hostr/web/routes/file.js

import { join } from 'path';
import mime from 'mime-types';
import models from '../../models';
import hostrFileStream from '../../lib/hostr-file-stream';
import { formatFile } from '../../lib/format';

const storePath = process.env.UPLOAD_STORAGE_PATH;

const referrerRegexes = [
  /^https:\/\/hostr.co/,
  /^https:\/\/localhost.hostr.co/,
  /^http:\/\/localhost:4040/,
];

function userAgentCheck(userAgent) {
  if (!userAgent) {
    return false;
  }
  return userAgent.match(/^(wget|curl|vagrant)/i);
}

function referrerCheck(referrer) {
  return referrer && referrerRegexes.some(regex => referrer.match(regex));
}

function hotlinkCheck(file, userAgent, referrer) {
  return userAgentCheck(userAgent) || file.width || referrerCheck(referrer);
}

export async function get(ctx) {
  if (ctx.params.size && ['150', '970'].indexOf(ctx.params.size) < 0) {
    ctx.throw(404);
    return;
  }

  const file = await models.file.findOne({
    where: {
      id: ctx.params.id,
      name: ctx.params.name,
    },
  });
  ctx.assert(file, 404);

  if (!hotlinkCheck(file, ctx.headers['user-agent'], ctx.headers.referer)) {
    ctx.redirect(`/${file.id}`);
    return;
  }

  if (!file.width && ctx.request.query.warning !== 'on') {
    ctx.redirect(`/${file.id}`);
    return;
  }

  if (file.malware) {
    const { alert } = ctx.request.query;
    if (!alert || !alert.match(/i want to download malware/i)) {
      ctx.redirect(`/${file.id}`);
      return;
    }
  }

  let localPath = join(storePath, file.id[0], `${file.id}_${file.name}`);
  let remotePath = join(file.id[0], `${file.id}_${file.name}`);
  if (ctx.params.size > 0) {
    localPath = join(storePath, file.id[0], ctx.params.size, `${file.id}_${file.name}`);
    remotePath = join(file.id[0], ctx.params.size, `${file.id}_${file.name}`);
  }

  if (file.malware) {
    ctx.statsd.incr('file.malware.download', 1);
  }

  let type = 'application/octet-stream';
  if (file.width > 0) {
    if (ctx.params.size) {
      ctx.statsd.incr('file.view', 1);
    }
    type = mime.lookup(file.name);
  } else {
    ctx.statsd.incr('file.download', 1);
  }

  if (userAgentCheck(ctx.headers['user-agent'])) {
    ctx.set('Content-Disposition', `attachment; filename=${file.name}`);
  }

  ctx.set('Content-type', type);
  ctx.set('Expires', new Date(2020, 1).toISOString());
  ctx.set('Cache-control', 'max-age=2592000');

  if (!ctx.params.size || (ctx.params.size && ctx.params.size > 150)) {
    models.file.accessed(file.id);
  }

  ctx.body = await hostrFileStream(localPath, remotePath);
}

export async function resized(ctx) {
  await get.call(ctx);
}

export async function landing(ctx) {
  const file = await models.file.findOne({
    where: {
      id: ctx.params.id,
    },
  });
  ctx.assert(file, 404);
  if (userAgentCheck(ctx.headers['user-agent'])) {
    ctx.params.name = file.name;
    await get.call(ctx);
    return;
  }

  ctx.statsd.incr('file.landing', 1);
  const formattedFile = formatFile(file);
  await ctx.render('file', { file: formattedFile });
}
Get linting passing again 2016-06-06 15:37:00 +01:00			`import { join } from 'path';`
Initial commit. 2015-07-09 23:01:43 +01:00			`import mime from 'mime-types';`
Postgres. 2016-06-19 10:14:47 -07:00			`import models from '../../models';`
Initial commit. 2015-07-09 23:01:43 +01:00			`import hostrFileStream from '../../lib/hostr-file-stream';`
			`import { formatFile } from '../../lib/format';`

Improve environment variable stuff 2015-08-30 18:35:05 +02:00			`const storePath = process.env.UPLOAD_STORAGE_PATH;`
Initial commit. 2015-07-09 23:01:43 +01:00
Get linting passing again 2016-06-06 15:37:00 +01:00			`const referrerRegexes = [`
			`/^https:\/\/hostr.co/,`
			`/^https:\/\/localhost.hostr.co/,`
			`/^http:\/\/localhost:4040/,`
			`];`

Apply Javascript styleguide 2015-08-23 22:12:32 +01:00			`function userAgentCheck(userAgent) {`
			`if (!userAgent) {`
Initial commit. 2015-07-09 23:01:43 +01:00			`return false;`
			`}`
			`return userAgent.match(/^(wget\|curl\|vagrant)/i);`
Apply Javascript styleguide 2015-08-23 22:12:32 +01:00			`}`
Initial commit. 2015-07-09 23:01:43 +01:00
Get linting passing again 2016-06-06 15:37:00 +01:00			`function referrerCheck(referrer) {`
Fix linting 2018-06-02 18:07:00 +00:00			`return referrer && referrerRegexes.some(regex => referrer.match(regex));`
Get linting passing again 2016-06-06 15:37:00 +01:00			`}`

Apply Javascript styleguide 2015-08-23 22:12:32 +01:00			`function hotlinkCheck(file, userAgent, referrer) {`
Get linting passing again 2016-06-06 15:37:00 +01:00			`return userAgentCheck(userAgent) \|\| file.width \|\| referrerCheck(referrer);`
Apply Javascript styleguide 2015-08-23 22:12:32 +01:00			`}`
Block hotlinking of non-image files. 2015-08-09 01:11:48 +01:00
Update stuff 2018-06-02 15:50:39 +00:00			`export async function get(ctx) {`
			`if (ctx.params.size && ['150', '970'].indexOf(ctx.params.size) < 0) {`
			`ctx.throw(404);`
Ignore invalid resized image sizes 2016-06-06 17:41:00 +01:00			`return;`
			`}`

Update stuff 2018-06-02 15:50:39 +00:00			`const file = await models.file.findOne({`
Postgres. 2016-06-19 10:14:47 -07:00			`where: {`
Update stuff 2018-06-02 15:50:39 +00:00			`id: ctx.params.id,`
			`name: ctx.params.name,`
Postgres. 2016-06-19 10:14:47 -07:00			`},`
Get linting passing again 2016-06-06 15:37:00 +01:00			`});`
Update stuff 2018-06-02 15:50:39 +00:00			`ctx.assert(file, 404);`
Add more stat collection 2015-08-09 17:21:39 +01:00
Update stuff 2018-06-02 15:50:39 +00:00			`if (!hotlinkCheck(file, ctx.headers['user-agent'], ctx.headers.referer)) {`
			ctx.redirect(`/${file.id}`);
Get linting passing again 2016-06-06 15:37:00 +01:00			`return;`
Add more stat collection 2015-08-09 17:21:39 +01:00			`}`

Update stuff 2018-06-02 15:50:39 +00:00			`if (!file.width && ctx.request.query.warning !== 'on') {`
			ctx.redirect(`/${file.id}`);
Get linting passing again 2016-06-06 15:37:00 +01:00			`return;`
Block hotlinking of non-image files. 2015-08-09 01:11:48 +01:00			`}`
Add more stat collection 2015-08-09 17:21:39 +01:00
			`if (file.malware) {`
Fix linting 2018-06-02 18:07:00 +00:00			`const { alert } = ctx.request.query;`
Add more stat collection 2015-08-09 17:21:39 +01:00			`if (!alert \|\| !alert.match(/i want to download malware/i)) {`
Update stuff 2018-06-02 15:50:39 +00:00			ctx.redirect(`/${file.id}`);
Get linting passing again 2016-06-06 15:37:00 +01:00			`return;`
Add more stat collection 2015-08-09 17:21:39 +01:00			`}`
			`}`

Postgres. 2016-06-19 10:14:47 -07:00			let localPath = join(storePath, file.id[0], `${file.id}_${file.name}`);
			let remotePath = join(file.id[0], `${file.id}_${file.name}`);
Update stuff 2018-06-02 15:50:39 +00:00			`if (ctx.params.size > 0) {`
			localPath = join(storePath, file.id[0], ctx.params.size, `${file.id}_${file.name}`);
			remotePath = join(file.id[0], ctx.params.size, `${file.id}_${file.name}`);
Initial commit. 2015-07-09 23:01:43 +01:00			`}`
Fix session memory leak 2015-08-22 18:24:39 +01:00
Add more stat collection 2015-08-09 17:21:39 +01:00			`if (file.malware) {`
Update stuff 2018-06-02 15:50:39 +00:00			`ctx.statsd.incr('file.malware.download', 1);`
Add more stat collection 2015-08-09 17:21:39 +01:00			`}`

Initial commit. 2015-07-09 23:01:43 +01:00			`let type = 'application/octet-stream';`
			`if (file.width > 0) {`
Update stuff 2018-06-02 15:50:39 +00:00			`if (ctx.params.size) {`
			`ctx.statsd.incr('file.view', 1);`
Add more stat collection 2015-08-09 17:21:39 +01:00			`}`
Postgres. 2016-06-19 10:14:47 -07:00			`type = mime.lookup(file.name);`
Add more stat collection 2015-08-09 17:21:39 +01:00			`} else {`
Update stuff 2018-06-02 15:50:39 +00:00			`ctx.statsd.incr('file.download', 1);`
Add more stat collection 2015-08-09 17:21:39 +01:00			`}`

Update stuff 2018-06-02 15:50:39 +00:00			`if (userAgentCheck(ctx.headers['user-agent'])) {`
			ctx.set('Content-Disposition', `attachment; filename=${file.name}`);
Initial commit. 2015-07-09 23:01:43 +01:00			`}`

Update stuff 2018-06-02 15:50:39 +00:00			`ctx.set('Content-type', type);`
			`ctx.set('Expires', new Date(2020, 1).toISOString());`
			`ctx.set('Cache-control', 'max-age=2592000');`
Initial commit. 2015-07-09 23:01:43 +01:00
Update stuff 2018-06-02 15:50:39 +00:00			`if (!ctx.params.size \|\| (ctx.params.size && ctx.params.size > 150)) {`
Postgres. 2016-06-19 10:14:47 -07:00			`models.file.accessed(file.id);`
Use correct size param 2015-08-22 18:48:34 +01:00			`}`
Restore file download counting 2015-08-22 18:40:23 +01:00
Update stuff 2018-06-02 15:50:39 +00:00			`ctx.body = await hostrFileStream(localPath, remotePath);`
Initial commit. 2015-07-09 23:01:43 +01:00			`}`

Update stuff 2018-06-02 15:50:39 +00:00			`export async function resized(ctx) {`
			`await get.call(ctx);`
Initial commit. 2015-07-09 23:01:43 +01:00			`}`

Update stuff 2018-06-02 15:50:39 +00:00			`export async function landing(ctx) {`
			`const file = await models.file.findOne({`
Postgres. 2016-06-19 10:14:47 -07:00			`where: {`
Update stuff 2018-06-02 15:50:39 +00:00			`id: ctx.params.id,`
Postgres. 2016-06-19 10:14:47 -07:00			`},`
			`});`
Update stuff 2018-06-02 15:50:39 +00:00			`ctx.assert(file, 404);`
			`if (userAgentCheck(ctx.headers['user-agent'])) {`
			`ctx.params.name = file.name;`
			`await get.call(ctx);`
Get linting passing again 2016-06-06 15:37:00 +01:00			`return;`
Initial commit. 2015-07-09 23:01:43 +01:00			`}`
Fix session memory leak 2015-08-22 18:24:39 +01:00
Update stuff 2018-06-02 15:50:39 +00:00			`ctx.statsd.incr('file.landing', 1);`
Initial commit. 2015-07-09 23:01:43 +01:00			`const formattedFile = formatFile(file);`
Update stuff 2018-06-02 15:50:39 +00:00			`await ctx.render('file', { file: formattedFile });`
Initial commit. 2015-07-09 23:01:43 +01:00			`}`