From 2289171b0f9be8fb83370a2477b04e243c94ab02 Mon Sep 17 00:00:00 2001
From: Kevin Froman
Date: Wed, 26 Dec 2018 00:14:05 -0600
Subject: [PATCH] started a simple board plugin
---
.gitlab-ci.yml | 6 ---
.travis.yml | 8 ----
onionr-daemon-linux | 2 +
onionr/api.py | 58 +++++++++++++++++++++----
onionr/onionrcrypto.py | 2 +-
onionr/onionrproofs.py | 2 +
onionr/static-data/default_config.json | 6 +--
onionr/static-data/www/board/board.js | 32 ++++++++++++++
onionr/static-data/www/board/index.html | 16 +++++++
onionr/static-data/www/board/theme.css | 0
10 files changed, 105 insertions(+), 27 deletions(-)
delete mode 100644 .gitlab-ci.yml
delete mode 100644 .travis.yml
create mode 100644 onionr-daemon-linux
create mode 100644 onionr/static-data/www/board/board.js
create mode 100644 onionr/static-data/www/board/index.html
create mode 100644 onionr/static-data/www/board/theme.css
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
deleted file mode 100644
index 292dfb14..00000000
--- a/.gitlab-ci.yml
+++ /dev/null
@@ -1,6 +0,0 @@
-test:
- script:
- - apt-get update -qy
- - apt-get install -y python3-dev python3-pip tor
- - pip3 install -r requirements.txt
- - make test
\ No newline at end of file
diff --git a/.travis.yml b/.travis.yml
deleted file mode 100644
index 603021b5..00000000
--- a/.travis.yml
+++ /dev/null
@@ -1,8 +0,0 @@
-language: python
-python:
- - "3.6.4"
-# install dependencies
-install:
- - sudo apt install tor
- - pip install -r requirements.txt
-script: make test
diff --git a/onionr-daemon-linux b/onionr-daemon-linux
new file mode 100644
index 00000000..d72ac015
--- /dev/null
+++ b/onionr-daemon-linux
@@ -0,0 +1,2 @@
+#!/usr/bin/sh
+nohup ./run-linux start & disown
diff --git a/onionr/api.py b/onionr/api.py
index f983677d..753afcce 100755
--- a/onionr/api.py
+++ b/onionr/api.py
@@ -17,7 +17,7 @@ You should have received a copy of the GNU General Public License along with this program. If not, see . ''' -import flask +import flask, cgi from flask import request, Response, abort, send_from_directory from gevent.pywsgi import WSGIServer import sys, random, threading, hmac, hashlib, base64, time, math, os, json @@ -221,7 +221,8 @@ class API: This initilization defines all of the API entry points and handlers for the endpoints and errors This also saves the used host (random localhost IP address) to the data folder in host.txt ''' - + # assert isinstance(onionrInst, onionr.Onionr) + print(type(onionrInst)) # configure logger and stuff onionr.Onionr.setupConfig('data/', self = self) @@ -234,6 +235,8 @@ class API: bindPort = int(config.get('client.client.port', 59496)) self.bindPort = bindPort + self.whitelistEndpoints = ('site', 'www', 'onionrhome', 'board', 'boardContent') + self.clientToken = config.get('client.webpassword') self.timeBypassToken = base64.b16encode(os.urandom(32)).decode() @@ -249,6 +252,8 @@ class API: '''Validate request has set password and is the correct hostname''' if request.host != '%s:%s' % (self.host, self.bindPort): abort(403) + if request.endpoint in self.whitelistEndpoints: + return try: if not hmac.compare_digest(request.headers['token'], self.clientToken): abort(403) 
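Review bot: The `cgi` module added on the `import flask, cgi` line is used only for `cgi.escape`, which has been deprecated since Python 3.2 and was removed in 3.8, so the new `/gethtmlsafeblockdata/` handler later in this patch will raise AttributeError on current interpreters. The standard-library replacement is `html.escape`: add `import html` here and call `html.escape(Block(name).bcontent, quote=True)` in `getData`. Putting the new import on its own line would also follow PEP 8.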
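Review bot: `print(type(onionrInst))` in `API.__init__` looks like leftover debugging; it writes to stdout on every API start and sits next to a commented-out `assert isinstance(onionrInst, onionr.Onionr)`. Drop both lines, or, if the type check is wanted, raise explicitly rather than assert, e.g. `if not isinstance(onionrInst, onionr.Onionr): raise TypeError('onionrInst must be an onionr.Onionr')`. The rest of `__init__` lies outside the hunk.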
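Review bot: The early `return` for `request.endpoint in self.whitelistEndpoints` skips the `token` comparison and leaves the `request.host` check as the only gate, and the tuple includes `'www'`, whose handler later in this patch (`wwwPublic`) serves files from `config.get('www.private.path', 'static-data/www/private/')`. Serving a directory configured as private without the web password looks unintended; either drop `'www'` from the tuple or rename the setting and handler so the intent is explicit. `'site'` is exempt as well and returns block content looked up by hash, so it is worth confirming that unauthenticated local access to arbitrary blocks is acceptable. A short comment above the tuple, such as `# endpoints served without the client token; keep this list minimal`, would help the next reader. The validating function begins and ends outside the hunk.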
@@ -257,7 +262,8 @@ class API: @app.after_request def afterReq(resp): - resp.headers["Content-Security-Policy"] = "default-src 'none'; script-src 'none'; object-src 'none'; style-src data: 'unsafe-inline'; img-src data:; media-src 'none'; frame-src 'none'; font-src 'none'; connect-src 'none'" + #resp.headers["Content-Security-Policy"] = "default-src 'none'; script-src 'none'; object-src 'none'; style-src data: 'unsafe-inline'; img-src data:; media-src 'none'; frame-src 'none'; font-src 'none'; connect-src 'none'" + resp.headers['Content-Security-Policy'] = "default-src 'none'; script-src 'self'; object-src 'none'; style-src 'self'; img-src 'self'; media-src 'none'; frame-src 'none'; font-src 'none'; connect-src 'self'" resp.headers['X-Frame-Options'] = 'deny' resp.headers['X-Content-Type-Options'] = "nosniff" resp.headers['X-API'] = onionr.API_VERSION 
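Review bot: The replacement `Content-Security-Policy` in `afterReq` is applied to every response, so `script-src 'self'` and `connect-src 'self'` now also cover `/site/`, which appears to return network-supplied block content, where the old policy forbade scripts and connections outright. Keep the strict string as the default and assign the relaxed one only when `request.endpoint in ('board', 'boardContent')`, so the board UI works without loosening the policy for block content served from the same origin as the token-protected API. The commented-out old header should be deleted rather than kept, since version control already has it. `afterReq` continues past the end of this hunk.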
@@ -265,20 +271,54 @@ class API: resp.headers['Date'] = 'Thu, 1 Jan 1970 00:00:00 GMT' # Clock info is probably useful to attackers. Set to unix epoch. return resp + @app.route('/board/', endpoint='board') + def loadBoard(): + return send_from_directory('static-data/www/board/', "index.html") + + @app.route('/board/', endpoint='boardContent') + def boardContent(path): + return send_from_directory('static-data/www/board/', path) + + @app.route('/www/', endpoint='www') + def wwwPublic(path): + if not config.get("www.private.run", True): + abort(403) + return send_from_directory(config.get('www.private.path', 'static-data/www/private/'), path) + @app.route('/ping') def ping(): return Response("pong!") - @app.route('/') + @app.route('/', endpoint='onionrhome') def hello(): - return Response("hello client") + return Response("Welcome to Onionr") + + @app.route('/getblocksbytype/') + def getBlocksByType(name): + blocks = self._core.getBlocksByType(name) + return Response(','.join(blocks)) + + @app.route('/gethtmlsafeblockdata/') + def getData(name): + resp = '' + if self._core._utils.validateHash(name): + try: + resp = cgi.escape(Block(name).bcontent, quote=True) + except TypeError: + pass + else: + abort(404) + return Response(resp) - @app.route('/site/') - def site(): - bHash = block + @app.route('/site/', endpoint='site') + def site(name): + bHash = name resp = 'Not Found' if self._core._utils.validateHash(bHash): - resp = Block(bHash).bcontent + try: + resp = Block(bHash).bcontent + except TypeError: + pass try: resp = base64.b64decode(resp) except: diff --git a/onionr/onionrcrypto.py b/onionr/onionrcrypto.py index 0daf6e3e..03da9213 100644 --- a/onionr/onionrcrypto.py +++ b/onionr/onionrcrypto.py 
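Review bot: In `getData` a `TypeError` from `Block(name)` is swallowed with `pass`, so a missing or unreadable block yields an empty 200 response while an invalid hash yields 404, and the caller cannot tell "no such block" from "empty block". Replacing `pass` with `abort(404)` makes the two paths consistent. The same `except TypeError: pass` in `site` leaves `resp` as the string `'Not Found'`, which then goes into `base64.b64decode` under a bare `except:`; the rest of `site` is outside the hunk, so the final status is not visible here, but an explicit `abort(404)` would be clearer there as well. `getBlocksByType` passes `name` straight to `self._core.getBlocksByType`; whether that helper validates the type string cannot be seen from this patch and should be confirmed.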
@@ -268,7 +268,7 @@ class OnionrCrypto: blockHash = blockHash.decode() # bytes on some versions for some reason except AttributeError: pass - + difficulty = onionrproofs.getDifficultyForNewBlock(blockContent, ourBlock=False) if difficulty < int(config.get('general.minimum_block_pow')): diff --git a/onionr/onionrproofs.py b/onionr/onionrproofs.py index 8e3da0a4..f1645a49 100644 --- a/onionr/onionrproofs.py +++ b/onionr/onionrproofs.py @@ -57,6 +57,8 @@ def getDifficultyForNewBlock(data, ourBlock=True): dataSize = len(data.getRaw().encode('utf-8')) elif isinstance(data, str): dataSize = len(data.encode('utf-8')) + elif isinstance(data, bytes): + dataSize = len(data) elif isinstance(data, int): dataSize = data else: diff --git a/onionr/static-data/default_config.json b/onionr/static-data/default_config.json index 524ee185..ed9270db 100644 --- a/onionr/static-data/default_config.json +++ b/onionr/static-data/default_config.json @@ -2,8 +2,8 @@ "general" : { "dev_mode" : true, "display_header" : false, - "minimum_block_pow": 4, - "minimum_send_pow": 4, + "minimum_block_pow": 3, + "minimum_send_pow": 3, "socket_servers": false, "security_level": 0, "max_block_age": 2678400, @@ -69,7 +69,7 @@ }, "allocations" : { - "disk" : 2000, + "disk" : 100000000, "net_total" : 1000000000, "blockCache" : 5000000, "blockCacheTotal" : 50000000 diff --git a/onionr/static-data/www/board/board.js b/onionr/static-data/www/board/board.js new file mode 100644 index 00000000..fbdddd51 --- /dev/null +++ b/onionr/static-data/www/board/board.js 
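Review bot: The defaults `minimum_block_pow` and `minimum_send_pow` drop from 4 to 3 and `allocations.disk` rises from 2000 to 100000000 in a commit titled as starting a board plugin, with no mention in the message. `onionrcrypto.py` compares a block's difficulty with `general.minimum_block_pow`, so the lower default makes blocks cheaper to get accepted on every node that ships with this file. If these values were only needed for local testing, keep them out of `default_config.json`; otherwise they deserve their own commit and a line of rationale.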
@@ -0,0 +1,32 @@ +webpassword = '' +requested = {} +document.getElementById('feed').innerText = 'none :)' + +function httpGet(theUrl) { + var xmlHttp = new XMLHttpRequest() + xmlHttp.open( "GET", theUrl, false ) // false for synchronous request + xmlHttp.setRequestHeader('token', webpassword) + xmlHttp.send( null ) + return xmlHttp.responseText +} +function appendMessages(msg){ + document.getElementById('feed').append(msg) + document.getElementById('feed').appendChild(document.createElement('br')) +} + +function getBlocks(){ + var feedText = httpGet('/getblocksbytype/txt') + var blockList = feedText.split(',') + for (i = 0; i < blockList.length; i++){ + bl = httpGet('/gethtmlsafeblockdata/' + blockList[i]) + appendMessages(bl) + } +} + +document.getElementById('webpassword').oninput = function(){ + webpassword = document.getElementById('webpassword').value +} + +document.getElementById('refreshFeed').onclick = function(){ + getBlocks() +} \ No newline at end of file diff --git a/onionr/static-data/www/board/index.html b/onionr/static-data/www/board/index.html new file mode 100644 index 00000000..3b1c3426 --- /dev/null +++ b/onionr/static-data/www/board/index.html @@ -0,0 +1,16 @@ + + + + + + OnionrBoard + + + +
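Review bot: `httpGet` returns `responseText` without looking at `xmlHttp.status`, so in `getBlocks` the body of a 403 caused by a wrong or empty `webpassword` is split on commas and each piece is requested as a block hash; an empty feed does the same, because `''.split(',')` yields `['']`. Check the status in `httpGet` (`if (xmlHttp.status !== 200) { return '' }`) and build the list with `feedText.split(',').filter(Boolean)`. `i` and `bl` are assigned without `var`, which makes them implicit globals, and the synchronous `open(..., false)` blocks the page for every block fetched. `append(msg)` inserts a text node, so the entities produced by `/gethtmlsafeblockdata/` will be displayed literally (`&lt;` rather than `<`); escaping should happen either on the server or through text-node insertion, not both.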

Onionr Board

+ + +
+ + + \ No newline at end of file diff --git a/onionr/static-data/www/board/theme.css b/onionr/static-data/www/board/theme.css new file mode 100644 index 00000000..e69de29b