nekomimi.pet / wisp.place-monorepo
Monorepo for wisp.place. A static site hosting service built on top of the AT Protocol. wisp.place
fork atom

add docker files, route santization

nekomimi.pet 16730564 c3b334ea

options
unified split
Changed files
+219 -4
.dockerignore
Dockerfile
hosting-service
.dockerignore
Dockerfile
src
lib
utils.ts
server.ts
src
routes
domain.ts
wisp.ts
+11
.dockerignore
··· 1 + node_modules 2 + .git 3 + .gitignore 4 + *.md 5 + .env 6 + .env.local 7 + .DS_Store 8 + dist 9 + *.log 10 + .vscode 11 + .idea
+32
Dockerfile
··· 1 + # Use official Bun image 2 + FROM oven/bun:1.3 AS base 3 + 4 + # Set working directory 5 + WORKDIR /app 6 + 7 + # Copy package files 8 + COPY package.json bun.lock* ./ 9 + 10 + # Install dependencies 11 + RUN bun install --frozen-lockfile 12 + 13 + # Copy source code 14 + COPY src ./src 15 + COPY public ./public 16 + 17 + # Build the application (if needed) 18 + # RUN bun run build 19 + 20 + # Set environment variables (can be overridden at runtime) 21 + ENV PORT=3000 22 + ENV NODE_ENV=production 23 + 24 + # Expose the application port 25 + EXPOSE 3000 26 + 27 + # Health check 28 + HEALTHCHECK --interval=30s --timeout=3s --start-period=5s --retries=3 \ 29 + CMD bun -e "fetch('http://localhost:3000/health').then(r => r.ok ? process.exit(0) : process.exit(1)).catch(() => process.exit(1))" 30 + 31 + # Start the application 32 + CMD ["bun", "src/index.ts"]
+34
hosting-service/.dockerignore
··· 1 + # Dependencies 2 + node_modules 3 + 4 + # Environment files 5 + .env 6 + .env.* 7 + !.env.example 8 + 9 + # Git 10 + .git 11 + .gitignore 12 + 13 + # Cache 14 + cache 15 + 16 + # Documentation 17 + *.md 18 + !README.md 19 + 20 + # Logs 21 + *.log 22 + npm-debug.log* 23 + bun-debug.log* 24 + 25 + # OS files 26 + .DS_Store 27 + Thumbs.db 28 + 29 + # IDE 30 + .vscode 31 + .idea 32 + *.swp 33 + *.swo 34 + *~
+31
hosting-service/Dockerfile
··· 1 + # Use official Bun image 2 + FROM oven/bun:1.3 AS base 3 + 4 + # Set working directory 5 + WORKDIR /app 6 + 7 + # Copy package files 8 + COPY package.json bun.lock ./ 9 + 10 + # Install dependencies 11 + RUN bun install --frozen-lockfile --production 12 + 13 + # Copy source code 14 + COPY src ./src 15 + 16 + # Create cache directory 17 + RUN mkdir -p ./cache/sites 18 + 19 + # Set environment variables (can be overridden at runtime) 20 + ENV PORT=3001 21 + ENV NODE_ENV=production 22 + 23 + # Expose the application port 24 + EXPOSE 3001 25 + 26 + # Health check 27 + HEALTHCHECK --interval=30s --timeout=3s --start-period=5s --retries=3 \ 28 + CMD bun -e "fetch('http://localhost:3001/health').then(r => r.ok ? process.exit(0) : process.exit(1)).catch(() => process.exit(1))" 29 + 30 + # Start the application 31 + CMD ["bun", "src/index.ts"]
+25 -1
hosting-service/src/lib/utils.ts
··· 153 153 console.log('Cached file', filePath, content.length, 'bytes'); 154 154 } 155 155 156 + /** 157 + * Sanitize a file path to prevent directory traversal attacks 158 + * Removes any path segments that attempt to go up directories 159 + */ 160 + export function sanitizePath(filePath: string): string { 161 + // Remove leading slashes 162 + let cleaned = filePath.replace(/^\/+/, ''); 163 + 164 + // Split into segments and filter out dangerous ones 165 + const segments = cleaned.split('/').filter(segment => { 166 + // Remove empty segments 167 + if (!segment || segment === '.') return false; 168 + // Remove parent directory references 169 + if (segment === '..') return false; 170 + // Remove segments with null bytes 171 + if (segment.includes('\0')) return false; 172 + return true; 173 + }); 174 + 175 + // Rejoin the safe segments 176 + return segments.join('/'); 177 + } 178 + 156 179 export function getCachedFilePath(did: string, site: string, filePath: string): string { 157 - return `${CACHE_DIR}/${did}/${site}/${filePath}`; 180 + const sanitizedPath = sanitizePath(filePath); 181 + return `${CACHE_DIR}/${did}/${site}/${sanitizedPath}`; 158 182 } 159 183 160 184 export function isCached(did: string, site: string): boolean {
+35 -3
hosting-service/src/server.ts
··· 1 1 import { Hono } from 'hono'; 2 2 import { serveStatic } from 'hono/bun'; 3 3 import { getWispDomain, getCustomDomain, getCustomDomainByHash } from './lib/db'; 4 - import { resolveDid, getPdsForDid, fetchSiteRecord, downloadAndCacheSite, getCachedFilePath, isCached } from './lib/utils'; 4 + import { resolveDid, getPdsForDid, fetchSiteRecord, downloadAndCacheSite, getCachedFilePath, isCached, sanitizePath } from './lib/utils'; 5 5 import { rewriteHtmlPaths, isHtmlContent } from './lib/html-rewriter'; 6 6 import { existsSync } from 'fs'; 7 7 8 8 const app = new Hono(); 9 9 10 10 const BASE_HOST = process.env.BASE_HOST || 'wisp.place'; 11 + 12 + /** 13 + * Validate site name (rkey) to prevent injection attacks 14 + * Must match AT Protocol rkey format 15 + */ 16 + function isValidRkey(rkey: string): boolean { 17 + if (!rkey || typeof rkey !== 'string') return false; 18 + if (rkey.length < 1 || rkey.length > 512) return false; 19 + if (rkey === '.' || rkey === '..') return false; 20 + if (rkey.includes('/') || rkey.includes('\\') || rkey.includes('\0')) return false; 21 + const validRkeyPattern = /^[a-zA-Z0-9._~:-]+$/; 22 + return validRkeyPattern.test(rkey); 23 + } 11 24 12 25 // Helper to serve files from cache 13 26 async function serveFromCache(did: string, rkey: string, filePath: string) { ··· 119 132 app.get('/s/:identifier/:site/*', async (c) => { 120 133 const identifier = c.req.param('identifier'); 121 134 const site = c.req.param('site'); 122 - const filePath = c.req.path.replace(`/s/${identifier}/${site}/`, ''); 135 + const rawPath = c.req.path.replace(`/s/${identifier}/${site}/`, ''); 136 + const filePath = sanitizePath(rawPath); 123 137 124 138 console.log('[Direct] Serving', { identifier, site, filePath }); 125 139 140 + // Validate site name (rkey) 141 + if (!isValidRkey(site)) { 142 + return c.text('Invalid site name', 400); 143 + } 144 + 126 145 // Resolve identifier to DID 127 146 const did = await resolveDid(identifier); 128 147 if (!did) { ··· 143 162 // Route 3: DNS routing for custom domains - /hash.dns.wisp.place/* 144 163 app.get('/*', async (c) => { 145 164 const hostname = c.req.header('host') || ''; 146 - const path = c.req.path.replace(/^\//, ''); 165 + const rawPath = c.req.path.replace(/^\//, ''); 166 + const path = sanitizePath(rawPath); 147 167 148 168 console.log('[Request]', { hostname, path }); 149 169 ··· 165 185 } 166 186 167 187 const rkey = customDomain.rkey || 'self'; 188 + if (!isValidRkey(rkey)) { 189 + return c.text('Invalid site configuration', 500); 190 + } 191 + 168 192 const cached = await ensureSiteCached(customDomain.did, rkey); 169 193 if (!cached) { 170 194 return c.text('Site not found', 404); ··· 185 209 } 186 210 187 211 const rkey = domainInfo.rkey || 'self'; 212 + if (!isValidRkey(rkey)) { 213 + return c.text('Invalid site configuration', 500); 214 + } 215 + 188 216 const cached = await ensureSiteCached(domainInfo.did, rkey); 189 217 if (!cached) { 190 218 return c.text('Site not found', 404); ··· 202 230 } 203 231 204 232 const rkey = customDomain.rkey || 'self'; 233 + if (!isValidRkey(rkey)) { 234 + return c.text('Invalid site configuration', 500); 235 + } 236 + 205 237 const cached = await ensureSiteCached(customDomain.did, rkey); 206 238 if (!cached) { 207 239 return c.text('Site not found', 404);
+20
src/routes/domain.ts
··· 229 229 try { 230 230 const { id } = params; 231 231 232 + // Verify ownership before deleting 233 + const domainInfo = await getCustomDomainById(id); 234 + if (!domainInfo) { 235 + throw new Error('Domain not found'); 236 + } 237 + 238 + if (domainInfo.did !== auth.did) { 239 + throw new Error('Unauthorized: You do not own this domain'); 240 + } 241 + 232 242 // Delete from database 233 243 await deleteCustomDomain(id); 234 244 ··· 255 265 try { 256 266 const { id } = params; 257 267 const { siteRkey } = body as { siteRkey: string | null }; 268 + 269 + // Verify ownership before updating 270 + const domainInfo = await getCustomDomainById(id); 271 + if (!domainInfo) { 272 + throw new Error('Domain not found'); 273 + } 274 + 275 + if (domainInfo.did !== auth.did) { 276 + throw new Error('Unauthorized: You do not own this domain'); 277 + } 258 278 259 279 // Update custom domain to point to this site 260 280 await updateCustomDomainRkey(id, siteRkey || 'self');
+31
src/routes/wisp.ts
··· 11 11 } from '../lib/wisp-utils' 12 12 import { upsertSite } from '../lib/db' 13 13 14 + /** 15 + * Validate site name (rkey) according to AT Protocol specifications 16 + * - Must be 1-512 characters 17 + * - Can only contain: alphanumeric, dots, dashes, underscores, tildes, colons 18 + * - Cannot be just "." or ".." 19 + * - Cannot contain path traversal sequences 20 + */ 21 + function isValidSiteName(siteName: string): boolean { 22 + if (!siteName || typeof siteName !== 'string') return false; 23 + 24 + // Length check (AT Protocol rkey limit) 25 + if (siteName.length < 1 || siteName.length > 512) return false; 26 + 27 + // Check for path traversal 28 + if (siteName === '.' || siteName === '..') return false; 29 + if (siteName.includes('/') || siteName.includes('\\')) return false; 30 + if (siteName.includes('\0')) return false; 31 + 32 + // AT Protocol rkey format: alphanumeric, dots, dashes, underscores, tildes, colons 33 + // Based on NSID format rules 34 + const validRkeyPattern = /^[a-zA-Z0-9._~:-]+$/; 35 + if (!validRkeyPattern.test(siteName)) return false; 36 + 37 + return true; 38 + } 39 + 14 40 export const wispRoutes = (client: NodeOAuthClient) => 15 41 new Elysia({ prefix: '/wisp' }) 16 42 .derive(async ({ cookie }) => { ··· 31 57 if (!siteName) { 32 58 console.error('❌ Site name is required'); 33 59 throw new Error('Site name is required') 60 + } 61 + 62 + if (!isValidSiteName(siteName)) { 63 + console.error('❌ Invalid site name format'); 64 + throw new Error('Invalid site name: must be 1-512 characters and contain only alphanumeric, dots, dashes, underscores, tildes, and colons') 34 65 } 35 66 36 67 console.log('✅ Initial validation passed');