From 3d1304b3b0e02e261a17039ff971cbc659e86c3e Mon Sep 17 00:00:00 2001
From: ItHertzSoGood <60296901+ItHertzSoGood@users.noreply.github.com>
Date: Mon, 31 Aug 2020 17:12:39 -0700
Subject: [PATCH] added encryption to uploadkeys and added a key generator

---
 .gitignore          |  1 +
 README.md           |  9 +++++--
 configtest.py       | 13 ++++++++-
 imgupload.py        | 27 +++++++++++--------
 keygen.py           | 65 +++++++++++++++++++++++++++++++++++++++++++++
 requirements.txt    |  4 +++
 settings.py.default |  1 +
 7 files changed, 106 insertions(+), 14 deletions(-)
 create mode 100644 keygen.py
 create mode 100644 requirements.txt

diff --git a/.gitignore b/.gitignore
index e402fc8..18de657 100644
--- a/.gitignore
+++ b/.gitignore
@@ -133,3 +133,4 @@ uploadkeys
 savelog.log
 uwsgi.log
 settings.py
+secret.key
\ No newline at end of file
diff --git a/README.md b/README.md
index 23e1690..125a8e0 100644
--- a/README.md
+++ b/README.md
@@ -1,4 +1,9 @@
 # imgupload
-Python Flask uWSGI application to receive and save images over POST requests.
+![CodeFactor Grade](https://img.shields.io/codefactor/grade/github/BBaoVanC/imgupload/master?color=purple) ![GitHub repo size](https://img.shields.io/github/repo-size/bbaovanc/imgupload?color=purple) ![GitHub All Releases](https://img.shields.io/github/downloads/bbaovanc/imgupload/total?color=purple) ![GitHub issues](https://img.shields.io/github/issues/bbaovanc/imgupload?color=purple) ![GitHub closed issues](https://img.shields.io/github/issues-closed/bbaovanc/imgupload?color=purple) ![GitHub](https://img.shields.io/github/license/bbaovanc/imgupload?color=purple)  
 
-This project is still in development. Use at your own risk!
+### What is imgupload? 
+imgupload is a Flask + uWSGI application to serve as an all-purpose image/file uploader over POST requests.
+
+### Usage
+Make sure you install the dependencies first. To do this, run `sudo python3 -m pip install -r requirements.txt`.  
+To deploy imgupload, run `flask run`.
\ No newline at end of file
diff --git a/configtest.py b/configtest.py
index c0971f9..a70c3c9 100644
--- a/configtest.py
+++ b/configtest.py
@@ -11,6 +11,7 @@ defaults = {
     "SAVELOG_CHMOD": "0o644",
     "UPLOADKEYS_CHMOD": "0o400",
     "SAVELOG_KEYPREFIX": 4,
+    "ENCKEY_PATH": "secret.key"
 }
 
 deftypes = {
@@ -21,6 +22,7 @@ deftypes = {
     "SAVELOG_CHMOD": int,
     "UPLOADKEYS_CHMOD": int,
     "SAVELOG_KEYPREFIX": int,
+    "ENCKEY_PATH": str,
 }
 
 
@@ -54,7 +56,7 @@ if "ALLOWED_EXTENSIONS" in checksettings:
     for e in settings.ALLOWED_EXTENSIONS:
         if not e.startswith("."):
             invalid_exts.append(e)
-
+    
     if len(invalid_exts) > 0:
         print("[!] The following extensions listed in ALLOWED_EXTENSIONS are invalid:")
         for e in invalid_exts:
@@ -99,6 +101,15 @@ if "SAVELOG" in checksettings:
     print("[*] SAVELOG was interpreted to be {0}".format(settings.SAVELOG))
     print("[*] If this is not the intended filename, please fix it.")
 
+# Check if ENCKEY_PATH exists
+enckey_exists = True
+if "UPLOAD_FOLDER" in checksettings:
+    if not os.path.isfile(settings.ENCKEY_PATH):
+        enckey_exists = False
+        print("[!] The path set in ENCKEY_PATH ('{0}') doesn't exist!".format(settings.ENCKEY_PATH))
+    else:
+        print("[" + u"\u2713" + "] ENCKEY_PATH exists!")
+
 
 # Show summary
 print()
diff --git a/imgupload.py b/imgupload.py
index 968112f..7b4cbe1 100644
--- a/imgupload.py
+++ b/imgupload.py
@@ -1,4 +1,5 @@
 from flask import Flask, request, jsonify, abort, Response
+from cryptography.fernet import Fernet
 from flask_api import status
 from pathlib import Path
 import string
@@ -40,28 +41,32 @@ def log_savelog(key, ip, savedname):
             slogf.write("[{0}] {1} - {2}\n".format(datetime.datetime.now(), ip, savedname))
         os.chmod(settings.SAVELOG, settings.SAVELOG_CHMOD)
 
-
 @app.route("/upload", methods = ["POST"])
 def upload():
     if request.method == "POST":  # sanity check: make sure it's a POST request
         print("Request method was POST!")
 
         os.chmod("uploadkeys", settings.UPLOADKEYS_CHMOD)
-        print("Changed permissions of `uploadkeys`")
-        with open("uploadkeys", "r") as keyfile:  # load valid keys
-            validkeys = keyfile.readlines()
-        validkeys = [x.strip("\n") for x in validkeys]
+        with open(settings.ENCKEY_PATH,"rb") as enckey: # load encryption key
+            key = enckey.read()
+        f = Fernet(key)
+
+        with open("uploadkeys", "rb") as keyfile:
+            encrypted_data = keyfile.read()
+        decrypted_data = str(f.decrypt(encrypted_data).decode('utf-8'))
+        decrypted_data = decrypted_data.splitlines()
+
+        validkeys = [x.strip("\n") for x in decrypted_data]
         while "" in validkeys:
             validkeys.remove("")
+            print("Removed blank key(s)")
         print("Loaded validkeys")
-
         if "uploadKey" in request.form:  # if an uploadKey was provided
             if request.form["uploadKey"] in validkeys:  # check if uploadKey is valid
                 print("Key is valid!")
 
                 if "imageUpload" in request.files:  # check if image to upload was provided
                     f = request.files["imageUpload"]  # f is the image to upload
-                    print("Found uploaded image")
                 else:
                     print("No image upload was found!")
                     return jsonify({'status': 'error', 'error': 'NO_IMAGE_UPLOADED'}), status.HTTP_400_BAD_REQUEST
@@ -71,23 +76,23 @@ def upload():
                     return jsonify({'status': 'error', 'error': 'FILENAME_BLANK'}), status.HTTP_400_BAD_REQUEST
 
                 fext = Path(f.filename).suffix  # get the uploaded extension
-                print("Uploaded file extensions is {0}".format(fext))
                 if allowed_extension(fext):  # if the extension is allowed
+                    print("Generating file with extension {0}".format(fext))
                     fname = generate_name(fext)  # generate file name
                     print("Generated name: {0}".format(fname))
 
                     if f:  # if the uploaded image exists
-                        print("Uploaded image exists, obviously.")
+                        print("Uploaded image exists")
                         f.save(os.path.join(settings.UPLOAD_FOLDER, fname))  # save the image
                         print("Saved to {0}".format(fname))
                         url = settings.ROOTURL + fname  # construct the url to the image
                         if settings.SAVELOG != "/dev/null":
+                            print("Saving to savelog")
                             log_savelog(request.form["uploadKey"], request.remote_addr, fname)
-                            print("Logged message to savelog")
                         print("Returning json response")
                         return jsonify({'status': 'success', 'url': url, 'name': fname, 'uploadedName': f.filename}), status.HTTP_201_CREATED
                     else:  # this shouldn't happen
-                        print("Um... uploaded image is nonexistent..? Please report this error!")
+                        print("Um... uploaded image... is nonexistent? Please report this error!")
                         return jsonify({'status': 'error', 'error': 'UPLOADED_IMAGE_FAILED_SANITY_CHECK_1'}), status.HTTP_400_BAD_REQUEST
 
                 else:  # if the extension was invalid
diff --git a/keygen.py b/keygen.py
new file mode 100644
index 0000000..c9e58c6
--- /dev/null
+++ b/keygen.py
@@ -0,0 +1,65 @@
+from cryptography.fernet import Fernet
+from pathlib import Path
+import settings
+import string
+import secrets
+import sys
+import os
+
+# Check if the script is ran as root 
+if os.geteuid() != 0:
+    exit("Root privileges are necessary to run this script.\nPlease try again as root or using `sudo`.")
+
+# Check if encryption key exists
+enckey = Path(settings.ENCKEY_PATH)
+if enckey.is_file():
+	print("Encryption key found.")
+else:
+    print("Encryption key not found.")
+    print("Generating key...")
+    key = Fernet.generate_key()
+    with open(settings.ENCKEY_PATH, "wb") as key_file:
+        key_file.write(key)
+    print("Encryption key generated and stored in secret.key.")
+
+# Load encryption key
+def load_key():
+    return open(settings.ENCKEY_PATH, "rb").read()
+
+# Set size of string
+N = 64
+
+# Generating of key
+token = ''.join(secrets.choice(string.ascii_letters + string.digits) for i in range(64))
+
+# Decrypt the existing keyfile
+key = load_key()
+f = Fernet(key)
+with open("uploadkeys", "rb") as file:
+    # read the encrypted data
+    encrypted_data = file.read()
+# decrypt data
+decrypted_data = f.decrypt(encrypted_data)
+# write the original file
+with open("uploadkeys", "wb") as file:
+    file.write(decrypted_data)
+
+# Encrypting and storing of key
+def encrypt_key(message):
+    key = load_key()
+    f = Fernet(key)
+
+    with open('uploadkeys', 'a+') as uploadkeys:
+        print(str(token), file=uploadkeys)
+
+    with open("uploadkeys", "rb") as keyfile:
+        keyfile_data = keyfile.read()
+
+    encrypted_data = f.encrypt(keyfile_data)
+
+    with open("uploadkeys", "wb") as keyfile:
+        keyfile.write(encrypted_data)
+
+# Print result on display and call encrypt_key
+print("Your new token is: " + str(token))
+encrypt_key(str(token))
\ No newline at end of file
diff --git a/requirements.txt b/requirements.txt
new file mode 100644
index 0000000..63aa297
--- /dev/null
+++ b/requirements.txt
@@ -0,0 +1,4 @@
+Flask_API==2.0
+cryptography==2.8
+Flask==1.1.2
+secrets==1.0.2
\ No newline at end of file
diff --git a/settings.py.default b/settings.py.default
index 5149189..08f0789 100644
--- a/settings.py.default
+++ b/settings.py.default
@@ -5,3 +5,4 @@ SAVELOG = "savelog.log"
 SAVELOG_CHMOD = 0o644
 UPLOADKEYS_CHMOD = 0o600
 SAVELOG_KEYPREFIX = 4
+ENCKEY_PATH = "secret.key"