tlsd 2.19.0 → 2.20.1

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "tlsd",
-  "version": "2.19.0",
+  "version": "2.20.1",
   "description": "A server for web app prototyping with HTTPS and Websockets",
   "main": "tlsd.js",
   "bin": {

package/scaffold/static/index.html

@@ -45,6 +45,7 @@
                 const uploadURL = '/';
                 xhr.open( 'PUT', uploadURL, true );
                 xhr.setRequestHeader( 'Content-Type', file.type || 'application/octet-stream' );
+                xhr.setRequestHeader( 'X-Filename', file.name );
                 xhr.onload = () => {
                     if( xhr.status === 200 ) {
                         let result = JSON.parse( xhr.responseText );

package/tlsd.js

@@ -20,6 +20,15 @@ const { D, V, I, W, E } = L;
 const UPLOAD_DIR = process.env.UPLOAD_DIR || "/tmp/tlsd-put-files/";
 const UPLOAD_MAX_BYTES = toInt( process.env.UPLOAD_MAX_BYTES ) || ( 200 * 1024 * 1024 );
 
+function sanitize_upload_filename( raw ) {
+	if( ! raw || typeof raw !== "string" ) return "file";
+	const basename = path.basename( raw.trim() );
+	const sanitized = basename.replace( /[\\/:*?"<>|\x00-\x1f]/g, "_" ).replace( /\.{2,}/g, "." );
+	// Limit to the LAST 40 chars of the sanitized filename
+	const truncated = sanitized.slice( -40 );
+	return truncated || "file";
+}
+
 // DOS protection configuration
 const MAX_RPC_MESSAGE_SIZE = toInt( process.env.MAX_RPC_MESSAGE_SIZE ) || ( 1024 * 1024 ); // 1MB default
 const MAX_WS_CONNECTIONS = toInt( process.env.MAX_WS_CONNECTIONS ) || 1000;
@@ -420,36 +429,47 @@ function csrf_protection( root ) {
 			return;
 		}
 
-		// Validate CSRF token (double-submit cookie pattern)
-		const cookieToken = cookies.csrf_token;
-		const headerToken = req.headers[ "x-csrf-token" ];
-
-		if( ! cookieToken || ! headerToken || cookieToken !== headerToken ) {
-			W( "CSRF token validation failed for " + method + " " + url );
-			res.writeHead( 403, {
-				"Content-Type": "application/json",
-				"Cache-Control": "no-store",
-			} );
-			res.write( o2j( { error: "CSRF token validation failed" } ) );
-			res.end();
+		// In dev mode, skip CSRF validation for PUT (e.g. drag-drop file uploads)
+		if( dev_mode && is_put ) {
+			next();
 			return;
 		}
 
-		// Additional Origin/Referer validation
+		const cookieToken = cookies.csrf_token;
+		const headerToken = req.headers[ "x-csrf-token" ];
+
+		// Origin/Referer validation
 		const origin = req.headers[ "origin" ];
 		const referer = req.headers[ "referer" ];
 		let originValid = false;
 
 		if( origin ) {
-			// Check if origin matches host (with protocol)
 			const expectedOrigin = ( dev_mode ? "http://" : "https://" ) + host;
 			originValid = origin === expectedOrigin;
 		} else if( referer ) {
-			// Fall back to Referer if Origin is missing
 			const expectedReferer = ( dev_mode ? "http://" : "https://" ) + host;
 			originValid = referer.startsWith( expectedReferer );
 		}
 
+		// For PUT (e.g. file uploads), cookie + Origin/Referer is sufficient.
+		// Same-origin XHR sends these automatically; no client-side token handling needed.
+		if( is_put && ! is_rpc && cookieToken && originValid ) {
+			next();
+			return;
+		}
+
+		// Validate CSRF token (double-submit cookie pattern)
+		if( ! cookieToken || ! headerToken || cookieToken !== headerToken ) {
+			W( "CSRF token validation failed for " + method + " " + url );
+			res.writeHead( 403, {
+				"Content-Type": "application/json",
+				"Cache-Control": "no-store",
+			} );
+			res.write( o2j( { error: "CSRF token validation failed" } ) );
+			res.end();
+			return;
+		}
+
 		if( ! originValid ) {
 			W( "CSRF Origin/Referer validation failed for " + method + " " + url + " origin: " + origin + " referer: " + referer );
 			res.writeHead( 403, {
@@ -578,54 +598,117 @@ function put_handler( req, res, next ) {
 			return;
 		}
 
-        let local_path = UPLOAD_DIR;
-        fs.mkdirSync( local_path, { recursive: true } );
+        const upload_dir = UPLOAD_DIR;
+        fs.mkdirSync( upload_dir, { recursive: true } );
+
+		// Kick off the upload, given the initial available bytes on the dest filesystem.
+		// available_bytes is re-queried every 500ms throughout the transfer so that
+		// concurrent uploads are accounted for.
+		const do_put = function( initial_available_bytes ) {
+			let available_bytes = initial_available_bytes;
+
+			// Preflight: reject immediately if Content-Length already exceeds threshold
+			if( content_length && content_length > available_bytes * 0.8 ) {
+				W( "PUT: Content-Length " + content_length + " exceeds 80% of available space (" + available_bytes + " bytes)" );
+				res.writeHead( 507, { "Content-Type": "application/json" } );
+				res.write( o2j( { error: "Insufficient storage space" } ) );
+				res.end();
+				return;
+			}
 
-        // generate random hash to store file under locally
-        const hash = sha1( "" + ( Date.now() + Math.random() ) );
-        local_path += "/" + hash;
+			// generate random hash to store file under locally
+			const hash = sha1( "" + ( Date.now() + Math.random() ) ).slice( 0, 16 );  // only use first 16 chars of the hash
+			let raw_filename = req.headers[ "X-Filename" ];
+			if( ! raw_filename ) {
+				// take the filename from the last part of the URL
+				raw_filename = req.url.split( "/" ).pop();
+				// remove any query string
+				raw_filename = raw_filename.split( "?" ).shift();
+			}
+			const sanitized_filename = sanitize_upload_filename( raw_filename );
+			const final_filename = hash + "_" + sanitized_filename;
+			const local_path = upload_dir + "/" + final_filename;
+
+			D( "PUT: " + local_path );
+
+			const writeStream = fs.createWriteStream( local_path );
+
+			let responded = false;
+			let received_bytes = 0;
+
+			const abort_with = function( status, message, log_msg ) {
+				if( responded ) return;
+				responded = true;
+				clearInterval( disk_poll );
+				W( log_msg );
+				try { req.unpipe( writeStream ); } catch( _e ) {}
+				try { writeStream.destroy(); } catch( _e ) {}
+				try { req.destroy(); } catch( _e ) {}
+				try { fs.unlink( local_path, function( ){} ); } catch( _e ) {}
+				res.writeHead( status, { "Content-Type": "application/json" } );
+				res.write( o2j( { error: message } ) );
+				res.end();
+			};
 
-        D( "PUT: " + local_path );
+			// Poll available disk space every 500ms so concurrent uploads are reflected
+			const disk_poll = setInterval( function( ) {
+				fs.statfs( upload_dir, function( err, stats ) {
+					if( ! err ) {
+						available_bytes = stats.bavail * stats.bsize;
+						D( "PUT: disk poll available=" + available_bytes );
+					}
+				} );
+			}, 500 );
+
+			// Streaming size guard - checks against the latest available_bytes each chunk
+			req.on( "data", function( chunk ) {
+				received_bytes += chunk.length;
+				if( received_bytes > UPLOAD_MAX_BYTES ) {
+					abort_with( 413, "Payload too large", "PUT: stream exceeded cap: " + received_bytes + " > " + UPLOAD_MAX_BYTES );
+				} else if( received_bytes > available_bytes * 0.8 ) {
+					abort_with( 507, "Insufficient storage space", "PUT: stream exceeded 80% of available space: " + received_bytes + " > " + ( available_bytes * 0.8 ) );
+				}
+			} );
 
-		const writeStream = fs.createWriteStream( local_path );
+			req.pipe( writeStream );
 
-		let responded = false;
-		let received_bytes = 0;
-		const abort_too_large = function( ) {
-			if( responded ) return;
-			responded = true;
-			try { req.unpipe( writeStream ); } catch( _e ) {}
-			try { writeStream.destroy(); } catch( _e ) {}
-			try { req.destroy(); } catch( _e ) {}
-			try { fs.unlink( local_path, function( ){} ); } catch( _e ) {}
-			res.writeHead( 413, { "Content-Type": "application/json" } );
-			res.write( o2j( { error: "Payload too large" } ) );
-			res.end();
+			writeStream.on( "finish", ( ) => {
+				if( responded ) return;
+				clearInterval( disk_poll );
+				I( "PUT: " + local_path );
+				res.writeHead( 200, { "Content-Type": "application/json" } );
+				res.write( o2j( { hash, filename: final_filename } ) );
+				res.end();
+			} );
+
+			writeStream.on( "error", ( error ) => {
+				if( responded ) return;
+				clearInterval( disk_poll );
+				fail( "PUT: " + local_path + " failed during stream", error.stack );
+			} );
 		};
 
-		// Streaming size guard
-		req.on( "data", function( chunk ) {
-			received_bytes += chunk.length;
-			if( received_bytes > UPLOAD_MAX_BYTES ) {
-				W( "PUT: stream exceeded cap: " + received_bytes + " > " + UPLOAD_MAX_BYTES );
-				abort_too_large( );
+		if( typeof fs.statfs !== "function" ) {
+			E( "PUT: fs.statfs unavailable, aborting transfer" );
+			res.writeHead( 503, { "Content-Type": "application/json" } );
+			res.write( o2j( { error: "Disk space check unavailable" } ) );
+			res.end();
+			return;
+		}
+
+		fs.statfs( upload_dir, function( err, stats ) {
+			if( err ) {
+				E( "PUT: statfs failed, aborting transfer: " + err.message );
+				res.writeHead( 503, { "Content-Type": "application/json" } );
+				res.write( o2j( { error: "Disk space check failed" } ) );
+				res.end();
+				return;
 			}
+			const available_bytes = stats.bavail * stats.bsize;
+			D( "PUT: disk available=" + available_bytes );
+			do_put( available_bytes );
 		} );
 
-        req.pipe( writeStream );
-
-		writeStream.on( "finish", ( ) => {
-			if( responded ) return;
-            I( "PUT: " + local_path );
-            res.writeHead( 200, { "Content-Type": "application/json" } );
-            res.write( o2j( { hash } ) );
-            res.end();
-        } );
-
-		writeStream.on( "error", ( error ) => {
-			if( responded ) return;
-            fail( "PUT: " + local_path + " failed during stream", error.stack );
-        } );
     } catch ( error ) {
         fail( "PUT: failed", error.stack );
     }