diff options
| -rw-r--r-- | package.json | 1 | ||||
| -rw-r--r-- | src/routes/api.ts | 162 | ||||
| -rw-r--r-- | yarn.lock | 5 |
3 files changed, 81 insertions, 87 deletions
diff --git a/package.json b/package.json index 9739358..57b1c43 100644 --- a/package.json +++ b/package.json @@ -7,7 +7,6 @@ "express-fileupload": "^1.3.1", "express-rate-limit": "^6.2.1", "helmet": "^5.0.2", - "loglevel": "^1.8.0", "shell-quote": "^1.7.3" }, "devDependencies": { diff --git a/src/routes/api.ts b/src/routes/api.ts index c3518d6..77b3c79 100644 --- a/src/routes/api.ts +++ b/src/routes/api.ts @@ -17,12 +17,12 @@ const csrf = csurf({ cookie: true }); // For file uploads api.use(fileUpload({ - preserveExtension: true, // Preserve file extension on upload - safeFileNames: true, // Only allow alphanumeric characters in file names - limits: { fileSize: 1 * 1024 * 1024 }, // Limit file size to 1MB - useTempFiles: true, // Store files in temp instead of memory - tempFileDir: '/tmp/', // Store files in /tmp/ - debug: false, // Log debug information + preserveExtension: true, // Preserve file extension on upload + safeFileNames: true, // Only allow alphanumeric characters in file names + limits: { fileSize: 1 * 1024 * 1024 }, // Limit file size to 1MB + useTempFiles: true, // Store files in temp instead of memory + tempFileDir: '/tmp/', // Store files in /tmp/ + debug: false, // Log debug information })); @@ -46,33 +46,33 @@ api.use(fileUpload({ 500 for any other errors */ api.route('/upload') - .post(csrf, (req: Request, res: Response) => { - try { - // Check if anything was actually uploaded - if (!req.files || Object.keys(req.files).length === 0) - return res.status(400).json({ error: 'No file uploaded.' }); - - const file: UploadedFile = req.files.file as UploadedFile; // Kludge to prevent a compiler error, only one file gets uploaded so this should be fine - - // Check if the file is too large (see fileUpload.limits for the limit) - if (file.truncated) - return res.status(413).json({ error: 'File uploaded was too large.' }); - - // Check if the file is a python file - if (file.mimetype !== 'text/x-python') - return res.status(415).json({ error: 'File uploaded was not a Python file.' }); - - res.status(201).json({ file: file.name, path: file.tempFilePath, msg: 'File uploaded successfully.', csrf: req.csrfToken() }); - } catch (err) { - // Generic error handler - res.status(500).json({ error: 'An unknown error occurred while uploading the file.', error_msg: err }); - } - }) - // Fallback - .all(csrf, (req: Request, res: Response) => { - res.set('Allow', 'POST'); - res.status(405).json({ error: 'Method not allowed.' }); - }); + .post(csrf, (req: Request, res: Response) => { + try { + // Check if anything was actually uploaded + if (!req.files || Object.keys(req.files).length === 0) + return res.status(400).json({ error: 'No file uploaded.' }); + + const file: UploadedFile = req.files.file as UploadedFile; // Kludge to prevent a compiler error, only one file gets uploaded so this should be fine + + // Check if the file is too large (see fileUpload.limits for the limit) + if (file.truncated) + return res.status(413).json({ error: 'File uploaded was too large.' }); + + // Check if the file is a python file + if (file.mimetype !== 'text/x-python') + return res.status(415).json({ error: 'File uploaded was not a Python file.' }); + + res.status(201).json({ file: file.name, path: file.tempFilePath, msg: 'File uploaded successfully.', csrf: req.csrfToken() }); + } catch (err) { + // Generic error handler + res.status(500).json({ error: 'An unknown error occurred while uploading the file.', error_msg: err }); + } + }) + // Fallback + .all(csrf, (req: Request, res: Response) => { + res.set('Allow', 'POST'); + res.status(405).json({ error: 'Method not allowed.' }); + }); /* Actuate the pendulum @@ -99,54 +99,54 @@ api.route('/upload') */ api.route('/actuate') - // Snyk error mitigation, should be fine since the rate limiting is already in place - // file deepcode ignore NoRateLimitingForExpensiveWebOperation: This is already rate limited by the website, so we don't need to do it again - .post(csrf, async (req: Request, res: Response) => { - // Make sure the file being requested to run exists - try { - await access(req.body.path); - } catch (err) { - return res.status(403).json({ error: 'File is not accessible or does not exist.' }); - } - - - const stats: Stats = await stat(req.body.path); - // Make sure the file being requested to run is a regular file - if (!stats.isFile()) - return res.status(400).json({ error: 'File is not a regular file.' }); - // Make sure the file being requested to run is not a directory - if (stats.isDirectory()) - return res.status(400).json({ error: 'File is a directory.' }); - - const escaped = quote( [ req.body.path ] ); - // Run the code - /* - TODO: - - Potentially add the limiter to one-per-person here - - Add a timeout - - Communicate to the machine to give up (the user as well), maybe just kill the process? - - Make this more secure - - HOW? - */ - let output = ''; - const actuation = spawn('python', escaped.split(' ')); - actuation.stdout.on('data', (data: Buffer) => { - output += data.toString(); - }); - actuation.stderr.on('data', (data: Buffer) => { - output += `STDERR: ${data.toString()}`; - }); - actuation.on('close', (code: number) => { - if (code !== 0) - res.status(500).json({ error: `Program exited with exit code ${code}`, error_msg: output }); - res.status(200).json({ stdout: output }); - }); - }) - // Fallback - .all(csrf, (req: Request, res: Response) => { - res.set('Allow', 'POST'); - res.status(405).json({ error: 'Method not allowed.' }); + // Snyk error mitigation, should be fine since the rate limiting is already in place + // file deepcode ignore NoRateLimitingForExpensiveWebOperation: This is already rate limited by the website, so we don't need to do it again + .post(csrf, async (req: Request, res: Response) => { + // Make sure the file being requested to run exists + try { + await access(req.body.path); + } catch (err) { + return res.status(403).json({ error: 'File is not accessible or does not exist.' }); + } + + + const stats: Stats = await stat(req.body.path); + // Make sure the file being requested to run is a regular file + if (!stats.isFile()) + return res.status(400).json({ error: 'File is not a regular file.' }); + // Make sure the file being requested to run is not a directory + if (stats.isDirectory()) + return res.status(400).json({ error: 'File is a directory.' }); + + const escaped = quote([req.body.path]); + // Run the code + /* + TODO: + - Potentially add the limiter to one-per-person here + - Add a timeout + - Communicate to the machine to give up (the user as well), maybe just kill the process? + - Make this more secure + - HOW? + */ + let output = ''; + const actuation = spawn('python', escaped.split(' ')); + actuation.stdout.on('data', (data: Buffer) => { + output += data.toString(); + }); + actuation.stderr.on('data', (data: Buffer) => { + output += `STDERR: ${data.toString()}`; + }); + actuation.on('close', (code: number) => { + if (code !== 0) + return res.status(500).json({ error: `Program exited with exit code ${code}`, error_msg: output }); + return res.status(200).json({ stdout: output }); }); + }) + // Fallback + .all(csrf, (req: Request, res: Response) => { + res.set('Allow', 'POST'); + res.status(405).json({ error: 'Method not allowed.' }); + }); -export default api;
\ No newline at end of file +export default api; @@ -1663,11 +1663,6 @@ lodash.merge@^4.6.2: resolved "https://registry.yarnpkg.com/lodash.merge/-/lodash.merge-4.6.2.tgz#558aa53b43b661e1925a0afdfa36a9a1085fe57a" integrity sha512-0KpjqXRVvrYyCsX1swR/XTK0va6VQkQM6MNo7PqW77ByjAhoARA8EfrP1N4+KlKj8YS0ZUCtRT/YUuhyYDujIQ== -loglevel@^1.8.0: - version "1.8.0" - resolved "https://registry.yarnpkg.com/loglevel/-/loglevel-1.8.0.tgz#e7ec73a57e1e7b419cb6c6ac06bf050b67356114" - integrity sha512-G6A/nJLRgWOuuwdNuA6koovfEV1YpqqAG4pRUlFaz3jj2QNZ8M4vBqnVA+HBTmU/AMNUtlOsMmSpF6NyOjztbA== - lowercase-keys@^1.0.0, lowercase-keys@^1.0.1: version "1.0.1" resolved "https://registry.yarnpkg.com/lowercase-keys/-/lowercase-keys-1.0.1.tgz#6f9e30b47084d971a7c820ff15a6c5167b74c26f" |