├── .gitignore
├── Dockerfile
├── LICENSE
├── MANIFEST.in
├── Makefile
├── README.md
├── TODO.todo
├── bin
└── secureshare-control
├── etc
└── secureshare-dist.yml
├── media
└── demo.gif
├── secureshare-supervisord.conf
├── secureshare
├── __init__.py
├── resources
│ └── sql
│ │ ├── stor.add.sql
│ │ ├── stor.delete.expired.sql
│ │ ├── stor.delete.sql
│ │ ├── stor.expire.sql
│ │ ├── stor.get.sql
│ │ ├── token.add.sql
│ │ ├── token.delete.expired.sql
│ │ ├── token.delete.sql
│ │ └── token.get.sql
└── server.py
└── setup.py
/.gitignore:
--------------------------------------------------------------------------------
1 | etc/secureshare.yml
2 | *.pyc
3 | __pycache__
4 | secureshare.egg-info
5 | dist
6 |
--------------------------------------------------------------------------------
/Dockerfile:
--------------------------------------------------------------------------------
1 | from altertech/pytpl:37
2 | RUN /opt/venv/bin/pip3 install PyMySQL
3 | COPY ./secureshare-supervisord.conf /etc/supervisor/conf.d/
4 | RUN /opt/venv/bin/pip3 install --no-cache-dir secureshare==0.0.22
5 |
--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
1 | Apache License
2 | Version 2.0, January 2004
3 | http://www.apache.org/licenses/
4 |
5 | TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
6 |
7 | 1. Definitions.
8 |
9 | "License" shall mean the terms and conditions for use, reproduction,
10 | and distribution as defined by Sections 1 through 9 of this document.
11 |
12 | "Licensor" shall mean the copyright owner or entity authorized by
13 | the copyright owner that is granting the License.
14 |
15 | "Legal Entity" shall mean the union of the acting entity and all
16 | other entities that control, are controlled by, or are under common
17 | control with that entity. For the purposes of this definition,
18 | "control" means (i) the power, direct or indirect, to cause the
19 | direction or management of such entity, whether by contract or
20 | otherwise, or (ii) ownership of fifty percent (50%) or more of the
21 | outstanding shares, or (iii) beneficial ownership of such entity.
22 |
23 | "You" (or "Your") shall mean an individual or Legal Entity
24 | exercising permissions granted by this License.
25 |
26 | "Source" form shall mean the preferred form for making modifications,
27 | including but not limited to software source code, documentation
28 | source, and configuration files.
29 |
30 | "Object" form shall mean any form resulting from mechanical
31 | transformation or translation of a Source form, including but
32 | not limited to compiled object code, generated documentation,
33 | and conversions to other media types.
34 |
35 | "Work" shall mean the work of authorship, whether in Source or
36 | Object form, made available under the License, as indicated by a
37 | copyright notice that is included in or attached to the work
38 | (an example is provided in the Appendix below).
39 |
40 | "Derivative Works" shall mean any work, whether in Source or Object
41 | form, that is based on (or derived from) the Work and for which the
42 | editorial revisions, annotations, elaborations, or other modifications
43 | represent, as a whole, an original work of authorship. For the purposes
44 | of this License, Derivative Works shall not include works that remain
45 | separable from, or merely link (or bind by name) to the interfaces of,
46 | the Work and Derivative Works thereof.
47 |
48 | "Contribution" shall mean any work of authorship, including
49 | the original version of the Work and any modifications or additions
50 | to that Work or Derivative Works thereof, that is intentionally
51 | submitted to Licensor for inclusion in the Work by the copyright owner
52 | or by an individual or Legal Entity authorized to submit on behalf of
53 | the copyright owner. For the purposes of this definition, "submitted"
54 | means any form of electronic, verbal, or written communication sent
55 | to the Licensor or its representatives, including but not limited to
56 | communication on electronic mailing lists, source code control systems,
57 | and issue tracking systems that are managed by, or on behalf of, the
58 | Licensor for the purpose of discussing and improving the Work, but
59 | excluding communication that is conspicuously marked or otherwise
60 | designated in writing by the copyright owner as "Not a Contribution."
61 |
62 | "Contributor" shall mean Licensor and any individual or Legal Entity
63 | on behalf of whom a Contribution has been received by Licensor and
64 | subsequently incorporated within the Work.
65 |
66 | 2. Grant of Copyright License. Subject to the terms and conditions of
67 | this License, each Contributor hereby grants to You a perpetual,
68 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable
69 | copyright license to reproduce, prepare Derivative Works of,
70 | publicly display, publicly perform, sublicense, and distribute the
71 | Work and such Derivative Works in Source or Object form.
72 |
73 | 3. Grant of Patent License. Subject to the terms and conditions of
74 | this License, each Contributor hereby grants to You a perpetual,
75 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable
76 | (except as stated in this section) patent license to make, have made,
77 | use, offer to sell, sell, import, and otherwise transfer the Work,
78 | where such license applies only to those patent claims licensable
79 | by such Contributor that are necessarily infringed by their
80 | Contribution(s) alone or by combination of their Contribution(s)
81 | with the Work to which such Contribution(s) was submitted. If You
82 | institute patent litigation against any entity (including a
83 | cross-claim or counterclaim in a lawsuit) alleging that the Work
84 | or a Contribution incorporated within the Work constitutes direct
85 | or contributory patent infringement, then any patent licenses
86 | granted to You under this License for that Work shall terminate
87 | as of the date such litigation is filed.
88 |
89 | 4. Redistribution. You may reproduce and distribute copies of the
90 | Work or Derivative Works thereof in any medium, with or without
91 | modifications, and in Source or Object form, provided that You
92 | meet the following conditions:
93 |
94 | (a) You must give any other recipients of the Work or
95 | Derivative Works a copy of this License; and
96 |
97 | (b) You must cause any modified files to carry prominent notices
98 | stating that You changed the files; and
99 |
100 | (c) You must retain, in the Source form of any Derivative Works
101 | that You distribute, all copyright, patent, trademark, and
102 | attribution notices from the Source form of the Work,
103 | excluding those notices that do not pertain to any part of
104 | the Derivative Works; and
105 |
106 | (d) If the Work includes a "NOTICE" text file as part of its
107 | distribution, then any Derivative Works that You distribute must
108 | include a readable copy of the attribution notices contained
109 | within such NOTICE file, excluding those notices that do not
110 | pertain to any part of the Derivative Works, in at least one
111 | of the following places: within a NOTICE text file distributed
112 | as part of the Derivative Works; within the Source form or
113 | documentation, if provided along with the Derivative Works; or,
114 | within a display generated by the Derivative Works, if and
115 | wherever such third-party notices normally appear. The contents
116 | of the NOTICE file are for informational purposes only and
117 | do not modify the License. You may add Your own attribution
118 | notices within Derivative Works that You distribute, alongside
119 | or as an addendum to the NOTICE text from the Work, provided
120 | that such additional attribution notices cannot be construed
121 | as modifying the License.
122 |
123 | You may add Your own copyright statement to Your modifications and
124 | may provide additional or different license terms and conditions
125 | for use, reproduction, or distribution of Your modifications, or
126 | for any such Derivative Works as a whole, provided Your use,
127 | reproduction, and distribution of the Work otherwise complies with
128 | the conditions stated in this License.
129 |
130 | 5. Submission of Contributions. Unless You explicitly state otherwise,
131 | any Contribution intentionally submitted for inclusion in the Work
132 | by You to the Licensor shall be under the terms and conditions of
133 | this License, without any additional terms or conditions.
134 | Notwithstanding the above, nothing herein shall supersede or modify
135 | the terms of any separate license agreement you may have executed
136 | with Licensor regarding such Contributions.
137 |
138 | 6. Trademarks. This License does not grant permission to use the trade
139 | names, trademarks, service marks, or product names of the Licensor,
140 | except as required for reasonable and customary use in describing the
141 | origin of the Work and reproducing the content of the NOTICE file.
142 |
143 | 7. Disclaimer of Warranty. Unless required by applicable law or
144 | agreed to in writing, Licensor provides the Work (and each
145 | Contributor provides its Contributions) on an "AS IS" BASIS,
146 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
147 | implied, including, without limitation, any warranties or conditions
148 | of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
149 | PARTICULAR PURPOSE. You are solely responsible for determining the
150 | appropriateness of using or redistributing the Work and assume any
151 | risks associated with Your exercise of permissions under this License.
152 |
153 | 8. Limitation of Liability. In no event and under no legal theory,
154 | whether in tort (including negligence), contract, or otherwise,
155 | unless required by applicable law (such as deliberate and grossly
156 | negligent acts) or agreed to in writing, shall any Contributor be
157 | liable to You for damages, including any direct, indirect, special,
158 | incidental, or consequential damages of any character arising as a
159 | result of this License or out of the use or inability to use the
160 | Work (including but not limited to damages for loss of goodwill,
161 | work stoppage, computer failure or malfunction, or any and all
162 | other commercial damages or losses), even if such Contributor
163 | has been advised of the possibility of such damages.
164 |
165 | 9. Accepting Warranty or Additional Liability. While redistributing
166 | the Work or Derivative Works thereof, You may choose to offer,
167 | and charge a fee for, acceptance of support, warranty, indemnity,
168 | or other liability obligations and/or rights consistent with this
169 | License. However, in accepting such obligations, You may act only
170 | on Your own behalf and on Your sole responsibility, not on behalf
171 | of any other Contributor, and only if You agree to indemnify,
172 | defend, and hold each Contributor harmless for any liability
173 | incurred by, or claims asserted against, such Contributor by reason
174 | of your accepting any such warranty or additional liability.
175 |
176 | END OF TERMS AND CONDITIONS
177 |
178 | APPENDIX: How to apply the Apache License to your work.
179 |
180 | To apply the Apache License to your work, attach the following
181 | boilerplate notice, with the fields enclosed by brackets "[]"
182 | replaced with your own identifying information. (Don't include
183 | the brackets!) The text should be enclosed in the appropriate
184 | comment syntax for the file format. We also recommend that a
185 | file or class name and description of purpose be included on the
186 | same "printed page" as the copyright notice for easier
187 | identification within third-party archives.
188 |
189 | Copyright [yyyy] [name of copyright owner]
190 |
191 | Licensed under the Apache License, Version 2.0 (the "License");
192 | you may not use this file except in compliance with the License.
193 | You may obtain a copy of the License at
194 |
195 | http://www.apache.org/licenses/LICENSE-2.0
196 |
197 | Unless required by applicable law or agreed to in writing, software
198 | distributed under the License is distributed on an "AS IS" BASIS,
199 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
200 | See the License for the specific language governing permissions and
201 | limitations under the License.
202 |
--------------------------------------------------------------------------------
/MANIFEST.in:
--------------------------------------------------------------------------------
1 | include secureshare/resources/sql/*
2 |
--------------------------------------------------------------------------------
/Makefile:
--------------------------------------------------------------------------------
1 | VERSION=0.0.22
2 |
3 | all:
4 | @echo "Select target"
5 |
6 | ver:
7 | find . -type f -name "*.py" -exec \
8 | sed -i "s/^__version__ = .*/__version__ = '${VERSION}'/g" {} \;
9 | find ./bin -type f -exec sed -i "s/^__version__ = .*/__version__ = '${VERSION}'/g" {} \;
10 | sed -i "s/secureshare==.*/secureshare==${VERSION}/" Dockerfile
11 |
12 | clean:
13 | rm -rf dist build secureshare.egg-info
14 |
15 | d: clean sdist
16 |
17 | sdist:
18 | python3 setup.py sdist
19 |
20 | build: clean build-packages
21 |
22 | build-packages:
23 | python3 setup.py build
24 |
25 | pub:
26 | jks build secureshare
27 |
28 | pub-pypi:
29 | twine upload dist/*
30 |
31 | docker-build:
32 | docker build -t altertech/secureshare:${VERSION}-${BUILD_NUMBER} .
33 | docker tag altertech/secureshare:${VERSION}-${BUILD_NUMBER} altertech/secureshare:latest
34 |
35 | docker-pub:
36 | docker push altertech/secureshare:${VERSION}-${BUILD_NUMBER}
37 | docker push altertech/secureshare:latest
38 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # SecureShare
2 |
3 | Simple secure file sharing personal server, Docker/Kubernetes compatible.
4 | SecureShare can share any text information (pastebin-like) and small binary
5 | files as well.
6 |
7 | ## What is SecureShare
8 |
9 | SecureShare allows quickly and securely share small files, documents and
10 | command pipe outputs. The files are uploaded via HTTP POST to your host or
11 | SecureShare Kubernetes pod, encrypted and securely stored inside the database.
12 |
13 | After the server returns you the shared HTTP URL. It's not possible to retrieve
14 | uploaded file contents without the URL, as the file content is AES256-encrypted
15 | inside the database.
16 |
17 | The URLS can be one-shot (self-destructing after the first access). Also, all
18 | URLs expire after the specified period of time.
19 |
20 | SecureShare is useful for:
21 |
22 | * sharing sensitive data with co-workers/customers
23 | * requesting sensitive data from co-workers/customers
24 | * get rid of garbage-full public "exchange" directories.
25 |
26 | SecureShare isn't yet-another cloud service. You run your own secure dedicated
27 | instance, on any Linux system or inside K8S-cluster.
28 |
29 | 
30 |
31 | ## Installing
32 |
33 | ```
34 | pip3 install secureshare
35 | # install gunicorn for Python3, if not present in system
36 | pip3 install gunicorn
37 | ```
38 |
39 | SQL database is required. Supported and tested:
40 |
41 | * SQLite
42 | * MySQL
43 | * PostgreSQL
44 |
45 | Docker image: https://hub.docker.com/r/altertech/secureshare
46 |
47 | (config should be mounted as /config/secureshare.yml)
48 |
49 | ## Client
50 |
51 | https://github.com/alttch/sshare
52 |
53 | ```
54 | pip3 install sshare
55 | ```
56 |
57 | ## Launching server
58 |
59 | Use *secureshare-control* script to manage the server.
60 |
61 | ## Using client
62 |
63 | Secure sharing files from the command line has never been easier:
64 |
65 | ```
66 | # share a file
67 | sshare path/to/file
68 | ```
69 |
70 | ```
71 | # share a file with self-destructing one-shot link
72 | sshare path/to/file -s
73 | ```
74 |
75 | ```
76 | # share a command output
77 | cat /etc/passwd | sshare
78 | # don't share that ;)
79 | ```
80 |
81 | ## Sharing something really important
82 |
83 | Option "-c" tells the client to encrypt file on the local machine. The server
84 | stores such files as-is:
85 |
86 | ```
87 | sshare /etc/passwd -c
88 | ```
89 |
90 | The data is encrypted using OpenSSL AES-256-CBC with PBKDF2 derivation
91 | function. After uploading, the client generates a hint command, which can be
92 | used as-is to download file:
93 |
94 | ```
95 | =========================================================
96 | Decrypt password: 9aIEE8cZAFbc
97 |
98 | curl -s https://domainx/d/329pmriChoQ8DhZkE/-/passwd |
99 | openssl aes-256-cbc -d -a -pbkdf2 -out passwd
100 | =========================================================
101 | ```
102 |
103 | Passwords are auto-generated, use "-w" option to specify the own one.
104 |
105 | ## Usage without a client on 3rd party servers:
106 |
107 | ```
108 | # generate one-time token (on a trusted system)
109 | sshare c:token
110 | ```
111 |
112 | ```
113 | # upload desired file with generated token (on an untrusted system)
114 | curl -v -F 'oneshot=1' -F 'file=@path/to/file' -Hx-auth-key:GENERATED_TOKEN https://YOUR_DOMAIN/u
115 | ```
116 |
117 | ## API
118 |
119 | ### Authentication
120 |
121 | Set *X-Auth-Key* HTTP header to *upload-key* value from the server config.
122 | There's only one upload / management key (at this moment) but one-time tokens
123 | can be additionally generated.
124 |
125 | ### Generating new one-time token
126 |
127 | A HTTP POST request to /api/v1/token will return new one-time authentication
128 | token, arguments:
129 |
130 | * **expires** set token expiration time (in seconds from now), optional
131 |
132 | ### Uploading
133 |
134 | Send files as multipart MIME forms POST requests to
135 |
136 | ```
137 | http://YOURDOMAIN/u
138 | ```
139 |
140 | with arguments:
141 |
142 | * **file** file data (required)
143 | * **oneshot=1** generate one-shot (self-destructing) link
144 | * **expires** set link expiration time (in seconds from now)
145 | * **fname** override file name
146 | * **sha256sum** ask server to check SHA256 sum of the received file
147 | * **raw=1** store raw (don't encrypt) file in DB. Useful for already encrypted
148 | data
149 |
150 | ### Deleting files / tokens
151 |
152 | Uploaded files and tokens can be deleted with DELETE HTTP method (requires
153 | valid key)
154 |
155 | Files can be also deleted by specifying *?c=delete* URL ending (requires URL
156 | knowledge only)
157 |
158 | ## Security
159 |
160 | A shared file URL looks like:
161 |
162 | ```
163 | http://YOURDOMAIN/d///
164 | ```
165 |
166 | ID is used to locate file in the storage database. The database stores files
167 | encrypted, so the server can't decrypt a requested file without the complete
168 | generated URL.
169 |
170 | If the URL is lost, file decryption becomes impossible.
171 |
172 | ### Previews
173 |
174 | When sharing links with messengers, they may fetch content for preview, which's
175 | insecure and may destroy one-shot links. The following messenger user agents
176 | are banned automatically:
177 |
178 | * WhatsApp
179 | * Viber
180 | * Telegram
181 | * Facebook Messenger
182 | * Skype
183 |
184 | The list is located in secureshare/server.py BANNED_AGENTS variable (send me a
185 | pull request to extend).
186 |
187 | ## WebUI
188 |
189 | Maybe later.
190 |
191 | ## Size limits
192 |
193 | SecureShare is created to securely share small files < 100MB. Sharing larger
194 | files isn't recommended, as it may produce DB / encryption overheads.
195 |
--------------------------------------------------------------------------------
/TODO.todo:
--------------------------------------------------------------------------------
1 | - [ ] API keys + management API
2 | - [ ] object ownership + log data
3 | - [ ] client share m/h/d
4 |
--------------------------------------------------------------------------------
/bin/secureshare-control:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python3
2 |
3 | __version__ = '0.0.22'
4 |
5 | product_build = 'alpha'
6 |
7 | from pathlib import Path
8 | from pyaltt2.app import manage_gunicorn_app
9 |
10 | dir_me = Path(__file__).absolute().parents[1]
11 |
12 | manage_gunicorn_app('secureshare',
13 | dir_me,
14 | version=__version__,
15 | build=product_build,
16 | default_port=8008,
17 | api_uri='/')
18 |
--------------------------------------------------------------------------------
/etc/secureshare-dist.yml:
--------------------------------------------------------------------------------
1 | secureshare:
2 | db: postgresql://user:pass@host/secureshare
3 | # url: http://externaldomain
4 | db-clean-interval: 60
5 | upload-key: mykey
6 | default-expires: 604800
7 | default-token-expires: 600
8 | gunicorn:
9 | #path: gunicorn
10 | listen: 0.0.0.0:8008
11 | start-failed-after: 5
12 | force-stop-after: 10
13 | launch-debug: true
14 | extra-options: -w 2 --log-level INFO
15 |
--------------------------------------------------------------------------------
/media/demo.gif:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/alttch/secureshare/424436412ec658b7d07adac43564ad5baaf50475/media/demo.gif
--------------------------------------------------------------------------------
/secureshare-supervisord.conf:
--------------------------------------------------------------------------------
1 | [program:secureshare]
2 | command=/opt/venv/bin/secureshare-control launch
3 | autorestart=true
4 | autostart=true
5 | priority=100
6 | redirect_stderr=true
7 | stdout_logfile=/dev/fd/1
8 | stdout_logfile_maxbytes=0
9 | environment=SECURESHARE_CONFIG=/config/secureshare.yml
10 |
--------------------------------------------------------------------------------
/secureshare/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/alttch/secureshare/424436412ec658b7d07adac43564ad5baaf50475/secureshare/__init__.py
--------------------------------------------------------------------------------
/secureshare/resources/sql/stor.add.sql:
--------------------------------------------------------------------------------
1 | INSERT INTO stor(id, fname, sha256sum, mimetype, d, expires, oneshot, data)
2 | VALUES (:id, :fname, :sha256sum, :mimetype, :d, :expires, :oneshot, :data)
3 |
--------------------------------------------------------------------------------
/secureshare/resources/sql/stor.delete.expired.sql:
--------------------------------------------------------------------------------
1 | DELETE
2 | FROM stor
3 | WHERE expires <= :d
4 |
--------------------------------------------------------------------------------
/secureshare/resources/sql/stor.delete.sql:
--------------------------------------------------------------------------------
1 | DELETE FROM stor
2 | WHERE id=:id
3 |
--------------------------------------------------------------------------------
/secureshare/resources/sql/stor.expire.sql:
--------------------------------------------------------------------------------
1 | UPDATE stor
2 | SET expires='1970-01-01 00:00:00'
3 | WHERE id=:id
4 |
--------------------------------------------------------------------------------
/secureshare/resources/sql/stor.get.sql:
--------------------------------------------------------------------------------
1 | SELECT mimetype,
2 | oneshot,
3 | sha256sum,
4 | data
5 | FROM stor
6 | WHERE id=:id
7 | AND fname=:fname
8 | AND expires>:d
9 |
--------------------------------------------------------------------------------
/secureshare/resources/sql/token.add.sql:
--------------------------------------------------------------------------------
1 | INSERT INTO tokens(id, d, expires)
2 | VALUES (:id, :d, :expires)
3 |
--------------------------------------------------------------------------------
/secureshare/resources/sql/token.delete.expired.sql:
--------------------------------------------------------------------------------
1 | DELETE
2 | FROM tokens
3 | WHERE expires <= :d
4 |
--------------------------------------------------------------------------------
/secureshare/resources/sql/token.delete.sql:
--------------------------------------------------------------------------------
1 | DELETE FROM tokens
2 | WHERE id=:id
3 |
--------------------------------------------------------------------------------
/secureshare/resources/sql/token.get.sql:
--------------------------------------------------------------------------------
1 | SELECT id, d, expires FROM tokens WHERE id=:id AND expires>:d
2 |
--------------------------------------------------------------------------------
/secureshare/server.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python3
2 |
3 | import os
4 | import threading
5 | import logging
6 | import time
7 | import traceback
8 | import mimetypes
9 | from hashlib import sha256
10 | from pathlib import Path
11 | from functools import partial, wraps
12 |
13 | from flask import Flask, make_response, request, jsonify, abort
14 | from sqlalchemy import (MetaData, Table, Column, CHAR, VARCHAR, DateTime,
15 | LargeBinary, BOOLEAN)
16 | from pyaltt2.config import load_yaml, config_value
17 | from pyaltt2.db import Database
18 | from pyaltt2.res import ResourceStorage
19 | from pyaltt2.converters import val_to_boolean
20 | from datetime import datetime, timedelta
21 | import pyaltt2.crypto as cr
22 | import pytz
23 |
24 | logger = logging.getLogger('gunicorn.error')
25 |
26 | dir_me = Path(__file__).absolute().parents[1]
27 |
28 | rs = ResourceStorage(mod='secureshare')
29 | rq = partial(rs.get, resource_subdir='sql', ext='sql')
30 |
31 | app = Flask(__name__)
32 |
33 | config = load_yaml(os.getenv('SECURESHARE_CONFIG'))['secureshare']
34 |
35 | UPLOAD_KEY = config['upload-key']
36 |
37 | db = Database(config['db'], rq_func=rq)
38 |
39 | EXTERNAL_URL = config.get('url', '')
40 |
41 | # list of banned user agents to block link preview fetch (startswith, lowercase)
42 | BANNED_AGENTS = ['telegrambot', 'whatsapp', 'viber', 'facebookexternalhit']
43 | BANNED_AGENTS_CONTAINS = ['skypeuripreview']
44 |
45 |
46 | def ok(data=None):
47 | result = {'ok': True}
48 | if data:
49 | result.update(data)
50 | return jsonify(result)
51 |
52 |
53 | def ok_empty():
54 | return make_response('', 204)
55 |
56 |
57 | @app.route('/', methods=['GET'])
58 | def index():
59 | return ';)'
60 |
61 |
62 | @app.route('/robots.txt', methods=['GET'])
63 | def robots_txt():
64 | return """User-agent: *
65 | Disallow: /
66 | """
67 |
68 |
69 | @app.route('/ping', methods=['GET'])
70 | def ping():
71 | db.connect()
72 | return make_response('', 204)
73 |
74 |
75 | def check_token(token):
76 | try:
77 | db.qlookup('token.get', id=token, d=datetime.now())
78 | return True
79 | except LookupError:
80 | return False
81 |
82 |
83 | def auth(f):
84 |
85 | @wraps(f)
86 | def do(*args, **kwargs):
87 | key = request.headers.get('x-auth-key')
88 | if key != UPLOAD_KEY and not check_token(key):
89 | return make_response('Invalid upload key', 403)
90 | result = f(*args, **kwargs)
91 | if key is not None and key.startswith('token:'):
92 | db.query('token.delete', id=key)
93 | return result
94 |
95 | return do
96 |
97 |
98 | @app.route('/api/v1/token', methods=['POST'])
99 | @auth
100 | def create_token():
101 | token = f'token:{cr.gen_random_str(32)}'
102 | d_now = datetime.now()
103 | esecs = int(request.form.get('expires', config['default-token-expires']))
104 | expires = (d_now + timedelta(seconds=esecs)).replace(
105 | tzinfo=pytz.timezone(time.tzname[0]))
106 | db.query('token.add', id=token, d=d_now, expires=expires)
107 | location = (f'{EXTERNAL_URL}/api/v1/token/{token}')
108 | response = make_response(dict(token=token, url=location), 201)
109 | response.headers['Cache-Control'] = ('no-cache, no-store, must-revalidate,'
110 | ' post-check=0, pre-check=0')
111 | response.headers['Pragma'] = 'no-cache'
112 | response.headers['Expires'] = expires.isoformat() + 'Z'
113 | response.headers['Location'] = location
114 | if EXTERNAL_URL:
115 | response.autocorrect_location_header = False
116 | return response
117 |
118 |
119 | @app.route('/api/v1/token/', methods=['DELETE'])
120 | @auth
121 | def delete_token(token):
122 | if db.query('token.delete', id=token).rowcount < 1:
123 | abort(404)
124 | else:
125 | return ok_empty()
126 |
127 |
128 | @app.route('/u', methods=['POST'])
129 | @auth
130 | def upload():
131 | f = request.files.get('file', request.form.get('file'))
132 | if f is None:
133 | return make_response('File not uploaded', 403)
134 | filename = request.form.get('fname', f.filename)
135 | if filename is None:
136 | return make_response('File name not specified', 403)
137 | esecs = int(request.form.get('expires', config['default-expires']))
138 | d_now = datetime.now()
139 | expires = (d_now + timedelta(seconds=esecs)).replace(
140 | tzinfo=pytz.timezone(time.tzname[0]))
141 | data = f.stream.read()
142 | sha256sum_gen = sha256()
143 | sha256sum_gen.update(data)
144 | sha256sum = sha256sum_gen.hexdigest()
145 | received_sha256sum = request.form.get('sha256sum')
146 | if received_sha256sum and received_sha256sum != sha256sum:
147 | return make_response('Checksum does not match', 422)
148 | file_id = cr.gen_random_str(16)
149 | filename = os.path.basename(filename)
150 | oneshot = val_to_boolean(request.form.get('oneshot', False))
151 | store_as_raw = val_to_boolean(request.form.get('raw', False))
152 | if store_as_raw:
153 | contents = data
154 | file_key = '-'
155 | else:
156 | file_key = cr.gen_random_str(16)
157 | engine = cr.Rioja(file_key, bits=256)
158 | contents = engine.encrypt(data, b64=False)
159 | location = (f'{EXTERNAL_URL}/d/{file_id}/' f'{file_key}/{filename}')
160 | response = make_response(dict(url=location), 201)
161 | response.headers['Location'] = location
162 | if EXTERNAL_URL:
163 | response.autocorrect_location_header = False
164 | response.headers['Cache-Control'] = ('no-cache, no-store, must-revalidate,'
165 | ' post-check=0, pre-check=0')
166 | response.headers['Pragma'] = 'no-cache'
167 | response.headers['Expires'] = expires.isoformat() + 'Z'
168 | mimetype = mimetypes.guess_type(filename)[0]
169 | if mimetype is None:
170 | mimetype = 'application/octet-stream'
171 | if mimetype == 'application/octet-stream':
172 | try:
173 | data.decode()
174 | mimetype = 'text/plain'
175 | except:
176 | pass
177 | db.query('stor.add',
178 | id=file_id,
179 | fname=filename,
180 | sha256sum=sha256sum,
181 | mimetype=mimetype,
182 | d=d_now,
183 | expires=expires,
184 | oneshot=oneshot,
185 | data=contents)
186 | return response
187 |
188 |
189 | @app.route('/d///', methods=['DELETE'])
190 | @auth
191 | def delete_upload(file_id, file_key, file_name):
192 | if db.query('stor.delete', id=file_id).rowcount < 1:
193 | abort(404)
194 | else:
195 | return ok_empty()
196 |
197 |
198 | @app.route('/d///', methods=['GET'])
199 | def download(file_id, file_key, file_name):
200 | ua = request.headers.get('User-Agent', '').lower()
201 | for banned_ua in BANNED_AGENTS:
202 | if ua.startswith(banned_ua):
203 | return ''
204 | for banned_ua in BANNED_AGENTS_CONTAINS:
205 | if banned_ua in ua:
206 | return ''
207 | delete = request.args.get('c') == 'delete'
208 | try:
209 | f = db.qlookup('stor.get',
210 | id=file_id,
211 | fname=file_name,
212 | d=datetime.now())
213 | except LookupError:
214 | abort(404)
215 | data = f['data']
216 | try:
217 | data = data.tobytes()
218 | except:
219 | pass
220 | if file_key == '-':
221 | contents = data
222 | else:
223 | try:
224 | engine = cr.Rioja(file_key, bits=256)
225 | contents = engine.decrypt(data, b64=False)
226 | except ValueError:
227 | abort(403)
228 | if delete or f['oneshot']:
229 | db.query('stor.delete', id=file_id)
230 | if delete:
231 | return ok()
232 | response = make_response(contents)
233 | ct = f['mimetype']
234 | if ct.startswith('text/'):
235 | ct += '; charset=utf-8'
236 | response.headers['Content-Type'] = ct
237 | response.headers['x-hash-sha256'] = f['sha256sum']
238 | if val_to_boolean(request.args.get('raw')):
239 | response.headers[
240 | 'Content-Disposition'] = f'attachment;filename={file_name}'
241 | return response
242 |
243 |
244 | def clean_db():
245 | while True:
246 | logger.debug('cleaner worker running')
247 | try:
248 | db.query('stor.delete.expired', d=datetime.now())
249 | db.query('token.delete.expired', d=datetime.now())
250 | except:
251 | logger.error(traceback.format_exc())
252 | time.sleep(config.get('db-clean-interval', 60))
253 |
254 |
255 | dbconn = db.connect()
256 |
257 | if 'mysql' in db.db.name:
258 | from sqlalchemy.dialects.mysql import DATETIME, LONGBLOB
259 | DateTime = partial(DATETIME, fsp=6)
260 | LargeBinary = LONGBLOB
261 |
262 | meta = MetaData()
263 | stor = Table('stor',
264 | meta,
265 | Column('id', CHAR(16), primary_key=True),
266 | Column('fname', VARCHAR(255), nullable=False),
267 | Column('sha256sum', CHAR(64), nullable=False),
268 | Column('mimetype', VARCHAR(255), nullable=False),
269 | Column('d', DateTime(timezone=True), nullable=False),
270 | Column('expires', DateTime(timezone=True), nullable=False),
271 | Column('oneshot', BOOLEAN, nullable=False, server_default='0'),
272 | Column('data', LargeBinary, nullable=False),
273 | mysql_engine='InnoDB',
274 | mysql_charset='utf8mb4')
275 | tokens = Table('tokens',
276 | meta,
277 | Column('id', CHAR(38), primary_key=True),
278 | Column('d', DateTime(timezone=True), nullable=False),
279 | Column('expires', DateTime(timezone=True), nullable=False),
280 | mysql_engine='InnoDB',
281 | mysql_charset='utf8mb4')
282 |
283 | meta.create_all(dbconn)
284 |
285 | dbconn.close()
286 |
287 | threading.Thread(target=clean_db, daemon=True).start()
288 |
--------------------------------------------------------------------------------
/setup.py:
--------------------------------------------------------------------------------
1 | __version__ = '0.0.22'
2 |
3 | import setuptools
4 |
5 | with open('README.md', 'r') as fh:
6 | long_description = fh.read()
7 |
8 | setuptools.setup(name='secureshare',
9 | version=__version__,
10 | author='Altertech',
11 | author_email='pr@altertech.com',
12 | description='Secure share',
13 | long_description=long_description,
14 | long_description_content_type='text/markdown',
15 | url='https://github.com/alttch/secureshare',
16 | packages=setuptools.find_packages(),
17 | include_package_data=True,
18 | license='Apache License 2.0',
19 | install_requires=[
20 | 'requests', 'pyyaml', 'sqlalchemy', 'pyaltt2>=0.0.97',
21 | 'flask', 'psycopg2', 'pytz', 'pycrypto'
22 | ],
23 | classifiers=(
24 | 'Programming Language :: Python :: 3',
25 | 'License :: OSI Approved :: Apache Software License',
26 | 'Topic :: Communications',
27 | ),
28 | scripts=['bin/secureshare-control'])
29 |
--------------------------------------------------------------------------------