tlsd 2.18.1 → 2.20.0

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "tlsd",
-  "version": "2.18.1",
+  "version": "2.20.0",
   "description": "A server for web app prototyping with HTTPS and Websockets",
   "main": "tlsd.js",
   "bin": {

package/scaffold/static/index.html

@@ -45,6 +45,7 @@
                 const uploadURL = '/';
                 xhr.open( 'PUT', uploadURL, true );
                 xhr.setRequestHeader( 'Content-Type', file.type || 'application/octet-stream' );
+                xhr.setRequestHeader( 'X-Filename', file.name );
                 xhr.onload = () => {
                     if( xhr.status === 200 ) {
                         let result = JSON.parse( xhr.responseText );

package/tlsd.js

@@ -20,6 +20,15 @@ const { D, V, I, W, E } = L;
 const UPLOAD_DIR = process.env.UPLOAD_DIR || "/tmp/tlsd-put-files/";
 const UPLOAD_MAX_BYTES = toInt( process.env.UPLOAD_MAX_BYTES ) || ( 200 * 1024 * 1024 );
 
+function sanitize_upload_filename( raw ) {
+	if( ! raw || typeof raw !== "string" ) return "file";
+	const basename = path.basename( raw.trim() );
+	const sanitized = basename.replace( /[\\/:*?"<>|\x00-\x1f]/g, "_" ).replace( /\.{2,}/g, "." );
+	// Limit to the LAST 40 chars of the sanitized filename
+	const truncated = sanitized.slice( -40 );
+	return truncated || "file";
+}
+
 // DOS protection configuration
 const MAX_RPC_MESSAGE_SIZE = toInt( process.env.MAX_RPC_MESSAGE_SIZE ) || ( 1024 * 1024 ); // 1MB default
 const MAX_WS_CONNECTIONS = toInt( process.env.MAX_WS_CONNECTIONS ) || 1000;
@@ -184,7 +193,7 @@ function make_cookie_setters( res ) {
 //  4) Falls back to legacy directory loader at "root/rpc"
 // If loading succeeds, passes the message to the handler.
 // context may be one of:
-//      { transport_type: "WS", connection: { ... } }
+//      { transport_type: "WS", connection: { name, socket, send, cookies, resource }, ... }
 //      { transport_type: "GET", connection: { req, res } }
 //      { transport_type: "POST", connection: { req, res } }
 // Additionally, context.upload_dir is set to the server's upload directory.
@@ -420,36 +429,47 @@ function csrf_protection( root ) {
 			return;
 		}
 
-		// Validate CSRF token (double-submit cookie pattern)
-		const cookieToken = cookies.csrf_token;
-		const headerToken = req.headers[ "x-csrf-token" ];
-
-		if( ! cookieToken || ! headerToken || cookieToken !== headerToken ) {
-			W( "CSRF token validation failed for " + method + " " + url );
-			res.writeHead( 403, {
-				"Content-Type": "application/json",
-				"Cache-Control": "no-store",
-			} );
-			res.write( o2j( { error: "CSRF token validation failed" } ) );
-			res.end();
+		// In dev mode, skip CSRF validation for PUT (e.g. drag-drop file uploads)
+		if( dev_mode && is_put ) {
+			next();
 			return;
 		}
 
-		// Additional Origin/Referer validation
+		const cookieToken = cookies.csrf_token;
+		const headerToken = req.headers[ "x-csrf-token" ];
+
+		// Origin/Referer validation
 		const origin = req.headers[ "origin" ];
 		const referer = req.headers[ "referer" ];
 		let originValid = false;
 
 		if( origin ) {
-			// Check if origin matches host (with protocol)
 			const expectedOrigin = ( dev_mode ? "http://" : "https://" ) + host;
 			originValid = origin === expectedOrigin;
 		} else if( referer ) {
-			// Fall back to Referer if Origin is missing
 			const expectedReferer = ( dev_mode ? "http://" : "https://" ) + host;
 			originValid = referer.startsWith( expectedReferer );
 		}
 
+		// For PUT (e.g. file uploads), cookie + Origin/Referer is sufficient.
+		// Same-origin XHR sends these automatically; no client-side token handling needed.
+		if( is_put && ! is_rpc && cookieToken && originValid ) {
+			next();
+			return;
+		}
+
+		// Validate CSRF token (double-submit cookie pattern)
+		if( ! cookieToken || ! headerToken || cookieToken !== headerToken ) {
+			W( "CSRF token validation failed for " + method + " " + url );
+			res.writeHead( 403, {
+				"Content-Type": "application/json",
+				"Cache-Control": "no-store",
+			} );
+			res.write( o2j( { error: "CSRF token validation failed" } ) );
+			res.end();
+			return;
+		}
+
 		if( ! originValid ) {
 			W( "CSRF Origin/Referer validation failed for " + method + " " + url + " origin: " + origin + " referer: " + referer );
 			res.writeHead( 403, {
@@ -582,8 +602,17 @@ function put_handler( req, res, next ) {
         fs.mkdirSync( local_path, { recursive: true } );
 
         // generate random hash to store file under locally
-        const hash = sha1( "" + ( Date.now() + Math.random() ) );
-        local_path += "/" + hash;
+        const hash = sha1( "" + ( Date.now() + Math.random() ) ).slice( 0, 16 );  // only use first 16 chars of the hash
+        let raw_filename = req.headers[ "X-Filename" ];
+		if( ! raw_filename ) {
+			// take the filename from the last part of the URL
+			raw_filename = req.url.split( "/" ).pop();
+			// remove any query string
+			raw_filename = raw_filename.split( "?" ).shift();
+		}
+        const sanitized_filename = sanitize_upload_filename( raw_filename );
+		const final_filename = hash + "_" + sanitized_filename;
+        local_path += "/" + final_filename;
 
         D( "PUT: " + local_path );
 
@@ -618,7 +647,7 @@ function put_handler( req, res, next ) {
 			if( responded ) return;
             I( "PUT: " + local_path );
             res.writeHead( 200, { "Content-Type": "application/json" } );
-            res.write( o2j( { hash } ) );
+            res.write( o2j( { hash, filename: final_filename } ) );
             res.end();
         } );
 
@@ -795,7 +824,7 @@ function ws_attach( server, msg_handler ) {
 			socket.send( o2j( msg ) ); 
 		};
 
-		const conn = { name, socket, send, cookies };
+		const conn = { name, socket, send, cookies, resource: wsreq.resource };
 
 		socket.on( "error", function( err ) {
 			E( "WS: error", err.stack || err );