Update security middleware and update Docker configurations

- Added a new parameter to the SecurityMiddleware function to allow custom handling of forbidden requests.
- Updated Docker configurations to enable asset caching for improved performance.
- Bumped version number in the Dockerfile to 0.3.0 and refined the image description for clarity.
- Adjusted various frontend components and error handling to support new rate limiting and forbidden access messages.
- Improved documentation in multiple languages to reflect recent changes in features and security measures.
2025-12-27 21:53:10 -06:00
parent bbbe1903fd
commit d954d7fe4b
22 changed files with 321 additions and 171 deletions


@@ -32,13 +32,13 @@ WORKDIR /app
ARG BUILD_DATE
ARG VCS_REF
ARG VERSION="0.2.0"
ARG VERSION="0.3.0"
LABEL org.opencontainers.image.created=$BUILD_DATE \
org.opencontainers.image.title="Software Station" \
org.opencontainers.image.description="A software distribution platform." \
org.opencontainers.image.description="A secure software distribution platform." \
org.opencontainers.image.url="https://quad4.io" \
org.opencontainers.image.documentation="https://github.com/Quad4-Software/software-station/blob/main/README.md" \
org.opencontainers.image.documentation="https://git.quad4.io/Quad4-Software/software-station/src/branch/master/frontend/src/lib/docs" \
org.opencontainers.image.source="https://github.com/Quad4-Software/software-station" \
org.opencontainers.image.version=$VERSION \
org.opencontainers.image.revision=$VCS_REF \


@@ -1,4 +1,4 @@
.PHONY: all build-frontend build-go build-wasm clean release run lint scan check format test test-wasm dev docker-build
.PHONY: all build-frontend build-go build-wasm clean release run lint scan check format tidy test test-wasm dev docker-build
BINARY_NAME=software-station
FRONTEND_DIR=frontend
@@ -51,6 +51,8 @@ scan:
check:
cd $(FRONTEND_DIR) && pnpm run check
tidy: format lint check
test: test-wasm
go test -v -coverpkg=./... ./...


@@ -12,6 +12,7 @@ services:
CONFIG_PATH: /app/data/software.txt
UA_BLOCKLIST_PATH: /app/data/ua-blocklist.txt
ALLOWED_ORIGINS: https://software.quad4.io
CACHE_ASSETS: true
volumes:
- software-station-data:/app/data
- software-station-cache:/app/.cache


@@ -12,6 +12,7 @@ services:
- GITEA_SERVER=${GITEA_SERVER:-https://git.quad4.io}
- CONFIG_PATH=/app/data/software.txt
- UA_BLOCKLIST_PATH=/app/data/ua-blocklist.txt
- CACHE_ASSETS=true
security_opt:
- no-new-privileges:true
restart: unless-stopped


@@ -5,10 +5,10 @@
let { searchQuery = $bindable('') }: { searchQuery?: string } = $props();
</script>
<div class="flex flex-col gap-4 md:flex-row md:items-center md:justify-between">
<div class="flex flex-col gap-3 sm:gap-4 md:flex-row md:items-center md:justify-between">
<div>
<h1 class="text-3xl font-bold tracking-tight">{$t('common.title')}</h1>
<p class="text-muted-foreground mt-1">{$t('common.subtitle')}</p>
<h1 class="text-2xl sm:text-3xl font-bold tracking-tight">{$t('common.title')}</h1>
<p class="text-sm sm:text-base text-muted-foreground mt-1">{$t('common.subtitle')}</p>
</div>
<div class="relative w-full md:w-72">
<Search class="absolute left-3 top-1/2 -translate-y-1/2 w-4 h-4 text-muted-foreground" />


@@ -17,6 +17,7 @@ Web News ist ein auf Privatsphäre ausgerichteter, offline-fähiger RSS-Reader u
## Privatsphäre und Sicherheit
Web News basiert auf einer "Zero-Knowledge"-Philosophie, um sicherzustellen, dass Benutzerdaten privat bleiben:
- **Datensouveränität**: Ihre Leseliste und Ihr Verlauf verlassen niemals Ihr Gerät.
- **Anonymer Zugriff**: Verwendet 16-stellige Kontonummern für den Serverzugriff anstelle von persönlichen Identifikatoren.
- **Gehärtetes Backend**: Verfügt über integriertes Bot-Blocking, Ratenbegrenzung und sichere Token-Generierung.


@@ -17,6 +17,7 @@ Web News è un lettore RSS orientato alla privacy, progettato per funzionare off
## Privacy e sicurezza
Web News è costruito su una filosofia "zero-knowledge" per garantire che i dati degli utenti rimangano privati:
- **Sovranità dei dati**: La tua lista di lettura e la tua cronologia non lasciano mai il tuo dispositivo.
- **Accesso anonimo**: Utilizza numeri di conto a 16 cifre per l'accesso al server invece di identificatori personali.
- **Backend blindato**: Include blocco dei bot integrato, limitazione della frequenza e generazione di token sicuri.


@@ -17,6 +17,7 @@ Web News is a privacy-focused, offline-first RSS reader and full-text extractor.
## Privacy and Security
Web News is built on a "zero-knowledge" philosophy to ensure user data remains private:
- **Data Sovereignty**: Your reading list and history never leave your device.
- **Anonymous Access**: Uses 16-digit account numbers for server access instead of personal identifiers.
- **Hardened Backend**: Features built-in bot blocking, rate limiting, and secure token generation.


@@ -17,6 +17,7 @@ Web News — это ориентированный на конфиденциал
## Конфиденциальность и безопасность
Web News построен на философии «нулевого знания», чтобы гарантировать приватность пользовательских данных:
- **Суверенитет данных**: Ваш список чтения и история никогда не покидают ваше устройство.
- **Анонимный доступ**: Использует 16-значные номера счетов для доступа к серверу вместо личных идентификаторов.
- **Защищенный бэкенд**: Встроенная блокировка ботов, ограничение скорости и безопасная генерация токенов.


@@ -35,7 +35,11 @@
"pageNotFound": "Seite nicht gefunden",
"pageNotFoundDesc": "Die gesuchte Seite wurde möglicherweise entfernt, ihr Name wurde geändert oder sie ist vorübergehend nicht verfügbar.",
"error": "Fehler",
"backHome": "Zurück zur Startseite"
"backHome": "Zurück zur Startseite",
"tooManyRequests": "Zu viele Anfragen",
"tooManyRequestsDesc": "Sie haben in kurzer Zeit zu viele Anfragen gesendet. Bitte warten Sie einen Moment und versuchen Sie es dann erneut.",
"forbidden": "Zugriff verweigert",
"forbiddenDesc": "Ihr Zugriff wurde von unserem Sicherheitssystem eingeschränkt. Dies kann aufgrund verdächtiger Muster oder automatisiertem Bot-Verhalten passieren."
},
"os": {
"windows": "Windows",


@@ -35,7 +35,11 @@
"pageNotFound": "Page Not Found",
"pageNotFoundDesc": "The page you are looking for might have been removed, had its name changed, or is temporarily unavailable.",
"error": "Error",
"backHome": "Back to Home"
"backHome": "Back to Home",
"tooManyRequests": "Too Many Requests",
"tooManyRequestsDesc": "You've sent too many requests in a short period of time. Please slow down and try again later.",
"forbidden": "Access Denied",
"forbiddenDesc": "Your access has been restricted by our security system. This can happen due to suspicious patterns or automated bot behavior."
},
"os": {
"windows": "Windows",


@@ -35,7 +35,11 @@
"pageNotFound": "Pagina non trovata",
"pageNotFoundDesc": "La pagina che stai cercando potrebbe essere stata rimossa, aver cambiato nome o essere temporaneamente non disponibile.",
"error": "Errore",
"backHome": "Torna alla Home"
"backHome": "Torna alla Home",
"tooManyRequests": "Troppe richieste",
"tooManyRequestsDesc": "Hai inviato troppe richieste in un breve periodo di tempo. Per favore, rallenta e riprova più tardi.",
"forbidden": "Accesso negato",
"forbiddenDesc": "Il tuo accesso è stato limitato dal nostro sistema di sicurezza. Ciò può accadere a causa di pattern sospetti o comportamenti da bot automatizzati."
},
"os": {
"windows": "Windows",


@@ -35,7 +35,11 @@
"pageNotFound": "Страница не найдена",
"pageNotFoundDesc": "Запрошенная страница могла быть удалена, ее название изменено или она временно недоступна.",
"error": "Ошибка",
"backHome": "На главную"
"backHome": "На главную",
"tooManyRequests": "Слишком много запросов",
"tooManyRequestsDesc": "Вы отправили слишком много запросов за короткий промежуток времени. Пожалуйста, подождите и попробуйте позже.",
"forbidden": "Доступ запрещен",
"forbiddenDesc": "Ваш доступ был ограничен нашей системой безопасности. Это может произойти из-за подозрительной активности или использования ботов."
},
"os": {
"windows": "Windows",


@@ -7,6 +7,8 @@
const message = $page.error?.message || $t('common.errorOccurred');
const is404 = status === 404;
const is429 = status === 429;
const is403 = status === 403;
</script>
<div class="flex flex-col items-center justify-center py-20 px-4 text-center">
@@ -14,6 +16,28 @@
<div class="absolute -inset-4 bg-primary/10 blur-3xl rounded-full"></div>
{#if is404}
<h1 class="text-9xl font-black text-primary/20 relative select-none">404</h1>
{:else if is429}
<div class="relative">
<h1 class="text-9xl font-black text-primary/20 relative select-none">429</h1>
<div class="absolute inset-0 flex items-center justify-center translate-y-4">
<div
class="bg-background/80 backdrop-blur-sm p-3 rounded-full shadow-xl border border-border"
>
<AlertCircle class="w-12 h-12 text-primary" />
</div>
</div>
</div>
{:else if is403}
<div class="relative">
<h1 class="text-9xl font-black text-destructive/20 relative select-none">403</h1>
<div class="absolute inset-0 flex items-center justify-center translate-y-4">
<div
class="bg-background/80 backdrop-blur-sm p-3 rounded-full shadow-xl border border-border"
>
<AlertCircle class="w-12 h-12 text-destructive" />
</div>
</div>
</div>
{:else}
<AlertCircle class="w-32 h-32 text-destructive relative opacity-20" />
{/if}
@@ -22,6 +46,10 @@
<h2 class="text-3xl font-bold mb-4">
{#if is404}
{$t('common.pageNotFound')}
{:else if is429}
{$t('common.tooManyRequests')}
{:else if is403}
{$t('common.forbidden')}
{:else}
{$t('common.error')} {status}
{/if}
@@ -30,6 +58,10 @@
<p class="text-muted-foreground max-w-md mb-8">
{#if is404}
{$t('common.pageNotFoundDesc')}
{:else if is429}
{$t('common.tooManyRequestsDesc')}
{:else if is403}
{$t('common.forbiddenDesc')}
{:else}
{message}
{/if}


@@ -52,9 +52,9 @@
>
<nav class="border-b border-border bg-card/50 backdrop-blur-sm sticky top-0 z-50">
<div
class="max-w-[1600px] mx-auto px-4 sm:px-6 lg:px-8 h-16 flex items-center justify-between"
class="max-w-[1600px] mx-auto px-4 sm:px-6 lg:px-8 flex flex-col gap-3 md:h-16 md:flex-row md:items-center md:justify-between py-3 md:py-0"
>
<div class="flex items-center gap-3">
<div class="flex items-center gap-2 sm:gap-3 flex-wrap">
<img src="/logo.png" alt="Quad4 Logo" width="32" height="32" class="w-8 h-8 rounded-md" />
<a href="/" class="text-xl font-bold tracking-tight">Software Station</a>
<span class="text-muted-foreground mx-1">|</span>
@@ -71,11 +71,11 @@
: 'hover:text-primary'} transition-colors">Docs</a
>
</div>
<div class="flex items-center gap-4">
<div class="flex items-center gap-3 sm:gap-4 w-full md:w-auto justify-end">
{#if !verifierGloballyDisabled}
<button
onclick={() => ($verifierDisabled = !$verifierDisabled)}
class="hidden sm:flex p-2 rounded-lg hover:bg-accent transition-colors {$verifierDisabled
class="flex p-2 rounded-lg hover:bg-accent transition-colors {$verifierDisabled
? 'text-destructive'
: 'text-muted-foreground'}"
title={$verifierDisabled ? 'Verifier Disabled' : 'Verifier Enabled'}
@@ -129,22 +129,6 @@
<VerificationToasts />
{#if !verifierGloballyDisabled}
<button
onclick={() => ($verifierDisabled = !$verifierDisabled)}
class="sm:hidden fixed bottom-6 right-6 z-[100] p-4 rounded-full bg-primary text-primary-foreground shadow-2xl shadow-primary/30 transition-all active:scale-95 {$verifierDisabled
? 'bg-destructive shadow-destructive/30'
: ''}"
aria-label={$verifierDisabled ? 'Enable Verifier' : 'Disable Verifier'}
>
{#if $verifierDisabled}
<ShieldOff class="w-6 h-6" />
{:else}
<Shield class="w-6 h-6" />
{/if}
</button>
{/if}
{#if !page.url.pathname.startsWith('/docs')}
<footer class="border-t border-border mt-auto pt-6 pb-4">
<div class="max-w-[1600px] mx-auto px-4 text-center space-y-3">


@@ -42,14 +42,13 @@
);
</script>
<div class="space-y-8 min-h-[600px]">
<div class="h-[56px]">
<!-- Reserve space for SearchBar -->
<div class="space-y-6 sm:space-y-8 min-h-[600px]">
<div class="pt-1 sm:pt-2">
<SearchBar bind:searchQuery />
</div>
{#if loading}
<div class="grid grid-cols-1 md:grid-cols-2 2xl:grid-cols-3 gap-6">
<div class="grid grid-cols-1 md:grid-cols-2 2xl:grid-cols-3 gap-5 sm:gap-6">
{#each Array(6) as _}
<div
class="flex flex-col h-[400px] rounded-xl border border-border bg-card overflow-hidden"
@@ -106,7 +105,7 @@
<p class="text-muted-foreground">{$t('common.tryAdjusting')}</p>
</div>
{:else}
<div class="grid grid-cols-1 md:grid-cols-2 2xl:grid-cols-3 gap-6">
<div class="grid grid-cols-1 md:grid-cols-2 2xl:grid-cols-3 gap-5 sm:gap-6">
{#each filteredSoftware as software}
<SoftwareCard {software} {expandedReleases} onToggleReleases={toggleReleases} />
{/each}


Binary file not shown.


@@ -2,22 +2,30 @@
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.
"use strict";
'use strict';
(() => {
const enosys = () => {
const err = new Error("not implemented");
err.code = "ENOSYS";
const err = new Error('not implemented');
err.code = 'ENOSYS';
return err;
};
if (!globalThis.fs) {
let outputBuf = "";
let outputBuf = '';
globalThis.fs = {
constants: { O_WRONLY: -1, O_RDWR: -1, O_CREAT: -1, O_TRUNC: -1, O_APPEND: -1, O_EXCL: -1, O_DIRECTORY: -1 }, // unused
constants: {
O_WRONLY: -1,
O_RDWR: -1,
O_CREAT: -1,
O_TRUNC: -1,
O_APPEND: -1,
O_EXCL: -1,
O_DIRECTORY: -1,
}, // unused
writeSync(fd, buf) {
outputBuf += decoder.decode(buf);
const nl = outputBuf.lastIndexOf("\n");
const nl = outputBuf.lastIndexOf('\n');
if (nl != -1) {
console.log(outputBuf.substring(0, nl));
outputBuf = outputBuf.substring(nl + 1);
@@ -32,81 +40,147 @@
const n = this.writeSync(fd, buf);
callback(null, n);
},
chmod(path, mode, callback) { callback(enosys()); },
chown(path, uid, gid, callback) { callback(enosys()); },
close(fd, callback) { callback(enosys()); },
fchmod(fd, mode, callback) { callback(enosys()); },
fchown(fd, uid, gid, callback) { callback(enosys()); },
fstat(fd, callback) { callback(enosys()); },
fsync(fd, callback) { callback(null); },
ftruncate(fd, length, callback) { callback(enosys()); },
lchown(path, uid, gid, callback) { callback(enosys()); },
link(path, link, callback) { callback(enosys()); },
lstat(path, callback) { callback(enosys()); },
mkdir(path, perm, callback) { callback(enosys()); },
open(path, flags, mode, callback) { callback(enosys()); },
read(fd, buffer, offset, length, position, callback) { callback(enosys()); },
readdir(path, callback) { callback(enosys()); },
readlink(path, callback) { callback(enosys()); },
rename(from, to, callback) { callback(enosys()); },
rmdir(path, callback) { callback(enosys()); },
stat(path, callback) { callback(enosys()); },
symlink(path, link, callback) { callback(enosys()); },
truncate(path, length, callback) { callback(enosys()); },
unlink(path, callback) { callback(enosys()); },
utimes(path, atime, mtime, callback) { callback(enosys()); },
chmod(path, mode, callback) {
callback(enosys());
},
chown(path, uid, gid, callback) {
callback(enosys());
},
close(fd, callback) {
callback(enosys());
},
fchmod(fd, mode, callback) {
callback(enosys());
},
fchown(fd, uid, gid, callback) {
callback(enosys());
},
fstat(fd, callback) {
callback(enosys());
},
fsync(fd, callback) {
callback(null);
},
ftruncate(fd, length, callback) {
callback(enosys());
},
lchown(path, uid, gid, callback) {
callback(enosys());
},
link(path, link, callback) {
callback(enosys());
},
lstat(path, callback) {
callback(enosys());
},
mkdir(path, perm, callback) {
callback(enosys());
},
open(path, flags, mode, callback) {
callback(enosys());
},
read(fd, buffer, offset, length, position, callback) {
callback(enosys());
},
readdir(path, callback) {
callback(enosys());
},
readlink(path, callback) {
callback(enosys());
},
rename(from, to, callback) {
callback(enosys());
},
rmdir(path, callback) {
callback(enosys());
},
stat(path, callback) {
callback(enosys());
},
symlink(path, link, callback) {
callback(enosys());
},
truncate(path, length, callback) {
callback(enosys());
},
unlink(path, callback) {
callback(enosys());
},
utimes(path, atime, mtime, callback) {
callback(enosys());
},
};
}
if (!globalThis.process) {
globalThis.process = {
getuid() { return -1; },
getgid() { return -1; },
geteuid() { return -1; },
getegid() { return -1; },
getgroups() { throw enosys(); },
getuid() {
return -1;
},
getgid() {
return -1;
},
geteuid() {
return -1;
},
getegid() {
return -1;
},
getgroups() {
throw enosys();
},
pid: -1,
ppid: -1,
umask() { throw enosys(); },
cwd() { throw enosys(); },
chdir() { throw enosys(); },
}
umask() {
throw enosys();
},
cwd() {
throw enosys();
},
chdir() {
throw enosys();
},
};
}
if (!globalThis.path) {
globalThis.path = {
resolve(...pathSegments) {
return pathSegments.join("/");
}
}
return pathSegments.join('/');
},
};
}
if (!globalThis.crypto) {
throw new Error("globalThis.crypto is not available, polyfill required (crypto.getRandomValues only)");
throw new Error(
'globalThis.crypto is not available, polyfill required (crypto.getRandomValues only)'
);
}
if (!globalThis.performance) {
throw new Error("globalThis.performance is not available, polyfill required (performance.now only)");
throw new Error(
'globalThis.performance is not available, polyfill required (performance.now only)'
);
}
if (!globalThis.TextEncoder) {
throw new Error("globalThis.TextEncoder is not available, polyfill required");
throw new Error('globalThis.TextEncoder is not available, polyfill required');
}
if (!globalThis.TextDecoder) {
throw new Error("globalThis.TextDecoder is not available, polyfill required");
throw new Error('globalThis.TextDecoder is not available, polyfill required');
}
const encoder = new TextEncoder("utf-8");
const decoder = new TextDecoder("utf-8");
const encoder = new TextEncoder('utf-8');
const decoder = new TextDecoder('utf-8');
globalThis.Go = class {
constructor() {
this.argv = ["js"];
this.argv = ['js'];
this.env = {};
this.exit = (code) => {
if (code !== 0) {
console.warn("exit code:", code);
console.warn('exit code:', code);
}
};
this._exitPromise = new Promise((resolve) => {
@@ -119,17 +193,17 @@
const setInt64 = (addr, v) => {
this.mem.setUint32(addr + 0, v, true);
this.mem.setUint32(addr + 4, Math.floor(v / 4294967296), true);
}
};
const setInt32 = (addr, v) => {
this.mem.setUint32(addr + 0, v, true);
}
};
const getInt64 = (addr) => {
const low = this.mem.getUint32(addr + 0, true);
const high = this.mem.getInt32(addr + 4, true);
return low + high * 4294967296;
}
};
const loadValue = (addr) => {
const f = this.mem.getFloat64(addr, true);
@@ -142,12 +216,12 @@
const id = this.mem.getUint32(addr, true);
return this._values[id];
}
};
const storeValue = (addr, v) => {
const nanHead = 0x7FF80000;
const nanHead = 0x7ff80000;
if (typeof v === "number" && v !== 0) {
if (typeof v === 'number' && v !== 0) {
if (isNaN(v)) {
this.mem.setUint32(addr + 4, nanHead, true);
this.mem.setUint32(addr, 0, true);
@@ -175,30 +249,30 @@
this._goRefCounts[id]++;
let typeFlag = 0;
switch (typeof v) {
case "object":
case 'object':
if (v !== null) {
typeFlag = 1;
}
break;
case "string":
case 'string':
typeFlag = 2;
break;
case "symbol":
case 'symbol':
typeFlag = 3;
break;
case "function":
case 'function':
typeFlag = 4;
break;
}
this.mem.setUint32(addr + 4, nanHead | typeFlag, true);
this.mem.setUint32(addr, id, true);
}
};
const loadSlice = (addr) => {
const array = getInt64(addr + 0);
const len = getInt64(addr + 8);
return new Uint8Array(this._inst.exports.mem.buffer, array, len);
}
};
const loadSliceOfValues = (addr) => {
const array = getInt64(addr + 0);
@@ -208,18 +282,18 @@
a[i] = loadValue(array + i * 8);
}
return a;
}
};
const loadString = (addr) => {
const saddr = getInt64(addr + 0);
const len = getInt64(addr + 8);
return decoder.decode(new DataView(this._inst.exports.mem.buffer, saddr, len));
}
};
const testCallExport = (a, b) => {
this._inst.exports.testExport0();
return this._inst.exports.testExport(a, b);
}
};
const timeOrigin = Date.now() - performance.now();
this.importObject = {
@@ -234,7 +308,7 @@
// This changes the SP, thus we have to update the SP used by the imported function.
// func wasmExit(code int32)
"runtime.wasmExit": (sp) => {
'runtime.wasmExit': (sp) => {
sp >>>= 0;
const code = this.mem.getInt32(sp + 8, true);
this.exited = true;
@@ -247,7 +321,7 @@
},
// func wasmWrite(fd uintptr, p unsafe.Pointer, n int32)
"runtime.wasmWrite": (sp) => {
'runtime.wasmWrite': (sp) => {
sp >>>= 0;
const fd = getInt64(sp + 8);
const p = getInt64(sp + 16);
@@ -256,47 +330,50 @@
},
// func resetMemoryDataView()
"runtime.resetMemoryDataView": (sp) => {
'runtime.resetMemoryDataView': (sp) => {
sp >>>= 0;
this.mem = new DataView(this._inst.exports.mem.buffer);
},
// func nanotime1() int64
"runtime.nanotime1": (sp) => {
'runtime.nanotime1': (sp) => {
sp >>>= 0;
setInt64(sp + 8, (timeOrigin + performance.now()) * 1000000);
},
// func walltime() (sec int64, nsec int32)
"runtime.walltime": (sp) => {
'runtime.walltime': (sp) => {
sp >>>= 0;
const msec = (new Date).getTime();
const msec = new Date().getTime();
setInt64(sp + 8, msec / 1000);
this.mem.setInt32(sp + 16, (msec % 1000) * 1000000, true);
},
// func scheduleTimeoutEvent(delay int64) int32
"runtime.scheduleTimeoutEvent": (sp) => {
'runtime.scheduleTimeoutEvent': (sp) => {
sp >>>= 0;
const id = this._nextCallbackTimeoutID;
this._nextCallbackTimeoutID++;
this._scheduledTimeouts.set(id, setTimeout(
() => {
this._resume();
while (this._scheduledTimeouts.has(id)) {
// for some reason Go failed to register the timeout event, log and try again
// (temporary workaround for https://github.com/golang/go/issues/28975)
console.warn("scheduleTimeoutEvent: missed timeout event");
this._scheduledTimeouts.set(
id,
setTimeout(
() => {
this._resume();
}
},
getInt64(sp + 8),
));
while (this._scheduledTimeouts.has(id)) {
// for some reason Go failed to register the timeout event, log and try again
// (temporary workaround for https://github.com/golang/go/issues/28975)
console.warn('scheduleTimeoutEvent: missed timeout event');
this._resume();
}
},
getInt64(sp + 8)
)
);
this.mem.setInt32(sp + 16, id, true);
},
// func clearTimeoutEvent(id int32)
"runtime.clearTimeoutEvent": (sp) => {
'runtime.clearTimeoutEvent': (sp) => {
sp >>>= 0;
const id = this.mem.getInt32(sp + 8, true);
clearTimeout(this._scheduledTimeouts.get(id));
@@ -304,13 +381,13 @@
},
// func getRandomData(r []byte)
"runtime.getRandomData": (sp) => {
'runtime.getRandomData': (sp) => {
sp >>>= 0;
crypto.getRandomValues(loadSlice(sp + 8));
},
// func finalizeRef(v ref)
"syscall/js.finalizeRef": (sp) => {
'syscall/js.finalizeRef': (sp) => {
sp >>>= 0;
const id = this.mem.getUint32(sp + 8, true);
this._goRefCounts[id]--;
@@ -323,13 +400,13 @@
},
// func stringVal(value string) ref
"syscall/js.stringVal": (sp) => {
'syscall/js.stringVal': (sp) => {
sp >>>= 0;
storeValue(sp + 24, loadString(sp + 8));
},
// func valueGet(v ref, p string) ref
"syscall/js.valueGet": (sp) => {
'syscall/js.valueGet': (sp) => {
sp >>>= 0;
const result = Reflect.get(loadValue(sp + 8), loadString(sp + 16));
sp = this._inst.exports.getsp() >>> 0; // see comment above
@@ -337,31 +414,31 @@
},
// func valueSet(v ref, p string, x ref)
"syscall/js.valueSet": (sp) => {
'syscall/js.valueSet': (sp) => {
sp >>>= 0;
Reflect.set(loadValue(sp + 8), loadString(sp + 16), loadValue(sp + 32));
},
// func valueDelete(v ref, p string)
"syscall/js.valueDelete": (sp) => {
'syscall/js.valueDelete': (sp) => {
sp >>>= 0;
Reflect.deleteProperty(loadValue(sp + 8), loadString(sp + 16));
},
// func valueIndex(v ref, i int) ref
"syscall/js.valueIndex": (sp) => {
'syscall/js.valueIndex': (sp) => {
sp >>>= 0;
storeValue(sp + 24, Reflect.get(loadValue(sp + 8), getInt64(sp + 16)));
},
// valueSetIndex(v ref, i int, x ref)
"syscall/js.valueSetIndex": (sp) => {
'syscall/js.valueSetIndex': (sp) => {
sp >>>= 0;
Reflect.set(loadValue(sp + 8), getInt64(sp + 16), loadValue(sp + 24));
},
// func valueCall(v ref, m string, args []ref) (ref, bool)
"syscall/js.valueCall": (sp) => {
'syscall/js.valueCall': (sp) => {
sp >>>= 0;
try {
const v = loadValue(sp + 8);
@@ -379,7 +456,7 @@
},
// func valueInvoke(v ref, args []ref) (ref, bool)
"syscall/js.valueInvoke": (sp) => {
'syscall/js.valueInvoke': (sp) => {
sp >>>= 0;
try {
const v = loadValue(sp + 8);
@@ -396,7 +473,7 @@
},
// func valueNew(v ref, args []ref) (ref, bool)
"syscall/js.valueNew": (sp) => {
'syscall/js.valueNew': (sp) => {
sp >>>= 0;
try {
const v = loadValue(sp + 8);
@@ -413,13 +490,13 @@
},
// func valueLength(v ref) int
"syscall/js.valueLength": (sp) => {
'syscall/js.valueLength': (sp) => {
sp >>>= 0;
setInt64(sp + 16, parseInt(loadValue(sp + 8).length));
},
// valuePrepareString(v ref) (ref, int)
"syscall/js.valuePrepareString": (sp) => {
'syscall/js.valuePrepareString': (sp) => {
sp >>>= 0;
const str = encoder.encode(String(loadValue(sp + 8)));
storeValue(sp + 16, str);
@@ -427,20 +504,20 @@
},
// valueLoadString(v ref, b []byte)
"syscall/js.valueLoadString": (sp) => {
'syscall/js.valueLoadString': (sp) => {
sp >>>= 0;
const str = loadValue(sp + 8);
loadSlice(sp + 16).set(str);
},
// func valueInstanceOf(v ref, t ref) bool
"syscall/js.valueInstanceOf": (sp) => {
'syscall/js.valueInstanceOf': (sp) => {
sp >>>= 0;
this.mem.setUint8(sp + 24, (loadValue(sp + 8) instanceof loadValue(sp + 16)) ? 1 : 0);
this.mem.setUint8(sp + 24, loadValue(sp + 8) instanceof loadValue(sp + 16) ? 1 : 0);
},
// func copyBytesToGo(dst []byte, src ref) (int, bool)
"syscall/js.copyBytesToGo": (sp) => {
'syscall/js.copyBytesToGo': (sp) => {
sp >>>= 0;
const dst = loadSlice(sp + 8);
const src = loadValue(sp + 32);
@@ -455,7 +532,7 @@
},
// func copyBytesToJS(dst ref, src []byte) (int, bool)
"syscall/js.copyBytesToJS": (sp) => {
'syscall/js.copyBytesToJS': (sp) => {
sp >>>= 0;
const dst = loadValue(sp + 8);
const src = loadSlice(sp + 16);
@@ -469,20 +546,21 @@
this.mem.setUint8(sp + 48, 1);
},
"debug": (value) => {
debug: (value) => {
console.log(value);
},
}
},
};
}
async run(instance) {
if (!(instance instanceof WebAssembly.Instance)) {
throw new Error("Go.run: WebAssembly.Instance expected");
throw new Error('Go.run: WebAssembly.Instance expected');
}
this._inst = instance;
this.mem = new DataView(this._inst.exports.mem.buffer);
this._values = [ // JS values that Go currently has references to, indexed by reference id
this._values = [
// JS values that Go currently has references to, indexed by reference id
NaN,
0,
null,
@@ -492,7 +570,8 @@
this,
];
this._goRefCounts = new Array(this._values.length).fill(Infinity); // number of references that Go has to a JS value, indexed by reference id
this._ids = new Map([ // mapping from JS values to reference ids
this._ids = new Map([
// mapping from JS values to reference ids
[0, 1],
[null, 2],
[true, 3],
@@ -500,7 +579,7 @@
[globalThis, 5],
[this, 6],
]);
this._idPool = []; // unused ids that have been garbage collected
this._idPool = []; // unused ids that have been garbage collected
this.exited = false; // whether the Go program has exited
// Pass command line arguments and environment variables to WebAssembly by writing them to the linear memory.
@@ -508,7 +587,7 @@
const strPtr = (str) => {
const ptr = offset;
const bytes = encoder.encode(str + "\0");
const bytes = encoder.encode(str + '\0');
new Uint8Array(this.mem.buffer, offset, bytes.length).set(bytes);
offset += bytes.length;
if (offset % 8 !== 0) {
@@ -542,7 +621,7 @@
// Keep in sync with cmd/link/internal/ld/data.go:wasmMinDataAddr.
const wasmMinDataAddr = 4096 + 8192;
if (offset >= wasmMinDataAddr) {
throw new Error("total length of command line and environment variables exceeds limit");
throw new Error('total length of command line and environment variables exceeds limit');
}
this._inst.exports.run(argc, argv);
@@ -554,7 +633,7 @@
_resume() {
if (this.exited) {
throw new Error("Go program has already exited");
throw new Error('Go program has already exited');
}
this._inst.exports.resume();
if (this.exited) {
@@ -571,5 +650,5 @@
return event.result;
};
}
}
};
})();


@@ -193,7 +193,7 @@ func GetSafeHTTPClient(timeout time.Duration) *http.Client {
}
}
func SecurityMiddleware(s *stats.Service, bb *BotBlocker) func(http.Handler) http.Handler {
func SecurityMiddleware(s *stats.Service, bb *BotBlocker, forbiddenHandler http.HandlerFunc) func(http.Handler) http.Handler {
return func(next http.Handler) http.Handler {
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
start := time.Now()
@@ -240,7 +240,11 @@ func SecurityMiddleware(s *stats.Service, bb *BotBlocker) func(http.Handler) htt
s.GlobalStats.Lock()
s.GlobalStats.BlockedRequests[fingerprint] = true
s.GlobalStats.Unlock()
http.Error(w, "Bots are not allowed", http.StatusForbidden)
if forbiddenHandler != nil {
forbiddenHandler(w, r)
} else {
http.Error(w, "Bots are not allowed", http.StatusForbidden)
}
return
}
@@ -250,7 +254,11 @@ func SecurityMiddleware(s *stats.Service, bb *BotBlocker) func(http.Handler) htt
s.GlobalStats.BlockedRequests[fingerprint] = true
s.GlobalStats.Unlock()
log.Printf("Blocked suspicious request: %s from %s (%s)", r.URL.String(), r.RemoteAddr, r.UserAgent())
http.Error(w, "Forbidden", http.StatusForbidden)
if forbiddenHandler != nil {
forbiddenHandler(w, r)
} else {
http.Error(w, "Forbidden", http.StatusForbidden)
}
return
}
}
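Review bot: The nil check on forbiddenHandler is written out twice in this function — once in the bot-block branch right after `s.GlobalStats.Unlock()` and again in the suspicious-request branch below the `log.Printf` — and the changed exported signature carries no doc comment, so a caller cannot tell that a supplied handler must write the 403 status itself while nil keeps the plain-text `http.Error`. I would hoist the check into one closure at the top of the returned handler (sketch below) and call it from both branches as `forbid(w, r, "Bots are not allowed")` and `forbid(w, r, "Forbidden")`, so the two rejection paths cannot drift apart. For the signature line I would add `// SecurityMiddleware rejects blocked bots and suspicious requests before they reach next.` / `// When forbiddenHandler is non-nil it is invoked instead of http.Error for those rejections and is` / `// responsible for writing the response and its status itself; nil keeps the plain-text 403.` The body of SecurityMiddleware continues outside these hunks.
```go
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
	start := time.Now()
	// forbid writes the rejection once, for both the bot-block and the suspicious-request paths.
	forbid := func(w http.ResponseWriter, r *http.Request, msg string) {
		if forbiddenHandler != nil {
			forbiddenHandler(w, r)
			return
		}
		http.Error(w, msg, http.StatusForbidden)
	}
	// … unchanged: fingerprinting, stats bookkeeping and the bot/suspicious checks, each now calling forbid(w, r, …) before return …
```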


@@ -100,7 +100,7 @@ func TestGetRequestFingerprint(t *testing.T) {
func TestSecurityMiddleware(t *testing.T) {
statsService := stats.NewService("test-hashes.json")
botBlocker := NewBotBlocker("")
handler := SecurityMiddleware(statsService, botBlocker)(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
handler := SecurityMiddleware(statsService, botBlocker, nil)(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
w.WriteHeader(http.StatusOK)
}))

main.go

@@ -87,7 +87,38 @@ func main() {
r.Use(middleware.Logger)
r.Use(middleware.Recoverer)
r.Use(middleware.Compress(api.CompressionLevel))
r.Use(security.SecurityMiddleware(statsService, botBlocker))
contentStatic, err := fs.Sub(frontendBuild, "frontend/build")
if err != nil {
log.Fatal(err)
}
serveIndex := func(w http.ResponseWriter, r *http.Request, status int) {
indexData, err := fs.ReadFile(contentStatic, "index.html")
if err != nil {
http.Error(w, "Index not found", http.StatusInternalServerError)
return
}
// Inject global configuration
html := string(indexData)
configJS := fmt.Sprintf("<script>window.VERIFIER_GLOBALLY_DISABLED = %v;</script>", *disableVerifier)
html = strings.Replace(html, "</head>", configJS+"</head>", 1)
w.Header().Set("Content-Type", "text/html; charset=utf-8")
w.WriteHeader(status)
_, _ = w.Write([]byte(html))
}
staticHandler := http.FileServer(http.FS(contentStatic))
r.Use(security.SecurityMiddleware(statsService, botBlocker, func(w http.ResponseWriter, r *http.Request) {
if strings.HasPrefix(r.URL.Path, "/api") {
http.Error(w, "Forbidden", http.StatusForbidden)
return
}
serveIndex(w, r, http.StatusForbidden)
}))
r.Use(httprate.Limit(
security.GlobalRateLimit,
@@ -95,6 +126,13 @@ func main() {
httprate.WithKeyFuncs(func(r *http.Request) (string, error) {
return security.GetRequestFingerprint(r, statsService), nil
}),
httprate.WithLimitHandler(func(w http.ResponseWriter, r *http.Request) {
if strings.HasPrefix(r.URL.Path, "/api") {
http.Error(w, "Too Many Requests", http.StatusTooManyRequests)
return
}
serveIndex(w, r, http.StatusTooManyRequests)
}),
))
r.Route("/api", func(r chi.Router) {
@@ -104,6 +142,9 @@ func main() {
httprate.WithKeyFuncs(func(r *http.Request) (string, error) {
return security.GetRequestFingerprint(r, statsService), nil
}),
httprate.WithLimitHandler(func(w http.ResponseWriter, r *http.Request) {
http.Error(w, "Too Many Requests", http.StatusTooManyRequests)
}),
))
r.Get("/software", apiServer.APISoftwareHandler)
r.Get("/download", apiServer.DownloadProxyHandler)
@@ -113,12 +154,6 @@ func main() {
r.Get("/rss", apiServer.RSSHandler)
})
contentStatic, err := fs.Sub(frontendBuild, "frontend/build")
if err != nil {
log.Fatal(err)
}
staticHandler := http.FileServer(http.FS(contentStatic))
r.Get("/*", func(w http.ResponseWriter, r *http.Request) {
path := r.URL.Path
if path == "/" {
@@ -147,18 +182,7 @@ func main() {
return
}
indexData, err := fs.ReadFile(contentStatic, "index.html")
if err != nil {
http.Error(w, "Index not found", http.StatusInternalServerError)
return
}
// Inject global configuration
html := string(indexData)
configJS := fmt.Sprintf("<script>window.VERIFIER_GLOBALLY_DISABLED = %v;</script>", *disableVerifier)
html = strings.Replace(html, "</head>", configJS+"</head>", 1)
http.ServeContent(w, r, "index.html", time.Unix(0, 0), strings.NewReader(html))
serveIndex(w, r, http.StatusOK)
return
}
if err := f.Close(); err != nil {
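Review bot: `serveIndex` re-reads `index.html` from the embedded FS and rebuilds the injected `<script>` with `fmt.Sprintf` and `strings.Replace` on every call, and it is now the response for every rate-limited (429) and bot-blocked (403) request on non-`/api` paths — so the deny path costs more per request than the old one-line `http.Error` it replaces, which is the opposite of what a rate limiter wants. Since `contentStatic` and `*disableVerifier` are both fixed before the router is built, read and patch the page once and let `serveIndex` only set headers and write the cached bytes (sketch below); the `r` parameter is also unused inside the closure. This moves a missing `index.html` from a per-request 500 to a startup `log.Fatal`, which for an embedded build asset is presumably the intended failure mode, but worth confirming. `main` continues outside this hunk.
```go
// … unchanged: fs.Sub(frontendBuild, "frontend/build") and its error check …
indexData, err := fs.ReadFile(contentStatic, "index.html")
if err != nil {
	log.Fatal(err)
}
// Inject the global configuration once: the embedded page and the flag do not change at runtime.
configJS := fmt.Sprintf("<script>window.VERIFIER_GLOBALLY_DISABLED = %v;</script>", *disableVerifier)
indexHTML := []byte(strings.Replace(string(indexData), "</head>", configJS+"</head>", 1))
serveIndex := func(w http.ResponseWriter, _ *http.Request, status int) {
	w.Header().Set("Content-Type", "text/html; charset=utf-8")
	w.WriteHeader(status)
	_, _ = w.Write(indexHTML)
}
// … unchanged: staticHandler, r.Use(security.SecurityMiddleware(...)), httprate limiters and routes …
```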


@@ -51,7 +51,7 @@ func TestMainHandlers(t *testing.T) {
apiServer := api.NewServer("", initialSoftware, statsService, true)
r := chi.NewRouter()
r.Use(security.SecurityMiddleware(statsService, botBlocker))
r.Use(security.SecurityMiddleware(statsService, botBlocker, nil))
r.Get("/api/software", apiServer.APISoftwareHandler)
r.Get("/api/stats", statsService.APIStatsHandler)
r.Get("/api/download", apiServer.DownloadProxyHandler)