bbaovanc/imgupload-legacy
Archived
1
1
Fork 0
Code Issues Pull Requests Releases 12 Wiki Activity

Compare commits

base: bbaovanc:v0.1
Branches Tags
bbaovanc:master bbaovanc:feature-iss4 bbaovanc:legacy
bbaovanc:v2.4 bbaovanc:v2.3 bbaovanc:v2.2.post1 bbaovanc:v2.2 bbaovanc:v2.1.3 bbaovanc:v2.1.2 bbaovanc:v2.1.1 bbaovanc:v2.1 bbaovanc:v2.0 bbaovanc:v1.1 bbaovanc:v1.0 bbaovanc:v0.1
...
compare: bbaovanc:v2.2
Branches Tags
bbaovanc:master bbaovanc:feature-iss4 bbaovanc:legacy
bbaovanc:v2.4 bbaovanc:v2.3 bbaovanc:v2.2.post1 bbaovanc:v2.2 bbaovanc:v2.1.3 bbaovanc:v2.1.2 bbaovanc:v2.1.1 bbaovanc:v2.1 bbaovanc:v2.0 bbaovanc:v1.1 bbaovanc:v1.0 bbaovanc:v0.1

24 Commits
v0.1 ... v2.2

Author SHA1 Message Date
BBaoVanC
7c1f449bce Add "verify" field to request to not save image 
This makes it easy for the user to debug authentication.
 2020-09-05 18:55:56 -05:00
BBaoVanC
0dbcc0e380 Change file extension check to be case-insensitive 2020-09-05 16:21:50 -05:00
BBaoVanC
b8b5a2518c Change abort() calls to JSON responses 
This makes the responses more consistent. Now, all responses are JSON.
 2020-09-05 15:43:36 -05:00
BBaoVanC
805e545b39 Deduplicate code in keyctl.py and add comments 2020-09-04 19:44:46 -05:00
ItHertzSoGood
9a117817f7 Changed random to secrets for cryptographic security 2020-09-04 14:32:53 -07:00
BBaoVanC
c9cd6469a9 Change a couple print statements to logging.info 
Quiet mode is now a little more useful!
 2020-09-04 15:37:34 -05:00
BBaoVanC
6f64890e34 Remove unused imports from imgupload.py 2020-09-04 15:24:49 -05:00
BBaoVanC
91db522363 Add keyctl.py for easy management of uploadkeys 2020-09-04 15:19:40 -05:00
BBaoVanC
9d9b93a9ee Add proper shebangs and block comments 2020-09-04 10:47:20 -05:00
BBaoVanC
565a91e4ec Remove uploadkeys encryption features 
It doesn't really make sense to encrypt the keys, but store the secret
literally in the same directory. uploadkeys will now be stored in
plaintext. The branch `legacy` has the old code from before this commit.
 2020-09-03 21:44:58 -05:00
BBaoVanC
3fcdaa2b10 Fix formatting of README.md 2020-09-02 21:52:13 -05:00
BBaoVanC
4309225185 Add Installation section to README.md 
- Added Installation section to README.md
- Removed old Usage section
 2020-09-02 21:43:31 -05:00
BBaoVanC
065296f84a Rename functions.py to functions.py.default 
Since this is default settings and the user might want to customize
them, functions.py has been renamed. This also will prevent conflicts if
the user has updated their functions.py and then tries to pull.
 2020-09-02 18:04:41 -05:00
BBaoVanC
841bb513d3 Allow easy customization of filename generation 
Added a new file called functions.py which contains user-customizable
functions, instead of requiring the user to edit imgupload.py.
 2020-09-02 17:14:28 -05:00
BBaoVanC
f0bb30a747 Change keygen.py to not require root 
keygen.py now recommends that you run it as the user you want to have
ownership of secret.key and uploadkeys (such as www-data for nginx).
Then, if uploadkeys or secret.key don't exist, they will be created with
the correct ownership.
 2020-09-02 14:26:57 -05:00
BBaoVanC
7fce3f57e9 Remove secrets from requirements.txt 
On macOS, a dependency of secrets fails to install using pip. After
testing, it looks like the secrets module is not required.
 2020-08-31 23:46:28 -05:00
dependabot-preview[bot]
a587040809 Bump cryptography from 2.8 to 3.1 (#2) 2020-09-01 04:41:50 +00:00
BBaoVanC
8a95dbb0fa Remove trailing whitespace from lines 2020-08-31 23:09:39 -05:00
BBaoVanC
a5a22b7c88 Remove UPLOADKEYS_CHMOD option due to keygen.py 
Since keygen.py is run as root, uploadkeys is owned by root. This causes
issues when imgupload.py tries to chmod the uploadkeys file since it
doesn't have permissions to chmod it.
Solution: remove UPLOADKEYS_CHMOD option
 2020-08-31 21:14:09 -05:00
BBaoVanC
7ccaafc6c6 Bugfixes in keygen.py 
- Handle if uploadkeys becomes corrupted
- Disambiguate variable names
- Handle case where the uploadkeys file doesn't already exist
 2020-08-31 20:32:00 -05:00
BBaoVanC
797bebb1a1 Fix ENCKEY_PATH check in configtest.py 2020-08-31 20:29:07 -05:00
quiprr
08f9e13da0 Merge pull request #1 from BBaoVanC/dev 
added encryption to uploadkeys and added a key generator
 2020-08-31 17:13:24 -07:00
ItHertzSoGood
3d1304b3b0 added encryption to uploadkeys and added a key generator 2020-08-31 17:12:39 -07:00
BBaoVanC
4b624f3fed Ignore settings.py and add settings.py.default 2020-08-31 18:48:22 -05:00
8 changed files with 260 additions and 42 deletions
Expand all files Collapse all files

2
.gitignore vendored
View File

@ -132,3 +132,5 @@ dmypy.json
uploadkeys uploadkeys
savelog.log savelog.log
uwsgi.log uwsgi.log
settings.py
functions.py

26
README.md
View File

@ -1,4 +1,26 @@
# imgupload # imgupload
Python Flask uWSGI application to receive and save images over POST requests. ![CodeFactor Grade](https://img.shields.io/codefactor/grade/github/BBaoVanC/imgupload/master?color=purple) ![GitHub repo size](https://img.shields.io/github/repo-size/bbaovanc/imgupload?color=purple) ![GitHub All Releases](https://img.shields.io/github/downloads/bbaovanc/imgupload/total?color=purple) ![GitHub issues](https://img.shields.io/github/issues/bbaovanc/imgupload?color=purple) ![GitHub closed issues](https://img.shields.io/github/issues-closed/bbaovanc/imgupload?color=purple) ![GitHub](https://img.shields.io/github/license/bbaovanc/imgupload?color=purple)
This project is still in development. Use at your own risk! ### What is imgupload?
imgupload is a Flask + uWSGI application to serve as an all-purpose image/file uploader over POST requests.
### Installation
1. Clone the repository: `git clone https://github.com/BBaoVanC/imgupload.git`
2. Enter the imgupload directory: `cd imgupload`
3. Create a virtualenv: `python3 -m venv env`
4. Enter the virtualenv: `source env/bin/activate`
5. Install dependencies: `python3 -m pip install -r requirements.txt`
6. Run the Flask app
## Running the Flask app
### Using uWSGI
[https://uwsgi-docs.readthedocs.io/en/latest/Configuration.html](https://uwsgi-docs.readthedocs.io/en/latest/Configuration.html)
Instructions specific to imgupload are coming soon
### Using Flask development server
```shell
$ source env/bin/activate # if you haven't already entered the virtualenv
$ export FLASK_APP=imgupload.py
$ flask run
```

8
configtest.py
View File

@ -1,3 +1,9 @@
#!/usr/bin/env python3
"""
configtest.py
Tests the validity of your configuration in settings.py.
"""
import os import os
import settings as settings import settings as settings
@ -9,7 +15,6 @@ defaults = {
"ROOTURL": "https://img.bbaovanc.com/", "ROOTURL": "https://img.bbaovanc.com/",
"SAVELOG": "savelog.log", "SAVELOG": "savelog.log",
"SAVELOG_CHMOD": "0o644", "SAVELOG_CHMOD": "0o644",
"UPLOADKEYS_CHMOD": "0o400",
"SAVELOG_KEYPREFIX": 4, "SAVELOG_KEYPREFIX": 4,
} }
@ -19,7 +24,6 @@ deftypes = {
"ROOTURL": str, "ROOTURL": str,
"SAVELOG": str, "SAVELOG": str,
"SAVELOG_CHMOD": int, "SAVELOG_CHMOD": int,
"UPLOADKEYS_CHMOD": int,
"SAVELOG_KEYPREFIX": int, "SAVELOG_KEYPREFIX": int,
} }

14
functions.py.default Normal file
View File

@ -0,0 +1,14 @@
#!/usr/bin/env python3
"""
functions.py
Functions used by imgupload which can be easily customized.
"""
import string
import random
def generate_name():
chars = string.ascii_letters + string.digits # uppercase, lowercase, and numbers
name = ''.join((random.choice(chars) for i in range(8))) # generate name
return name

57
imgupload.py
View File

@ -1,35 +1,28 @@
from flask import Flask, request, jsonify, abort, Response #!/usr/bin/env python3
"""
imgupload.py
Flask application for processing images uploaded through POST requests.
"""
from flask import Flask, request, jsonify, Response
from flask_api import status from flask_api import status
from pathlib import Path from pathlib import Path
import string
import random
import os import os
import datetime import datetime
import settings # app settings (such as allowed extensions) import settings # app settings (such as allowed extensions)
import functions # custom functions
ALPHANUMERIC = string.ascii_letters + string.digits # uppercase, lowercase, and numbers
app = Flask(__name__) # app is the app app = Flask(__name__) # app is the app
def allowed_extension(testext): def allowed_extension(testext):
if testext in settings.ALLOWED_EXTENSIONS: if testext.lower() in settings.ALLOWED_EXTENSIONS:
return True return True
else: else:
return False return False
def generate_name(extension):
namefound = False
while not namefound:
fname = ''.join((random.choice(ALPHANUMERIC) for i in range(8))) + str(extension)
if not Path(fname).is_file():
namefound = True
return fname
def log_savelog(key, ip, savedname): def log_savelog(key, ip, savedname):
if settings.SAVELOG_KEYPREFIX > 0: if settings.SAVELOG_KEYPREFIX > 0:
with open(settings.SAVELOG, "a+") as slogf: with open(settings.SAVELOG, "a+") as slogf:
@ -40,30 +33,29 @@ def log_savelog(key, ip, savedname):
slogf.write("[{0}] {1} - {2}\n".format(datetime.datetime.now(), ip, savedname)) slogf.write("[{0}] {1} - {2}\n".format(datetime.datetime.now(), ip, savedname))
os.chmod(settings.SAVELOG, settings.SAVELOG_CHMOD) os.chmod(settings.SAVELOG, settings.SAVELOG_CHMOD)
@app.route("/upload", methods = ["POST"]) @app.route("/upload", methods = ["POST"])
def upload(): def upload():
if request.method == "POST": # sanity check: make sure it's a POST request if request.method == "POST": # sanity check: make sure it's a POST request
print("Request method was POST!") print("Request method was POST!")
os.chmod("uploadkeys", settings.UPLOADKEYS_CHMOD)
print("Changed permissions of `uploadkeys`")
with open("uploadkeys", "r") as keyfile: # load valid keys with open("uploadkeys", "r") as keyfile: # load valid keys
validkeys = keyfile.readlines() validkeys = keyfile.readlines()
validkeys = [x.strip("\n") for x in validkeys] validkeys = [x.strip("\n") for x in validkeys]
while "" in validkeys: while "" in validkeys:
validkeys.remove("") validkeys.remove("")
print("removed blank key")
print("Valid keys: {0}".format(validkeys))
print("Loaded validkeys") print("Loaded validkeys")
if "uploadKey" in request.form: # if an uploadKey was provided if "uploadKey" in request.form: # if an uploadKey was provided
if request.form["uploadKey"] in validkeys: # check if uploadKey is valid if request.form["uploadKey"] in validkeys: # check if uploadKey is valid
print("Key is valid!") print("Key is valid!")
if "verify" in request.form.keys():
if request.form["verify"] == "true":
print("Request is asking if key is valid (it is)")
return jsonify({'status': 'key_valid'})
if "imageUpload" in request.files: # check if image to upload was provided if "imageUpload" in request.files: # check if image to upload was provided
f = request.files["imageUpload"] # f is the image to upload f = request.files["imageUpload"] # f is the image to upload
print("Found uploaded image")
else: else:
print("No image upload was found!") print("No image upload was found!")
return jsonify({'status': 'error', 'error': 'NO_IMAGE_UPLOADED'}), status.HTTP_400_BAD_REQUEST return jsonify({'status': 'error', 'error': 'NO_IMAGE_UPLOADED'}), status.HTTP_400_BAD_REQUEST
@ -73,42 +65,37 @@ def upload():
return jsonify({'status': 'error', 'error': 'FILENAME_BLANK'}), status.HTTP_400_BAD_REQUEST return jsonify({'status': 'error', 'error': 'FILENAME_BLANK'}), status.HTTP_400_BAD_REQUEST
fext = Path(f.filename).suffix # get the uploaded extension fext = Path(f.filename).suffix # get the uploaded extension
print("Uploaded file extensions is {0}".format(fext))
if allowed_extension(fext): # if the extension is allowed if allowed_extension(fext): # if the extension is allowed
fname = generate_name(fext) # generate file name print("Generating file with extension {0}".format(fext))
fname = functions.generate_name() + fext # generate file name
print("Generated name: {0}".format(fname)) print("Generated name: {0}".format(fname))
if f: # if the uploaded image exists if f: # if the uploaded image exists
print("Uploaded image exists, obviously.") print("Uploaded image exists")
f.save(os.path.join(settings.UPLOAD_FOLDER, fname)) # save the image f.save(os.path.join(settings.UPLOAD_FOLDER, fname)) # save the image
print("Saved to {0}".format(fname)) print("Saved to {0}".format(fname))
url = settings.ROOTURL + fname # construct the url to the image url = settings.ROOTURL + fname # construct the url to the image
if settings.SAVELOG != "/dev/null": if settings.SAVELOG != "/dev/null":
print("Saving to savelog")
log_savelog(request.form["uploadKey"], request.remote_addr, fname) log_savelog(request.form["uploadKey"], request.remote_addr, fname)
print("Logged message to savelog")
print("Returning json response") print("Returning json response")
return jsonify({'status': 'success', 'url': url, 'name': fname, 'uploadedName': f.filename}), status.HTTP_201_CREATED return jsonify({'status': 'success', 'url': url, 'name': fname, 'uploadedName': f.filename}), status.HTTP_201_CREATED
else: # this shouldn't happen else: # this shouldn't happen
print("Um... uploaded image is nonexistent..? Please report this error!") print("Um... uploaded image... is nonexistent? Please report this error!")
return jsonify({'status': 'error', 'error': 'UPLOADED_IMAGE_FAILED_SANITY_CHECK_1'}), status.HTTP_400_BAD_REQUEST return jsonify({'status': 'error', 'error': 'UPLOADED_IMAGE_FAILED_SANITY_CHECK_1'}), status.HTTP_400_BAD_REQUEST
else: # if the extension was invalid else: # if the extension was invalid
print("Uploaded extension is invalid!") print("Uploaded extension is invalid!")
abort(415) return jsonify({'status': 'error', 'error': 'INVALID_EXTENSION'}), status.HTTP_415_UNSUPPORTED_MEDIA_TYPE
else: # if the key was not valid else: # if the key was not valid
print("Key is invalid!") print("Key is invalid!")
print("Request key: {0}".format(request.form["uploadKey"])) print("Request key: {0}".format(request.form["uploadKey"]))
abort(401) return jsonify({'status': 'error', 'error': 'UNAUTHORIZED'}), status.HTTP_401_UNAUTHORIZED
else: # if uploadKey was not found in request body else: # if uploadKey was not found in request body
print("No uploadKey found in request!") print("No uploadKey found in request!")
abort(401) return jsonify({'status': 'error', 'error': 'UNAUTHORIZED'}), status.HTTP_401_UNAUTHORIZED
else: # if the request method wasn't post
print("Request method was not POST!")
abort(405)
if __name__ == "__main__": if __name__ == "__main__":
print("Run with `flask` or a WSGI server!") print("Run with `flask` or a WSGI server!")

181
keyctl.py Normal file
View File

@ -0,0 +1,181 @@
#!/usr/bin/env python3
"""
keyctl.py
Command-line utility for easy management of the uploadkeys file.
"""
from pathlib import Path
import argparse
import logging
import secrets
import string
def read_keyfile():
with open("uploadkeys", "r") as keyfile: # open uploadkeys
keys = keyfile.readlines() # read all the keys
logging.debug("Read uploadkeys")
keys = [x.strip("\n") for x in keys] # strip newlines from keys
logging.debug("Stripped newlines from keys")
return keys
def genkey(length):
key = ''.join(secrets.choice(string.ascii_letters + string.digits) for x in range(length))
return key
def savekey(key):
if not Path("uploadkeys").is_file(): # if uploadkeys doesn't exist, log an info message
logging.info("uploadkeys file doesn't exist, it will be created.")
with open("uploadkeys", "a+") as keyfile:
keyfile.write(str(key) + "\n") # add the key
logging.debug("Saved a key to uploadkeys: {0}".format(key))
def rmkey(delkey):
removedkey = False
allkeys = read_keyfile()
if delkey in allkeys: # if the key to remove exists
allkeys.remove(delkey) # remove the first instance of the key
removedkey = True
logging.debug("Removed one instance of the key")
with open("uploadkeys", "w") as keyfile:
for k in allkeys:
keyfile.write(k + "\n") # write the remaining keys
if removedkey:
return True
else:
return False
def find_duplicates():
allkeys = read_keyfile()
seen = set()
ukeys = []
dupkeys = []
for x in allkeys:
if x not in seen:
ukeys.append(x)
seen.add(x)
else:
dupkeys.append(x)
return dupkeys
def get_keys():
validkeys = read_keyfile()
while "" in validkeys:
validkeys.remove("")
logging.debug("Removed blank keys")
return validkeys
def cmd_list(args):
validkeys = get_keys()
print("List of upload keys:")
for i in range(len(validkeys)):
showkey = validkeys[i][:6]
if len(validkeys[i]) > 6:
showkey += "..." # add ellipses since the key was shortened in list
print(" [{0}] {1}".format(i+1, showkey))
def cmd_generate(args):
k = genkey(args.length)
logging.debug("Generated a new key: {0}".format(k))
savekey(k)
print("Your new key is: {0}".format(k))
def cmd_add(args):
print("Please type/paste the key you would like to add.")
akr = input("> ")
ak = akr.strip()
print()
logging.debug("Ran strip() on key")
print(ak)
if input("Is the above key correct? [y/N] ").lower() == "y":
logging.debug("Interpreted as yes")
ask_for_key = False
savekey(ak)
logging.info("Added.")
else:
logging.debug("Interpreted as no")
print("No key has been saved.")
def cmd_remove(args):
if rmkey(args.key):
logging.debug("Successfully removed the requested key")
else:
logging.info("No key was removed.")
def cmd_dedupe(args):
dupes = find_duplicates()
if len(dupes) > 0:
for d in dupes:
r = rmkey(d)
logging.debug(r)
logging.info("Removed duplicate key: {0}".format(d))
else:
logging.info("[" + u"\u2713" + "] No duplicate keys found!")
def cmd_show(args):
for k in get_keys():
if k[:6] == args.prefix:
print("Key: {0}".format(k))
break
parser = argparse.ArgumentParser() # create instance of argument parser class
parlog = parser.add_mutually_exclusive_group()
parlog.add_argument("-v", "--verbose", help="show debugging messages", action="store_true")
parlog.add_argument("-q", "--quiet", help="show only warning messages and up", action="store_true")
subparsers = parser.add_subparsers(help="sub-commands")
parser_list = subparsers.add_parser("list", help="list the beginning of each key")
parser_list.set_defaults(func=cmd_list)
parser_gen = subparsers.add_parser("generate", help="generate a key and save it to uploadkeys")
parser_gen.add_argument("length", help="length of key to generate", default=64, type=int, nargs="?")
parser_gen.set_defaults(func=cmd_generate)
parser_add = subparsers.add_parser("add", help="prompts for a key to add to uploadkeys")
parser_add.set_defaults(func=cmd_add)
parser_remove = subparsers.add_parser("remove", help="remove (one instance of) a key from uploadkeys")
parser_remove.add_argument("key", help="key to remove")
parser_remove.set_defaults(func=cmd_remove)
parser_dedupe = subparsers.add_parser("dedupe", help="remove duplicate keys")
parser_dedupe.set_defaults(func=cmd_dedupe)
parser_show = subparsers.add_parser("show", help="show the full key based on the first 6 characters")
parser_show.add_argument("prefix", help="first 6 characters of key (shown by `python3 keyctl.py list`)")
parser_show.set_defaults(func=cmd_show)
args = parser.parse_args() # parse the arguments
if args.verbose:
loglevel = logging.DEBUG
elif args.quiet:
loglevel = logging.WARNING
else:
loglevel = logging.INFO
logging.basicConfig(level=loglevel, format="%(levelname)s: %(message)s")
try:
args.func(args)
except AttributeError:
logging.error("AttributeError")
parser.print_help()

2
requirements.txt Normal file
View File

@ -0,0 +1,2 @@
Flask_API==2.0
Flask==1.1.2

12
settings.py → settings.py.default
View File

@ -1,7 +1,13 @@
UPLOAD_FOLDER = "/var/www/img" #!/usr/bin/env python3
"""
settings.py
User-defined settings used by imgupload.py.
"""
UPLOAD_FOLDER = "/path/to/images"
ALLOWED_EXTENSIONS = [".png", ".jpg", ".jpeg", ".svg", ".bmp", ".gif", ".ico", ".webp"] ALLOWED_EXTENSIONS = [".png", ".jpg", ".jpeg", ".svg", ".bmp", ".gif", ".ico", ".webp"]
ROOTURL = "https://img.bbaovanc.com/" ROOTURL = "https://example.com/"
SAVELOG = "savelog.log" SAVELOG = "savelog.log"
SAVELOG_CHMOD = 0o644 SAVELOG_CHMOD = 0o644
UPLOADKEYS_CHMOD = 0o600
SAVELOG_KEYPREFIX = 4 SAVELOG_KEYPREFIX = 4