Remove uploadkeys encryption features
It doesn't make sense to encrypt the keys while storing the encryption secret in the same directory. uploadkeys will now be stored in plaintext. The branch `legacy` has the old code from before this commit.
This commit is contained in:
parent
3fcdaa2b10
commit
565a91e4ec
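--- a/.gitignore
+++ b/.gitignore
@@ -134,4 +134,3 @@ savelog.log
 uwsgi.log
 settings.py
 functions.py
-secret.key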
@ -10,7 +10,6 @@ defaults = {
|
|||||||
"SAVELOG": "savelog.log",
|
"SAVELOG": "savelog.log",
|
||||||
"SAVELOG_CHMOD": "0o644",
|
"SAVELOG_CHMOD": "0o644",
|
||||||
"SAVELOG_KEYPREFIX": 4,
|
"SAVELOG_KEYPREFIX": 4,
|
||||||
"ENCKEY_PATH": "secret.key"
|
|
||||||
}
|
}
|
||||||
|
|
||||||
deftypes = {
|
deftypes = {
|
||||||
@ -20,7 +19,6 @@ deftypes = {
|
|||||||
"SAVELOG": str,
|
"SAVELOG": str,
|
||||||
"SAVELOG_CHMOD": int,
|
"SAVELOG_CHMOD": int,
|
||||||
"SAVELOG_KEYPREFIX": int,
|
"SAVELOG_KEYPREFIX": int,
|
||||||
"ENCKEY_PATH": str,
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
@ -94,16 +92,6 @@ if "ROOTURL" in checksettings:
|
|||||||
print("[" + u"\u2713" + "] ROOTURL is good!")
|
print("[" + u"\u2713" + "] ROOTURL is good!")
|
||||||
|
|
||||||
|
|
||||||
# Check if ENCKEY_PATH exists
|
|
||||||
enckey_exists = True
|
|
||||||
if "ENCKEY_PATH" in checksettings:
|
|
||||||
if not os.path.isfile(settings.ENCKEY_PATH):
|
|
||||||
enckey_exists = False
|
|
||||||
print("[!] The path set in ENCKEY_PATH ('{0}') doesn't exist!".format(settings.ENCKEY_PATH))
|
|
||||||
else:
|
|
||||||
print("[" + u"\u2713" + "] ENCKEY_PATH exists!")
|
|
||||||
|
|
||||||
|
|
||||||
# Ask the user if SAVELOG is the intended filename
|
# Ask the user if SAVELOG is the intended filename
|
||||||
if "SAVELOG" in checksettings:
|
if "SAVELOG" in checksettings:
|
||||||
print("[*] SAVELOG was interpreted to be {0}".format(settings.SAVELOG))
|
print("[*] SAVELOG was interpreted to be {0}".format(settings.SAVELOG))
|
||||||
@ -136,10 +124,6 @@ if not uploadfolder_exists:
|
|||||||
summarygood = False
|
summarygood = False
|
||||||
print("UPLOAD_FOLDER ({0}) does not exist!".format(settings.UPLOAD_FOLDER))
|
print("UPLOAD_FOLDER ({0}) does not exist!".format(settings.UPLOAD_FOLDER))
|
||||||
|
|
||||||
if not enckey_exists:
|
|
||||||
summarygood = False
|
|
||||||
print("ENCKEY_PATH ({0}) does not exist!".format(settings.ENCKEY_PATH))
|
|
||||||
|
|
||||||
if not rooturl_good:
|
if not rooturl_good:
|
||||||
summarygood = False
|
summarygood = False
|
||||||
print("ROOTURL may cause issues!")
|
print("ROOTURL may cause issues!")
|
||||||
|
15
imgupload.py
15
imgupload.py
@ -34,20 +34,13 @@ def upload():
|
|||||||
if request.method == "POST": # sanity check: make sure it's a POST request
|
if request.method == "POST": # sanity check: make sure it's a POST request
|
||||||
print("Request method was POST!")
|
print("Request method was POST!")
|
||||||
|
|
||||||
with open(settings.ENCKEY_PATH,"rb") as enckey: # load encryption key
|
with open("uploadkeys", "r") as keyfile: # load valid keys
|
||||||
key = enckey.read()
|
validkeys = keyfile.readlines()
|
||||||
f = Fernet(key)
|
validkeys = [x.strip("\n") for x in validkeys]
|
||||||
|
|
||||||
with open("uploadkeys", "rb") as keyfile:
|
|
||||||
encrypted_data = keyfile.read()
|
|
||||||
decrypted_data = str(f.decrypt(encrypted_data).decode('utf-8'))
|
|
||||||
decrypted_data = decrypted_data.splitlines()
|
|
||||||
|
|
||||||
validkeys = [x.strip("\n") for x in decrypted_data]
|
|
||||||
while "" in validkeys:
|
while "" in validkeys:
|
||||||
validkeys.remove("")
|
validkeys.remove("")
|
||||||
print("Removed blank key(s)")
|
|
||||||
print("Loaded validkeys")
|
print("Loaded validkeys")
|
||||||
|
|
||||||
if "uploadKey" in request.form: # if an uploadKey was provided
|
if "uploadKey" in request.form: # if an uploadKey was provided
|
||||||
if request.form["uploadKey"] in validkeys: # check if uploadKey is valid
|
if request.form["uploadKey"] in validkeys: # check if uploadKey is valid
|
||||||
print("Key is valid!")
|
print("Key is valid!")
|
||||||
|
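Review bot: The new `with open("uploadkeys", "r") as keyfile:` line reads the key store through a bare relative path, so which file is consulted depends on the working directory of the server process, and now that the contents are plaintext nothing verifies that the file exists or is not group- or world-readable before it is trusted for authentication. Consider taking the path from `settings` the way the removed `settings.ENCKEY_PATH` was, e.g. `open(getattr(settings, "UPLOADKEYS_PATH", "uploadkeys"), "r", encoding="utf-8")` (`UPLOADKEYS_PATH` is a placeholder name), and moving the existence and mode check into the settings-check script, whose deleted ENCKEY_PATH block in this commit could be adapted to warn when `os.stat(path).st_mode & 0o077` is non-zero. The explicit `encoding` also keeps key comparison independent of the server's locale. The enclosing `upload()` function starts before this hunk and continues after it.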
103
keygen.py
103
keygen.py
@ -1,103 +0,0 @@
|
|||||||
from cryptography.fernet import Fernet
|
|
||||||
from cryptography.fernet import InvalidToken
|
|
||||||
from pathlib import Path
|
|
||||||
import settings
|
|
||||||
import string
|
|
||||||
import secrets
|
|
||||||
import sys
|
|
||||||
import os
|
|
||||||
|
|
||||||
|
|
||||||
# Check if encryption key already exists
|
|
||||||
enckey = Path(settings.ENCKEY_PATH)
|
|
||||||
if enckey.is_file():
|
|
||||||
print("Encryption key found.")
|
|
||||||
else:
|
|
||||||
print("Encryption key not found.")
|
|
||||||
print("Generating key...")
|
|
||||||
key = Fernet.generate_key()
|
|
||||||
with open(settings.ENCKEY_PATH, "wb") as key_file:
|
|
||||||
key_file.write(key)
|
|
||||||
print("Encryption key generated and stored in secret.key.")
|
|
||||||
|
|
||||||
|
|
||||||
# Load encryption key
|
|
||||||
def load_key():
|
|
||||||
with open(settings.ENCKEY_PATH, "rb") as kf:
|
|
||||||
kdata = kf.read()
|
|
||||||
return kdata
|
|
||||||
|
|
||||||
|
|
||||||
# Encrypting and storing of key
|
|
||||||
def encrypt_key(message):
|
|
||||||
key = load_key()
|
|
||||||
keyf = Fernet(key)
|
|
||||||
|
|
||||||
with open('uploadkeys', 'a+') as uploadkeys:
|
|
||||||
print(str(token), file=uploadkeys)
|
|
||||||
|
|
||||||
with open("uploadkeys", "rb") as keyfile:
|
|
||||||
keyfile_data = keyfile.read()
|
|
||||||
|
|
||||||
encrypted_data = keyf.encrypt(keyfile_data)
|
|
||||||
|
|
||||||
with open("uploadkeys", "wb") as keyfile:
|
|
||||||
keyfile.write(encrypted_data)
|
|
||||||
|
|
||||||
|
|
||||||
def ask_yn(msg):
|
|
||||||
resps = {"y": True, "n": False}
|
|
||||||
ask = True
|
|
||||||
while ask:
|
|
||||||
proceedraw = input(msg)
|
|
||||||
if proceedraw.lower() in resps.keys():
|
|
||||||
proceed = resps[proceedraw]
|
|
||||||
ask = False
|
|
||||||
else:
|
|
||||||
print("Invalid response.")
|
|
||||||
return proceed
|
|
||||||
|
|
||||||
|
|
||||||
start = ask_yn("Have you run this program as the correct user (for example, nginx uses www-data)? [y/n] ")
|
|
||||||
if not start:
|
|
||||||
print("Please run this as the correct user with: sudo su [user] -s /bin/sh -c 'python3 keygen/py'")
|
|
||||||
|
|
||||||
else:
|
|
||||||
|
|
||||||
N = 64 # Size of token
|
|
||||||
|
|
||||||
# Generate key
|
|
||||||
token = ''.join(secrets.choice(string.ascii_letters + string.digits) for i in range(N))
|
|
||||||
|
|
||||||
# Decrypt the existing keyfile
|
|
||||||
key = load_key()
|
|
||||||
keyf = Fernet(key)
|
|
||||||
|
|
||||||
genkey = True
|
|
||||||
uploadkeysp = Path("uploadkeys")
|
|
||||||
if not uploadkeysp.is_file():
|
|
||||||
uploadkeysp.touch()
|
|
||||||
else:
|
|
||||||
with open("uploadkeys", "rb") as ukf:
|
|
||||||
# read the encrypted data
|
|
||||||
encrypted_data = ukf.read()
|
|
||||||
|
|
||||||
try:
|
|
||||||
decrypted_data = keyf.decrypt(encrypted_data) # decrypt data
|
|
||||||
with open("uploadkeys", "wb") as ukf:
|
|
||||||
ukf.write(decrypted_data) # write the original file
|
|
||||||
except InvalidToken:
|
|
||||||
print("The encrypted key data is invalid and cannot be read.")
|
|
||||||
print("It may be necessary to clear the file entirely, which will invalidate all tokens.")
|
|
||||||
proceed = ask_yn("Do you wish to proceed to clearing the uploadkeys file? [y/n] ")
|
|
||||||
|
|
||||||
if proceed:
|
|
||||||
os.remove("uploadkeys")
|
|
||||||
print("Removed uploadkeys file.")
|
|
||||||
proceed2 = ask_yn("Would you like to continue and generate a new token? [y/n] ")
|
|
||||||
if not proceed2:
|
|
||||||
genkey = False
|
|
||||||
|
|
||||||
if genkey:
|
|
||||||
print("Your new token is: " + str(token)) # Print token
|
|
||||||
encrypt_key(str(token)) # Encrypt the key and save
|
|
@ -1,3 +1,2 @@
|
|||||||
Flask_API==2.0
|
Flask_API==2.0
|
||||||
cryptography==3.1
|
|
||||||
Flask==1.1.2
|
Flask==1.1.2
|
||||||
|
@ -4,4 +4,3 @@ ROOTURL = "https://example.com/"
|
|||||||
SAVELOG = "savelog.log"
|
SAVELOG = "savelog.log"
|
||||||
SAVELOG_CHMOD = 0o644
|
SAVELOG_CHMOD = 0o644
|
||||||
SAVELOG_KEYPREFIX = 4
|
SAVELOG_KEYPREFIX = 4
|
||||||
ENCKEY_PATH = "secret.key"
|
|
||||||
|