Add content length cap for paste creation endpoint (#8)
* add content length cap * add development docker compose stack * Fix paste creation error notification data * Add length cap to hastebin endpoint as well * Mention length cap in Readme Co-authored-by: Lukas Schulte Pelkum <kbrt@protonmail.com>
This commit is contained in:
parent
ef364db0e5
commit
8cbb62070e
|
@ -54,6 +54,7 @@ Pasty will be available at http://localhost:8080.
|
||||||
| `PASTY_DELETION_TOKEN_MASTER` | `<empty>` | `string` | Defines the master deletion token which is authorized to delete every paste (even if deletion tokens are disabled) |
|
| `PASTY_DELETION_TOKEN_MASTER` | `<empty>` | `string` | Defines the master deletion token which is authorized to delete every paste (even if deletion tokens are disabled) |
|
||||||
| `PASTY_DELETION_TOKEN_LENGTH` | `12` | `number` | Defines the length of the deletion token of a paste |
|
| `PASTY_DELETION_TOKEN_LENGTH` | `12` | `number` | Defines the length of the deletion token of a paste |
|
||||||
| `PASTY_RATE_LIMIT` | `30-M` | `string` | Defines the rate limit of the API (see https://github.com/ulule/limiter#usage) |
|
| `PASTY_RATE_LIMIT` | `30-M` | `string` | Defines the rate limit of the API (see https://github.com/ulule/limiter#usage) |
|
||||||
|
| `PASTY_LENGTH_CAP` | `50000` | `number` | Defines the maximum amount of characters a paste is allowed to contain (a value `<= 0` means no limit) |
|
||||||
|
|
||||||
## AutoDelete
|
## AutoDelete
|
||||||
Pasty provides an intuitive system to automatically delete pastes after a specific amount of time. You can configure it with the following variables:
|
Pasty provides an intuitive system to automatically delete pastes after a specific amount of time. You can configure it with the following variables:
|
||||||
|
|
|
@ -0,0 +1,16 @@
|
||||||
|
version: "3"
|
||||||
|
|
||||||
|
volumes:
|
||||||
|
postgres:
|
||||||
|
|
||||||
|
services:
|
||||||
|
postgres:
|
||||||
|
image: "postgres:12-alpine"
|
||||||
|
ports:
|
||||||
|
- "5432:5432"
|
||||||
|
volumes:
|
||||||
|
- "postgres:/var/lib/postgresql/data"
|
||||||
|
environment:
|
||||||
|
POSTGRES_PASSWORD: "dev"
|
||||||
|
POSTGRES_USER: "dev"
|
||||||
|
POSTGRES_DB: "pasty"
|
|
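Review bot: `- "5432:5432"` publishes the development database on every host interface together with the fixed credentials `POSTGRES_USER: "dev"` / `POSTGRES_PASSWORD: "dev"`, so any machine that can reach the developer's host can log in. Binding the port to loopback, `- "127.0.0.1:5432:5432"`, keeps the stack usable for local development without that exposure. A one-line comment at the top of the file saying the credentials are for the local development stack only would also make the intent clear to whoever copies it.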
@ -18,6 +18,7 @@ type Config struct {
|
||||||
DeletionTokenMaster string
|
DeletionTokenMaster string
|
||||||
DeletionTokenLength int
|
DeletionTokenLength int
|
||||||
RateLimit string
|
RateLimit string
|
||||||
|
LengthCap int
|
||||||
AutoDelete *AutoDeleteConfig
|
AutoDelete *AutoDeleteConfig
|
||||||
File *FileConfig
|
File *FileConfig
|
||||||
Postgres *PostgresConfig
|
Postgres *PostgresConfig
|
||||||
|
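Review bot: The new `LengthCap int` field carries no comment although the README row it mirrors documents both the unit and the `<= 0` sentinel; add `// LengthCap is the maximum request body size, in bytes, accepted by the paste endpoints; a value <= 0 disables the check.` above it. The README describes the limit as a number of characters, while the handlers compare it with the request length, so the field comment should say bytes to avoid a mismatch for multi-byte UTF-8 content. The Config struct starts before this hunk.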
@ -76,6 +77,7 @@ func Load() {
|
||||||
DeletionTokenMaster: env.MustString("DELETION_TOKEN_MASTER", ""),
|
DeletionTokenMaster: env.MustString("DELETION_TOKEN_MASTER", ""),
|
||||||
DeletionTokenLength: env.MustInt("DELETION_TOKEN_LENGTH", 12),
|
DeletionTokenLength: env.MustInt("DELETION_TOKEN_LENGTH", 12),
|
||||||
RateLimit: env.MustString("RATE_LIMIT", "30-M"),
|
RateLimit: env.MustString("RATE_LIMIT", "30-M"),
|
||||||
|
LengthCap: env.MustInt("LENGTH_CAP", 50_000),
|
||||||
AutoDelete: &AutoDeleteConfig{
|
AutoDelete: &AutoDeleteConfig{
|
||||||
Enabled: env.MustBool("AUTODELETE", false),
|
Enabled: env.MustBool("AUTODELETE", false),
|
||||||
Lifetime: env.MustDuration("AUTODELETE_LIFETIME", 720*time.Hour),
|
Lifetime: env.MustDuration("AUTODELETE_LIFETIME", 720*time.Hour),
|
||||||
|
|
|
@ -13,6 +13,14 @@ import (
|
||||||
|
|
||||||
// HastebinSupportHandler handles the legacy hastebin requests
|
// HastebinSupportHandler handles the legacy hastebin requests
|
||||||
func HastebinSupportHandler(ctx *fasthttp.RequestCtx) {
|
func HastebinSupportHandler(ctx *fasthttp.RequestCtx) {
|
||||||
|
// Check content length before reading body into memory
|
||||||
|
if config.Current.LengthCap > 0 &&
|
||||||
|
ctx.Request.Header.ContentLength() > config.Current.LengthCap {
|
||||||
|
ctx.SetStatusCode(fasthttp.StatusBadRequest)
|
||||||
|
ctx.SetBodyString("request body length overflow")
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
// Define the paste content
|
// Define the paste content
|
||||||
var content string
|
var content string
|
||||||
switch string(ctx.Request.Header.ContentType()) {
|
switch string(ctx.Request.Header.ContentType()) {
|
||||||
|
|
|
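Review bot: The guard `if config.Current.LengthCap > 0 && ctx.Request.Header.ContentLength() > config.Current.LengthCap` only limits requests that declare a Content-Length; fasthttp's ContentLength() returns a negative value for chunked transfer encoding, so a chunked body of any size passes the check. Because fasthttp has already read the whole body into memory before the handler runs (unless the server is configured with StreamRequestBody), the comment `Check content length before reading body into memory` also overstates what the check achieves: the memory bound belongs in `Server.MaxRequestBodySize`, and the paste cap should be checked against the bytes actually received, `if config.Current.LengthCap > 0 && len(ctx.PostBody()) > config.Current.LengthCap {`. Responding with `fasthttp.StatusRequestEntityTooLarge` describes the rejection better than 400. The same applies to the identical guard in the v1PostPaste hunk below; both HastebinSupportHandler and v1PostPaste continue past their hunks.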
@ -51,6 +51,14 @@ func v1GetPaste(ctx *fasthttp.RequestCtx) {
|
||||||
|
|
||||||
// v1PostPaste handles the 'POST /v1/pastes' endpoint
|
// v1PostPaste handles the 'POST /v1/pastes' endpoint
|
||||||
func v1PostPaste(ctx *fasthttp.RequestCtx) {
|
func v1PostPaste(ctx *fasthttp.RequestCtx) {
|
||||||
|
// Check content length before reading body into memory
|
||||||
|
if config.Current.LengthCap > 0 &&
|
||||||
|
ctx.Request.Header.ContentLength() > config.Current.LengthCap {
|
||||||
|
ctx.SetStatusCode(fasthttp.StatusBadRequest)
|
||||||
|
ctx.SetBodyString("request body length overflow")
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
// Unmarshal the body
|
// Unmarshal the body
|
||||||
values := make(map[string]string)
|
values := make(map[string]string)
|
||||||
err := json.Unmarshal(ctx.PostBody(), &values)
|
err := json.Unmarshal(ctx.PostBody(), &values)
|
||||||
|
|
|
@ -57,7 +57,7 @@ export function setupButtons() {
|
||||||
// Create the paste
|
// Create the paste
|
||||||
const response = await api.createPaste(input.value);
|
const response = await api.createPaste(input.value);
|
||||||
if (!response.ok) {
|
if (!response.ok) {
|
||||||
notifications.error("Failed creating the paste: <b>" + data + "</b>");
|
notifications.error("Failed creating the paste: <b>" + await response.text() + "</b>");
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
const data = await response.json();
|
const data = await response.json();
|
||||||
|
|
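Review bot: `notifications.error("Failed creating the paste: <b>" + await response.text() + "</b>")` concatenates the raw response body into markup; if notifications.error renders its argument as HTML, whatever the server puts in an error body is interpreted as HTML by the browser. The body comes from the same origin and the new server-side message is a fixed string, so the exposure is low as written, but escaping the text before concatenation (or rendering it through textContent) would keep that true if an error path ever echoes request data. setupButtons continues outside the hunk.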