Context Navigation

source: code/trunk/morty.go@ 59

Last change on this file since 59 was 59, checked in by asciimoo, 9 years ago

Merge pull request #40 from asciimoo/firefox-ua

[fix] Firefox user agent instead of Chrome

File size: 19.8 KB

Rev	Line
[1]	1	package main
	2
	3	import (
	4	"bytes"
	5	"crypto/hmac"
	6	"crypto/sha256"
	7	"encoding/hex"
	8	"errors"
	9	"flag"
	10	"fmt"
	11	"io"
	12	"log"
	13	"net/url"
	14	"regexp"
	15	"strings"
[4]	16	"time"
[1]	17
	18	"github.com/valyala/fasthttp"
	19	"golang.org/x/net/html"
[45]	20	"golang.org/x/net/html/charset"
	21	"golang.org/x/text/encoding"
[1]	22	)
	23
	24	const (
	25	STATE_DEFAULT int = 0
	26	STATE_IN_STYLE int = 1
	27	STATE_IN_NOSCRIPT int = 2
	28	)
	29
	30	var CLIENT *fasthttp.Client = &fasthttp.Client{
	31	MaxResponseBodySize: 10 * 1024 * 1024, // 10M
	32	}
	33
[27]	34	var CSS_URL_REGEXP regexp.Regexp = regexp.MustCompile("url\\((['\"]?)[ \\t\\f]([\u0009\u0021\u0023-\u0026\u0028\u002a-\u007E]+)(['\"]?)\\)?")
[1]	35
	36	var UNSAFE_ELEMENTS [][]byte = [][]byte{
	37	[]byte("applet"),
	38	[]byte("canvas"),
	39	[]byte("embed"),
	40	//[]byte("iframe"),
[46]	41	[]byte("math"),
[1]	42	[]byte("script"),
[46]	43	[]byte("svg"),
[1]	44	}
	45
	46	var SAFE_ATTRIBUTES [][]byte = [][]byte{
	47	[]byte("abbr"),
	48	[]byte("accesskey"),
	49	[]byte("align"),
	50	[]byte("alt"),
[13]	51	[]byte("as"),
[1]	52	[]byte("autocomplete"),
	53	[]byte("charset"),
	54	[]byte("checked"),
	55	[]byte("class"),
	56	[]byte("content"),
	57	[]byte("contenteditable"),
	58	[]byte("contextmenu"),
	59	[]byte("dir"),
	60	[]byte("for"),
	61	[]byte("height"),
	62	[]byte("hidden"),
[46]	63	[]byte("hreflang"),
[1]	64	[]byte("id"),
	65	[]byte("lang"),
	66	[]byte("media"),
	67	[]byte("method"),
	68	[]byte("name"),
	69	[]byte("nowrap"),
	70	[]byte("placeholder"),
	71	[]byte("property"),
	72	[]byte("rel"),
	73	[]byte("spellcheck"),
	74	[]byte("tabindex"),
	75	[]byte("target"),
	76	[]byte("title"),
	77	[]byte("translate"),
	78	[]byte("type"),
	79	[]byte("value"),
	80	[]byte("width"),
	81	}
	82
	83	var SELF_CLOSING_ELEMENTS [][]byte = [][]byte{
	84	[]byte("area"),
	85	[]byte("base"),
	86	[]byte("br"),
	87	[]byte("col"),
	88	[]byte("embed"),
	89	[]byte("hr"),
	90	[]byte("img"),
	91	[]byte("input"),
	92	[]byte("keygen"),
	93	[]byte("link"),
	94	[]byte("meta"),
	95	[]byte("param"),
	96	[]byte("source"),
	97	[]byte("track"),
	98	[]byte("wbr"),
	99	}
	100
[46]	101	var LINK_REL_SAFE_VALUES [][]byte = [][]byte{
	102	[]byte("alternate"),
	103	[]byte("archives"),
	104	[]byte("author"),
	105	[]byte("copyright"),
	106	[]byte("first"),
	107	[]byte("help"),
	108	[]byte("icon"),
	109	[]byte("index"),
	110	[]byte("last"),
	111	[]byte("license"),
	112	[]byte("manifest"),
	113	[]byte("next"),
	114	[]byte("pingback"),
	115	[]byte("prev"),
	116	[]byte("publisher"),
	117	[]byte("search"),
	118	[]byte("shortcut icon"),
	119	[]byte("stylesheet"),
	120	[]byte("up"),
	121	}
	122
	123	var LINK_HTTP_EQUIV_SAFE_VALUES [][]byte = [][]byte{
	124	// X-UA-Compatible will be added automaticaly, so it can be skipped
	125	[]byte("date"),
	126	[]byte("last-modified"),
[50]	127	[]byte("refresh"), // URL rewrite
[46]	128	// []byte("location"), TODO URL rewrite
	129	[]byte("content-language"),
	130	}
	131
[1]	132	type Proxy struct {
[4]	133	Key []byte
	134	RequestTimeout time.Duration
[1]	135	}
	136
	137	type RequestConfig struct {
	138	Key []byte
[23]	139	BaseURL *url.URL
[1]	140	}
	141
[2]	142	var HTML_FORM_EXTENSION string = `<input type="hidden" name="mortyurl" value="%s" /><input type="hidden" name="mortyhash" value="%s" />`
[1]	143
	144	var HTML_BODY_EXTENSION string = `
	145	<div id="mortyheader">
	146	<input type="checkbox" id="mortytoggle" autocomplete="off" />
[36]	147	<div><p>This is a proxified and sanitized view of the page,<br />visit <a href="%s" rel="noreferrer">original site</a>.</p><p><label for="mortytoggle">hide</label></p></div>
[1]	148	</div>
	149	<style>
[36]	150	#mortyheader { position: fixed; padding: 12px 12px 12px 0; margin: 0; box-sizing: content-box; top: 15%%; left: 0; max-width: 140px; color: #444; overflow: hidden; z-index: 110000; font-size: 12px; line-height: normal; }
	151	#mortyheader a { color: #3498db; font-weight: bold; }
	152	#mortyheader p { padding: 0 0 0.7em 0; margin: 0; }
	153	#mortyheader > div { padding: 8px; font-size: 12px !important; font-family: sans !important; border-width: 4px 4px 4px 0; border-style: solid; border-color: #1abc9c; background: #FFF; line-height: 1em; }
[5]	154	#mortyheader label { text-align: right; cursor: pointer; display: block; color: #444; padding: 0; margin: 0; }
[1]	155	input[type=checkbox]#mortytoggle { display: none; }
	156	input[type=checkbox]#mortytoggle:checked ~ div { display: none; }
	157	</style>
	158	`
	159
[46]	160	var HTML_HEAD_CONTENT_TYPE string = `<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
	161	<meta http-equiv="X-UA-Compatible" content="IE=edge">
	162	`
[45]	163
[1]	164	func (p Proxy) RequestHandler(ctx fasthttp.RequestCtx) {
[10]	165
	166	if appRequestHandler(ctx) {
	167	return
	168	}
	169
[1]	170	requestHash := popRequestParam(ctx, []byte("mortyhash"))
	171
	172	requestURI := popRequestParam(ctx, []byte("mortyurl"))
	173
	174	if requestURI == nil {
[35]	175	p.serveMainPage(ctx, 200, nil)
[1]	176	return
	177	}
	178
	179	if p.Key != nil {
	180	if !verifyRequestURI(requestURI, requestHash, p.Key) {
[35]	181	// HTTP status code 403 : Forbidden
	182	p.serveMainPage(ctx, 403, errors.New(`invalid "mortyhash" parameter`))
[1]	183	return
	184	}
	185	}
	186
	187	parsedURI, err := url.Parse(string(requestURI))
	188
[18]	189	if strings.HasSuffix(parsedURI.Host, ".onion") {
[35]	190	// HTTP status code 501 : Not Implemented
	191	p.serveMainPage(ctx, 501, errors.New("Tor urls are not supported yet"))
[18]	192	return
	193	}
	194
[11]	195	if err != nil {
[35]	196	// HTTP status code 500 : Internal Server Error
	197	p.serveMainPage(ctx, 500, err)
[1]	198	return
	199	}
	200
	201	req := fasthttp.AcquireRequest()
	202	defer fasthttp.ReleaseRequest(req)
[12]	203	req.SetConnectionClose()
[1]	204
[47]	205	requestURIStr := string(requestURI)
[1]	206
[47]	207	log.Println("getting", requestURIStr)
[1]	208
[47]	209	req.SetRequestURI(requestURIStr)
[58]	210	req.Header.SetUserAgentBytes([]byte("Mozilla/5.0 (Windows NT 10.0; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0"))
[1]	211
	212	resp := fasthttp.AcquireResponse()
	213	defer fasthttp.ReleaseResponse(resp)
	214
	215	req.Header.SetMethodBytes(ctx.Method())
	216	if ctx.IsPost() \|\| ctx.IsPut() {
	217	req.SetBody(ctx.PostBody())
	218	}
	219
[11]	220	err = CLIENT.DoTimeout(req, resp, p.RequestTimeout)
	221
	222	if err != nil {
[35]	223	if err == fasthttp.ErrTimeout {
	224	// HTTP status code 504 : Gateway Time-Out
	225	p.serveMainPage(ctx, 504, err)
	226	} else {
	227	// HTTP status code 500 : Internal Server Error
	228	p.serveMainPage(ctx, 500, err)
	229	}
[1]	230	return
	231	}
	232
	233	if resp.StatusCode() != 200 {
	234	switch resp.StatusCode() {
[7]	235	case 301, 302, 303, 307, 308:
[1]	236	loc := resp.Header.Peek("Location")
	237	if loc != nil {
[23]	238	rc := &RequestConfig{Key: p.Key, BaseURL: parsedURI}
	239	url, err := rc.ProxifyURI(string(loc))
[1]	240	if err == nil {
	241	ctx.SetStatusCode(resp.StatusCode())
	242	ctx.Response.Header.Add("Location", url)
	243	log.Println("redirect to", string(loc))
	244	return
	245	}
	246	}
	247	}
[47]	248	error_message := fmt.Sprintf("invalid response: %d (%s)", resp.StatusCode(), requestURIStr)
[37]	249	p.serveMainPage(ctx, resp.StatusCode(), errors.New(error_message))
[1]	250	return
	251	}
	252
	253	contentType := resp.Header.Peek("Content-Type")
	254
	255	if contentType == nil {
[35]	256	// HTTP status code 503 : Service Unavailable
	257	p.serveMainPage(ctx, 503, errors.New("invalid content type"))
[1]	258	return
	259	}
	260
[17]	261	if bytes.Contains(bytes.ToLower(contentType), []byte("javascript")) {
[35]	262	// HTTP status code 403 : Forbidden
	263	p.serveMainPage(ctx, 403, errors.New("forbidden content type"))
[17]	264	return
	265	}
	266
[1]	267	contentInfo := bytes.SplitN(contentType, []byte(";"), 2)
	268
	269	var responseBody []byte
	270
[45]	271	if len(contentInfo) == 2 && bytes.Contains(contentInfo[0], []byte("text")) {
	272	e, ename, _ := charset.DetermineEncoding(resp.Body(), string(contentType))
	273	if (e != encoding.Nop) && (!strings.EqualFold("utf-8", ename)) {
	274	responseBody, err = e.NewDecoder().Bytes(resp.Body())
	275	if err != nil {
	276	// HTTP status code 503 : Service Unavailable
	277	p.serveMainPage(ctx, 503, err)
	278	return
	279	}
	280	} else {
	281	responseBody = resp.Body()
[1]	282	}
	283	} else {
	284	responseBody = resp.Body()
	285	}
	286
[52]	287	if bytes.Contains(contentType, []byte("xhtml")) {
	288	ctx.SetContentType("text/html; charset=UTF-8")
	289	} else {
	290	ctx.SetContentType(fmt.Sprintf("%s; charset=UTF-8", contentInfo[0]))
	291	}
[1]	292
	293	switch {
	294	case bytes.Contains(contentType, []byte("css")):
[23]	295	sanitizeCSS(&RequestConfig{Key: p.Key, BaseURL: parsedURI}, ctx, responseBody)
[1]	296	case bytes.Contains(contentType, []byte("html")):
[23]	297	sanitizeHTML(&RequestConfig{Key: p.Key, BaseURL: parsedURI}, ctx, responseBody)
[1]	298	default:
[39]	299	if ctx.Request.Header.Peek("Content-Disposition") != nil {
	300	ctx.Response.Header.AddBytesV("Content-Disposition", ctx.Request.Header.Peek("Content-Disposition"))
	301	}
[1]	302	ctx.Write(responseBody)
	303	}
	304	}
	305
[10]	306	func appRequestHandler(ctx *fasthttp.RequestCtx) bool {
[11]	307	// serve robots.txt
[10]	308	if bytes.Equal(ctx.Path(), []byte("/robots.txt")) {
	309	ctx.SetContentType("text/plain")
	310	ctx.Write([]byte("User-Agent: *\nDisallow: /\n"))
	311	return true
	312	}
[11]	313
[10]	314	return false
	315	}
	316
[1]	317	func popRequestParam(ctx *fasthttp.RequestCtx, paramName []byte) []byte {
	318	param := ctx.QueryArgs().PeekBytes(paramName)
	319
	320	if param == nil {
	321	param = ctx.PostArgs().PeekBytes(paramName)
	322	if param != nil {
	323	ctx.PostArgs().DelBytes(paramName)
	324	}
	325	} else {
	326	ctx.QueryArgs().DelBytes(paramName)
	327	}
	328
	329	return param
	330	}
	331
[9]	332	func sanitizeCSS(rc *RequestConfig, out io.Writer, css []byte) {
[1]	333	// TODO
	334
	335	urlSlices := CSS_URL_REGEXP.FindAllSubmatchIndex(css, -1)
	336
	337	if urlSlices == nil {
[9]	338	out.Write(css)
[1]	339	return
	340	}
	341
	342	startIndex := 0
	343
	344	for _, s := range urlSlices {
[15]	345	urlStart := s[4]
	346	urlEnd := s[5]
[1]	347
[23]	348	if uri, err := rc.ProxifyURI(string(css[urlStart:urlEnd])); err == nil {
[9]	349	out.Write(css[startIndex:urlStart])
	350	out.Write([]byte(uri))
[1]	351	startIndex = urlEnd
	352	} else {
[36]	353	log.Println("cannot proxify css uri:", string(css[urlStart:urlEnd]))
[1]	354	}
	355	}
	356	if startIndex < len(css) {
[9]	357	out.Write(css[startIndex:len(css)])
[1]	358	}
	359	}
	360
[9]	361	func sanitizeHTML(rc *RequestConfig, out io.Writer, htmlDoc []byte) {
[1]	362	r := bytes.NewReader(htmlDoc)
	363	decoder := html.NewTokenizer(r)
	364	decoder.AllowCDATA(true)
	365
	366	unsafeElements := make([][]byte, 0, 8)
	367	state := STATE_DEFAULT
	368	for {
	369	token := decoder.Next()
	370	if token == html.ErrorToken {
	371	err := decoder.Err()
	372	if err != io.EOF {
	373	log.Println("failed to parse HTML:")
	374	}
	375	break
	376	}
	377
	378	if len(unsafeElements) == 0 {
	379
	380	switch token {
	381	case html.StartTagToken, html.SelfClosingTagToken:
	382	tag, hasAttrs := decoder.TagName()
	383	safe := !inArray(tag, UNSAFE_ELEMENTS)
	384	if !safe {
	385	if !inArray(tag, SELF_CLOSING_ELEMENTS) {
	386	var unsafeTag []byte = make([]byte, len(tag))
	387	copy(unsafeTag, tag)
	388	unsafeElements = append(unsafeElements, unsafeTag)
	389	}
	390	break
	391	}
[38]	392	if bytes.Equal(tag, []byte("base")) {
	393	for {
	394	attrName, attrValue, moreAttr := decoder.TagAttr()
[45]	395	if bytes.Equal(attrName, []byte("href")) {
	396	parsedURI, err := url.Parse(string(attrValue))
	397	if err == nil {
	398	rc.BaseURL = parsedURI
	399	}
[38]	400	}
	401	if !moreAttr {
	402	break
	403	}
	404	}
	405	break
	406	}
[1]	407	if bytes.Equal(tag, []byte("noscript")) {
	408	state = STATE_IN_NOSCRIPT
	409	break
	410	}
	411	var attrs [][][]byte
	412	if hasAttrs {
	413	for {
	414	attrName, attrValue, moreAttr := decoder.TagAttr()
[21]	415	attrs = append(attrs, [][]byte{
	416	attrName,
	417	attrValue,
	418	[]byte(html.EscapeString(string(attrValue))),
	419	})
[1]	420	if !moreAttr {
	421	break
	422	}
	423	}
[13]	424	}
	425	if bytes.Equal(tag, []byte("link")) {
	426	sanitizeLinkTag(rc, out, attrs)
	427	break
	428	}
	429
[45]	430	if bytes.Equal(tag, []byte("meta")) {
	431	sanitizeMetaTag(rc, out, attrs)
	432	break
	433	}
	434
[13]	435	fmt.Fprintf(out, "<%s", tag)
	436
	437	if hasAttrs {
[45]	438	sanitizeAttrs(rc, out, attrs)
[1]	439	}
[13]	440
[1]	441	if token == html.SelfClosingTagToken {
[9]	442	fmt.Fprintf(out, " />")
[1]	443	} else {
[9]	444	fmt.Fprintf(out, ">")
[1]	445	if bytes.Equal(tag, []byte("style")) {
	446	state = STATE_IN_STYLE
	447	}
	448	}
[13]	449
[45]	450	if bytes.Equal(tag, []byte("head")) {
[46]	451	fmt.Fprintf(out, HTML_HEAD_CONTENT_TYPE)
[45]	452	}
	453
[1]	454	if bytes.Equal(tag, []byte("form")) {
	455	var formURL *url.URL
	456	for _, attr := range attrs {
	457	if bytes.Equal(attr[0], []byte("action")) {
	458	formURL, _ = url.Parse(string(attr[1]))
[28]	459	formURL = mergeURIs(rc.BaseURL, formURL)
[1]	460	break
	461	}
	462	}
	463	if formURL == nil {
[23]	464	formURL = rc.BaseURL
[1]	465	}
[2]	466	urlStr := formURL.String()
	467	var key string
	468	if rc.Key != nil {
	469	key = hash(urlStr, rc.Key)
	470	}
[9]	471	fmt.Fprintf(out, HTML_FORM_EXTENSION, urlStr, key)
[1]	472
	473	}
	474
	475	case html.EndTagToken:
	476	tag, _ := decoder.TagName()
	477	writeEndTag := true
	478	switch string(tag) {
	479	case "body":
[23]	480	fmt.Fprintf(out, HTML_BODY_EXTENSION, rc.BaseURL.String())
[1]	481	case "style":
	482	state = STATE_DEFAULT
	483	case "noscript":
	484	state = STATE_DEFAULT
	485	writeEndTag = false
	486	}
	487	// skip noscript tags - only the tag, not the content, because javascript is sanitized
	488	if writeEndTag {
[9]	489	fmt.Fprintf(out, "</%s>", tag)
[1]	490	}
	491
	492	case html.TextToken:
	493	switch state {
	494	case STATE_DEFAULT:
[9]	495	fmt.Fprintf(out, "%s", decoder.Raw())
[1]	496	case STATE_IN_STYLE:
[9]	497	sanitizeCSS(rc, out, decoder.Raw())
[1]	498	case STATE_IN_NOSCRIPT:
[9]	499	sanitizeHTML(rc, out, decoder.Raw())
[1]	500	}
	501
[59]	502	case html.CommentToken:
	503	// ignore comment. TODO : parse IE conditional comment
	504
	505	case html.DoctypeToken:
[9]	506	out.Write(decoder.Raw())
[1]	507	}
	508	} else {
	509	switch token {
	510	case html.StartTagToken:
	511	tag, _ := decoder.TagName()
	512	if inArray(tag, UNSAFE_ELEMENTS) {
	513	unsafeElements = append(unsafeElements, tag)
	514	}
	515
	516	case html.EndTagToken:
	517	tag, _ := decoder.TagName()
	518	if bytes.Equal(unsafeElements[len(unsafeElements)-1], tag) {
	519	unsafeElements = unsafeElements[:len(unsafeElements)-1]
	520	}
	521	}
	522	}
	523	}
	524	}
	525
[13]	526	func sanitizeLinkTag(rc *RequestConfig, out io.Writer, attrs [][][]byte) {
	527	exclude := false
	528	for _, attr := range attrs {
	529	attrName := attr[0]
	530	attrValue := attr[1]
	531	if bytes.Equal(attrName, []byte("rel")) {
[46]	532	if !inArray(attrValue, LINK_REL_SAFE_VALUES) {
[13]	533	exclude = true
	534	break
	535	}
	536	}
	537	if bytes.Equal(attrName, []byte("as")) {
	538	if bytes.Equal(attrValue, []byte("script")) {
	539	exclude = true
	540	break
	541	}
	542	}
	543	}
	544
	545	if !exclude {
	546	out.Write([]byte("<link"))
	547	for _, attr := range attrs {
[21]	548	sanitizeAttr(rc, out, attr[0], attr[1], attr[2])
[13]	549	}
	550	out.Write([]byte(">"))
	551	}
	552	}
	553
[45]	554	func sanitizeMetaTag(rc *RequestConfig, out io.Writer, attrs [][][]byte) {
[1]	555	var http_equiv []byte
	556	var content []byte
	557
	558	for _, attr := range attrs {
	559	attrName := attr[0]
	560	attrValue := attr[1]
	561	if bytes.Equal(attrName, []byte("http-equiv")) {
	562	http_equiv = bytes.ToLower(attrValue)
[46]	563	// exclude some <meta http-equiv="..." ..>
	564	if !inArray(http_equiv, LINK_HTTP_EQUIV_SAFE_VALUES) {
	565	return
	566	}
[1]	567	}
	568	if bytes.Equal(attrName, []byte("content")) {
	569	content = attrValue
	570	}
[45]	571	if bytes.Equal(attrName, []byte("charset")) {
	572	// exclude <meta charset="...">
	573	return
	574	}
[1]	575	}
	576
[45]	577	out.Write([]byte("<meta"))
[14]	578	urlIndex := bytes.Index(bytes.ToLower(content), []byte("url="))
	579	if bytes.Equal(http_equiv, []byte("refresh")) && urlIndex != -1 {
	580	contentUrl := content[urlIndex+4:]
[36]	581	// special case of <meta http-equiv="refresh" content="0; url='example.com/url.with.quote.outside'">
[37]	582	if len(contentUrl) >= 2 && (contentUrl[0] == byte('\'') \|\| contentUrl[0] == byte('"')) {
[36]	583	if contentUrl[0] == contentUrl[len(contentUrl)-1] {
[37]	584	contentUrl = contentUrl[1 : len(contentUrl)-1]
[36]	585	}
	586	}
	587	// output proxify result
[23]	588	if uri, err := rc.ProxifyURI(string(contentUrl)); err == nil {
[14]	589	fmt.Fprintf(out, ` http-equiv="refresh" content="%surl=%s"`, content[:urlIndex], uri)
[1]	590	}
	591	} else {
[46]	592	if len(http_equiv) > 0 {
	593	fmt.Fprintf(out, ` http-equiv="%s"`, http_equiv)
	594	}
[9]	595	sanitizeAttrs(rc, out, attrs)
[1]	596	}
[45]	597	out.Write([]byte(">"))
[1]	598	}
	599
[9]	600	func sanitizeAttrs(rc *RequestConfig, out io.Writer, attrs [][][]byte) {
[1]	601	for _, attr := range attrs {
[21]	602	sanitizeAttr(rc, out, attr[0], attr[1], attr[2])
[1]	603	}
	604	}
	605
[21]	606	func sanitizeAttr(rc *RequestConfig, out io.Writer, attrName, attrValue, escapedAttrValue []byte) {
[1]	607	if inArray(attrName, SAFE_ATTRIBUTES) {
[21]	608	fmt.Fprintf(out, " %s=\"%s\"", attrName, escapedAttrValue)
[1]	609	return
	610	}
	611	switch string(attrName) {
	612	case "src", "href", "action":
[23]	613	if uri, err := rc.ProxifyURI(string(attrValue)); err == nil {
[9]	614	fmt.Fprintf(out, " %s=\"%s\"", attrName, uri)
[1]	615	} else {
[36]	616	log.Println("cannot proxify uri:", string(attrValue))
[1]	617	}
	618	case "style":
[21]	619	cssAttr := bytes.NewBuffer(nil)
	620	sanitizeCSS(rc, cssAttr, attrValue)
	621	fmt.Fprintf(out, " %s=\"%s\"", attrName, html.EscapeString(string(cssAttr.Bytes())))
[1]	622	}
	623	}
	624
[36]	625	func mergeURIs(u1, u2 url.URL) url.URL {
[28]	626	return u1.ResolveReference(u2)
[1]	627	}
	628
[23]	629	func (rc *RequestConfig) ProxifyURI(uri string) (string, error) {
[28]	630	// remove javascript protocol
	631	if strings.HasPrefix(uri, "javascript:") {
	632	return "", nil
	633	}
[57]	634
[1]	635	// TODO check malicious data: - e.g. data:script
	636	if strings.HasPrefix(uri, "data:") {
	637	return uri, nil
	638	}
	639
[57]	640	// parse the uri
[1]	641	u, err := url.Parse(uri)
	642	if err != nil {
	643	return "", err
	644	}
[57]	645
	646	// get the fragment (with the prefix "#")
	647	fragment := ""
	648	if len(u.Fragment) > 0 {
	649	fragment = "#" + u.Fragment
	650	}
	651
	652	// reset the fragment: it is not included in the mortyurl
	653	u.Fragment = ""
	654
	655	// merge the URI with the document URI
[28]	656	u = mergeURIs(rc.BaseURL, u)
[1]	657
[57]	658	// simple internal link ?
	659	// some web pages describe the whole link https://same:auth@same.host/same.path?same.query#new.fragment
	660	if u.Scheme == rc.BaseURL.Scheme &&
	661	(rc.BaseURL.User == nil \|\| (u.User != nil && u.User.String() == rc.BaseURL.User.String())) &&
	662	u.Host == rc.BaseURL.Host &&
	663	u.Path == rc.BaseURL.Path &&
	664	u.RawQuery == rc.BaseURL.RawQuery {
	665	// the fragment is the only difference between the document URI and the uri parameter
	666	return fragment, nil
	667	}
	668
	669	// return full URI and fragment (if not empty)
[1]	670	uri = u.String()
	671
	672	if rc.Key == nil {
[57]	673	return fmt.Sprintf("./?mortyurl=%s%s", url.QueryEscape(uri), fragment), nil
[1]	674	}
[57]	675	return fmt.Sprintf("./?mortyhash=%s&mortyurl=%s%s", hash(uri, rc.Key), url.QueryEscape(uri), fragment), nil
[1]	676	}
	677
	678	func inArray(b []byte, a [][]byte) bool {
	679	for _, b2 := range a {
	680	if bytes.Equal(b, b2) {
	681	return true
	682	}
	683	}
	684	return false
	685	}
	686
	687	func hash(msg string, key []byte) string {
	688	mac := hmac.New(sha256.New, key)
	689	mac.Write([]byte(msg))
	690	return hex.EncodeToString(mac.Sum(nil))
	691	}
	692
	693	func verifyRequestURI(uri, hashMsg, key []byte) bool {
	694	h := make([]byte, hex.DecodedLen(len(hashMsg)))
	695	_, err := hex.Decode(h, hashMsg)
	696	if err != nil {
	697	log.Println("hmac error:", err)
	698	return false
	699	}
	700	mac := hmac.New(sha256.New, key)
	701	mac.Write(uri)
	702	return hmac.Equal(h, mac.Sum(nil))
	703	}
	704
[35]	705	func (p Proxy) serveMainPage(ctx fasthttp.RequestCtx, statusCode int, err error) {
[1]	706	ctx.SetContentType("text/html")
[35]	707	ctx.SetStatusCode(statusCode)
[1]	708	ctx.Write([]byte(`<!doctype html>
	709	<head>
[11]	710	<title>MortyProxy</title>
[36]	711	<meta name="viewport" content="width=device-width, initial-scale=1 , maximum-scale=1.0, user-scalable=1" />
[11]	712	<style>
[36]	713	html { height: 100%; }
	714	body { min-height : 100%; display: flex; flex-direction:column; font-family: 'Garamond', 'Georgia', serif; text-align: center; color: #444; background: #FAFAFA; margin: 0; padding: 0; font-size: 1.1em; }
[11]	715	input { border: 1px solid #888; padding: 0.3em; color: #444; background: #FFF; font-size: 1.1em; }
[36]	716	input[placeholder] { width:80%; }
[11]	717	a { text-decoration: none; #2980b9; }
	718	h1, h2 { font-weight: 200; margin-bottom: 2rem; }
	719	h1 { font-size: 3em; }
[36]	720	.container { flex:1; min-height: 100%; margin-bottom: 1em; }
	721	.footer { margin: 1em; }
[11]	722	.footer p { font-size: 0.8em; }
	723	</style>
[1]	724	</head>
[11]	725	<body>
[36]	726	<div class="container">
	727	<h1>MortyProxy</h1>
	728	`))
[11]	729	if err != nil {
	730	log.Println("error:", err)
	731	ctx.Write([]byte("<h2>Error: "))
	732	ctx.Write([]byte(html.EscapeString(err.Error())))
	733	ctx.Write([]byte("</h2>"))
	734	}
[1]	735	if p.Key == nil {
	736	ctx.Write([]byte(`
[36]	737	<form action="post">
	738	Visit url: <input placeholder="https://url.." name="mortyurl" autofocus />
	739	<input type="submit" value="go" />
	740	</form>`))
[11]	741	} else {
	742	ctx.Write([]byte(`<h3>Warning! This instance does not support direct URL opening.</h3>`))
[1]	743	}
	744	ctx.Write([]byte(`
[36]	745	</div>
	746	<div class="footer">
	747	<p>Morty rewrites web pages to exclude malicious HTML tags and CSS/HTML attributes. It also replaces external resource references to prevent third-party information leaks.<br />
	748	<a href="https://github.com/asciimoo/morty">view on github</a>
	749	</p>
	750	</div>
[1]	751	</body>
	752	</html>`))
	753	}
	754
	755	func main() {
	756
[2]	757	listen := flag.String("listen", "127.0.0.1:3000", "Listen address")
[1]	758	key := flag.String("key", "", "HMAC url validation key (hexadecimal encoded) - leave blank to disable")
[24]	759	ipv6 := flag.Bool("ipv6", false, "Allow IPv6 HTTP requests")
[4]	760	requestTimeout := flag.Uint("timeout", 2, "Request timeout")
[1]	761	flag.Parse()
	762
[24]	763	if *ipv6 {
	764	CLIENT.Dial = fasthttp.DialDualStack
	765	}
	766
[4]	767	p := &Proxy{RequestTimeout: time.Duration(requestTimeout) time.Second}
[1]	768
	769	if *key != "" {
	770	p.Key = []byte(*key)
	771	}
	772
	773	log.Println("listening on", *listen)
	774
	775	if err := fasthttp.ListenAndServe(*listen, p.RequestHandler); err != nil {
	776	log.Fatal("Error in ListenAndServe:", err)
	777	}
	778	}

Note: See TracBrowser for help on using the repository browser.

Download in other formats: