 4) {
- let response = JSON.parse(xhr.responseText);
- if (xhr.status === 200 || xhr.status === 500) {
- createDownload(response.file);
- }
- if (xhr.status === 500) {
- document.getElementById('actuate-err').innerText = response.error;
- // DEBUG: Print full error if unknown error occurs
- console.error(response.error_msg);
- }
-
- }
- return;
- };
+ let xhr = new XMLHttpRequest();
+ xhr.open('POST', '/api/v1/actuate');
+ let data = {
+ file: file.file,
+ };
+ xhr.setRequestHeader('Content-Type', 'application/json; charset=utf-8');
+ xhr.setRequestHeader('X-CSRF-TOKEN', file.csrf);
+ xhr.send(JSON.stringify(data));
+ xhr.onreadystatechange = function () {
+ if (xhr.readyState === 4) {
+ let response = JSON.parse(xhr.responseText);
+ if (xhr.status === 200 || xhr.status === 500) {
+ createDownload(response.file);
+ }
+ if (xhr.status === 500) {
+ document.getElementById('actuate-err').innerText = response.error;
+ // DEBUG: Print full error if unknown error occurs
+ console.error(response.error_msg);
+ }
+ }
+ return;
+ };
}
-
// Creates the download element
function createDownload(response) {
- if (!response)
- return;
- const tempName = response.filename;
- const downloadName = response.name.split('.')[ 0 ];
- const downloadLink = document.createElement('a');
- downloadLink.setAttribute('href', `/api/v1/download/?filename=${tempName}`);
- downloadLink.setAttribute('download', `${downloadName}.csv`);
- downloadLink.innerText = 'Download CSV of results here.';
- document.getElementById('download-link').appendChild(downloadLink);
- return;
-} \ No newline at end of file
+ if (!response) return;
+ const tempName = response.filename;
+ const downloadName = response.name.split('.')[0];
+ const downloadLink = document.createElement('a');
+ downloadLink.setAttribute('href', `/api/v1/download/?filename=${tempName}`);
+ downloadLink.setAttribute('download', `${downloadName}.csv`);
+ downloadLink.innerText = 'Download CSV of results here.';
+ document.getElementById('download-link').appendChild(downloadLink);
+ return;
+}
diff --git a/src/routes/api.ts b/src/routes/api.ts
index ee80ea5..22edd79 100644
--- a/src/routes/api.ts
+++ b/src/routes/api.ts
@@ -15,15 +15,16 @@ api.use(cookieParser());
const csrf = csurf({ cookie: true });
// For file uploads
-api.use(fileUpload({
+api.use(
+ fileUpload({
preserveExtension: true, // Preserve file extension on upload
safeFileNames: true, // Only allow alphanumeric characters in file names
limits: { fileSize: 1 * 1024 * 1024 }, // Limit file size to 1MB
useTempFiles: true, // Store files in temp instead of memory
tempFileDir: '/tmp/', // Store files in /tmp/
debug: false, // Log debug information
-}));
-
+ })
+);
/*
Upload a file to the server
@@ -44,34 +45,44 @@ api.use(fileUpload({
415 when the file's MIME type is not text/x-python or text/plain (WINDOWS WHY)
500 for any other errors
*/
-api.route('/upload')
- .post(csrf, (req: Request, res: Response) => {
- try {
- // Check if anything was actually uploaded
- if (!req.files || Object.keys(req.files).length === 0)
- return res.status(400).json({ error: 'No file uploaded.' });
-
- const file: UploadedFile = req.files.file as UploadedFile; // Kludge to prevent a compiler error, only one file gets uploaded so this should be fine
-
- // Check if the file is too large (see fileUpload.limits for the limit)
- if (file.truncated)
- return res.status(413).json({ error: 'File uploaded was too large.' });
-
- // Check if the file is a python file
- if (file.mimetype !== 'text/x-python' && file.mimetype !== 'text/plain')
- return res.status(415).json({ error: 'File uploaded was not a Python file.' });
-
- res.status(201).json({ file: { file: file.name, path: file.tempFilePath }, msg: 'File uploaded successfully.', csrf: req.csrfToken() });
- } catch (err) {
- // Generic error handler
- res.status(500).json({ error: 'An unknown error occurred while uploading the file.', error_msg: err });
- }
- })
- // Fallback
- .all(csrf, (req: Request, res: Response) => {
- res.set('Allow', 'POST');
- res.status(405).json({ error: 'Method not allowed.' });
- });
+api
+ .route('/upload')
+ .post(csrf, (req: Request, res: Response) => {
+ try {
+ // Check if anything was actually uploaded
+ if (!req.files || Object.keys(req.files).length === 0)
+ return res.status(400).json({ error: 'No file uploaded.' });
+
+ const file: UploadedFile = req.files.file as UploadedFile; // Kludge to prevent a compiler error, only one file gets uploaded so this should be fine
+
+ // Check if the file is too large (see fileUpload.limits for the limit)
+ if (file.truncated)
+ return res.status(413).json({ error: 'File uploaded was too large.' });
+
+ // Check if the file is a python file
+ if (file.mimetype !== 'text/x-python' && file.mimetype !== 'text/plain')
+ return res
+ .status(415)
+ .json({ error: 'File uploaded was not a Python file.' });
+
+ res.status(201).json({
+ file: { file: file.name, path: file.tempFilePath },
+ msg: 'File uploaded successfully.',
+ csrf: req.csrfToken(),
+ });
+ } catch (err) {
+ // Generic error handler
+ res.status(500).json({
+ error: 'An unknown error occurred while uploading the file.',
+ error_msg: err,
+ });
+ }
+ })
+ // Fallback
+ .all(csrf, (req: Request, res: Response) => {
+ res.set('Allow', 'POST');
+ res.status(405).json({ error: 'Method not allowed.' });
+ });
/*
Actuate the pendulum
@@ -102,20 +113,20 @@ api.route('/upload')
Minimizing PE vectors like running this as an extremely low privilege user is a must.
*/
-api.route('/actuate')
- // Snyk error mitigation, should be fine since the rate limiting is already in place
- // file deepcode ignore NoRateLimitingForExpensiveWebOperation: This is already rate limited by the website, so we don't need to do it again
- .post(csrf, async (req: Request, res: Response) => {
- try {
- const path: string = req.body.file.path;
- // Verify that the file exists and is a regular file
- // Return if not since the res will be sent by the verifyFile function
- if (await verifyFile(path, res) !== true)
- return;
-
- const escaped = quote([ path ]);
- // Run the code
- /*
+api
+ .route('/actuate')
+ // Snyk error mitigation, should be fine since the rate limiting is already in place
+ // file deepcode ignore NoRateLimitingForExpensiveWebOperation: This is already rate limited by the website, so we don't need to do it again
+ .post(csrf, async (req: Request, res: Response) => {
+ try {
+ const path: string = req.body.file.path;
+ // Verify that the file exists and is a regular file
+ // Return if not since the res will be sent by the verifyFile function
+ if ((await verifyFile(path, res)) !== true) return;
+
+ const escaped = quote([path]);
+ // Run the code
+ /*
TODO:
- Potentially add the limiter to one-per-person here
- Add a timeout
@@ -123,37 +134,48 @@ api.route('/actuate')
- Make this more secure
- HOW?
*/
- // let output = '';
- let stderr = '';
- const actuation = spawn('python', escaped.split(' '));
- // actuation.stdout.on('data', (data: Buffer) => {
- // output += data.toString();
- // });
- actuation.stderr.on('data', (data: Buffer) => {
- stderr += `STDERR: ${data.toString()}`;
- });
- actuation.on('close', (code: number) => {
- const filename: string = (req.body.file.path as string).split('/').pop() as string;
- // Make sure the program exited with a code of 0 (success)
- if (code !== 0)
- return res.status(500).json({ error: `Program exited with exit code ${code}`, error_msg: stderr, file: { name: req.body.file.file, filename: filename } });
- return res.status(200).json({ file: { name: req.body.file.file, filename: filename } });
- });
- // Kill the process if it takes too long
- // Default timeout is 120 seconds (2 minutes)
- setTimeout(() => {
- actuation.kill();
- }, 120000);
- } catch (err) {
- // Generic error handler
- return res.status(500).json({ error: 'An unknown error occurred while running the file.', error_msg: err });
- }
- })
- // Fallback
- .all(csrf, (req: Request, res: Response) => {
- res.set('Allow', 'POST');
- return res.status(405).json({ error: 'Method not allowed.' });
- });
+ // let output = '';
+ let stderr = '';
+ const actuation = spawn('python', escaped.split(' '));
+ // actuation.stdout.on('data', (data: Buffer) => {
+ // output += data.toString();
+ // });
+ actuation.stderr.on('data', (data: Buffer) => {
+ stderr += `STDERR: ${data.toString()}`;
+ });
+ actuation.on('close', (code: number) => {
+ const filename: string = (req.body.file.path as string)
+ .split('/')
+ .pop() as string;
+ // Make sure the program exited with a code of 0 (success)
+ if (code !== 0)
+ return res.status(500).json({
+ error: `Program exited with exit code ${code}`,
+ error_msg: stderr,
+ file: { name: req.body.file.file, filename: filename },
+ });
+ return res
+ .status(200)
+ .json({ file: { name: req.body.file.file, filename: filename } });
+ });
+ // Kill the process if it takes too long
+ // Default timeout is 120 seconds (2 minutes)
+ setTimeout(() => {
+ actuation.kill();
+ }, 120000);
+ } catch (err) {
+ // Generic error handler
+ return res.status(500).json({
+ error: 'An unknown error occurred while running the file.',
+ error_msg: err,
+ });
+ }
+ })
+ // Fallback
+ .all(csrf, (req: Request, res: Response) => {
+ res.set('Allow', 'POST');
+ return res.status(405).json({ error: 'Method not allowed.' });
+ });
/*
Download the CSV file after running the pendulum
@@ -166,35 +188,34 @@ api.route('/actuate')
404 when the file is not accessible or does not exist
500 for any other errors
*/
-api.route('/download')
- .get(csrf, async (req: Request, res: Response) => {
- const filename: string = req.query.filename as string;
- if (!filename)
- return res.status(400).json({ error: 'No filename specified.' });
- // Make sure no path traversal is attempted
- // This regex matches all alphanumeric characters, underscores, and dashes.
- // MAKE SURE THIS DOES NOT ALLOW PATH TRAVERSAL
- if (!/^[\w-]+$/.test(filename))
- return res.status(403).json({ error: 'No.' });
-
- const path = `/tmp/${filename}.csv`;
-
- // Verify that the file exists and is a regular file
- // Return if not since the res will be sent by the verifyFile function
- if (await verifyFile(path, res) !== true)
- return;
- // Read the file and send it to the client
- res.type('text/csv');
- // Snyk error mitigation, should be fine since tmp is private and the simple regex above should prevent path traversal
- // deepcode ignore PT: This is probably mitigated by the regex
- return res.sendFile(path);
- })
- // Fallback
- .all(csrf, (req: Request, res: Response) => {
- res.set('Allow', 'GET');
- return res.status(405).json({ error: 'Method not allowed.' });
- });
+api
+ .route('/download')
+ .get(csrf, async (req: Request, res: Response) => {
+ const filename: string = req.query.filename as string;
+ if (!filename)
+ return res.status(400).json({ error: 'No filename specified.' });
+ // Make sure no path traversal is attempted
+ // This regex matches all alphanumeric characters, underscores, and dashes.
+ // MAKE SURE THIS DOES NOT ALLOW PATH TRAVERSAL
+ if (!/^[\w-]+$/.test(filename))
+ return res.status(403).json({ error: 'No.' });
+
+ const path = `/tmp/${filename}.csv`;
+ // Verify that the file exists and is a regular file
+ // Return if not since the res will be sent by the verifyFile function
+ if ((await verifyFile(path, res)) !== true) return;
+ // Read the file and send it to the client
+ res.type('text/csv');
+ // Snyk error mitigation, should be fine since tmp is private and the simple regex above should prevent path traversal
+ // deepcode ignore PT: This is probably mitigated by the regex
+ return res.sendFile(path);
+ })
+ // Fallback
+ .all(csrf, (req: Request, res: Response) => {
+ res.set('Allow', 'GET');
+ return res.status(405).json({ error: 'Method not allowed.' });
+ });
/*
Verify that the file exists and is a regular file
@@ -207,36 +228,38 @@ api.route('/download')
** AFTER THIS POINT, THE API HAS ALREADY SENT A RESPONSE, SO THE FUNCTION THAT CALLED IT SHOULD NOT RETURN ANOTHER RESPONSE **
*/
async function verifyFile(file: string, res: Response) {
- // Make sure the file being requested to run exists
- try {
- await access(file);
- } catch (err) {
- res.status(404).json({ error: 'File is not accessible or does not exist.' });
- return false;
- }
- // This is a try catch because otherwise type checking will fail and get all messed up
- // Handle your promise rejections, kids
- try {
- const stats = await stat(file);
- // Make sure the file being requested to run is a regular file
- if (!stats.isFile()) {
- res.status(400).json({ error: 'File is not a regular file.' });
- return false;
- }
- // Make sure the file being requested to run is not a directory
- else if (stats.isDirectory()) {
- res.status(400).json({ error: 'File is a directory.' });
- return false;
- }
-
-
- // File does exist and is a regular file, so it is good to go
- return true;
+ // Make sure the file being requested to run exists
+ try {
+ await access(file);
+ } catch (err) {
+ res
+ .status(404)
+ .json({ error: 'File is not accessible or does not exist.' });
+ return false;
+ }
+ // This is a try catch because otherwise type checking will fail and get all messed up
+ // Handle your promise rejections, kids
+ try {
+ const stats = await stat(file);
+ // Make sure the file being requested to run is a regular file
+ if (!stats.isFile()) {
+ res.status(400).json({ error: 'File is not a regular file.' });
+ return false;
}
- catch (err) {
- res.status(404).json({ error: 'File is not accessible or does not exist.' });
- return false;
+ // Make sure the file being requested to run is not a directory
+ else if (stats.isDirectory()) {
+ res.status(400).json({ error: 'File is a directory.' });
+ return false;
}
+
+ // File does exist and is a regular file, so it is good to go
+ return true;
+ } catch (err) {
+ res
+ .status(404)
+ .json({ error: 'File is not accessible or does not exist.' });
+ return false;
+ }
}
export default api;