use crate::auth; use crate::config::Config; use crate::file::Directory; use crate::header::{self, ContentDisposition}; use crate::mime as mime_util; use crate::paste::{Paste, PasteType}; use crate::util; use crate::AUTH_TOKEN_ENV; use actix_files::NamedFile; use actix_multipart::Multipart; use actix_web::{error, get, post, web, Error, HttpRequest, HttpResponse}; use awc::Client; use byte_unit::Byte; use futures_util::stream::StreamExt; use serde::Deserialize; use std::convert::TryFrom; use std::env; use std::fs; use std::sync::RwLock; /// Shows the landing page. #[get("/")] async fn index(config: web::Data>) -> Result { let config = config .read() .map_err(|_| error::ErrorInternalServerError("cannot acquire config"))?; let content_type = config .server .landing_page_content_type .clone() .unwrap_or("text/plain; charset=utf-8".to_string()); match &config.server.landing_page { Some(page) => Ok(HttpResponse::Ok() .content_type(content_type) .body(page.clone())), None => Ok(HttpResponse::Found() .append_header(("Location", env!("CARGO_PKG_HOMEPAGE"))) .finish()), } } /// File serving options (i.e. query parameters). #[derive(Debug, Deserialize)] struct ServeOptions { /// If set to `true`, change the MIME type to `application/octet-stream` and force downloading /// the file. download: bool, } /// Serves a file from the upload directory. #[get("/{file}")] async fn serve( request: HttpRequest, file: web::Path, options: Option>, config: web::Data>, ) -> Result { let config = config .read() .map_err(|_| error::ErrorInternalServerError("cannot acquire config"))?; let path = config.server.upload_path.join(&*file); let mut path = util::glob_match_file(path)?; let mut paste_type = PasteType::File; if !path.exists() || path.is_dir() { for type_ in &[PasteType::Url, PasteType::Oneshot, PasteType::OneshotUrl] { let alt_path = type_.get_path(&config.server.upload_path).join(&*file); let alt_path = util::glob_match_file(alt_path)?; if alt_path.exists() || path.file_name().and_then(|v| v.to_str()) == Some(&type_.get_dir()) { path = alt_path; paste_type = *type_; break; } } } if !path.is_file() || !path.exists() { return Err(error::ErrorNotFound("file is not found or expired :(")); } match paste_type { PasteType::File | PasteType::RemoteFile | PasteType::Oneshot => { let mime_type = if options.map(|v| v.download).unwrap_or(false) { mime::APPLICATION_OCTET_STREAM } else { mime_util::get_mime_type(&config.paste.mime_override, file.to_string()) .map_err(error::ErrorInternalServerError)? }; let response = NamedFile::open(&path)? .disable_content_disposition() .set_content_type(mime_type) .prefer_utf8(true) .into_response(&request); if paste_type.is_oneshot() { fs::rename( &path, path.with_file_name(format!( "{}.{}", file, util::get_system_time()?.as_millis() )), )?; } Ok(response) } PasteType::Url => Ok(HttpResponse::Found() .append_header(("Location", fs::read_to_string(&path)?)) .finish()), PasteType::OneshotUrl => { let resp = HttpResponse::Found() .append_header(("Location", fs::read_to_string(&path)?)) .finish(); fs::rename( &path, path.with_file_name(format!("{}.{}", file, util::get_system_time()?.as_millis())), )?; Ok(resp) } } } /// Expose version endpoint #[get("/version")] async fn version( request: HttpRequest, config: web::Data>, ) -> Result { let config = config .read() .map_err(|_| error::ErrorInternalServerError("cannot acquire config"))?; let connection = request.connection_info().clone(); let host = connection.peer_addr().unwrap_or("unknown host"); auth::check( host, request.headers(), env::var(AUTH_TOKEN_ENV) .ok() .or_else(|| config.server.auth_token.as_ref().cloned()), )?; if !config.server.expose_version.unwrap_or(false) { log::warn!("server is not configured to expose version endpoint"); Err(error::ErrorForbidden("endpoint is not exposed"))?; } let version = env!("CARGO_PKG_VERSION"); Ok(HttpResponse::Ok().body(version)) } /// Handles file upload by processing `multipart/form-data`. #[post("/")] async fn upload( request: HttpRequest, mut payload: Multipart, client: web::Data, config: web::Data>, ) -> Result { let connection = request.connection_info().clone(); let host = connection.peer_addr().unwrap_or("unknown host"); let server_url = match config .read() .map_err(|_| error::ErrorInternalServerError("cannot acquire config"))? .server .url .clone() { Some(v) => v, None => { format!("{}://{}", connection.scheme(), connection.host(),) } }; auth::check( host, request.headers(), env::var(AUTH_TOKEN_ENV).ok().or(config .read() .map_err(|_| error::ErrorInternalServerError("cannot acquire config"))? .server .auth_token .as_ref() .cloned()), )?; let time = util::get_system_time()?; let mut expiry_date = header::parse_expiry_date(request.headers(), time)?; if expiry_date.is_none() { expiry_date = config .read() .map_err(|_| error::ErrorInternalServerError("cannot acquire config"))? .paste .default_expiry .and_then(|v| time.checked_add(v).map(|t| t.as_millis())); } let mut urls: Vec = Vec::new(); while let Some(item) = payload.next().await { let mut field = item?; let content = ContentDisposition::from(field.content_disposition().clone()); if let Ok(paste_type) = PasteType::try_from(&content) { let mut bytes = Vec::::new(); while let Some(chunk) = field.next().await { bytes.append(&mut chunk?.to_vec()); let config = config .read() .map_err(|_| error::ErrorInternalServerError("cannot acquire config"))?; if bytes.len() as u128 > config.server.max_content_length.get_bytes() { log::warn!("Upload rejected for {}", host); return Err(error::ErrorPayloadTooLarge("upload limit exceeded")); } } if bytes.is_empty() { log::warn!("{} sent zero bytes", host); return Err(error::ErrorBadRequest("invalid file size")); } if paste_type != PasteType::Oneshot && paste_type != PasteType::RemoteFile && paste_type != PasteType::OneshotUrl && expiry_date.is_none() && !config .read() .map_err(|_| error::ErrorInternalServerError("cannot acquire config"))? .paste .duplicate_files .unwrap_or(true) { let bytes_checksum = util::sha256_digest(&*bytes)?; let config = config .read() .map_err(|_| error::ErrorInternalServerError("cannot acquire config"))?; if let Some(file) = Directory::try_from(config.server.upload_path.as_path())? .get_file(bytes_checksum) { urls.push(format!( "{}/{}\n", server_url, file.path .file_name() .map(|v| v.to_string_lossy()) .unwrap_or_default() )); continue; } } let mut paste = Paste { data: bytes.to_vec(), type_: paste_type, }; let file_name = match paste.type_ { PasteType::File | PasteType::Oneshot => { let config = config .read() .map_err(|_| error::ErrorInternalServerError("cannot acquire config"))?; paste.store_file(content.get_file_name()?, expiry_date, &config)? } PasteType::RemoteFile => { paste .store_remote_file(expiry_date, &client, &config) .await? } PasteType::Url | PasteType::OneshotUrl => { let config = config .read() .map_err(|_| error::ErrorInternalServerError("cannot acquire config"))?; paste.store_url(expiry_date, &config)? } }; log::info!( "{} ({}) is uploaded from {}", file_name, Byte::from_bytes(paste.data.len() as u128).get_appropriate_unit(false), host ); urls.push(format!("{}/{}\n", server_url, file_name)); } else { log::warn!("{} sent an invalid form field", host); return Err(error::ErrorBadRequest("invalid form field")); } } Ok(HttpResponse::Ok().body(urls.join(""))) } /// Configures the server routes. pub fn configure_routes(cfg: &mut web::ServiceConfig) { cfg.service(index) .service(version) .service(serve) .service(upload) .route("", web::head().to(HttpResponse::MethodNotAllowed)); } #[cfg(test)] mod tests { use super::*; use crate::random::{RandomURLConfig, RandomURLType}; use actix_web::body::BodySize; use actix_web::body::MessageBody; use actix_web::dev::ServiceResponse; use actix_web::error::Error; use actix_web::http::{header, StatusCode}; use actix_web::test::{self, TestRequest}; use actix_web::web::Data; use actix_web::App; use awc::ClientBuilder; use byte_unit::Byte; use glob::glob; use std::path::PathBuf; use std::str; use std::thread; use std::time::Duration; fn get_multipart_request(data: &str, name: &str, filename: &str) -> TestRequest { let multipart_data = format!( "\r\n\ --multipart_bound\r\n\ Content-Disposition: form-data; name=\"{}\"; filename=\"{}\"\r\n\ Content-Type: text/plain; charset=utf-8\r\nContent-Length: {}\r\n\r\n\ {}\r\n\ --multipart_bound--\r\n", name, filename, data.bytes().len(), data, ); TestRequest::post() .insert_header(( header::CONTENT_TYPE, header::HeaderValue::from_static("multipart/mixed; boundary=\"multipart_bound\""), )) .set_payload(multipart_data) } async fn assert_body(response: ServiceResponse, expected: &str) -> Result<(), Error> { let body = response.into_body(); if let BodySize::Sized(size) = body.size() { assert_eq!(size, expected.as_bytes().len() as u64); let body_bytes = actix_web::body::to_bytes(body).await?; let body_text = str::from_utf8(&body_bytes)?; assert_eq!(expected, body_text); Ok(()) } else { Err(error::ErrorInternalServerError("unexpected body type")) } } #[actix_web::test] async fn test_index() { let config = Config::default(); let app = test::init_service( App::new() .app_data(Data::new(RwLock::new(config))) .service(index), ) .await; let request = TestRequest::default() .insert_header(("content-type", "text/plain")) .to_request(); let response = test::call_service(&app, request).await; assert_eq!(StatusCode::FOUND, response.status()); } #[actix_web::test] async fn test_index_with_landing_page() -> Result<(), Error> { let mut config = Config::default(); config.server.landing_page = Some(String::from("landing page")); let app = test::init_service( App::new() .app_data(Data::new(RwLock::new(config))) .service(index), ) .await; let request = TestRequest::default() .insert_header(("content-type", "text/plain")) .to_request(); let response = test::call_service(&app, request).await; assert_eq!(StatusCode::OK, response.status()); assert_body(response, "landing page").await?; Ok(()) } #[actix_web::test] async fn test_version_without_auth() -> Result<(), Error> { let mut config = Config::default(); config.server.auth_token = Some(String::from("test")); let app = test::init_service( App::new() .app_data(Data::new(RwLock::new(config))) .app_data(Data::new(Client::default())) .configure(configure_routes), ) .await; let request = TestRequest::default() .insert_header(("content-type", "text/plain")) .uri("/version") .to_request(); let response = test::call_service(&app, request).await; assert_eq!(StatusCode::UNAUTHORIZED, response.status()); assert_body(response, "unauthorized").await?; Ok(()) } #[actix_web::test] async fn test_version_without_config() -> Result<(), Error> { let app = test::init_service( App::new() .app_data(Data::new(RwLock::new(Config::default()))) .app_data(Data::new(Client::default())) .configure(configure_routes), ) .await; let request = TestRequest::default() .insert_header(("content-type", "text/plain")) .uri("/version") .to_request(); let response = test::call_service(&app, request).await; assert_eq!(StatusCode::FORBIDDEN, response.status()); assert_body(response, "endpoint is not exposed").await?; Ok(()) } #[actix_web::test] async fn test_version() -> Result<(), Error> { let mut config = Config::default(); config.server.expose_version = Some(true); let app = test::init_service( App::new() .app_data(Data::new(RwLock::new(config))) .app_data(Data::new(Client::default())) .configure(configure_routes), ) .await; let request = TestRequest::default() .insert_header(("content-type", "text/plain")) .uri("/version") .to_request(); let response = test::call_service(&app, request).await; assert_eq!(StatusCode::OK, response.status()); assert_body(response, env!("CARGO_PKG_VERSION")).await?; Ok(()) } #[actix_web::test] async fn test_auth() -> Result<(), Error> { let mut config = Config::default(); config.server.auth_token = Some(String::from("test")); let app = test::init_service( App::new() .app_data(Data::new(RwLock::new(config))) .app_data(Data::new(Client::default())) .configure(configure_routes), ) .await; let response = test::call_service(&app, get_multipart_request("", "", "").to_request()).await; assert_eq!(StatusCode::UNAUTHORIZED, response.status()); assert_body(response, "unauthorized").await?; Ok(()) } #[actix_web::test] async fn test_payload_limit() -> Result<(), Error> { let app = test::init_service( App::new() .app_data(Data::new(RwLock::new(Config::default()))) .app_data(Data::new(Client::default())) .configure(configure_routes), ) .await; let response = test::call_service( &app, get_multipart_request("test", "file", "test").to_request(), ) .await; assert_eq!(StatusCode::PAYLOAD_TOO_LARGE, response.status()); assert_body(response, "upload limit exceeded").await?; Ok(()) } #[actix_web::test] async fn test_upload_file() -> Result<(), Error> { let mut config = Config::default(); config.server.upload_path = env::current_dir()?; config.server.max_content_length = Byte::from_bytes(100); let app = test::init_service( App::new() .app_data(Data::new(RwLock::new(config))) .app_data(Data::new(Client::default())) .configure(configure_routes), ) .await; let file_name = "test_file.txt"; let timestamp = util::get_system_time()?.as_secs().to_string(); let response = test::call_service( &app, get_multipart_request(×tamp, "file", file_name).to_request(), ) .await; assert_eq!(StatusCode::OK, response.status()); assert_body(response, &format!("http://localhost:8080/{file_name}\n")).await?; let serve_request = TestRequest::get() .uri(&format!("/{file_name}")) .to_request(); let response = test::call_service(&app, serve_request).await; assert_eq!(StatusCode::OK, response.status()); assert_body(response, ×tamp).await?; fs::remove_file(file_name)?; let serve_request = TestRequest::get() .uri(&format!("/{file_name}")) .to_request(); let response = test::call_service(&app, serve_request).await; assert_eq!(StatusCode::NOT_FOUND, response.status()); Ok(()) } #[actix_web::test] async fn test_upload_duplicate_file() -> Result<(), Error> { let test_upload_dir = "test_upload"; fs::create_dir(test_upload_dir)?; let mut config = Config::default(); config.server.upload_path = PathBuf::from(&test_upload_dir); config.server.max_content_length = Byte::from_bytes(100); config.paste.duplicate_files = Some(false); config.paste.random_url = RandomURLConfig { enabled: true, type_: RandomURLType::Alphanumeric, ..Default::default() }; let app = test::init_service( App::new() .app_data(Data::new(RwLock::new(config))) .app_data(Data::new(Client::default())) .configure(configure_routes), ) .await; let response = test::call_service( &app, get_multipart_request("test", "file", "x").to_request(), ) .await; assert_eq!(StatusCode::OK, response.status()); let body = response.into_body(); let first_body_bytes = actix_web::body::to_bytes(body).await?; let response = test::call_service( &app, get_multipart_request("test", "file", "x").to_request(), ) .await; assert_eq!(StatusCode::OK, response.status()); let body = response.into_body(); let second_body_bytes = actix_web::body::to_bytes(body).await?; assert_eq!(first_body_bytes, second_body_bytes); fs::remove_dir_all(test_upload_dir)?; Ok(()) } #[actix_web::test] async fn test_upload_expiring_file() -> Result<(), Error> { let mut config = Config::default(); config.server.upload_path = env::current_dir()?; config.server.max_content_length = Byte::from_bytes(100); let app = test::init_service( App::new() .app_data(Data::new(RwLock::new(config))) .app_data(Data::new(Client::default())) .configure(configure_routes), ) .await; let file_name = "test_file.txt"; let timestamp = util::get_system_time()?.as_secs().to_string(); let response = test::call_service( &app, get_multipart_request(×tamp, "file", file_name) .insert_header(( header::HeaderName::from_static("expire"), header::HeaderValue::from_static("20ms"), )) .to_request(), ) .await; assert_eq!(StatusCode::OK, response.status()); assert_body(response, &format!("http://localhost:8080/{file_name}\n")).await?; let serve_request = TestRequest::get() .uri(&format!("/{file_name}")) .to_request(); let response = test::call_service(&app, serve_request).await; assert_eq!(StatusCode::OK, response.status()); assert_body(response, ×tamp).await?; thread::sleep(Duration::from_millis(40)); let serve_request = TestRequest::get() .uri(&format!("/{file_name}")) .to_request(); let response = test::call_service(&app, serve_request).await; assert_eq!(StatusCode::NOT_FOUND, response.status()); if let Some(glob_path) = glob(&format!("{file_name}.[0-9]*")) .map_err(error::ErrorInternalServerError)? .next() { fs::remove_file(glob_path.map_err(error::ErrorInternalServerError)?)?; } Ok(()) } #[actix_web::test] async fn test_upload_remote_file() -> Result<(), Error> { let mut config = Config::default(); config.server.upload_path = env::current_dir()?; config.server.max_content_length = Byte::from_bytes(30000); let app = test::init_service( App::new() .app_data(Data::new(RwLock::new(config))) .app_data(Data::new( ClientBuilder::new() .timeout(Duration::from_secs(30)) .finish(), )) .configure(configure_routes), ) .await; let file_name = "Example.jpg"; let response = test::call_service( &app, get_multipart_request( "https://upload.wikimedia.org/wikipedia/en/a/a9/Example.jpg", "remote", file_name, ) .to_request(), ) .await; assert_eq!(StatusCode::OK, response.status()); assert_body(response, &format!("http://localhost:8080/{file_name}\n")).await?; let serve_request = TestRequest::get() .uri(&format!("/{file_name}")) .to_request(); let response = test::call_service(&app, serve_request).await; assert_eq!(StatusCode::OK, response.status()); let body = response.into_body(); let body_bytes = actix_web::body::to_bytes(body).await?; assert_eq!( "8c712905b799905357b8202d0cb7a244cefeeccf7aa5eb79896645ac50158ffa", util::sha256_digest(&*body_bytes)? ); fs::remove_file(file_name)?; let serve_request = TestRequest::get() .uri(&format!("/{file_name}")) .to_request(); let response = test::call_service(&app, serve_request).await; assert_eq!(StatusCode::NOT_FOUND, response.status()); Ok(()) } #[actix_web::test] async fn test_upload_url() -> Result<(), Error> { let mut config = Config::default(); config.server.upload_path = env::current_dir()?; config.server.max_content_length = Byte::from_bytes(100); let app = test::init_service( App::new() .app_data(Data::new(RwLock::new(config.clone()))) .app_data(Data::new(Client::default())) .configure(configure_routes), ) .await; let url_upload_path = PasteType::Url.get_path(&config.server.upload_path); fs::create_dir_all(&url_upload_path)?; let response = test::call_service( &app, get_multipart_request(env!("CARGO_PKG_HOMEPAGE"), "url", "").to_request(), ) .await; assert_eq!(StatusCode::OK, response.status()); assert_body(response, "http://localhost:8080/url\n").await?; let serve_request = TestRequest::get().uri("/url").to_request(); let response = test::call_service(&app, serve_request).await; assert_eq!(StatusCode::FOUND, response.status()); fs::remove_file(url_upload_path.join("url"))?; fs::remove_dir(url_upload_path)?; let serve_request = TestRequest::get().uri("/url").to_request(); let response = test::call_service(&app, serve_request).await; assert_eq!(StatusCode::NOT_FOUND, response.status()); Ok(()) } #[actix_web::test] async fn test_upload_oneshot() -> Result<(), Error> { let mut config = Config::default(); config.server.upload_path = env::current_dir()?; config.server.max_content_length = Byte::from_bytes(100); let app = test::init_service( App::new() .app_data(Data::new(RwLock::new(config.clone()))) .app_data(Data::new(Client::default())) .configure(configure_routes), ) .await; let oneshot_upload_path = PasteType::Oneshot.get_path(&config.server.upload_path); fs::create_dir_all(&oneshot_upload_path)?; let file_name = "oneshot.txt"; let timestamp = util::get_system_time()?.as_secs().to_string(); let response = test::call_service( &app, get_multipart_request(×tamp, "oneshot", file_name).to_request(), ) .await; assert_eq!(StatusCode::OK, response.status()); assert_body(response, &format!("http://localhost:8080/{file_name}\n")).await?; let serve_request = TestRequest::get() .uri(&format!("/{file_name}")) .to_request(); let response = test::call_service(&app, serve_request).await; assert_eq!(StatusCode::OK, response.status()); assert_body(response, ×tamp).await?; let serve_request = TestRequest::get() .uri(&format!("/{file_name}")) .to_request(); let response = test::call_service(&app, serve_request).await; assert_eq!(StatusCode::NOT_FOUND, response.status()); if let Some(glob_path) = glob( &oneshot_upload_path .join(format!("{file_name}.[0-9]*")) .to_string_lossy(), ) .map_err(error::ErrorInternalServerError)? .next() { fs::remove_file(glob_path.map_err(error::ErrorInternalServerError)?)?; } fs::remove_dir(oneshot_upload_path)?; Ok(()) } #[actix_web::test] async fn test_upload_oneshot_url() -> Result<(), Error> { let mut config = Config::default(); config.server.upload_path = env::current_dir()?; config.server.max_content_length = Byte::from_bytes(100); let oneshot_url_suffix = "oneshot_url"; let app = test::init_service( App::new() .app_data(Data::new(RwLock::new(config.clone()))) .app_data(Data::new(Client::default())) .configure(configure_routes), ) .await; let url_upload_path = PasteType::OneshotUrl.get_path(&config.server.upload_path); fs::create_dir_all(&url_upload_path)?; let response = test::call_service( &app, get_multipart_request( env!("CARGO_PKG_HOMEPAGE"), oneshot_url_suffix, oneshot_url_suffix, ) .to_request(), ) .await; assert_eq!(StatusCode::OK, response.status()); assert_body( response, &format!("http://localhost:8080/{}\n", oneshot_url_suffix), ) .await?; // Make the oneshot_url request, ensure it is found. let serve_request = TestRequest::with_uri(&format!("/{}", oneshot_url_suffix)).to_request(); let response = test::call_service(&app, serve_request).await; assert_eq!(StatusCode::FOUND, response.status()); // Make the same request again, and ensure that the oneshot_url is not found. let serve_request = TestRequest::with_uri(&format!("/{}", oneshot_url_suffix)).to_request(); let response = test::call_service(&app, serve_request).await; assert_eq!(StatusCode::NOT_FOUND, response.status()); // Cleanup fs::remove_dir_all(url_upload_path)?; Ok(()) } }