Commit Graph

127 Commits

Author SHA1 Message Date
Bobby
2d147e748b
feat: usergroup-based file retention periods
this supersedes the old temporaryUploadAges, while maintaining full
backwards-compatibility.

please consult config.sample.js if you want to start using this
2022-05-07 02:17:31 +07:00
Bobby
595dd81455
feat: apply access-control-allow-origin globally
instead of only on some arbitrary routes

configurable via config, please check sample, disabled by default

i still recommend configuring from your own http server (nginx, etc.),
if you want to have a more complex per-routes headers
2022-05-02 13:58:04 +07:00
Bobby
86c26cb50c
feat: some bypass support to passthrough scanning
only usergroup and file extension bypass

real file size can't be determined before passthrough scan,
so there's no bypass by max file size
please read the comments in sample config file

refactored utils.clamscan into utils.scan
2022-04-23 04:44:01 +07:00
Bobby
f6a86226a2
fix: re-disable new default helmet modules
this is to align with original behavior pre-Helmet v5 update

this only changes sample config file, and fallback values when helmet
option is missing from config file

otherwise decide at your own discretion (refer to the comments)
2022-04-20 18:37:10 +07:00
Bobby
9af52e068d
docs: config and uploadController 2022-04-16 23:06:25 +07:00
Bobby
99a6fc82ca
fix: passthrough scan should default to off
i'll consider changing the default value once it has feature parity
with the old sequential scan
2022-04-16 13:34:43 +07:00
Bobby
db254c602b
feat: experimental clamscan passthrough support
when enabled, passthrough scanning will be used for non-chunked uploads

upload processing will be significantly faster if scanning is required
2022-04-15 16:41:05 +07:00
Bobby
2081245a79
docs: versioned ref links in config.sample.js 2022-04-15 15:41:16 +07:00
Bobby
6788dc2094
fix: align with clamscan v2 2022-04-15 15:36:50 +07:00
Bobby
be345e3d34
fix: align with express-rate-limit v6 2022-04-15 14:15:32 +07:00
Bobby
2ddd97541e
refactor: config.hsts -> config.helmet
this allows full config to the helmet library

it will fallback to old behavior if helmet entry is not found in
config file, but hsts entry is
2022-03-04 02:04:16 +07:00
Bobby
1cca4e5f69
fix: update duckduckgo proxy url in sample config 2022-03-03 19:46:25 +07:00
Bobby
a4f353ddcf
fix: private upload custom response config option 2021-06-08 07:59:25 +07:00
Bobby Wibowo
48488667c8
feat: limit upload to specific usergroups 2021-05-22 20:59:00 +07:00
Bobby Wibowo
ae6d7936c7
feat: blacklist extensions for strip tags
GIFs are known to not work without custom globally-installed libvips
with ImageMagick or GraphicsMagick support.
https://sharp.pixelplumbing.com/api-output#gif
https://sharp.pixelplumbing.com/install#custom-libvips

It's highly recommended to update your config following the changes to
the sample config file.

This also addressed a bug where images would still get recorded to DB
despite them not existing physically due to strip tags errors.
2021-02-01 06:13:37 +07:00
Bobby Wibowo
664c994855
scanner should NOT be enabled by default
Closes #341
2020-12-26 15:21:49 +07:00
Bobby Wibowo
346d9864f3
improved codes for statistics
much more expandable, and should be easier to understand overall.

make more statistics operations run concurrently to speed them up.

make linuxDiskStats config key obsolete by using systeminformation
package to also query for any mounted file systems.
2020-12-25 21:06:21 +07:00
Bobby Wibowo
896f74e0ca
allow overriding location of chunks
Closes #302
2020-11-10 01:07:10 +07:00
Bobby Wibowo
c16dac81ea
Updated config.sample.js
Didn't mean to have it enabled by default
2020-11-03 23:56:04 +07:00
Bobby Wibowo
b63836c89d
Added Content-Type override when serving with node
Closes #274
2020-11-03 23:53:56 +07:00
Bobby Wibowo
21fae10306
Updated config.sample.js 2020-11-01 07:38:36 +07:00
Bobby Wibowo
88f852584c
!! REPLACED ClamAV BACKEND: clamdjs -> clamscan !!
Update your config file!
2020-11-01 06:35:56 +07:00
Bobby Wibowo
57207493a2
Fixed setContentDisposition throwing errors 2020-10-02 04:58:35 +07:00
Bobby Wibowo
ce599aea19
Updated config.sample.js
It was weird to have both cacheFileIdentifiers and
queryDbForFileCollisions enabled by default.
2020-09-27 05:24:48 +07:00
Bobby Wibowo
ea15b145b1
Added alt stricter file name collision checks 2020-09-27 05:18:42 +07:00
Bobby Wibowo
c8a5f7be16
Added setContentDisposition option
Resolves #192

This added 2 new dependencies:
content-disposition
BobbyWibowo/serve-static

content-disposition:
This has fallback generation for file names that are outside ISO-8859-1.
Plus it was already a sub-dependency due to express to begin with.

BobbyWibowo/serve-static:
A fork of express/serve-static to allow specifying an async setHeaders
function by the name preSetHeaders, that will be awaited before
creating send stream to clients.
2020-09-27 04:33:42 +07:00
Bobby Wibowo
69664b05c2
Clean ups 2020-07-03 22:55:43 +07:00
evanmn
603c9f54e2
Update config.sample.js 2020-07-03 22:50:24 +07:00
Evan McCarthy
8ea0e491cd
add docker-compose stack 2020-07-03 22:50:24 +07:00
Bobby Wibowo
bd3c86c1bb
Fix typos in config.sample.js 2020-06-26 13:58:23 +07:00
Bobby Wibowo
a93e34bf87
Init cf-api-token 2020-06-26 13:48:15 +07:00
Bobby Wibowo
585331c6e5
Added timeout on chunked uploads
The service will now automatically clean up any leftover data from any
inactive & unfinished chunked upload attempts.

Updated config.sample.js for updated description and new sub-option
for chunkSize option.
2020-06-15 23:48:43 +07:00
camjac251
776414814d add user config option for thumbnail size 2020-06-01 04:17:23 -05:00
Bobby Wibowo
62a977542e
Switched to BLAKE3 for file hashing [MORE]
UPDATE YOUR CONFIG FILE IF YOU USE CHUNKED UPLOADS!
Read more about this at the end.

Added new dependency: blake3

Hashes will be created as the uploads are being written to disk.
With exception for chunked uploads!
For them specifically, their hashes will be created as they're being
rebuilt into a single file.
Should still be a lot better than the previous case where it had to
re-read the already written files.

To support that feature, added a new file
controllers/multerStorageController.js.
It's just a custom storage engine for Multer.

chunkSize option now allows setting max chunk size from config file.
Previously it was hardcoded to 95MB, but assuming you have paid
Cloudflare plans, you can actually have up to 500MB.

Also moved the option to be after maxSize and before urlMaxSize.
Made a lot more sense to me this way, as chunked uploads only work on
regular uploads.

Updated v1 version string and rebuilt client assets.
2020-05-29 02:52:58 +07:00
Bobby Wibowo
86b51fe5f5
Added Cookie Consent, among other things
This adds Cookie Consent library at public/libs/cookieconsent.

Added views/cookiepolicy.njk.

Added a new config option cookiePolicy. Disabled by default.

Updated views/faq.njk to use variables wherever applicable.
The variables are initiated at views/_globals.njk.
The said file also contains variables used at views/cookiepolicy.njk.

Restored messages about Cloudflare to FAQ.
They will be shown only if config.cloudflare.purgeCache is enabled.

Statistics will now capitalize first letters of the keys instead.

Updated background color of SweetAlert modals.

Moved table styling from dashboard.css to style.css (global),
since table will also be used in Cookie Policy page.

Bumped v1 version string and rebuilt client assets.
2020-05-17 03:35:54 +07:00
Bobby Wibowo
19b4a5e217
Updated Linux-only disk stats
Restore disk usage stats even when config.linuxDiskStats is off

The said config will now only toggle the 'extended' stats which are
disk usage of each directories within the uploads directory
2020-05-02 19:28:13 +07:00
Bobby Wibowo
325ccfac81
Added config option to enable linux disk stats
The option is disabled by default.
Meaning you need to explicitly set it to true to restore
the old behavior.

The one that uses both "df" and "du" binaries.
I found them to be very slow with 100k+ uploads
on my ancient potato server.
2020-04-08 07:08:18 +07:00
Bobby Wibowo
46fa9677ff
Extended configuration for virus scanning
Added whitelist extensions
Added max size limit
2020-04-04 21:20:01 +07:00
Bobby Wibowo
609753f1e9
Make Helmet's HSTS configurable from config file
Closed #115
2020-02-13 15:03:31 +07:00
Bobby Wibowo
edce59243b
Better cache control when not using CDN 2020-02-11 17:18:04 +07:00
Bobby Wibowo
806acecdbb
Updated explanation of stripTags option in config 2019-12-02 01:02:03 +07:00
Bobby Wibowo
d9ddfe8e9a
Implemented stripping tags from images
... and optionally videos using ffmpeg (still experimental).

Users can choose whether to strip tags of their uploads or not from
the home uploader's Config tab (safe.fiery.me will have it disabled
by default).

The behavior will also be applied to the downloadable ShareX config.

Server owners can choose to force either behavior.

Make sure to add the new config from config.sample.js.

---

Fixed all instances of "e.i." to "e.g.".
My English sucks okay.

Bumped v1 version string.
2019-11-29 20:42:53 +07:00
Bobby Wibowo
a28d862c14
Added group bypass to virus scanning
Also better-ish scan results handling again, I guess

Updated dependency knex: 0.20.0 -> 0.20.1
2019-11-06 03:35:04 +07:00
Bobby Wibowo
fbd8037c35
Updated config.sample.js
Updated sample API rate limits.
This will pretty much be the same ones used live in safe.fiery.me.

This rate limits ALL API calls to 10 requests per second,
but apply stricter limits to login & register endpoints, which are
2 requests per 5 seconds.
Also apply stricter limit to album ZIP download endpoint to
4 requests in 30 seconds.

Also removed forcing 200 HTTP status code from the error responses,
cause front-end will now handle any HTTP status codes properly.
It was previously set to 200 cause frontend couldn't handler
errors properly.

On a side note, rate limiting all API calls is important due to the fact
that any token-based endpoints can be used for brute-forcing tokens.
Some server firewalls can also be used to ban possible brute force
attacks through actively monitoring the HTTP server's access logs,
so you may also want to consider that kind of solution for your site
instead.
2019-10-12 13:55:38 +07:00
Bobby Wibowo
386787c6ce
Updated
Description in album public pages will no longer use h2 tag.
Descriptions that can go up to 4000 chars kinda made no sense to use
that tag.

Use Nunjucks' built-in nl2br tag to replace newlines with <br> tag.

Removed unused macro from faq.njk.

Better extensions filter list in URL uploads tab.

Updated config.sample.js with sample usage of the URL uploads extensions
filter.
2019-09-19 15:30:00 +07:00
Bobby Wibowo
19dcd4fd02
Updated 2019-09-09 01:27:14 +07:00
Bobby Wibowo
1a0d85cc6c
Updated 2019-09-09 01:21:01 +07:00
Bobby Wibowo
4bad86003c
Updated
I forgot to update sample config file in the previous commit.
config.uploads.fileLength -> config.uploads.fileIdentifierLength.

Updated README.md.
2019-09-08 09:28:13 +07:00
Bobby Wibowo
02e2e402c3
!!! MASSIVE OVERHAUL !!!
As the title says, this commit is a massive overhaul.
I've rewritten/restrucuted almost everything in the controller scripts.
Because of that, there's a considerable possibility that I've broken
something somewhere.

Notable changes:

Added temporary uploads.

Removed file name length changer from dashboard,
in favor of an equivalent in homepage config tab.
This allows non-registered users to also set file name length.

A bunch of other undocmented stuff.
I don't know, I'm too tired to remember them all.
2019-09-08 08:56:29 +07:00
Bobby Wibowo
e45d854c09
Updated
* Updated path resolving for upload folder option.
This SHOULD now allow using an absolute path, even those outside of
the lolisafe installation.

* Added a config option at uploads -> generateThumbs, named placeholder.
It's a string option that lets you set path of the placeholder image
for files whose thumbnail could not be generated.
It defaults to the old hard-coded path when set to falsy value.

* Fixed thumbs script not using upload folder from config file.

* Added filters for thumb generation error handling.
This is used to ignore some common error messages,
such as file formats not being supported.
2019-08-23 16:49:53 +07:00