Fix formatting of README.md

- Added Installation section to README.md
- Removed old Usage section

.gitignore

@@ -132,3 +132,6 @@ dmypy.json
 uploadkeys
 savelog.log
 uwsgi.log
+settings.py
+functions.py
+secret.key

README.md

@@ -1,4 +1,26 @@
 # imgupload
-Python Flask uWSGI application to receive and save images over POST requests.
+![CodeFactor Grade](https://img.shields.io/codefactor/grade/github/BBaoVanC/imgupload/master?color=purple) ![GitHub repo size](https://img.shields.io/github/repo-size/bbaovanc/imgupload?color=purple) ![GitHub All Releases](https://img.shields.io/github/downloads/bbaovanc/imgupload/total?color=purple) ![GitHub issues](https://img.shields.io/github/issues/bbaovanc/imgupload?color=purple) ![GitHub closed issues](https://img.shields.io/github/issues-closed/bbaovanc/imgupload?color=purple) ![GitHub](https://img.shields.io/github/license/bbaovanc/imgupload?color=purple)
 
-This project is still in development. Use at your own risk!
+### What is imgupload?
+imgupload is a Flask + uWSGI application to serve as an all-purpose image/file uploader over POST requests.
+
+### Installation
+1. Clone the repository: `git clone https://github.com/BBaoVanC/imgupload.git`
+2. Enter the imgupload directory: `cd imgupload`
+3. Create a virtualenv: `python3 -m venv env`
+4. Enter the virtualenv: `source env/bin/activate`
+5. Install dependencies: `python3 -m pip install -r requirements.txt`
+6. Run the Flask app
+
+## Running the Flask app
+### Using uWSGI
+[https://uwsgi-docs.readthedocs.io/en/latest/Configuration.html](https://uwsgi-docs.readthedocs.io/en/latest/Configuration.html)
+
+Instructions specific to imgupload are coming soon
+
+### Using Flask development server
+```shell
+$ source env/bin/activate  # if you haven't already entered the virtualenv
+$ export FLASK_APP=imgupload.py
+$ flask run
+```

configtest.py

@@ -9,8 +9,8 @@ defaults = {
     "ROOTURL": "https://img.bbaovanc.com/",
     "SAVELOG": "savelog.log",
     "SAVELOG_CHMOD": "0o644",
-    "UPLOADKEYS_CHMOD": "0o400",
     "SAVELOG_KEYPREFIX": 4,
+    "ENCKEY_PATH": "secret.key"
 }
 
 deftypes = {
@@ -19,8 +19,8 @@ deftypes = {
     "ROOTURL": str,
     "SAVELOG": str,
     "SAVELOG_CHMOD": int,
-    "UPLOADKEYS_CHMOD": int,
     "SAVELOG_KEYPREFIX": int,
+    "ENCKEY_PATH": str,
 }
 
 
@@ -94,6 +94,16 @@ if "ROOTURL" in checksettings:
         print("[" + u"\u2713" + "] ROOTURL is good!")
 
 
+# Check if ENCKEY_PATH exists
+enckey_exists = True
+if "ENCKEY_PATH" in checksettings:
+    if not os.path.isfile(settings.ENCKEY_PATH):
+        enckey_exists = False
+        print("[!] The path set in ENCKEY_PATH ('{0}') doesn't exist!".format(settings.ENCKEY_PATH))
+    else:
+        print("[" + u"\u2713" + "] ENCKEY_PATH exists!")
+
+
 # Ask the user if SAVELOG is the intended filename
 if "SAVELOG" in checksettings:
     print("[*] SAVELOG was interpreted to be {0}".format(settings.SAVELOG))
@@ -126,6 +136,10 @@ if not uploadfolder_exists:
     summarygood = False
     print("UPLOAD_FOLDER ({0}) does not exist!".format(settings.UPLOAD_FOLDER))
 
+if not enckey_exists:
+    summarygood = False
+    print("ENCKEY_PATH ({0}) does not exist!".format(settings.ENCKEY_PATH))
+
 if not rooturl_good:
     summarygood = False
     print("ROOTURL may cause issues!")

functions.py.default

@@ -0,0 +1,8 @@
+import string
+import random
+
+
+def generate_name():
+    chars = string.ascii_letters + string.digits  # uppercase, lowercase, and numbers
+    name = ''.join((random.choice(chars) for i in range(8)))  # generate name
+    return name

imgupload.py

@@ -1,15 +1,13 @@
 from flask import Flask, request, jsonify, abort, Response
+from cryptography.fernet import Fernet
 from flask_api import status
 from pathlib import Path
-import string
 import random
 import os
 import datetime
 
 import settings  # app settings (such as allowed extensions)
-
+import functions  # custom functions
-
-ALPHANUMERIC = string.ascii_letters + string.digits  # uppercase, lowercase, and numbers
 
 app = Flask(__name__)  # app is the app
 
@@ -21,15 +19,6 @@ def allowed_extension(testext):
         return False
 
 
-def generate_name(extension):
-    namefound = False
-    while not namefound:
-        fname = ''.join((random.choice(ALPHANUMERIC) for i in range(8))) + str(extension)
-        if not Path(fname).is_file():
-            namefound = True
-    return fname
-
-
 def log_savelog(key, ip, savedname):
     if settings.SAVELOG_KEYPREFIX > 0:
         with open(settings.SAVELOG, "a+") as slogf:
@@ -40,30 +29,31 @@ def log_savelog(key, ip, savedname):
             slogf.write("[{0}] {1} - {2}\n".format(datetime.datetime.now(), ip, savedname))
         os.chmod(settings.SAVELOG, settings.SAVELOG_CHMOD)
 
-
 @app.route("/upload", methods = ["POST"])
 def upload():
     if request.method == "POST":  # sanity check: make sure it's a POST request
         print("Request method was POST!")
 
-        os.chmod("uploadkeys", settings.UPLOADKEYS_CHMOD)
+        with open(settings.ENCKEY_PATH,"rb") as enckey: # load encryption key
-        print("Changed permissions of `uploadkeys`")
+            key = enckey.read()
-        with open("uploadkeys", "r") as keyfile:  # load valid keys
+        f = Fernet(key)
-            validkeys = keyfile.readlines()
+
-        validkeys = [x.strip("\n") for x in validkeys]
+        with open("uploadkeys", "rb") as keyfile:
+            encrypted_data = keyfile.read()
+        decrypted_data = str(f.decrypt(encrypted_data).decode('utf-8'))
+        decrypted_data = decrypted_data.splitlines()
+
+        validkeys = [x.strip("\n") for x in decrypted_data]
         while "" in validkeys:
             validkeys.remove("")
-            print("removed blank key")
+            print("Removed blank key(s)")
-        print("Valid keys: {0}".format(validkeys))
         print("Loaded validkeys")
-
         if "uploadKey" in request.form:  # if an uploadKey was provided
             if request.form["uploadKey"] in validkeys:  # check if uploadKey is valid
                 print("Key is valid!")
 
                 if "imageUpload" in request.files:  # check if image to upload was provided
                     f = request.files["imageUpload"]  # f is the image to upload
-                    print("Found uploaded image")
                 else:
                     print("No image upload was found!")
                     return jsonify({'status': 'error', 'error': 'NO_IMAGE_UPLOADED'}), status.HTTP_400_BAD_REQUEST
@@ -73,23 +63,23 @@ def upload():
                     return jsonify({'status': 'error', 'error': 'FILENAME_BLANK'}), status.HTTP_400_BAD_REQUEST
 
                 fext = Path(f.filename).suffix  # get the uploaded extension
-                print("Uploaded file extensions is {0}".format(fext))
                 if allowed_extension(fext):  # if the extension is allowed
-                    fname = generate_name(fext)  # generate file name
+                    print("Generating file with extension {0}".format(fext))
+                    fname = functions.generate_name() + fext  # generate file name
                     print("Generated name: {0}".format(fname))
 
                     if f:  # if the uploaded image exists
-                        print("Uploaded image exists, obviously.")
+                        print("Uploaded image exists")
                         f.save(os.path.join(settings.UPLOAD_FOLDER, fname))  # save the image
                         print("Saved to {0}".format(fname))
                         url = settings.ROOTURL + fname  # construct the url to the image
                         if settings.SAVELOG != "/dev/null":
+                            print("Saving to savelog")
                             log_savelog(request.form["uploadKey"], request.remote_addr, fname)
-                            print("Logged message to savelog")
                         print("Returning json response")
                         return jsonify({'status': 'success', 'url': url, 'name': fname, 'uploadedName': f.filename}), status.HTTP_201_CREATED
                     else:  # this shouldn't happen
-                        print("Um... uploaded image is nonexistent..? Please report this error!")
+                        print("Um... uploaded image... is nonexistent? Please report this error!")
                         return jsonify({'status': 'error', 'error': 'UPLOADED_IMAGE_FAILED_SANITY_CHECK_1'}), status.HTTP_400_BAD_REQUEST
 
                 else:  # if the extension was invalid

keygen.py

@@ -0,0 +1,103 @@
+from cryptography.fernet import Fernet
+from cryptography.fernet import InvalidToken
+from pathlib import Path
+import settings
+import string
+import secrets
+import sys
+import os
+
+
+# Check if encryption key already exists
+enckey = Path(settings.ENCKEY_PATH)
+if enckey.is_file():
+    print("Encryption key found.")
+else:
+    print("Encryption key not found.")
+    print("Generating key...")
+    key = Fernet.generate_key()
+    with open(settings.ENCKEY_PATH, "wb") as key_file:
+        key_file.write(key)
+    print("Encryption key generated and stored in secret.key.")
+
+
+# Load encryption key
+def load_key():
+    with open(settings.ENCKEY_PATH, "rb") as kf:
+        kdata = kf.read()
+    return kdata
+
+
+# Encrypting and storing of key
+def encrypt_key(message):
+    key = load_key()
+    keyf = Fernet(key)
+
+    with open('uploadkeys', 'a+') as uploadkeys:
+        print(str(token), file=uploadkeys)
+
+    with open("uploadkeys", "rb") as keyfile:
+        keyfile_data = keyfile.read()
+
+    encrypted_data = keyf.encrypt(keyfile_data)
+
+    with open("uploadkeys", "wb") as keyfile:
+        keyfile.write(encrypted_data)
+
+
+def ask_yn(msg):
+    resps = {"y": True, "n": False}
+    ask = True
+    while ask:
+        proceedraw = input(msg)
+        if proceedraw.lower() in resps.keys():
+            proceed = resps[proceedraw]
+            ask = False
+        else:
+            print("Invalid response.")
+    return proceed
+
+
+start = ask_yn("Have you run this program as the correct user (for example, nginx uses www-data)? [y/n] ")
+if not start:
+    print("Please run this as the correct user with: sudo su [user] -s /bin/sh -c 'python3 keygen/py'")
+
+else:
+
+    N = 64  # Size of token
+
+    # Generate key
+    token = ''.join(secrets.choice(string.ascii_letters + string.digits) for i in range(N))
+
+    # Decrypt the existing keyfile
+    key = load_key()
+    keyf = Fernet(key)
+
+    genkey = True
+    uploadkeysp = Path("uploadkeys")
+    if not uploadkeysp.is_file():
+        uploadkeysp.touch()
+    else:
+        with open("uploadkeys", "rb") as ukf:
+            # read the encrypted data
+            encrypted_data = ukf.read()
+
+        try:
+            decrypted_data = keyf.decrypt(encrypted_data)  # decrypt data
+            with open("uploadkeys", "wb") as ukf:
+                ukf.write(decrypted_data)  # write the original file
+        except InvalidToken:
+            print("The encrypted key data is invalid and cannot be read.")
+            print("It may be necessary to clear the file entirely, which will invalidate all tokens.")
+            proceed = ask_yn("Do you wish to proceed to clearing the uploadkeys file? [y/n] ")
+
+            if proceed:
+                os.remove("uploadkeys")
+                print("Removed uploadkeys file.")
+                proceed2 = ask_yn("Would you like to continue and generate a new token? [y/n] ")
+                if not proceed2:
+                    genkey = False
+
+    if genkey:
+        print("Your new token is: " + str(token))  # Print token
+        encrypt_key(str(token))  # Encrypt the key and save

requirements.txt

@@ -0,0 +1,3 @@
+Flask_API==2.0
+cryptography==3.1
+Flask==1.1.2

settings.py.default

@@ -1,7 +1,7 @@
-UPLOAD_FOLDER = "/var/www/img"
+UPLOAD_FOLDER = "/path/to/images"
 ALLOWED_EXTENSIONS = [".png", ".jpg", ".jpeg", ".svg", ".bmp", ".gif", ".ico",  ".webp"]
-ROOTURL = "https://img.bbaovanc.com/"
+ROOTURL = "https://example.com/"
 SAVELOG = "savelog.log"
 SAVELOG_CHMOD = 0o644
-UPLOADKEYS_CHMOD = 0o600
 SAVELOG_KEYPREFIX = 4
+ENCKEY_PATH = "secret.key"