From 565a91e4eca9ce8e539c11d2096ad82beb7b6ef7 Mon Sep 17 00:00:00 2001 From: BBaoVanC Date: Thu, 3 Sep 2020 21:44:58 -0500 Subject: [PATCH] Remove uploadkeys encryption features It doesn't really make sense to encrypt the keys, but store the secret literally in the same directory. uploadkeys will now be stored in plaintext. The branch `legacy` has the old code from before this commit. --- .gitignore | 1 - configtest.py | 16 ------- imgupload.py | 15 ++----- keygen.py | 103 -------------------------------------------- requirements.txt | 1 - settings.py.default | 1 - 6 files changed, 4 insertions(+), 133 deletions(-) delete mode 100644 keygen.py diff --git a/.gitignore b/.gitignore index b88a996..d52add7 100644 --- a/.gitignore +++ b/.gitignore @@ -134,4 +134,3 @@ savelog.log uwsgi.log settings.py functions.py -secret.key diff --git a/configtest.py b/configtest.py index 5eb5c91..a74956d 100644 --- a/configtest.py +++ b/configtest.py @@ -10,7 +10,6 @@ defaults = { "SAVELOG": "savelog.log", "SAVELOG_CHMOD": "0o644", "SAVELOG_KEYPREFIX": 4, - "ENCKEY_PATH": "secret.key" } deftypes = { @@ -20,7 +19,6 @@ deftypes = { "SAVELOG": str, "SAVELOG_CHMOD": int, "SAVELOG_KEYPREFIX": int, - "ENCKEY_PATH": str, } @@ -94,16 +92,6 @@ if "ROOTURL" in checksettings: print("[" + u"\u2713" + "] ROOTURL is good!") -# Check if ENCKEY_PATH exists -enckey_exists = True -if "ENCKEY_PATH" in checksettings: - if not os.path.isfile(settings.ENCKEY_PATH): - enckey_exists = False - print("[!] The path set in ENCKEY_PATH ('{0}') doesn't exist!".format(settings.ENCKEY_PATH)) - else: - print("[" + u"\u2713" + "] ENCKEY_PATH exists!") - - # Ask the user if SAVELOG is the intended filename if "SAVELOG" in checksettings: print("[*] SAVELOG was interpreted to be {0}".format(settings.SAVELOG)) 
@@ -136,10 +124,6 @@ if not uploadfolder_exists: summarygood = False print("UPLOAD_FOLDER ({0}) does not exist!".format(settings.UPLOAD_FOLDER)) -if not enckey_exists: - summarygood = False - print("ENCKEY_PATH ({0}) does not exist!".format(settings.ENCKEY_PATH)) - if not rooturl_good: summarygood = False print("ROOTURL may cause issues!") diff --git a/imgupload.py b/imgupload.py index 405550c..345fe64 100644 --- a/imgupload.py +++ b/imgupload.py @@ -34,20 +34,13 @@ def upload(): if request.method == "POST": # sanity check: make sure it's a POST request print("Request method was POST!") - with open(settings.ENCKEY_PATH,"rb") as enckey: # load encryption key - key = enckey.read() - f = Fernet(key) - - with open("uploadkeys", "rb") as keyfile: - encrypted_data = keyfile.read() - decrypted_data = str(f.decrypt(encrypted_data).decode('utf-8')) - decrypted_data = decrypted_data.splitlines() - - validkeys = [x.strip("\n") for x in decrypted_data] + with open("uploadkeys", "r") as keyfile: # load valid keys + validkeys = keyfile.readlines() + validkeys = [x.strip("\n") for x in validkeys] while "" in validkeys: validkeys.remove("") - print("Removed blank key(s)") print("Loaded validkeys") + if "uploadKey" in request.form: # if an uploadKey was provided if request.form["uploadKey"] in validkeys: # check if uploadKey is valid print("Key is valid!") diff --git a/keygen.py b/keygen.py deleted file mode 100644 index 1ec3643..0000000 --- a/keygen.py +++ /dev/null 
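Review bot: With the Fernet layer gone, the only thing standing between a local reader and the upload keys is the file mode of `uploadkeys`, and nothing in this commit checks it — the ENCKEY_PATH existence check dropped from configtest.py is not replaced by anything equivalent. A defender would want configtest.py to flag a group- or world-readable key file, something like `if os.stat("uploadkeys").st_mode & 0o077: print("[!] uploadkeys is readable by other users!")`, so a plaintext secret file with loose permissions is caught at config-test time. Separately, the context line `if request.form["uploadKey"] in validkeys:` just below the new code compares secrets with ordinary string equality; `any(hmac.compare_digest(k, request.form["uploadKey"]) for k in validkeys)` with `import hmac` at the top of the file avoids leaking comparison timing. The new `validkeys = [x.strip("\n") for x in validkeys]` could also absorb the blank-entry filter that follows it, `validkeys = [x.strip("\n") for x in keyfile if x.strip("\n")]`, making the `while "" in validkeys` loop unnecessary. `upload()` starts before this hunk and continues after it.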
@@ -1,103 +0,0 @@ -from cryptography.fernet import Fernet -from cryptography.fernet import InvalidToken -from pathlib import Path -import settings -import string -import secrets -import sys -import os - - -# Check if encryption key already exists -enckey = Path(settings.ENCKEY_PATH) -if enckey.is_file(): - print("Encryption key found.") -else: - print("Encryption key not found.") - print("Generating key...") - key = Fernet.generate_key() - with open(settings.ENCKEY_PATH, "wb") as key_file: - key_file.write(key) - print("Encryption key generated and stored in secret.key.") - - -# Load encryption key -def load_key(): - with open(settings.ENCKEY_PATH, "rb") as kf: - kdata = kf.read() - return kdata - - -# Encrypting and storing of key -def encrypt_key(message): - key = load_key() - keyf = Fernet(key) - - with open('uploadkeys', 'a+') as uploadkeys: - print(str(token), file=uploadkeys) - - with open("uploadkeys", "rb") as keyfile: - keyfile_data = keyfile.read() - - encrypted_data = keyf.encrypt(keyfile_data) - - with open("uploadkeys", "wb") as keyfile: - keyfile.write(encrypted_data) - - -def ask_yn(msg): - resps = {"y": True, "n": False} - ask = True - while ask: - proceedraw = input(msg) - if proceedraw.lower() in resps.keys(): - proceed = resps[proceedraw] - ask = False - else: - print("Invalid response.") - return proceed - - -start = ask_yn("Have you run this program as the correct user (for example, nginx uses www-data)? 
[y/n] ") -if not start: - print("Please run this as the correct user with: sudo su [user] -s /bin/sh -c 'python3 keygen/py'") - -else: - - N = 64 # Size of token - - # Generate key - token = ''.join(secrets.choice(string.ascii_letters + string.digits) for i in range(N)) - - # Decrypt the existing keyfile - key = load_key() - keyf = Fernet(key) - - genkey = True - uploadkeysp = Path("uploadkeys") - if not uploadkeysp.is_file(): - uploadkeysp.touch() - else: - with open("uploadkeys", "rb") as ukf: - # read the encrypted data - encrypted_data = ukf.read() - - try: - decrypted_data = keyf.decrypt(encrypted_data) # decrypt data - with open("uploadkeys", "wb") as ukf: - ukf.write(decrypted_data) # write the original file - except InvalidToken: - print("The encrypted key data is invalid and cannot be read.") - print("It may be necessary to clear the file entirely, which will invalidate all tokens.") - proceed = ask_yn("Do you wish to proceed to clearing the uploadkeys file? [y/n] ") - - if proceed: - os.remove("uploadkeys") - print("Removed uploadkeys file.") - proceed2 = ask_yn("Would you like to continue and generate a new token? [y/n] ") - if not proceed2: - genkey = False - - if genkey: - print("Your new token is: " + str(token)) # Print token - encrypt_key(str(token)) # Encrypt the key and save diff --git a/requirements.txt b/requirements.txt index 56d1fb7..7d9b535 100644 --- a/requirements.txt +++ b/requirements.txt @@ -1,3 +1,2 @@ Flask_API==2.0 -cryptography==3.1 Flask==1.1.2 diff --git a/settings.py.default b/settings.py.default index 460efcf..06bd33d 100644 --- a/settings.py.default +++ b/settings.py.default @@ -4,4 +4,3 @@ ROOTURL = "https://example.com/" SAVELOG = "savelog.log" SAVELOG_CHMOD = 0o644 SAVELOG_KEYPREFIX = 4 -ENCKEY_PATH = "secret.key"