From 150c06a1171be1ad965afc37beeec9863818b508 Mon Sep 17 00:00:00 2001 From: Matt Strapp Date: Mon, 14 Feb 2022 15:39:22 -0600 Subject: maybe achieve feature parity Signed-off-by: Matt Strapp --- src/public/css/style.css | 36 ++++----------- src/public/example.py | 42 +++++++++++++++++ src/public/js/form.js | 45 ++++++++++++++++-- src/public/lib/prism.css | 3 ++ src/public/lib/prism.js | 4 ++ src/routes/api.ts | 112 +++++++++++++++++++++++++++++++++++---------- src/views/pages/about.ejs | 6 +-- src/views/pages/index.ejs | 35 +++++++++----- src/views/partials/nav.ejs | 2 +- 9 files changed, 214 insertions(+), 71 deletions(-) create mode 100644 src/public/example.py create mode 100644 src/public/lib/prism.css create mode 100644 src/public/lib/prism.js (limited to 'src') diff --git a/src/public/css/style.css b/src/public/css/style.css index 0e7892d..d48e8b9 100644 --- a/src/public/css/style.css +++ b/src/public/css/style.css @@ -7,8 +7,6 @@ body { } .header { - - /* top: 30px; */ margin: 5px; font-family: "Times New Roman", Times, serif; } @@ -55,44 +53,21 @@ p { a { - color: white; + color: blue; text-decoration: none; } -/* Used for id=main */ +/* Used for the about page*/ -#main { +.about { color: white; - /* border-style: solid; */ - /* border: 1px solid maroon; */ text-align: center; margin: 5px; -} - -#about { font-size: large; } - -/* Used for id=title2 */ - -#title2 { - font-size: xx-large; - font-weight: bold; - margin-top: 20px; -} - - -/* Used for id=title3 */ - -#title3 { - font-size: xx-large; - font-weight: bold; - margin-top: 15px; -} - #Background { color: #ffbb00; } @@ -140,4 +115,9 @@ a { color: #000000; /* Remove underlines from links */ text-decoration: none; +} + +.error { + color: red; + font-size: larger; } \ No newline at end of file diff --git a/src/public/example.py b/src/public/example.py new file mode 100644 index 0000000..27f5835 --- /dev/null +++ b/src/public/example.py @@ -0,0 +1,42 @@ +import sys +sys.path.insert(0, '/home/pi/pendulum/System') +from System.system import System +import time +from sys import exit +sys.path.insert(0, '/home/pi/pendulum/System') +from encoder import Encoder +import RPi.GPIO as GPIO + +clk_pin = 3 +cs_pin = 23 +data_pin = 2 + +e = Encoder(clk_pin, cs_pin, data_pin) +e.set_zero() +sys = System(angular_units = 'Radians') + +for x in range(4,20): + linear = 0 + + print("beginning of test with speed " + str(x)) + + while linear > -7: + sys.adjust(-5) + angle, linear = sys.measure() + print("Angle: " + str(angle) + ", Linear: " + str(linear)) + time.sleep(0.1) + sys.adjust(0) + time.sleep(3) + sys.add_log("this is a test with speed " + str(x)) + + while linear < 7: + sys.adjust(x) + angle, linear = sys.measure() + print("Angle: " + str(angle) + ", Linear: " + str(linear)) + sys.add_results(e.read_position('Degrees'), linear, x) + time.sleep(0.1) + sys.adjust(0) + print("end of test with speed " + str(x)) + time.sleep(3) +deinitialize() +exit() diff --git a/src/public/js/form.js b/src/public/js/form.js index 7085422..f58a27f 100644 --- a/src/public/js/form.js +++ b/src/public/js/form.js @@ -1,5 +1,14 @@ +window.onload = function () { + document.getElementById('nojs').hidden = true; + document.getElementById('block').hidden = false; +}; + // File submit AJAX request document.getElementById('upload').onsubmit = function () { + // Reset error message + document.getElementById('upload-err').innerText = ''; + document.getElementById('actuate-err').innerText = ''; + // Make AJAX request let xhr = new XMLHttpRequest(); xhr.open('POST', '/api/v1/upload'); let formData = new FormData(this); @@ -8,11 +17,41 @@ document.getElementById('upload').onsubmit = function () { if (xhr.readyState === 4) { let response = JSON.parse(xhr.responseText); if (xhr.status === 200) { - console.log(response); + actuate(response); } else { - console.log(response.error); + // Display upload error message to the user + document.getElementById('upload-err').innerText = response.error; + // DEBUG: Print full error if unknown error occurs + if (xhr.status === 500) + console.error(response.error_msg); } } }; return false; -}; \ No newline at end of file +}; + +function actuate(file) { + let xhr = new XMLHttpRequest(); + xhr.open('POST', '/api/v1/actuate'); + let data = { + name: file.name, + path: file.path, + }; + xhr.setRequestHeader('Content-Type', 'application/json; charset=utf-8'); + xhr.setRequestHeader('X-CSRF-TOKEN', file.csrf); + xhr.send(JSON.stringify(data)); + xhr.onreadystatechange = function () { + if (xhr.readyState === 4) { + let response = JSON.parse(xhr.responseText); + if (xhr.status === 200) { + console.log(response); + } else { + // Display upload error message to the user + document.getElementById('actuate-err').innerText = response.error; + // DEBUG: Print full error if unknown error occurs + if (xhr.status === 500) + console.error(response.error_msg); + } + } + }; +} \ No newline at end of file diff --git a/src/public/lib/prism.css b/src/public/lib/prism.css new file mode 100644 index 0000000..4fb0a7c --- /dev/null +++ b/src/public/lib/prism.css @@ -0,0 +1,3 @@ +/* PrismJS 1.26.0 +https://prismjs.com/download.html#themes=prism-okaidia&languages=python */ +code[class*=language-],pre[class*=language-]{color:#f8f8f2;background:0 0;text-shadow:0 1px rgba(0,0,0,.3);font-family:Consolas,Monaco,'Andale Mono','Ubuntu Mono',monospace;font-size:1em;text-align:left;white-space:pre;word-spacing:normal;word-break:normal;word-wrap:normal;line-height:1.5;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-hyphens:none;-moz-hyphens:none;-ms-hyphens:none;hyphens:none}pre[class*=language-]{padding:1em;margin:.5em 0;overflow:auto;border-radius:.3em}:not(pre)>code[class*=language-],pre[class*=language-]{background:#272822}:not(pre)>code[class*=language-]{padding:.1em;border-radius:.3em;white-space:normal}.token.cdata,.token.comment,.token.doctype,.token.prolog{color:#8292a2}.token.punctuation{color:#f8f8f2}.token.namespace{opacity:.7}.token.constant,.token.deleted,.token.property,.token.symbol,.token.tag{color:#f92672}.token.boolean,.token.number{color:#ae81ff}.token.attr-name,.token.builtin,.token.char,.token.inserted,.token.selector,.token.string{color:#a6e22e}.language-css .token.string,.style .token.string,.token.entity,.token.operator,.token.url,.token.variable{color:#f8f8f2}.token.atrule,.token.attr-value,.token.class-name,.token.function{color:#e6db74}.token.keyword{color:#66d9ef}.token.important,.token.regex{color:#fd971f}.token.bold,.token.important{font-weight:700}.token.italic{font-style:italic}.token.entity{cursor:help} diff --git a/src/public/lib/prism.js b/src/public/lib/prism.js new file mode 100644 index 0000000..958c4c6 --- /dev/null +++ b/src/public/lib/prism.js @@ -0,0 +1,4 @@ +/* PrismJS 1.26.0 +https://prismjs.com/download.html#themes=prism-okaidia&languages=python */ +var _self="undefined"!=typeof window?window:"undefined"!=typeof WorkerGlobalScope&&self instanceof WorkerGlobalScope?self:{},Prism=function(u){var t=/(?:^|\s)lang(?:uage)?-([\w-]+)(?=\s|$)/i,n=0,e={},M={manual:u.Prism&&u.Prism.manual,disableWorkerMessageHandler:u.Prism&&u.Prism.disableWorkerMessageHandler,util:{encode:function e(n){return n instanceof W?new W(n.type,e(n.content),n.alias):Array.isArray(n)?n.map(e):n.replace(/&/g,"&").replace(/=l.reach);y+=m.value.length,m=m.next){var k=m.value;if(t.length>n.length)return;if(!(k instanceof W)){var x,b=1;if(h){if(!(x=z(p,y,n,f))||x.index>=n.length)break;var w=x.index,A=x.index+x[0].length,E=y;for(E+=m.value.length;E<=w;)m=m.next,E+=m.value.length;if(E-=m.value.length,y=E,m.value instanceof W)continue;for(var P=m;P!==t.tail&&(El.reach&&(l.reach=j);var C=m.prev;S&&(C=I(t,C,S),y+=S.length),T(t,C,b);var N=new W(o,g?M.tokenize(L,g):L,d,L);if(m=I(t,C,N),O&&I(t,m,O),1l.reach&&(l.reach=_.reach)}}}}}}(e,a,n,a.head,0),function(e){var n=[],t=e.head.next;for(;t!==e.tail;)n.push(t.value),t=t.next;return n}(a)},hooks:{all:{},add:function(e,n){var t=M.hooks.all;t[e]=t[e]||[],t[e].push(n)},run:function(e,n){var t=M.hooks.all[e];if(t&&t.length)for(var r,a=0;r=t[a++];)r(n)}},Token:W};function W(e,n,t,r){this.type=e,this.content=n,this.alias=t,this.length=0|(r||"").length}function z(e,n,t,r){e.lastIndex=n;var a=e.exec(t);if(a&&r&&a[1]){var i=a[1].length;a.index+=i,a[0]=a[0].slice(i)}return a}function i(){var e={value:null,prev:null,next:null},n={value:null,prev:e,next:null};e.next=n,this.head=e,this.tail=n,this.length=0}function I(e,n,t){var r=n.next,a={value:t,prev:n,next:r};return n.next=a,r.prev=a,e.length++,a}function T(e,n,t){for(var r=n.next,a=0;a"+a.content+""},!u.document)return u.addEventListener&&(M.disableWorkerMessageHandler||u.addEventListener("message",function(e){var n=JSON.parse(e.data),t=n.language,r=n.code,a=n.immediateClose;u.postMessage(M.highlight(r,M.languages[t],t)),a&&u.close()},!1)),M;var r=M.util.currentScript();function a(){M.manual||M.highlightAll()}if(r&&(M.filename=r.src,r.hasAttribute("data-manual")&&(M.manual=!0)),!M.manual){var l=document.readyState;"loading"===l||"interactive"===l&&r&&r.defer?document.addEventListener("DOMContentLoaded",a):window.requestAnimationFrame?window.requestAnimationFrame(a):window.setTimeout(a,16)}return M}(_self);"undefined"!=typeof module&&module.exports&&(module.exports=Prism),"undefined"!=typeof global&&(global.Prism=Prism); +Prism.languages.python={comment:{pattern:/(^|[^\\])#.*/,lookbehind:!0,greedy:!0},"string-interpolation":{pattern:/(?:f|fr|rf)(?:("""|''')[\s\S]*?\1|("|')(?:\\.|(?!\2)[^\\\r\n])*\2)/i,greedy:!0,inside:{interpolation:{pattern:/((?:^|[^{])(?:\{\{)*)\{(?!\{)(?:[^{}]|\{(?!\{)(?:[^{}]|\{(?!\{)(?:[^{}])+\})+\})+\}/,lookbehind:!0,inside:{"format-spec":{pattern:/(:)[^:(){}]+(?=\}$)/,lookbehind:!0},"conversion-option":{pattern:/![sra](?=[:}]$)/,alias:"punctuation"},rest:null}},string:/[\s\S]+/}},"triple-quoted-string":{pattern:/(?:[rub]|br|rb)?("""|''')[\s\S]*?\1/i,greedy:!0,alias:"string"},string:{pattern:/(?:[rub]|br|rb)?("|')(?:\\.|(?!\1)[^\\\r\n])*\1/i,greedy:!0},function:{pattern:/((?:^|\s)def[ \t]+)[a-zA-Z_]\w*(?=\s*\()/g,lookbehind:!0},"class-name":{pattern:/(\bclass\s+)\w+/i,lookbehind:!0},decorator:{pattern:/(^[\t ]*)@\w+(?:\.\w+)*/m,lookbehind:!0,alias:["annotation","punctuation"],inside:{punctuation:/\./}},keyword:/\b(?:_(?=\s*:)|and|as|assert|async|await|break|case|class|continue|def|del|elif|else|except|exec|finally|for|from|global|if|import|in|is|lambda|match|nonlocal|not|or|pass|print|raise|return|try|while|with|yield)\b/,builtin:/\b(?:__import__|abs|all|any|apply|ascii|basestring|bin|bool|buffer|bytearray|bytes|callable|chr|classmethod|cmp|coerce|compile|complex|delattr|dict|dir|divmod|enumerate|eval|execfile|file|filter|float|format|frozenset|getattr|globals|hasattr|hash|help|hex|id|input|int|intern|isinstance|issubclass|iter|len|list|locals|long|map|max|memoryview|min|next|object|oct|open|ord|pow|property|range|raw_input|reduce|reload|repr|reversed|round|set|setattr|slice|sorted|staticmethod|str|sum|super|tuple|type|unichr|unicode|vars|xrange|zip)\b/,boolean:/\b(?:False|None|True)\b/,number:/\b0(?:b(?:_?[01])+|o(?:_?[0-7])+|x(?:_?[a-f0-9])+)\b|(?:\b\d+(?:_\d+)*(?:\.(?:\d+(?:_\d+)*)?)?|\B\.\d+(?:_\d+)*)(?:e[+-]?\d+(?:_\d+)*)?j?(?!\w)/i,operator:/[-+%=]=?|!=|:=|\*\*?=?|\/\/?=?|<[<=>]?|>[=>]?|[&|^~]/,punctuation:/[{}[\];(),.:]/},Prism.languages.python["string-interpolation"].inside.interpolation.inside.rest=Prism.languages.python,Prism.languages.py=Prism.languages.python; diff --git a/src/routes/api.ts b/src/routes/api.ts index e360709..1e9cd49 100644 --- a/src/routes/api.ts +++ b/src/routes/api.ts @@ -2,38 +2,104 @@ import express, { Request, Response } from 'express'; import csurf from 'csurf'; import cookieParser from 'cookie-parser'; import fileUpload, { UploadedFile } from 'express-fileupload'; -import slowDown from 'express-slow-down'; +import rateLimit from 'express-rate-limit'; +import { access, stat } from 'fs/promises'; +import { quote } from 'shell-quote'; +import { exec } from 'child_process'; const api = express.Router(); // For file uploads -api.use(fileUpload()); - -// Slow down everything to prevent DoS attacks -const speedLimiter = slowDown({ - windowMs: 5 * 60 * 1000, // 5 minutes - delayAfter: 50, // allow 50 requests per 5 minutes, then... - delayMs: 500 // begin adding 500ms of delay per request above 100: - // request # 101 is delayed by 500ms - // request # 102 is delayed by 1000ms - // request # 103 is delayed by 1500ms - // etc. +api.use(fileUpload({ + preserveExtension: true, // Preserve file extension on upload + safeFileNames: true, // Only allow alphanumeric characters in file names + limits: { fileSize: 1 * 1024 * 1024 }, // Limit file size to 1MB + useTempFiles: true, // Store files in temp instead of memory + tempFileDir: '/tmp/', // Store files in /tmp/ + debug: false, // Log debug information +})); + +// Slow down frequent requests to prevent DoS attacks +const rateLimiter = rateLimit({ + windowMs: 1 * 60 * 1000, // 1 minute + max: 10, // Limit each IP to 10 requests per `window` (here, per 1 minutes) + standardHeaders: true, // Return rate limit info in the `RateLimit-*` headers + legacyHeaders: false, // Disable the `X-RateLimit-*` headers }); -api.use(speedLimiter); +api.use(rateLimiter); // CSRF protection api.use(cookieParser()); const csrf = csurf({ cookie: true }); -api.post('/upload', csrf, (req: Request, res: Response) => { - // Check if there is a file - if (!req.files || Object.keys(req.files).length === 0) - return res.status(400).json({ error: 'No file uploaded' }); - const file: UploadedFile = req.files.file as UploadedFile; // Kludge to prevent a compiler error - // Check if the file is a python file - if (file.mimetype !== 'text/x-python') - return res.status(400).json({ error: 'Not a Python file' }); - res.status(200).json({ file: file.name }); -}); +api.use(express.json()); +api.route('/upload') + .post(csrf, (req: Request, res: Response) => { + try { + // Check if anything was actually uploaded + if (!req.files || Object.keys(req.files).length === 0) + return res.status(400).json({ error: 'No file uploaded.' }); + + const file: UploadedFile = req.files.file as UploadedFile; // Kludge to prevent a compiler error, only one file gets uploaded so this should be fine + + // Check if the file is too large (see fileUpload.limits for the limit) + if (file.truncated) + return res.status(413).json({ error: 'File uploaded was too large.' }); + + // Check if the file is a python file + if (file.mimetype !== 'text/x-python') + return res.status(415).json({ error: 'File uploaded was not a Python file.' }); + + res.status(200).json({ file: file.name, path: file.tempFilePath, csrf: req.csrfToken() }); + } catch (err) { + // Generic error handler + res.status(500).json({ error: 'An unknown error occurred while uploading the file.', error_msg: err }); + } + }) + // Fallback + .all(csrf, (req: Request, res: Response) => { + res.set('Allow', 'POST'); + res.status(405).json({ error: 'Method not allowed.' }); + }); + +/* + This route is probably a complete security hole. It allows anyone with a login cookie access to run arbitrary Python code on the server. + + Minimizing PE vectors like running this as a low privilege user is a must. +*/ +api.route('/actuate') + .post(csrf, async (req: Request, res: Response) => { + // Make sure the file being requested to run exists + try { + await access(req.body.path); + } catch (err) { + return res.status(403).json({ error: 'File is not accessible.' }); + } + + + const stats = await stat(req.body.path); + // Make sure the file being requested to run is a regular file + if (!stats.isFile()) + return res.status(403).json({ error: 'File is not a regular file.' }); + // Make sure the file being requested to run is not a directory + if (stats.isDirectory()) + return res.status(403).json({ error: 'File is a directory.' }); + + const escaped = quote([ 'python', req.body.path]); + // Run the code + exec(escaped, (err, stdout, stderr) => { + if (err) + return res.status(500).json({ error: 'An unknown error occurred while executing the file.', error_msg: stderr }); + + // Return the output + res.status(200).json({ output: stdout }); + }); + }) + // Fallback + .all(csrf, (req: Request, res: Response) => { + res.set('Allow', 'POST'); + res.status(405).json({ error: 'Method not allowed.' }); + }); + export default api; \ No newline at end of file diff --git a/src/views/pages/about.ejs b/src/views/pages/about.ejs index 2feede5..26e5687 100644 --- a/src/views/pages/about.ejs +++ b/src/views/pages/about.ejs @@ -15,9 +15,8 @@

Remotely Accessible Inverted Pendulum

-
-
-

+
+

Created by
Abrar Nair Islam, Brendan Lake, Cory Ohnsted, Matt Strapp, Kiflu Woldegiorgis (2022)
Sam Hansen, Rezkath Awal, Donovan Peterson, Joseph Jewett (2021)
@@ -35,7 +34,6 @@

A vertical pendulum that is balanced via the base moving.
Controlled movements are determined by measuring the position and speed of the pendulum and base.

-

diff --git a/src/views/pages/index.ejs b/src/views/pages/index.ejs index 8b5f044..81624f6 100644 --- a/src/views/pages/index.ejs +++ b/src/views/pages/index.ejs @@ -2,25 +2,36 @@ - + <%- include('../partials/head.ejs') %> + Upload your code here! <%- include('../partials/nav.ejs') %> -
-

Please upload a Python file (.py file extension) to run on the Inverted Pendulum.

-

-
- - -

-

- - -
+
+

Please enable JavaScript to use the inverted pendulum.

+
+