From 2438394225ca3ee0198453029dae6062c3f2d32c Mon Sep 17 00:00:00 2001 From: Go Johansson Date: Sun, 25 Dec 2022 15:56:07 +0100 Subject: [PATCH] fixes --- package.json | 2 +- src/Classes/Database.php | 140 +++++++++----- src/Classes/Response.php | 383 +++++++++++++++++++------------------- src/Classes/Upload.php | 14 +- src/config.json | 4 +- src/static/php/upload.php | 15 +- 6 files changed, 307 insertions(+), 251 deletions(-) diff --git a/package.json b/package.json index 0123851..394fe4c 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "uguu", - "version": "1.6.4", + "version": "1.6.5", "description": "Uguu is a simple lightweight temporary file host with support for drop, paste, click and API uploading.", "homepage": "https://uguu.se", "repository": { diff --git a/src/Classes/Database.php b/src/Classes/Database.php index 848e322..1b8880f 100644 --- a/src/Classes/Database.php +++ b/src/Classes/Database.php @@ -21,8 +21,10 @@ namespace Pomf\Uguu\Classes; + use DateTimeZone; use Exception; use PDO; + use DateTime; class Database { @@ -43,16 +45,21 @@ class Database * * @param $name string The name of the file. * - * @return int The number of rows that match the query. + * @return bool The number of rows that match the query. * @throws \Exception */ - public function dbCheckNameExists(string $name): int + public function dbCheckNameExists(string $name): bool { try { - $q = $this->DB->prepare('SELECT COUNT(filename) FROM files WHERE filename = (:name)'); + $q = $this->DB->prepare('SELECT * FROM files WHERE EXISTS + (SELECT filename FROM files WHERE filename = (:name)) LIMIT 1'); $q->bindValue(':name', $name); $q->execute(); - return $q->fetchColumn(); + $result = $q->fetch(); + if ($result) { + return true; + } + return false; } catch (Exception) { throw new Exception('Cant check if name exists in DB.', 500); } @@ -68,11 +75,12 @@ class Database public function checkFileBlacklist(array $FILE_INFO): void { try { - $q = $this->DB->prepare('SELECT hash, COUNT(*) AS count FROM blacklist WHERE hash = (:hash)'); + $q = $this->DB->prepare('SELECT * FROM blacklist WHERE EXISTS + (SELECT hash FROM blacklist WHERE hash = (:hash)) LIMIT 1'); $q->bindValue(':hash', $FILE_INFO['SHA1']); $q->execute(); $result = $q->fetch(); - if ($result['count'] > 0) { + if ($result) { throw new Exception('File blacklisted!', 415); } } catch (Exception) { @@ -91,12 +99,13 @@ class Database { try { $q = $this->DB->prepare( - 'SELECT filename, COUNT(*) AS count FROM files WHERE hash = (:hash)', + 'SELECT * FROM files WHERE EXISTS + (SELECT filename FROM files WHERE hash = (:hash)) LIMIT 1', ); $q->bindValue(':hash', $hash); $q->execute(); $result = $q->fetch(); - if ($result['count'] > 0) { + if ($result) { return [ 'result' => true, 'name' => $result['filename'], @@ -142,52 +151,81 @@ class Database * Creates a new row in the database with the information provided * * @param $fingerPrintInfo array + * + * @throws \Exception */ public function createRateLimit(array $fingerPrintInfo): void { - $q = $this->DB->prepare( - 'INSERT INTO timestamp (iphash, files, time)' . - 'VALUES (:iphash, :files, :time)', - ); - $q->bindValue(':iphash', $fingerPrintInfo['ip_hash']); - $q->bindValue(':files', $fingerPrintInfo['files_amount']); - $q->bindValue(':time', $fingerPrintInfo['timestamp']); - $q->execute(); + try { + $q = $this->DB->prepare( + 'INSERT INTO ratelimit (iphash, files, time)' . + 'VALUES (:iphash, :files, :time)', + ); + $q->bindValue(':iphash', $fingerPrintInfo['ip_hash']); + $q->bindValue(':files', $fingerPrintInfo['files_amount']); + $q->bindValue(':time', $fingerPrintInfo['timestamp']); + $q->execute(); + } catch (Exception $e) { + throw new Exception(500, $e->getMessage()); + } } /** * Update the rate limit table with the new file count and timestamp * * @param $fCount int The number of files uploaded by the user. - * @param $iStamp boolean A boolean value that determines whether or not to update the timestamp. + * @param $iStamp bool A boolean value that determines whether or not to update the timestamp. * @param $fingerPrintInfo array An array containing the following keys: + * + * @throws \Exception */ public function updateRateLimit(int $fCount, bool $iStamp, array $fingerPrintInfo): void { - if ($iStamp) { - $q = $this->DB->prepare( - 'UPDATE ratelimit SET files = (:files), time = (:time) WHERE iphash = (:iphash)', - ); - $q->bindValue(':time', $fingerPrintInfo['timestamp']); - } else { - $q = $this->DB->prepare( - 'UPDATE ratelimit SET files = (:files) WHERE iphash = (:iphash)', - ); + try { + if ($iStamp) { + $q = $this->DB->prepare( + 'UPDATE ratelimit SET files = (:files), time = (:time) WHERE iphash = (:iphash)', + ); + $q->bindValue(':time', $fingerPrintInfo['timestamp']); + } else { + $q = $this->DB->prepare( + 'UPDATE ratelimit SET files = (:files) WHERE iphash = (:iphash)', + ); + } + $q->bindValue(':files', $fCount); + $q->bindValue(':iphash', $fingerPrintInfo['ip_hash']); + $q->execute(); + } catch (Exception $e) { + throw new Exception(500, $e->getMessage()); } - $q->bindValue(':files', $fCount); - $q->bindValue(':iphash', $fingerPrintInfo['ip_hash']); - $q->execute(); } /** - * Checks if the user has uploaded more than 100 files in the last minute, if so it returns true, if not it updates the database with the new file + * @throws \Exception + */ + public function compareTime(int $timestamp, int $seconds_d): bool + { + $dateTime_end = new DateTime('now', new DateTimeZone('Europe/Stockholm')); + $dateTime_start = new DateTime(); + $dateTime_start->setTimestamp($timestamp); + $diff = strtotime($dateTime_end->format('Y-m-d H:i:s')) - strtotime($dateTime_start->format('Y-m-d H:i:s')); + if ($diff > $seconds_d) { + return true; + } + return false; + } + + /** + * Checks if the user has uploaded more than 100 files in the last minute, if so it returns true, + * if not it updates the database with the new file * count and timestamp * * @param $fingerPrintInfo array An array containing the following: * * @return bool A boolean value. + * @throws \Exception */ - public function checkRateLimit(array $fingerPrintInfo): bool + public function checkRateLimit(array $fingerPrintInfo, int $rateTimeout, int $fileLimit): bool { $q = $this->DB->prepare( 'SELECT files, time, iphash, COUNT(*) AS count FROM ratelimit WHERE iphash = (:iphash)', @@ -195,24 +233,30 @@ class Database $q->bindValue(':iphash', $fingerPrintInfo['ip_hash']); $q->execute(); $result = $q->fetch(); - $nTime = $fingerPrintInfo['timestamp'] - (60); - switch (true) { - //If more then 100 files trigger rate-limit - case $result['files'] > 100: - return true; - //if timestamp is older than one minute, set new files count and timestamp - case $result['time'] < $nTime: - $this->updateRateLimit($fingerPrintInfo['files_amount'], true, $fingerPrintInfo); - break; - //if timestamp isn't older than one-minute update the files count - case $result['time'] > $nTime: - $this->updateRateLimit($fingerPrintInfo['files_amount'] + $result['files'], false, $fingerPrintInfo); - break; - //If there is no other match a record does not exist, create one - default: - $this->createRateLimit($fingerPrintInfo); - break; + + //If there is no other match a record does not exist, create one. + if (!$result['count'] > 0) { + $this->createRateLimit($fingerPrintInfo); + return false; } + + // Apply rate-limit when file count reached and timeout not reached. + if ($result['files'] === $fileLimit and !$this->compareTime($result['time'], $rateTimeout)) { + return true; + } + + // Update timestamp if timeout reached. + if ($this->compareTime($result['time'], $rateTimeout)) { + $this->updateRateLimit($fingerPrintInfo['files_amount'], true, $fingerPrintInfo); + return false; + } + + // Add filecount, timeout not reached. + if ($result['files'] < $fileLimit and !$this->compareTime($result['time'], $rateTimeout)) { + $this->updateRateLimit($result['files'] + $fingerPrintInfo['files_amount'], false, $fingerPrintInfo); + return false; + } + return false; } } diff --git a/src/Classes/Response.php b/src/Classes/Response.php index 678dff6..6d7a9f7 100644 --- a/src/Classes/Response.php +++ b/src/Classes/Response.php @@ -1,4 +1,5 @@ . */ - + namespace Pomf\Uguu\Classes; - - class Response + +class Response +{ + public string $type; + + /** + * Takes a string as an argument and sets the header to the appropriate content type + * + * @param $response_type string The type of response you want to return. + * Valid options are: csv, html, json, text. + */ + public function __construct(string $response_type) { - public string $type; - - /** - * Takes a string as an argument and sets the header to the appropriate content type - * - * @param $response_type string The type of response you want to return. Valid options are: csv, html, json, text. - */ - public function __construct(string $response_type) - { - switch ($response_type) { - case 'csv': - header('Content-Type: text/csv; charset=UTF-8'); - $this->type = $response_type; - break; - case 'html': - header('Content-Type: text/html; charset=UTF-8'); - $this->type = $response_type; - break; - case 'json': - header('Content-Type: application/json; charset=UTF-8'); - $this->type = $response_type; - break; - case 'gyazo': - header('Content-Type: text/plain; charset=UTF-8'); - $this->type = 'text'; - break; - case 'text': - header('Content-Type: text/plain; charset=UTF-8'); - $this->type = $response_type; - break; - default: - header('Content-Type: application/json; charset=UTF-8'); - $this->type = 'json'; - break; - } - } - - /** - * Returns a string based on the type of response requested - * - * @param $code mixed The HTTP status code to return. - * @param $desc string The description of the error. - */ - public function error(mixed $code, string $desc):void - { - $response = match ($this->type) { - 'csv' => $this->csvError($desc), - 'html' => $this->htmlError($code, $desc), - 'json' => $this->jsonError($code, $desc), - 'text' => $this->textError($code, $desc), - }; - http_response_code($code); - echo $response; - } - - /* Returning a string that contains the error message. */ - private static function csvError(string $description):string - { - return '"error"' . "\r\n" . "\"$description\"" . "\r\n"; - } - - /** - * Returns a string containing an HTML paragraph element with the error code and description - * - * @param $code int|string The error code. - * @param $description string The description of the error. - * - * @return string A string. - */ - private static function htmlError(int|string $code, string $description):string - { - return '

ERROR: (' . $code . ') ' . $description . '

'; - } - - /** - * Returns a JSON string with the error code and description - * - * @param $code int|string The error code. - * @param $description string The description of the error. - * - * @return bool|string A JSON string - */ - private static function jsonError(int|string $code, string $description):bool|string - { - return json_encode([ - 'success' => false, - 'errorcode' => $code, - 'description' => $description, - ], JSON_PRETTY_PRINT); - } - - /** - * Returns a string that contains the error code and description - * - * @param $code int|string The error code. - * @param $description string The description of the error. - * - * @return string A string with the error code and description. - */ - private static function textError(int|string $code, string $description):string - { - return 'ERROR: (' . $code . ') ' . $description; - } - - /** - * "If the type is csv, then call the csvSuccess function, if the type is html, then call the htmlSuccess function, etc." - * - * The `match` keyword is a new feature in PHP 8. It's a lot like a switch statement, but it's more powerful - * - * @param $files array An array of file objects. - */ - public function send(array $files):void - { - $response = match ($this->type) { - 'csv' => $this->csvSuccess($files), - 'html' => $this->htmlSuccess($files), - 'json' => $this->jsonSuccess($files), - 'text' => $this->textSuccess($files), - }; - http_response_code(200); // "200 OK". Success. - echo $response; - } - - /** - * Takes an array of files and returns a CSV string - * - * @param $files array An array of files that have been uploaded. - * - * @return string A string of the files in the array. - */ - private static function csvSuccess(array $files):string - { - $result = '"name","url","hash","size"' . "\r\n"; - foreach ($files as $file) { - $result .= '"' . $file['name'] . '"' . ',' . - '"' . $file['url'] . '"' . ',' . - '"' . $file['hash'] . '"' . ',' . - '"' . $file['size'] . '"' . "\r\n"; - } - return $result; - } - - /** - * Takes an array of files and returns a string of HTML links - * - * @param $files array An array of files to be uploaded. - * - * @return string the result of the foreach loop. - */ - private static function htmlSuccess(array $files):string - { - $result = ''; - foreach ($files as $file) { - $result .= '' . $file['url'] . '
'; - } - return $result; - } - - /** - * Returns a JSON string that contains a success message and the files that were uploaded - * - * @param $files array The files to be uploaded. - * - * @return bool|string A JSON string - */ - private static function jsonSuccess(array $files):bool|string - { - return json_encode([ - 'success' => true, - 'files' => $files, - ], JSON_PRETTY_PRINT); - } - - /** - * Takes an array of files and returns a string of URLs - * - * @param $files array The files to be uploaded. - * - * @return string the url of the file. - */ - private static function textSuccess(array $files):string - { - $result = ''; - foreach ($files as $file) { - $result .= $file['url'] . "\n"; - } - return $result; + switch ($response_type) { + case 'csv': + header('Content-Type: text/csv; charset=UTF-8'); + $this->type = $response_type; + break; + case 'html': + header('Content-Type: text/html; charset=UTF-8'); + $this->type = $response_type; + break; + case 'json': + header('Content-Type: application/json; charset=UTF-8'); + $this->type = $response_type; + break; + case 'gyazo': + header('Content-Type: text/plain; charset=UTF-8'); + $this->type = 'text'; + break; + case 'text': + header('Content-Type: text/plain; charset=UTF-8'); + $this->type = $response_type; + break; + default: + header('Content-Type: application/json; charset=UTF-8'); + $this->type = 'json'; + break; } } + + /** + * Returns a string based on the type of response requested + * + * @param $code mixed The HTTP status code to return. + * @param $desc string The description of the error. + */ + public function error(int $code, string $desc): void + { + $response = match ($this->type) { + 'csv' => $this->csvError($desc), + 'html' => $this->htmlError($code, $desc), + 'json' => $this->jsonError($code, $desc), + 'text' => $this->textError($code, $desc), + }; + http_response_code($code); + echo $response; + } + + /* Returning a string that contains the error message. */ + private static function csvError(string $description): string + { + return '"error"' . "\r\n" . "\"$description\"" . "\r\n"; + } + + /** + * Returns a string containing an HTML paragraph element with the error code and description + * + * @param $code int|string The error code. + * @param $description string The description of the error. + * + * @return string A string. + */ + private static function htmlError(int|string $code, string $description): string + { + return '

ERROR: (' . $code . ') ' . $description . '

'; + } + + /** + * Returns a JSON string with the error code and description + * + * @param $code int|string The error code. + * @param $description string The description of the error. + * + * @return bool|string A JSON string + */ + private static function jsonError(int|string $code, string $description): bool|string + { + return json_encode([ + 'success' => false, + 'errorcode' => $code, + 'description' => $description, + ], JSON_PRETTY_PRINT); + } + + /** + * Returns a string that contains the error code and description + * + * @param $code int|string The error code. + * @param $description string The description of the error. + * + * @return string A string with the error code and description. + */ + private static function textError(int|string $code, string $description): string + { + return 'ERROR: (' . $code . ') ' . $description; + } + + /** + * "If the type is csv, then call the csvSuccess function, + * if the type is html, then call the htmlSuccess function, etc." + * + * The `match` keyword is a new feature in PHP 8. It's a lot like a switch statement, but it's more powerful + * + * @param $files array An array of file objects. + */ + public function send(array $files): void + { + $response = match ($this->type) { + 'csv' => $this->csvSuccess($files), + 'html' => $this->htmlSuccess($files), + 'json' => $this->jsonSuccess($files), + 'text' => $this->textSuccess($files), + }; + http_response_code(200); // "200 OK". Success. + echo $response; + } + + /** + * Takes an array of files and returns a CSV string + * + * @param $files array An array of files that have been uploaded. + * + * @return string A string of the files in the array. + */ + private static function csvSuccess(array $files): string + { + $result = '"name","url","hash","size"' . "\r\n"; + foreach ($files as $file) { + $result .= '"' . $file['name'] . '"' . ',' . + '"' . $file['url'] . '"' . ',' . + '"' . $file['hash'] . '"' . ',' . + '"' . $file['size'] . '"' . "\r\n"; + } + return $result; + } + + /** + * Takes an array of files and returns a string of HTML links + * + * @param $files array An array of files to be uploaded. + * + * @return string the result of the foreach loop. + */ + private static function htmlSuccess(array $files): string + { + $result = ''; + foreach ($files as $file) { + $result .= '' . $file['url'] . '
'; + } + return $result; + } + + /** + * Returns a JSON string that contains a success message and the files that were uploaded + * + * @param $files array The files to be uploaded. + * + * @return bool|string A JSON string + */ + private static function jsonSuccess(array $files): bool|string + { + return json_encode([ + 'success' => true, + 'files' => $files, + ], JSON_PRETTY_PRINT); + } + + /** + * Takes an array of files and returns a string of URLs + * + * @param $files array The files to be uploaded. + * + * @return string the url of the file. + */ + private static function textSuccess(array $files): string + { + $result = ''; + foreach ($files as $file) { + $result .= $file['url'] . "\n"; + } + return $result; + } +} diff --git a/src/Classes/Upload.php b/src/Classes/Upload.php index 3739712..6479912 100644 --- a/src/Classes/Upload.php +++ b/src/Classes/Upload.php @@ -126,7 +126,16 @@ class Upload extends Response { switch (true) { case $this->Connector->CONFIG['RATE_LIMIT']: - $this->Connector->checkRateLimit($this->fingerPrintInfo); + if ( + $this->Connector->checkRateLimit( + $this->fingerPrintInfo, + (int) $this->Connector->CONFIG['RATE_LIMIT_TIMEOUT'], + (int) $this->Connector->CONFIG['RATE_LIMIT_FILES'] + ) + ) { + throw new Exception('Rate limit, please wait ' . $this->Connector->CONFIG['RATE_LIMIT_TIMEOUT'] . + ' seconds before uploading again.', 500); + } // Continue case $this->Connector->CONFIG['BLACKLIST_DB']: $this->Connector->checkFileBlacklist($this->FILE_INFO); @@ -274,7 +283,6 @@ class Upload extends Response * and if it does, it generates another one * * @param $extension string The file extension. - * @param $hash string The hash of the file. * * @return string A string * @throws \Exception @@ -293,7 +301,7 @@ class Upload extends Response if (!empty($extension)) { $NEW_NAME .= '.' . $extension; } - } while ($this->Connector->dbCheckNameExists($NEW_NAME) > 0); + } while ($this->Connector->dbCheckNameExists($NEW_NAME)); return $NEW_NAME; } } diff --git a/src/config.json b/src/config.json index 801ebd2..39f5839 100755 --- a/src/config.json +++ b/src/config.json @@ -3,7 +3,7 @@ "allowErrors": false }, "dest": "dist", - "pkgVersion": "1.6.4", + "pkgVersion": "1.6.5", "pages": [ "index.ejs", "faq.ejs", @@ -34,6 +34,8 @@ "BLACKLIST_DB": true, "FILTER_MODE": true, "RATE_LIMIT": false, + "RATE_LIMIT_TIMEOUT": 60, + "RATE_LIMIT_FILES": 100, "FILES_ROOT": "/var/www/files/", "FILES_RETRIES": 15, "FILES_URL": "https://files.domain.com", diff --git a/src/static/php/upload.php b/src/static/php/upload.php index b3f38c9..698cf1e 100644 --- a/src/static/php/upload.php +++ b/src/static/php/upload.php @@ -1,8 +1,5 @@ . */ + require_once __DIR__ . '/../vendor/autoload.php'; - + use Pomf\Uguu\Classes\Upload; use Pomf\Uguu\Classes\Response; @@ -40,10 +38,11 @@ */ function handleFile(string $outputFormat, array $files): void { + $fCount = count($files['size']); $upload = new Upload($outputFormat); $files = $upload->reFiles($files); try { - $upload->fingerPrint(count($files)); + $upload->fingerPrint($fCount); $res = []; foreach ($files as $ignored) { $res[] = $upload->uploadFile(); @@ -52,10 +51,10 @@ function handleFile(string $outputFormat, array $files): void $upload->send($res); } } catch (Exception $e) { - $upload->error($e->getCode(), $e->getMessage()); + $upload->error(500, $e->getMessage()); } } - + $response = new Response('json'); if (!isset($_FILES['files']) or empty($_FILES['files'])) {