Git-Mirrors/mat2-web
1
0
Fork 0
mirror of https://0xacab.org/jvoisin/mat2-web.git synced 2025-02-23 08:39:57 -05:00
Code Issues Packages Projects Releases Wiki Activity
24 Commits 3 Branches 19 Tags
Go to file
Clone
Open with VS Code Open with VSCodium Open with Intellij IDEA
Download ZIP Download TAR.GZ Download BUNDLE
jvoisin d524c65209 Handle copy/paste
2019-02-23 13:17:22 +01:00
static
Handle copy/paste
2019-02-23 13:17:22 +01:00
templates
Implement drag'n'drop support
2019-02-23 13:07:41 +01:00
.gitlab-ci.yml
Don't cover dependencies in the testsuite
2018-12-16 21:15:35 +01:00
LICENSE
Improve the licensing scheme
2018-12-16 21:54:25 +01:00
main.py
Mitigate filename-based race conditions
2019-02-22 21:17:48 +01:00
README.md
Add a small threat model
2019-02-22 21:20:51 +01:00
tests.py
Mitigate filename-based race conditions
2019-02-22 21:17:48 +01:00

README.md 

                  _   ___                     _     
                 | | |__ \                   | |    
  _ __ ___   __ _| |_   ) |_______      _____| |__    Trashing your meta,
 | '_ ` _ \ / _` | __| / /______\ \ /\ / / _ \ '_ \     keeping your data,
 | | | | | | (_| | |_ / /_       \ V  V /  __/ |_) |      within your browser.
 |_| |_| |_|\__,_|\__|____|       \_/\_/ \___|_.__/

This is an online version of mat2. Keep in mind that this is a beta version, don't rely on it for anything serious, yet.

Demo instance

There is a demo instance deployed a mat2-web.dustri.org. Please don't upload any sensitive files on it.

How to deploy it?

Since mat2 isn't available in debian stable yet, you might want to add this to /etc/apt/preferences.d/ to be able to install mat2 via apt.

Package: *
Pin: release o=Debian,a=unstable
Pin-Priority: 10

Then:

# apt install git nginx-light uwsgi uwsgi-plugin-python3 mat2 --no-install-recommends
# cd /var/www/
# git clone https://0xacab.org/jvoisin/mat2-web.git
# mkdir ./mat2-web/uploads/
# chown -R www-data:www-data ./mat2-web

Since uwsgi isn't fun to configure, feel free to slap this into your /etc/uwsgi/apps-enabled/mat2-web.ini:

[uwsgi]
module=main
chdir = /var/www/mat2-web/
callable = app
wsgi-file = main.py
master = true
workers = 1

uid = www-data
gid = www-data

# kill stalled processes
harakiri = 30
die-on-term = true

socket = mat2-web.sock
chmod-socket = 774
plugins = python3

and this into your /etc/nginx/site-enabled/mat2-web:

location / { try_files $uri @yourapplication; }
location @yourapplication {
	include uwsgi_params;
	uwsgi_pass unix:/var/www/mat2-web/mat2-web.sock;
}

Nginx is the recommended web engine, but you can also use Apache if you prefer:

apt install apache2 libapache2-mod-proxy-uwsgi

and add this to your /etc/apache2/sites-enabled/mat2-web in the virtualhost block:

ProxyPass / unix:/var/www/mat2-web/mat2-web.sock|uwsgi://localhost/

Finally, restart uwsgi and your web server:

systemctl restart uwsgi
systemctl restart nginx/apache/…

It should now be working.

Threat model

  • An attacker in possession of the very same file that a user wants to clean, along with its names, can perform a denial of service by continually requesting this file, and getting it before the user.
  • An attacker in possession of only the name of a file that a user wants to clean can't perform a denial of service attack, since the path to download the cleaned file is not only dependant of the name, but also the content.
  • The server should do its very best to delete files as soon as possible.

Licenses

Description
A web version of mat2! https://metadata.systemli.org/
Readme MIT 2 MiB
Languages
Python 74.1%
HTML 18%
CSS 6.2%
JavaScript 1.7%