- commit
- 485c1f5
- parent
- 1a30037
- author
- Eric Bower
- date
- 2024-04-04 04:01:45 +0000 UTC
refactor(pgs): switch from allowlist to denylist for files
2 files changed,
+24,
-62
+12,
-8
1@@ -8,6 +8,7 @@ import (
2 "log/slog"
3 "os"
4 "path/filepath"
5+ "regexp"
6 "strings"
7 "time"
8
9@@ -360,14 +361,17 @@ func (h *UploadAssetHandler) validateAsset(data *FileData) (bool, error) {
10 return true, nil
11 }
12
13- if !shared.IsExtAllowed(fname, h.Cfg.AllowedExt) {
14- extStr := strings.Join(h.Cfg.AllowedExt, ",")
15- err := fmt.Errorf(
16- "ERROR: (%s) invalid file, format must be (%s), skipping",
17- fname,
18- extStr,
19- )
20- return false, err
21+ dotFileRe := regexp.MustCompile(`/\..+`)
22+ // TODO: let user control this list somehow
23+ denylist := []*regexp.Regexp{dotFileRe}
24+ for _, denyRe := range denylist {
25+ if denyRe.MatchString(data.Filepath) {
26+ err := fmt.Errorf(
27+ "ERROR: (%s) file rejected, https://pico.sh/pgs#file-denylist",
28+ data.Filepath,
29+ )
30+ return false, err
31+ }
32 }
33
34 return true, nil
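Review bot: The dotfile rule `/\..+` only fires when a `/` precedes the dot, so a top-level dotfile such as `.env` or `.htpasswd` slips through unless data.Filepath is guaranteed to start with a slash, which nothing in this hunk shows; anchoring it as `(^|/)\.` rejects dotfiles in either path form. Since this is now a denylist, every extension not explicitly rejected is accepted, so the coupling to `shared.GetMimeType` that the removed allowlist comment flagged now applies to every upload — presumably unknown extensions get whatever fallback type that helper returns, which deserves a comment next to the denylist. Compiling the regex on each validateAsset call is also unnecessary; hoist it to package scope as `var dotFileRe = regexp.MustCompile(`(^|/)\.`)` and build the denylist slice there too. validateAsset begins and ends outside this hunk.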
+12,
-54
1@@ -38,60 +38,18 @@ func NewConfigSite() *shared.ConfigSite {
2 UseImgProxy: useImgProxy == "1",
3 Secret: secret,
4 ConfigCms: config.ConfigCms{
5- Domain: domain,
6- Email: email,
7- Port: port,
8- Protocol: protocol,
9- DbURL: dbURL,
10- StorageDir: storageDir,
11- MinioURL: minioURL,
12- MinioUser: minioUser,
13- MinioPass: minioPass,
14- Description: "A zero-install static site hosting service for hackers",
15- IntroText: intro,
16- Space: "pgs",
17- // IMPORTANT: make sure `shared.GetMimeType` has the extensions being
18- // added here.
19- AllowedExt: []string{
20- ".jpg",
21- ".jpeg",
22- ".png",
23- ".gif",
24- ".webp",
25- ".svg",
26- ".ico",
27- ".html",
28- ".htm",
29- ".css",
30- ".js",
31- ".pdf",
32- ".txt",
33- ".otf",
34- ".ttf",
35- ".woff",
36- ".woff2",
37- ".json",
38- ".md",
39- ".rss",
40- ".xml",
41- ".atom",
42- ".map",
43- ".webmanifest",
44- ".avif",
45- ".heif",
46- ".heic",
47- ".opus",
48- ".wav",
49- ".mp3",
50- ".mp4",
51- ".mpeg",
52- ".wasm",
53- ".xsl",
54- ".opml",
55- ".eot",
56- ".yml",
57- ".yaml",
58- },
59+ Domain: domain,
60+ Email: email,
61+ Port: port,
62+ Protocol: protocol,
63+ DbURL: dbURL,
64+ StorageDir: storageDir,
65+ MinioURL: minioURL,
66+ MinioUser: minioUser,
67+ MinioPass: minioPass,
68+ Description: "A zero-install static site hosting service for hackers",
69+ IntroText: intro,
70+ Space: "pgs",
71 MaxSize: maxSize,
72 MaxAssetSize: maxAssetSize,
73 Logger: shared.CreateLogger(debug == "1"),