2017-06-06 17:24:58 +00:00
|
|
|
const express = require('express');
|
2017-06-07 23:16:38 +00:00
|
|
|
const exphbs = require('express-handlebars');
|
2017-06-06 17:24:58 +00:00
|
|
|
const busboy = require('connect-busboy');
|
|
|
|
const path = require('path');
|
|
|
|
const bodyParser = require('body-parser');
|
2017-06-19 22:51:48 +00:00
|
|
|
const helmet = require('helmet');
|
2017-06-07 23:16:38 +00:00
|
|
|
const bytes = require('bytes');
|
|
|
|
const conf = require('./config.js');
|
2017-06-07 21:07:31 +00:00
|
|
|
const storage = require('./storage.js');
|
2017-06-23 17:53:11 +00:00
|
|
|
const Raven = require('raven');
|
2017-07-10 19:19:20 +00:00
|
|
|
const crypto = require('crypto');
|
2017-07-25 21:28:49 +00:00
|
|
|
const fs = require('fs');
|
2017-06-05 22:35:36 +00:00
|
|
|
|
2017-06-24 03:01:32 +00:00
|
|
|
if (conf.sentry_dsn) {
|
2017-06-23 17:53:11 +00:00
|
|
|
Raven.config(conf.sentry_dsn).install();
|
|
|
|
}
|
|
|
|
|
2017-06-08 20:45:28 +00:00
|
|
|
const mozlog = require('./log.js');
|
|
|
|
|
2017-07-11 19:34:49 +00:00
|
|
|
const log = mozlog('send.server');
|
2017-06-05 22:35:36 +00:00
|
|
|
|
2017-06-23 23:53:17 +00:00
|
|
|
const STATIC_PATH = path.join(__dirname, '../public');
|
|
|
|
|
2017-06-06 17:24:58 +00:00
|
|
|
const app = express();
|
2017-06-05 22:35:36 +00:00
|
|
|
|
2017-07-25 21:28:49 +00:00
|
|
|
function allLangs() {
|
|
|
|
return fs
|
|
|
|
.readdirSync(path.join(STATIC_PATH, 'locales'))
|
|
|
|
.map(function(f) {
|
|
|
|
return f.split('.')[0];
|
|
|
|
})
|
|
|
|
.join(',');
|
|
|
|
}
|
|
|
|
|
|
|
|
function prodLangs() {
|
2017-07-29 07:04:50 +00:00
|
|
|
// eslint-disable-next-line security/detect-non-literal-require
|
2017-07-25 21:28:49 +00:00
|
|
|
return require(path.join(
|
|
|
|
__dirname,
|
|
|
|
'..',
|
|
|
|
'package.json'
|
|
|
|
)).availableLanguages.join(',');
|
|
|
|
}
|
|
|
|
|
|
|
|
const availableLanguages = conf.l10n_dev ? allLangs() : prodLangs();
|
|
|
|
|
2017-06-23 18:14:33 +00:00
|
|
|
app.engine(
|
|
|
|
'handlebars',
|
|
|
|
exphbs({
|
|
|
|
defaultLayout: 'main',
|
2017-07-25 21:28:49 +00:00
|
|
|
partialsDir: 'views/partials/',
|
|
|
|
helpers: {
|
|
|
|
availableLanguages,
|
|
|
|
l10nDev: conf.l10n_dev
|
|
|
|
}
|
2017-06-23 18:14:33 +00:00
|
|
|
})
|
|
|
|
);
|
2017-06-07 23:16:38 +00:00
|
|
|
app.set('view engine', 'handlebars');
|
2017-06-01 20:14:14 +00:00
|
|
|
|
2017-06-19 22:51:48 +00:00
|
|
|
app.use(helmet());
|
2017-07-22 00:01:26 +00:00
|
|
|
app.use(
|
|
|
|
helmet.hsts({
|
|
|
|
maxAge: 31536000,
|
|
|
|
force: conf.env === 'production'
|
|
|
|
})
|
|
|
|
);
|
2017-07-12 17:56:04 +00:00
|
|
|
app.use(
|
|
|
|
helmet.contentSecurityPolicy({
|
|
|
|
directives: {
|
2017-07-17 22:49:09 +00:00
|
|
|
defaultSrc: ["'self'"],
|
2017-07-12 17:56:04 +00:00
|
|
|
connectSrc: [
|
2017-07-17 22:49:09 +00:00
|
|
|
"'self'",
|
2017-07-12 17:56:04 +00:00
|
|
|
'https://sentry.prod.mozaws.net',
|
2017-07-25 05:08:43 +00:00
|
|
|
'https://www.google-analytics.com'
|
2017-07-12 17:56:04 +00:00
|
|
|
],
|
2017-07-25 19:08:37 +00:00
|
|
|
imgSrc: ["'self'", 'https://www.google-analytics.com'],
|
2017-07-25 05:08:43 +00:00
|
|
|
scriptSrc: ["'self'"],
|
2017-07-17 22:49:09 +00:00
|
|
|
styleSrc: ["'self'", 'https://code.cdn.mozilla.net'],
|
|
|
|
fontSrc: ["'self'", 'https://code.cdn.mozilla.net'],
|
|
|
|
formAction: ["'none'"],
|
|
|
|
frameAncestors: ["'none'"],
|
2017-07-25 05:08:43 +00:00
|
|
|
objectSrc: ["'none'"],
|
|
|
|
reportUri: '/__cspreport__'
|
2017-07-12 17:56:04 +00:00
|
|
|
}
|
|
|
|
})
|
|
|
|
);
|
2017-07-22 00:01:26 +00:00
|
|
|
app.use(
|
|
|
|
busboy({
|
|
|
|
limits: {
|
|
|
|
fileSize: conf.max_file_size
|
|
|
|
}
|
|
|
|
})
|
|
|
|
);
|
2017-06-01 20:14:14 +00:00
|
|
|
app.use(bodyParser.json());
|
2017-06-23 23:53:17 +00:00
|
|
|
app.use(express.static(STATIC_PATH));
|
2017-06-01 20:14:14 +00:00
|
|
|
|
2017-06-07 23:16:38 +00:00
|
|
|
app.get('/', (req, res) => {
|
2017-07-19 21:00:10 +00:00
|
|
|
res.render('index');
|
|
|
|
});
|
|
|
|
|
2017-07-27 18:24:49 +00:00
|
|
|
app.get('/unsupported/:reason', (req, res) => {
|
2017-07-27 18:54:36 +00:00
|
|
|
const outdated = req.params.reason === 'outdated';
|
2017-07-27 18:24:49 +00:00
|
|
|
res.render('unsupported', {
|
|
|
|
outdated: outdated
|
|
|
|
});
|
2017-07-22 00:40:29 +00:00
|
|
|
});
|
|
|
|
|
2017-07-24 17:24:17 +00:00
|
|
|
app.get('/legal', (req, res) => {
|
|
|
|
res.render('legal');
|
|
|
|
});
|
|
|
|
|
2017-07-19 21:00:10 +00:00
|
|
|
app.get('/jsconfig.js', (req, res) => {
|
|
|
|
res.set('Content-Type', 'application/javascript');
|
|
|
|
res.render('jsconfig', {
|
2017-06-22 21:50:57 +00:00
|
|
|
trackerId: conf.analytics_id,
|
2017-07-19 21:00:10 +00:00
|
|
|
dsn: conf.sentry_id,
|
2017-07-20 19:50:20 +00:00
|
|
|
maxFileSize: conf.max_file_size,
|
2017-07-24 20:07:49 +00:00
|
|
|
expireSeconds: conf.expire_seconds,
|
2017-07-19 21:00:10 +00:00
|
|
|
layout: false
|
2017-06-21 20:54:24 +00:00
|
|
|
});
|
2017-06-07 23:16:38 +00:00
|
|
|
});
|
|
|
|
|
2017-06-08 20:45:28 +00:00
|
|
|
app.get('/exists/:id', (req, res) => {
|
2017-06-09 17:44:12 +00:00
|
|
|
const id = req.params.id;
|
2017-07-11 18:18:31 +00:00
|
|
|
if (!validateID(id)) {
|
|
|
|
res.sendStatus(404);
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
|
2017-06-24 00:06:08 +00:00
|
|
|
storage
|
|
|
|
.exists(id)
|
|
|
|
.then(() => {
|
|
|
|
res.sendStatus(200);
|
|
|
|
})
|
|
|
|
.catch(err => res.sendStatus(404));
|
2017-06-08 20:45:28 +00:00
|
|
|
});
|
|
|
|
|
2017-06-06 21:24:51 +00:00
|
|
|
app.get('/download/:id', (req, res) => {
|
2017-06-09 17:44:12 +00:00
|
|
|
const id = req.params.id;
|
2017-07-11 18:18:31 +00:00
|
|
|
if (!validateID(id)) {
|
|
|
|
res.sendStatus(404);
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
|
2017-07-25 19:08:37 +00:00
|
|
|
storage
|
|
|
|
.filename(id)
|
|
|
|
.then(filename => {
|
|
|
|
return storage.length(id).then(contentLength => {
|
2017-07-22 00:01:26 +00:00
|
|
|
storage.ttl(id).then(timeToExpiry => {
|
|
|
|
res.render('download', {
|
|
|
|
filename: decodeURIComponent(filename),
|
|
|
|
filesize: bytes(contentLength),
|
|
|
|
sizeInBytes: contentLength,
|
|
|
|
timeToExpiry: timeToExpiry
|
|
|
|
});
|
|
|
|
});
|
2017-06-07 23:16:38 +00:00
|
|
|
});
|
2017-07-25 19:08:37 +00:00
|
|
|
})
|
|
|
|
.catch(() => {
|
|
|
|
res.status(404).render('notfound');
|
|
|
|
});
|
2017-06-01 20:14:14 +00:00
|
|
|
});
|
|
|
|
|
2017-06-06 21:24:51 +00:00
|
|
|
app.get('/assets/download/:id', (req, res) => {
|
2017-06-09 17:44:12 +00:00
|
|
|
const id = req.params.id;
|
2017-06-06 21:24:51 +00:00
|
|
|
if (!validateID(id)) {
|
2017-06-06 17:24:58 +00:00
|
|
|
res.sendStatus(404);
|
2017-06-01 20:14:14 +00:00
|
|
|
return;
|
|
|
|
}
|
|
|
|
|
2017-06-29 17:30:08 +00:00
|
|
|
storage
|
|
|
|
.metadata(id)
|
2017-06-29 17:27:36 +00:00
|
|
|
.then(meta => {
|
2017-07-12 17:53:29 +00:00
|
|
|
storage
|
|
|
|
.length(id)
|
|
|
|
.then(contentLength => {
|
|
|
|
res.writeHead(200, {
|
|
|
|
'Content-Disposition': 'attachment; filename=' + meta.filename,
|
|
|
|
'Content-Type': 'application/octet-stream',
|
|
|
|
'Content-Length': contentLength,
|
|
|
|
'X-File-Metadata': JSON.stringify(meta)
|
|
|
|
});
|
|
|
|
const file_stream = storage.get(id);
|
|
|
|
|
|
|
|
file_stream.on('end', () => {
|
|
|
|
storage
|
|
|
|
.forceDelete(id)
|
|
|
|
.then(err => {
|
|
|
|
if (!err) {
|
|
|
|
log.info('Deleted:', id);
|
|
|
|
}
|
|
|
|
})
|
|
|
|
.catch(err => {
|
|
|
|
log.info('DeleteError:', id);
|
|
|
|
});
|
|
|
|
});
|
|
|
|
|
|
|
|
file_stream.pipe(res);
|
|
|
|
})
|
|
|
|
.catch(err => {
|
|
|
|
res.sendStatus(404);
|
2017-06-06 17:23:37 +00:00
|
|
|
});
|
2017-06-07 23:16:38 +00:00
|
|
|
})
|
|
|
|
.catch(err => {
|
|
|
|
res.sendStatus(404);
|
|
|
|
});
|
2017-06-01 20:14:14 +00:00
|
|
|
});
|
|
|
|
|
2017-06-06 21:24:51 +00:00
|
|
|
app.post('/delete/:id', (req, res) => {
|
2017-06-09 17:44:12 +00:00
|
|
|
const id = req.params.id;
|
2017-06-01 20:14:14 +00:00
|
|
|
|
2017-06-06 21:24:51 +00:00
|
|
|
if (!validateID(id)) {
|
2017-06-19 21:30:04 +00:00
|
|
|
res.sendStatus(404);
|
2017-06-01 20:14:14 +00:00
|
|
|
return;
|
|
|
|
}
|
2017-06-06 21:24:51 +00:00
|
|
|
|
2017-06-09 17:44:12 +00:00
|
|
|
const delete_token = req.body.delete_token;
|
2017-06-06 21:24:51 +00:00
|
|
|
|
|
|
|
if (!delete_token) {
|
2017-06-01 20:14:14 +00:00
|
|
|
res.sendStatus(404);
|
2017-07-11 18:18:31 +00:00
|
|
|
return;
|
2017-06-01 20:14:14 +00:00
|
|
|
}
|
|
|
|
|
2017-06-07 21:07:31 +00:00
|
|
|
storage
|
2017-06-07 23:16:38 +00:00
|
|
|
.delete(id, delete_token)
|
2017-06-20 19:52:01 +00:00
|
|
|
.then(err => {
|
2017-06-07 21:07:31 +00:00
|
|
|
if (!err) {
|
2017-06-08 20:45:28 +00:00
|
|
|
log.info('Deleted:', id);
|
2017-06-08 21:38:00 +00:00
|
|
|
res.sendStatus(200);
|
2017-06-07 21:07:31 +00:00
|
|
|
}
|
|
|
|
})
|
|
|
|
.catch(err => res.sendStatus(404));
|
2017-06-01 20:14:14 +00:00
|
|
|
});
|
|
|
|
|
2017-07-10 19:19:20 +00:00
|
|
|
app.post('/upload', (req, res, next) => {
|
|
|
|
const newId = crypto.randomBytes(5).toString('hex');
|
2017-07-11 19:47:40 +00:00
|
|
|
let meta;
|
2017-07-11 19:34:49 +00:00
|
|
|
|
2017-07-11 19:47:40 +00:00
|
|
|
try {
|
|
|
|
meta = JSON.parse(req.header('X-File-Metadata'));
|
2017-07-12 17:53:29 +00:00
|
|
|
} catch (err) {
|
2017-07-11 19:47:40 +00:00
|
|
|
res.sendStatus(400);
|
|
|
|
return;
|
|
|
|
}
|
2017-07-11 18:18:31 +00:00
|
|
|
|
2017-07-12 17:53:29 +00:00
|
|
|
if (
|
|
|
|
!meta.hasOwnProperty('aad') ||
|
|
|
|
!meta.hasOwnProperty('id') ||
|
2017-07-13 21:56:28 +00:00
|
|
|
!meta.hasOwnProperty('filename') ||
|
|
|
|
!validateIV(meta.id)
|
2017-07-12 17:53:29 +00:00
|
|
|
) {
|
2017-07-11 18:18:31 +00:00
|
|
|
res.sendStatus(404);
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
|
2017-07-10 19:19:20 +00:00
|
|
|
meta.delete = crypto.randomBytes(10).toString('hex');
|
2017-06-29 17:30:08 +00:00
|
|
|
log.info('meta', meta);
|
2017-06-06 17:24:58 +00:00
|
|
|
req.pipe(req.busboy);
|
2017-06-20 21:33:28 +00:00
|
|
|
|
2017-06-06 17:24:58 +00:00
|
|
|
req.busboy.on('file', (fieldname, file, filename) => {
|
2017-07-10 19:19:20 +00:00
|
|
|
log.info('Uploading:', newId);
|
2017-06-08 20:48:51 +00:00
|
|
|
|
2017-07-22 00:01:26 +00:00
|
|
|
storage.set(newId, file, filename, meta).then(
|
|
|
|
() => {
|
|
|
|
const protocol = conf.env === 'production' ? 'https' : req.protocol;
|
|
|
|
const url = `${protocol}://${req.get('host')}/download/${newId}/`;
|
|
|
|
res.json({
|
|
|
|
url,
|
|
|
|
delete: meta.delete,
|
|
|
|
id: newId
|
|
|
|
});
|
|
|
|
},
|
|
|
|
err => {
|
|
|
|
if (err.message === 'limit') {
|
|
|
|
return res.sendStatus(413);
|
|
|
|
}
|
|
|
|
res.sendStatus(500);
|
2017-07-20 19:50:20 +00:00
|
|
|
}
|
2017-07-22 00:01:26 +00:00
|
|
|
);
|
2017-06-06 21:24:51 +00:00
|
|
|
});
|
2017-07-18 17:52:32 +00:00
|
|
|
|
|
|
|
req.on('close', err => {
|
|
|
|
storage
|
|
|
|
.forceDelete(newId)
|
|
|
|
.then(err => {
|
|
|
|
if (!err) {
|
|
|
|
log.info('Deleted:', newId);
|
|
|
|
}
|
|
|
|
})
|
|
|
|
.catch(err => {
|
|
|
|
log.info('DeleteError:', newId);
|
|
|
|
});
|
2017-07-22 00:01:26 +00:00
|
|
|
});
|
2017-06-01 20:14:14 +00:00
|
|
|
});
|
|
|
|
|
2017-06-22 19:18:07 +00:00
|
|
|
app.get('/__lbheartbeat__', (req, res) => {
|
|
|
|
res.sendStatus(200);
|
|
|
|
});
|
|
|
|
|
2017-06-23 18:14:33 +00:00
|
|
|
app.get('/__heartbeat__', (req, res) => {
|
|
|
|
storage.ping().then(() => res.sendStatus(200), () => res.sendStatus(500));
|
|
|
|
});
|
|
|
|
|
2017-06-23 18:29:45 +00:00
|
|
|
app.get('/__version__', (req, res) => {
|
2017-06-23 23:53:17 +00:00
|
|
|
res.sendFile(path.join(STATIC_PATH, 'version.json'));
|
2017-06-23 18:29:45 +00:00
|
|
|
});
|
|
|
|
|
2017-07-11 19:47:40 +00:00
|
|
|
const server = app.listen(conf.listen_port, () => {
|
2017-07-11 19:34:49 +00:00
|
|
|
log.info('startServer:', `Send app listening on port ${conf.listen_port}!`);
|
2017-06-06 21:24:51 +00:00
|
|
|
});
|
2017-06-01 20:14:14 +00:00
|
|
|
|
2017-06-09 17:44:12 +00:00
|
|
|
const validateID = route_id => {
|
2017-07-07 21:47:56 +00:00
|
|
|
return route_id.match(/^[0-9a-fA-F]{10}$/) !== null;
|
2017-07-11 18:18:31 +00:00
|
|
|
};
|
|
|
|
|
|
|
|
const validateIV = route_id => {
|
|
|
|
return route_id.match(/^[0-9a-fA-F]{24}$/) !== null;
|
2017-07-11 19:47:40 +00:00
|
|
|
};
|
|
|
|
|
|
|
|
module.exports = {
|
|
|
|
server: server,
|
|
|
|
storage: storage
|
2017-07-12 17:53:29 +00:00
|
|
|
};
|