Compare commits
5 Commits
fix/20-spl
...
fix/remove
| Author | SHA1 | Date | |
|---|---|---|---|
|
55bb620de0 | ||
|
|
215ddb7f72 | ||
|
|
27739da046 | ||
| 2e934c8894 | |||
| 2f15340f26 |
25
Dockerfile
25
Dockerfile
@@ -1,32 +1,31 @@
|
||||
# Lint stage — fast feedback on formatting and lint issues
|
||||
# golangci/golangci-lint:v2.10.1, 2026-03-01
|
||||
FROM golangci/golangci-lint@sha256:ea84d14c2fef724411be7dc45e09e6ef721d748315252b02df19a7e3113ee763 AS lint
|
||||
# Lint stage
|
||||
# golangci/golangci-lint:v2.10.1-alpine, 2026-02-17
|
||||
FROM golangci/golangci-lint:v2.10.1-alpine@sha256:33bc6b6156d4c7da87175f187090019769903d04dd408833b83083ed214b0ddf AS lint
|
||||
|
||||
# Install CGO dependencies needed for static analysis of vips/libheif code
|
||||
RUN apt-get update && apt-get install -y --no-install-recommends \
|
||||
libvips-dev \
|
||||
libheif-dev \
|
||||
pkg-config \
|
||||
&& rm -rf /var/lib/apt/lists/*
|
||||
RUN apk add --no-cache make build-base vips-dev libheif-dev pkgconfig
|
||||
|
||||
WORKDIR /src
|
||||
|
||||
# Copy go mod files first for better layer caching
|
||||
COPY go.mod go.sum ./
|
||||
RUN go mod download
|
||||
|
||||
# Copy source code
|
||||
COPY . .
|
||||
|
||||
# Run formatting check and linter
|
||||
RUN make fmt-check
|
||||
RUN make lint
|
||||
|
||||
# Build stage — tests and compilation
|
||||
# Build stage
|
||||
# golang:1.25.4-alpine, 2026-02-25
|
||||
FROM golang:1.25.4-alpine@sha256:d3f0cf7723f3429e3f9ed846243970b20a2de7bae6a5b66fc5914e228d831bbb AS builder
|
||||
|
||||
ARG VERSION=dev
|
||||
|
||||
# Force BuildKit to run the lint stage by creating a stage dependency
|
||||
# Depend on lint stage passing
|
||||
COPY --from=lint /src/go.sum /dev/null
|
||||
|
||||
ARG VERSION=dev
|
||||
|
||||
# Install build dependencies for CGO image libraries
|
||||
RUN apk add --no-cache \
|
||||
build-base \
|
||||
|
||||
@@ -98,9 +98,7 @@ expiration 1704067200:
|
||||
|
||||
**Whitelist patterns:**
|
||||
|
||||
- **Exact match**: `cdn.example.com` — matches only that host
|
||||
- **Suffix match**: `.example.com` — matches `cdn.example.com`,
|
||||
`images.example.com`, and `example.com`
|
||||
- **Exact match only**: `cdn.example.com` — matches only that host
|
||||
|
||||
### Configuration
|
||||
|
||||
|
||||
2
TODO.md
2
TODO.md
@@ -6,7 +6,7 @@ Remaining tasks sorted by priority for a working 1.0 release.
|
||||
|
||||
### Image Processing
|
||||
- [x] Add WebP encoding support (currently returns error)
|
||||
- [ ] Add AVIF encoding support (currently returns error)
|
||||
- [x] Add AVIF encoding support (implemented via govips)
|
||||
|
||||
### Manual Testing (verify auth/encrypted URLs work)
|
||||
- [ ] Manual test: visit `/`, see login form
|
||||
|
||||
@@ -13,8 +13,7 @@ state_dir: ./data
|
||||
# Generate with: openssl rand -base64 32
|
||||
signing_key: "CHANGE_ME_generate_with_openssl_rand_base64_32"
|
||||
|
||||
# Hosts that don't require signatures
|
||||
# Use "." prefix for wildcard subdomain matching (e.g., ".example.com" matches "cdn.example.com")
|
||||
# Hosts that don't require signatures (exact match only)
|
||||
whitelist_hosts:
|
||||
- s3.sneak.cloud
|
||||
- static.sneak.cloud
|
||||
|
||||
@@ -6,22 +6,19 @@ import (
|
||||
)
|
||||
|
||||
// HostWhitelist implements the Whitelist interface for checking allowed source hosts.
|
||||
// Only exact host matches are supported. Leading dots in patterns are stripped
|
||||
// (e.g. ".example.com" becomes an exact match for "example.com").
|
||||
type HostWhitelist struct {
|
||||
// exactHosts contains hosts that must match exactly (e.g., "cdn.example.com")
|
||||
exactHosts map[string]struct{}
|
||||
// suffixHosts contains domain suffixes to match (e.g., ".example.com" matches "cdn.example.com")
|
||||
suffixHosts []string
|
||||
// hosts contains hosts that must match exactly (e.g., "cdn.example.com")
|
||||
hosts map[string]struct{}
|
||||
}
|
||||
|
||||
// NewHostWhitelist creates a whitelist from a list of host patterns.
|
||||
// Patterns starting with "." are treated as suffix matches.
|
||||
// Examples:
|
||||
// - "cdn.example.com" - exact match only
|
||||
// - ".example.com" - matches cdn.example.com, images.example.com, etc.
|
||||
// All patterns are treated as exact matches. Leading dots are stripped
|
||||
// for backwards compatibility (e.g. ".example.com" matches "example.com" only).
|
||||
func NewHostWhitelist(patterns []string) *HostWhitelist {
|
||||
w := &HostWhitelist{
|
||||
exactHosts: make(map[string]struct{}),
|
||||
suffixHosts: make([]string, 0),
|
||||
hosts: make(map[string]struct{}),
|
||||
}
|
||||
|
||||
for _, pattern := range patterns {
|
||||
@@ -30,17 +27,22 @@ func NewHostWhitelist(patterns []string) *HostWhitelist {
|
||||
continue
|
||||
}
|
||||
|
||||
if strings.HasPrefix(pattern, ".") {
|
||||
w.suffixHosts = append(w.suffixHosts, pattern)
|
||||
} else {
|
||||
w.exactHosts[pattern] = struct{}{}
|
||||
// Strip leading dot — suffix matching is not supported.
|
||||
// ".example.com" is treated as exact match for "example.com".
|
||||
pattern = strings.TrimPrefix(pattern, ".")
|
||||
|
||||
if pattern == "" {
|
||||
continue
|
||||
}
|
||||
|
||||
w.hosts[pattern] = struct{}{}
|
||||
}
|
||||
|
||||
return w
|
||||
}
|
||||
|
||||
// IsWhitelisted checks if a URL's host is in the whitelist.
|
||||
// Only exact host matches are supported.
|
||||
func (w *HostWhitelist) IsWhitelisted(u *url.URL) bool {
|
||||
if u == nil {
|
||||
return false
|
||||
@@ -51,32 +53,17 @@ func (w *HostWhitelist) IsWhitelisted(u *url.URL) bool {
|
||||
return false
|
||||
}
|
||||
|
||||
// Check exact match
|
||||
if _, ok := w.exactHosts[host]; ok {
|
||||
return true
|
||||
}
|
||||
_, ok := w.hosts[host]
|
||||
|
||||
// Check suffix match
|
||||
for _, suffix := range w.suffixHosts {
|
||||
if strings.HasSuffix(host, suffix) {
|
||||
return true
|
||||
}
|
||||
// Also match if host equals the suffix without the leading dot
|
||||
// e.g., pattern ".example.com" should match "example.com"
|
||||
if host == strings.TrimPrefix(suffix, ".") {
|
||||
return true
|
||||
}
|
||||
}
|
||||
|
||||
return false
|
||||
return ok
|
||||
}
|
||||
|
||||
// IsEmpty returns true if the whitelist has no entries.
|
||||
func (w *HostWhitelist) IsEmpty() bool {
|
||||
return len(w.exactHosts) == 0 && len(w.suffixHosts) == 0
|
||||
return len(w.hosts) == 0
|
||||
}
|
||||
|
||||
// Count returns the total number of whitelist entries.
|
||||
func (w *HostWhitelist) Count() int {
|
||||
return len(w.exactHosts) + len(w.suffixHosts)
|
||||
return len(w.hosts)
|
||||
}
|
||||
|
||||
@@ -31,41 +31,47 @@ func TestHostWhitelist_IsWhitelisted(t *testing.T) {
|
||||
want: false,
|
||||
},
|
||||
{
|
||||
name: "suffix match",
|
||||
name: "dot prefix does not enable suffix matching",
|
||||
patterns: []string{".example.com"},
|
||||
testURL: "https://cdn.example.com/image.jpg",
|
||||
want: true,
|
||||
want: false,
|
||||
},
|
||||
{
|
||||
name: "suffix match deep subdomain",
|
||||
name: "dot prefix does not match deep subdomain",
|
||||
patterns: []string{".example.com"},
|
||||
testURL: "https://cdn.images.example.com/image.jpg",
|
||||
want: true,
|
||||
want: false,
|
||||
},
|
||||
{
|
||||
name: "suffix match apex domain",
|
||||
name: "dot prefix stripped matches apex domain exactly",
|
||||
patterns: []string{".example.com"},
|
||||
testURL: "https://example.com/image.jpg",
|
||||
want: true,
|
||||
},
|
||||
{
|
||||
name: "suffix match not found",
|
||||
name: "dot prefix does not match unrelated domain",
|
||||
patterns: []string{".example.com"},
|
||||
testURL: "https://notexample.com/image.jpg",
|
||||
want: false,
|
||||
},
|
||||
{
|
||||
name: "suffix match partial not allowed",
|
||||
name: "dot prefix does not match partial domain",
|
||||
patterns: []string{".example.com"},
|
||||
testURL: "https://fakeexample.com/image.jpg",
|
||||
want: false,
|
||||
},
|
||||
{
|
||||
name: "multiple patterns",
|
||||
patterns: []string{"cdn.example.com", ".images.org", "static.test.net"},
|
||||
name: "multiple patterns exact only",
|
||||
patterns: []string{"cdn.example.com", "photos.images.org", "static.test.net"},
|
||||
testURL: "https://photos.images.org/image.jpg",
|
||||
want: true,
|
||||
},
|
||||
{
|
||||
name: "multiple patterns no suffix match",
|
||||
patterns: []string{"cdn.example.com", ".images.org", "static.test.net"},
|
||||
testURL: "https://photos.images.org/image.jpg",
|
||||
want: false,
|
||||
},
|
||||
{
|
||||
name: "empty whitelist",
|
||||
patterns: []string{},
|
||||
@@ -90,6 +96,12 @@ func TestHostWhitelist_IsWhitelisted(t *testing.T) {
|
||||
testURL: "https://cdn.example.com/image.jpg",
|
||||
want: true,
|
||||
},
|
||||
{
|
||||
name: "whitespace dot prefix stripped matches exactly",
|
||||
patterns: []string{" .other.com "},
|
||||
testURL: "https://other.com/image.jpg",
|
||||
want: true,
|
||||
},
|
||||
}
|
||||
|
||||
for _, tt := range tests {
|
||||
@@ -139,6 +151,11 @@ func TestHostWhitelist_IsEmpty(t *testing.T) {
|
||||
patterns: []string{"example.com"},
|
||||
want: false,
|
||||
},
|
||||
{
|
||||
name: "dot prefix entry still counts",
|
||||
patterns: []string{".example.com"},
|
||||
want: false,
|
||||
},
|
||||
}
|
||||
|
||||
for _, tt := range tests {
|
||||
@@ -168,7 +185,7 @@ func TestHostWhitelist_Count(t *testing.T) {
|
||||
want: 3,
|
||||
},
|
||||
{
|
||||
name: "suffix hosts only",
|
||||
name: "dot prefix hosts treated as exact",
|
||||
patterns: []string{".a.com", ".b.com"},
|
||||
want: 2,
|
||||
},
|
||||
@@ -177,6 +194,11 @@ func TestHostWhitelist_Count(t *testing.T) {
|
||||
patterns: []string{"exact.com", ".suffix.com"},
|
||||
want: 2,
|
||||
},
|
||||
{
|
||||
name: "dot prefix deduplicates with exact",
|
||||
patterns: []string{"example.com", ".example.com"},
|
||||
want: 1,
|
||||
},
|
||||
}
|
||||
|
||||
for _, tt := range tests {
|
||||
|
||||
@@ -48,7 +48,7 @@ fi
|
||||
|
||||
# Test 3: Wrong password shows error
|
||||
echo "--- Test 3: Login with wrong password ---"
|
||||
WRONG_LOGIN=$(curl -sf -X POST "$BASE_URL/" -d "password=wrong-key" -c "$COOKIE_JAR")
|
||||
WRONG_LOGIN=$(curl -sf -X POST "$BASE_URL/" -d "key=wrong-key" -c "$COOKIE_JAR")
|
||||
if echo "$WRONG_LOGIN" | grep -qi "invalid\|error\|incorrect\|wrong"; then
|
||||
pass "Wrong password shows error message"
|
||||
else
|
||||
@@ -57,7 +57,7 @@ fi
|
||||
|
||||
# Test 4: Correct password redirects to generator
|
||||
echo "--- Test 4: Login with correct signing key ---"
|
||||
curl -sf -X POST "$BASE_URL/" -d "password=$SIGNING_KEY" -c "$COOKIE_JAR" -b "$COOKIE_JAR" -L -o /dev/null
|
||||
curl -sf -X POST "$BASE_URL/" -d "key=$SIGNING_KEY" -c "$COOKIE_JAR" -b "$COOKIE_JAR" -L -o /dev/null
|
||||
GENERATOR_PAGE=$(curl -sf "$BASE_URL/" -b "$COOKIE_JAR")
|
||||
if echo "$GENERATOR_PAGE" | grep -qi "generate\|url\|source\|logout"; then
|
||||
pass "Correct password shows generator page"
|
||||
@@ -68,12 +68,12 @@ fi
|
||||
# Test 5: Generate encrypted URL
|
||||
echo "--- Test 5: Generate encrypted URL ---"
|
||||
GEN_RESULT=$(curl -sf -X POST "$BASE_URL/generate" -b "$COOKIE_JAR" \
|
||||
-d "source_url=$TEST_IMAGE_URL" \
|
||||
-d "url=$TEST_IMAGE_URL" \
|
||||
-d "width=800" \
|
||||
-d "height=600" \
|
||||
-d "format=jpeg" \
|
||||
-d "quality=85" \
|
||||
-d "fit_mode=cover" \
|
||||
-d "fit=cover" \
|
||||
-d "ttl=3600")
|
||||
if echo "$GEN_RESULT" | grep -q "/v1/e/"; then
|
||||
pass "Encrypted URL generated"
|
||||
@@ -121,10 +121,10 @@ fi
|
||||
# Test 9: Generate short-TTL URL and verify expiration
|
||||
echo "--- Test 9: Expired URL returns 410 ---"
|
||||
# Login again
|
||||
curl -sf -X POST "$BASE_URL/" -d "password=$SIGNING_KEY" -c "$COOKIE_JAR" -b "$COOKIE_JAR" -L -o /dev/null
|
||||
curl -sf -X POST "$BASE_URL/" -d "key=$SIGNING_KEY" -c "$COOKIE_JAR" -b "$COOKIE_JAR" -L -o /dev/null
|
||||
# Generate URL with 1 second TTL
|
||||
GEN_RESULT=$(curl -sf -X POST "$BASE_URL/generate" -b "$COOKIE_JAR" \
|
||||
-d "source_url=$TEST_IMAGE_URL" \
|
||||
-d "url=$TEST_IMAGE_URL" \
|
||||
-d "width=100" \
|
||||
-d "height=100" \
|
||||
-d "format=jpeg" \
|
||||
|
||||
Reference in New Issue
Block a user