quad-j/index.js

const config = require('./config');

const express = require('express');
const fileUpload = require('express-fileupload');
const path = require('path');
const fs = require('fs');
const mime = require('mime-types')
const cors = require('cors');

const app = express();

app.use(fileUpload());
app.set('view engine', 'ejs')
app.use(express.urlencoded({ extended: false }));
app.use(express.json());


const isPathValid = (filename, filePath) => {
    if (!filename) {
        return false;
    }

    if (filename.indexOf('\0') !== -1 || filename.indexOf('%') !== -1 || filename.indexOf('/') !== -1 || filename.indexOf('..') !== -1) {
        return false;
    }

    if (!/[A-Za-z1-9.]+/g.test(filename)) {
        return false;
    }

    if (filePath.indexOf(config.storagePath) !== 0) {
        return false;
    }

    return true;
};

const isFilenameValid = (filename) => {
    if (!filename) {
        return false;
    }

    if (filename.indexOf('\0') !== -1 || filename.indexOf('%') !== -1 || filename.indexOf('..') !== -1 || filename.indexOf('&') !== -1) {
        return false;
    }

    if (!/[A-Za-z1-9.]+/g.test(filename)) {
        return false;
    }

    return true;
};

const getFileType = (filename) => {
    const extension = path.extname(filename).substring(1);
    let type = config.files.embed[extension];

    if (!type) {
        type = config.files.other;
    }

    return type;
};

const allowlist = ['https://files.hippoz.xyz/', 'https://hippoz.xyz/', 'https://files.hippoz.xyz', 'https://hippoz.xyz']
const corsOptions = {
    origin: function (origin, callback) {
        if (allowlist.indexOf(origin) !== -1) {
            callback(null, true)
        } else {
            callback(new Error('Not allowed by CORS'))
        }
    }
}

app.get('/', (req, res) => {
    // res.render('upload');
    // TODO: this is only for hippoz. remove the line below and uncomment the line above if you are not hippoz man
    res.redirect(301, 'https://hippoz.xyz/');
});

app.get('/file/:filename', (req, res) => {
    const filename = req.params.filename;
    const filePath = path.join(config.storagePath, filename);
    const isValid = isPathValid(filename, filePath);

    if (!isValid) {
        res.status(400).send('invalid input.');
        return;
    }

    fs.access(filePath, fs.F_OK, (err) => {
        if (err) {
            res.status(404).send('file not found or is invalid.');
            return;
        }

        const type = getFileType(filePath);
        const mimeType = mime.lookup(filePath);

        if (type === config.files.other) {
            res.contentType('text/plain');
        } else {
            res.contentType(mimeType);
        }
        
        res.sendFile(filePath);
    });
});

// TODO: add cors for all endpoints
app.post('/api/upload', [ cors(corsOptions) ], (req, res) => {
    const password = req.body.password;
    const chosenFileName = req.body.filename;

    if (config.passwords.indexOf(password) === -1) {
        return res.status(401).render('uploadfailed', { message: 'the password you entered is not correct.' });
    }

    if (!req.files || Object.keys(req.files).length === 0) {
        return res.status(400).render('uploadfailed', { message: 'you forgot to upload a file.' });
    }

    const file = req.files.file;

    if (!isFilenameValid(chosenFileName)) {
        return res.status(400).render('uploadfailed', { message: 'invalid name.' });
    }

    const filepath = path.join(config.storagePath, chosenFileName);

    if (!isFilenameValid(file.name) || !isPathValid(chosenFileName, filepath)) {
        return res.status(400).render('uploadfailed', { message: 'invalid name.' });
    }

    fs.stat(filepath, (err) => {
        if(err == null) {
            return res.status(400).render('uploadfailed', { message: 'a file with that name already exists.' });
        } else if(err.code === 'ENOENT') {
            file.mv(filepath, (err) => {
                if (err) return res.status(500).render('uploadfailed', { message: 'something went wrong while uploading the file.' });
                res.render('uploaded', { file: { name: chosenFileName }, baseurl: config.url });
            });
        } else {
            return res.status(500).render('uploadfailed', { message: 'something went wrong.' });;
        }
    });
});

app.use(function (err, req, res, next) {
    console.error(err.stack);
    res.status(500).send('internal server error: something went wrong');
});

app.listen(config.server.port, () => {
    console.log(`started server on port ${config.server.port}`);
});
Initial commit. 2020-10-01 23:10:41 +03:00			`const config = require('./config');`

			`const express = require('express');`
			`const fileUpload = require('express-fileupload');`
			`const path = require('path');`
			`const fs = require('fs');`
			`const mime = require('mime-types')`
add cors 2020-10-05 00:15:13 +03:00			`const cors = require('cors');`
Initial commit. 2020-10-01 23:10:41 +03:00
			`const app = express();`

			`app.use(fileUpload());`
			`app.set('view engine', 'ejs')`
added password and added uploaded page 2020-10-02 22:46:23 +03:00			`app.use(express.urlencoded({ extended: false }));`
			`app.use(express.json());`
Initial commit. 2020-10-01 23:10:41 +03:00

			`const isPathValid = (filename, filePath) => {`
			`if (!filename) {`
			`return false;`
			`}`

			`if (filename.indexOf('\0') !== -1 \|\| filename.indexOf('%') !== -1 \|\| filename.indexOf('/') !== -1 \|\| filename.indexOf('..') !== -1) {`
			`return false;`
			`}`

Add support for adding file names. Experimental. 2020-10-03 18:53:43 +03:00			`if (!/[A-Za-z1-9.]+/g.test(filename)) {`
			`return false;`
			`}`

Initial commit. 2020-10-01 23:10:41 +03:00			`if (filePath.indexOf(config.storagePath) !== 0) {`
			`return false;`
			`}`

			`return true;`
			`};`

Add support for adding file names. Experimental. 2020-10-03 18:53:43 +03:00			`const isFilenameValid = (filename) => {`
			`if (!filename) {`
			`return false;`
			`}`

			`if (filename.indexOf('\0') !== -1 \|\| filename.indexOf('%') !== -1 \|\| filename.indexOf('..') !== -1 \|\| filename.indexOf('&') !== -1) {`
			`return false;`
			`}`

			`if (!/[A-Za-z1-9.]+/g.test(filename)) {`
			`return false;`
			`}`

			`return true;`
			`};`

Initial commit. 2020-10-01 23:10:41 +03:00			`const getFileType = (filename) => {`
			`const extension = path.extname(filename).substring(1);`
			`let type = config.files.embed[extension];`

			`if (!type) {`
			`type = config.files.other;`
			`}`

			`return type;`
			`};`

update allowlist 2020-10-05 00:23:56 +03:00			`const allowlist = ['https://files.hippoz.xyz/', 'https://hippoz.xyz/', 'https://files.hippoz.xyz', 'https://hippoz.xyz']`
add cors 2020-10-05 00:15:13 +03:00			`const corsOptions = {`
			`origin: function (origin, callback) {`
fix variable not defined due to typo 2020-10-05 00:20:28 +03:00			`if (allowlist.indexOf(origin) !== -1) {`
update allowlist 2020-10-05 00:23:56 +03:00			`callback(null, true)`
add cors 2020-10-05 00:15:13 +03:00			`} else {`
			`callback(new Error('Not allowed by CORS'))`
			`}`
			`}`
			`}`
Add support for adding file names. Experimental. 2020-10-03 18:53:43 +03:00
			`app.get('/', (req, res) => {`
add cors 2020-10-05 00:15:13 +03:00			`// res.render('upload');`
fix redirect 2020-10-05 00:33:49 +03:00			`// TODO: this is only for hippoz. remove the line below and uncomment the line above if you are not hippoz man`
make home redirect permanent 2020-10-07 19:10:20 +03:00			`res.redirect(301, 'https://hippoz.xyz/');`
Add support for adding file names. Experimental. 2020-10-03 18:53:43 +03:00			`});`

Initial commit. 2020-10-01 23:10:41 +03:00			`app.get('/file/:filename', (req, res) => {`
			`const filename = req.params.filename;`
			`const filePath = path.join(config.storagePath, filename);`
			`const isValid = isPathValid(filename, filePath);`

			`if (!isValid) {`
change messages to lowercase to fit my style 2020-10-07 18:00:32 +03:00			`res.status(400).send('invalid input.');`
Initial commit. 2020-10-01 23:10:41 +03:00			`return;`
			`}`

			`fs.access(filePath, fs.F_OK, (err) => {`
			`if (err) {`
change messages to lowercase to fit my style 2020-10-07 18:00:32 +03:00			`res.status(404).send('file not found or is invalid.');`
Initial commit. 2020-10-01 23:10:41 +03:00			`return;`
			`}`

			`const type = getFileType(filePath);`
			`const mimeType = mime.lookup(filePath);`

			`if (type === config.files.other) {`
			`res.contentType('text/plain');`
			`} else {`
			`res.contentType(mimeType);`
			`}`

			`res.sendFile(filePath);`
			`});`
			`});`

add cors for upload endpoint only 2020-10-05 00:31:23 +03:00			`// TODO: add cors for all endpoints`
			`app.post('/api/upload', [ cors(corsOptions) ], (req, res) => {`
added password and added uploaded page 2020-10-02 22:46:23 +03:00			`const password = req.body.password;`
Add support for adding file names. Experimental. 2020-10-03 18:53:43 +03:00			`const chosenFileName = req.body.filename;`
added password and added uploaded page 2020-10-02 22:46:23 +03:00
			`if (config.passwords.indexOf(password) === -1) {`
change messages to lowercase to fit my style 2020-10-07 18:00:32 +03:00			`return res.status(401).render('uploadfailed', { message: 'the password you entered is not correct.' });`
added password and added uploaded page 2020-10-02 22:46:23 +03:00			`}`

Initial commit. 2020-10-01 23:10:41 +03:00			`if (!req.files \|\| Object.keys(req.files).length === 0) {`
change messages to lowercase to fit my style 2020-10-07 18:00:32 +03:00			`return res.status(400).render('uploadfailed', { message: 'you forgot to upload a file.' });`
Initial commit. 2020-10-01 23:10:41 +03:00			`}`

			`const file = req.files.file;`
Add support for adding file names. Experimental. 2020-10-03 18:53:43 +03:00
			`if (!isFilenameValid(chosenFileName)) {`
change messages to lowercase to fit my style 2020-10-07 18:00:32 +03:00			`return res.status(400).render('uploadfailed', { message: 'invalid name.' });`
Add support for adding file names. Experimental. 2020-10-03 18:53:43 +03:00			`}`

			`const filepath = path.join(config.storagePath, chosenFileName);`

			`if (!isFilenameValid(file.name) \|\| !isPathValid(chosenFileName, filepath)) {`
change messages to lowercase to fit my style 2020-10-07 18:00:32 +03:00			`return res.status(400).render('uploadfailed', { message: 'invalid name.' });`
Add support for adding file names. Experimental. 2020-10-03 18:53:43 +03:00			`}`
add check for files that already exist 2020-10-02 23:03:59 +03:00
turns out it was deprecated... BRUH 2020-10-02 23:08:12 +03:00			`fs.stat(filepath, (err) => {`
			`if(err == null) {`
change messages to lowercase to fit my style 2020-10-07 18:00:32 +03:00			`return res.status(400).render('uploadfailed', { message: 'a file with that name already exists.' });`
turns out it was deprecated... BRUH 2020-10-02 23:08:12 +03:00			`} else if(err.code === 'ENOENT') {`
add check for files that already exist 2020-10-02 23:03:59 +03:00			`file.mv(filepath, (err) => {`
change messages to lowercase to fit my style 2020-10-07 18:00:32 +03:00			`if (err) return res.status(500).render('uploadfailed', { message: 'something went wrong while uploading the file.' });`
this time maybe actually do it right? 2020-10-18 19:40:30 +03:00			`res.render('uploaded', { file: { name: chosenFileName }, baseurl: config.url });`
add check for files that already exist 2020-10-02 23:03:59 +03:00			`});`
			`} else {`
change messages to lowercase to fit my style 2020-10-07 18:00:32 +03:00			`return res.status(500).render('uploadfailed', { message: 'something went wrong.' });;`
add check for files that already exist 2020-10-02 23:03:59 +03:00			`}`
Initial commit. 2020-10-01 23:10:41 +03:00			`});`
			`});`

add error handling 2020-10-05 00:37:01 +03:00			`app.use(function (err, req, res, next) {`
			`console.error(err.stack);`
change messages to lowercase to fit my style 2020-10-07 18:00:32 +03:00			`res.status(500).send('internal server error: something went wrong');`
add error handling 2020-10-05 00:37:01 +03:00			`});`

add server listening message and remove unnecessary package 2020-10-02 23:18:53 +03:00			`app.listen(config.server.port, () => {`
change messages to lowercase to fit my style 2020-10-07 18:00:32 +03:00			console.log(`started server on port ${config.server.port}`);
add server listening message and remove unnecessary package 2020-10-02 23:18:53 +03:00			`});`