refactor(pgs): switch from allowlist to denylist for files

picosh · Apr 4, 2024 · 485c1f5 · 485c1f5
1 parent 1a30037
commit 485c1f5
Show file tree

Hide file tree

Showing 2 changed files with 24 additions and 62 deletions.
diff --git a/filehandlers/assets/handler.go b/filehandlers/assets/handler.go
@@ -8,6 +8,7 @@ import (
 	"log/slog"
 	"os"
 	"path/filepath"
+	"regexp"
 	"strings"
 	"time"
 
@@ -360,14 +361,17 @@ func (h *UploadAssetHandler) validateAsset(data *FileData) (bool, error) {
 		return true, nil
 	}
 
-	if !shared.IsExtAllowed(fname, h.Cfg.AllowedExt) {
-		extStr := strings.Join(h.Cfg.AllowedExt, ",")
-		err := fmt.Errorf(
-			"ERROR: (%s) invalid file, format must be (%s), skipping",
-			fname,
-			extStr,
-		)
-		return false, err
+	dotFileRe := regexp.MustCompile(`/\..+`)
+	// TODO: let user control this list somehow
+	denylist := []*regexp.Regexp{dotFileRe}
+	for _, denyRe := range denylist {
+		if denyRe.MatchString(data.Filepath) {
+			err := fmt.Errorf(
+				"ERROR: (%s) file rejected, https://pico.sh/pgs#file-denylist",
+				data.Filepath,
+			)
+			return false, err
+		}
 	}
 
 	return true, nil

diff --git a/pgs/config.go b/pgs/config.go
@@ -38,60 +38,18 @@ func NewConfigSite() *shared.ConfigSite {
 		UseImgProxy:          useImgProxy == "1",
 		Secret:               secret,
 		ConfigCms: config.ConfigCms{
-			Domain:      domain,
-			Email:       email,
-			Port:        port,
-			Protocol:    protocol,
-			DbURL:       dbURL,
-			StorageDir:  storageDir,
-			MinioURL:    minioURL,
-			MinioUser:   minioUser,
-			MinioPass:   minioPass,
-			Description: "A zero-install static site hosting service for hackers",
-			IntroText:   intro,
-			Space:       "pgs",
-			// IMPORTANT: make sure `shared.GetMimeType` has the extensions being
-			// added here.
-			AllowedExt: []string{
-				".jpg",
-				".jpeg",
-				".png",
-				".gif",
-				".webp",
-				".svg",
-				".ico",
-				".html",
-				".htm",
-				".css",
-				".js",
-				".pdf",
-				".txt",
-				".otf",
-				".ttf",
-				".woff",
-				".woff2",
-				".json",
-				".md",
-				".rss",
-				".xml",
-				".atom",
-				".map",
-				".webmanifest",
-				".avif",
-				".heif",
-				".heic",
-				".opus",
-				".wav",
-				".mp3",
-				".mp4",
-				".mpeg",
-				".wasm",
-				".xsl",
-				".opml",
-				".eot",
-				".yml",
-				".yaml",
-			},
+			Domain:        domain,
+			Email:         email,
+			Port:          port,
+			Protocol:      protocol,
+			DbURL:         dbURL,
+			StorageDir:    storageDir,
+			MinioURL:      minioURL,
+			MinioUser:     minioUser,
+			MinioPass:     minioPass,
+			Description:   "A zero-install static site hosting service for hackers",
+			IntroText:     intro,
+			Space:         "pgs",
 			MaxSize:       maxSize,
 			MaxAssetSize:  maxAssetSize,
 			Logger:        shared.CreateLogger(debug == "1"),