Merge pull request #10 from quix-labs/feature/security_addon

Add security configuration and error action configuration
quix-labs · Nov 22, 2024 · 26a045a · 26a045a
2 parents f9f0005 + 4cff0e9
commit 26a045a
Show file tree

Hide file tree

Showing 9 changed files with 632 additions and 289 deletions.
diff --git a/.gitignore b/.gitignore
@@ -3,4 +3,5 @@ caddy
 .idea
 out
 dist/
-build/
+build/
+test-dataset/
diff --git a/Makefile b/Makefile
@@ -16,10 +16,14 @@ all: clean test build
 build:
 	$(XCADDY) build --output $(OUT_DIR)/$(BINARY_NAME) --with $(MODULE_PATH)=./
 	chmod u+x $(OUT_DIR)/$(BINARY_NAME)
+
+setcap:
+	setcap 'cap_net_bind_service=+ep'  $(OUT_DIR)/$(BINARY_NAME)
+
 test:
 	go test -v ./...
 clean:
 	rm -rf $(OUT_DIR)
 run:
-	$(XCADDY) run
+	XCADDY_SETCAP=1 $(XCADDY) run
 	./$(OUT_DIR)/$(BINARY_NAME)
diff --git a/README.md b/README.md
@@ -72,6 +72,7 @@ the [official documentation for caddy](https://caddyserver.com/docs/build#packag
 ## Example Caddyfile
 
 ### Using file_server
+
 ```plaintext
 localhost {
     root /your-images-directory
@@ -81,6 +82,7 @@ localhost {
 ```
 
 ### Using reverse_proxy
+
 ```plaintext
 localhost {
     reverse_proxy your-domain.com
@@ -142,6 +144,53 @@ caddy.
 * Convert an image to AVIF format with lossless compression:
     * http://example.com/image.jpg?fm=avif&ll=true
 
+## Advanced Configuration
+
+This configuration allows you to control error handling with `on_fail` and `on_security_fail`.
+
+You can also manage query parameter processing using `allowed_params` and `disallowed_params`.
+
+This gives you fine-grained control over image processing in your Caddy server.
+
+
+### Example with `on_fail` and Security Configuration
+```plaintext
+localhost {
+    image_processor {
+        on_fail bypass # Default value
+        security {
+            on_security_fail ignore # Default value
+            
+            disallowed_params w r ... # These parameters are disallowed in the image processing request. You can also use allowed_params to restrict parameters further.
+            # Note: 'allowed_params' and 'disallowed_params' cannot be used together. You must choose one or the other.
+        }
+    }
+}
+```
+
+### Explanation:
+
+* `on_fail`:
+    * `bypass` (default value): If any error occurs, the original, unprocessed image will be returned.
+    * `abort`: If an error occurs, a 500 Internal Server Error response will be returned.
+
+
+* `on_security_fail`:
+    * `ignore` (default value): If any security checks fail, they are ignored, and the image processing continues.
+    * `bypass`: If any security checks fail, the original, unprocessed image will be returned.
+    * `abort`: If any security checks fail, a 400 Bad Request response will be returned.
+
+
+* **Security Configuration** (`disallowed_params` vs `allowed_params`):
+  * `disallowed_params`: Specifies which query parameters are not allowed.
+
+    For example, parameters like w (width) and r (rotation) can be restricted.
+
+  * `allowed_params`: Specify which query parameters are allowed. As an alternative to `disallowed_params`.
+
+  *  **Important**: You cannot use both allowed_params and disallowed_params in the same configuration.
+
+
 ## Planned Features
 
 The following features are planned for future implementation:

diff --git a/errors.go b/errors.go
@@ -0,0 +1,16 @@
+package CADDY_FILE_SERVER
+
+import (
+	"errors"
+	"fmt"
+)
+
+type AbortRequestError struct {
+	Msg string
+}
+
+func (e *AbortRequestError) Error() string {
+	return fmt.Sprintf("request aborted: %s", e.Msg)
+}
+
+var BypassRequestError = errors.New("bypass request")
diff --git a/go.mod b/go.mod
@@ -7,6 +7,8 @@ toolchain go1.22.2
 require (
 	github.com/caddyserver/caddy/v2 v2.8.4
 	github.com/h2non/bimg v1.1.9
+	github.com/klauspost/compress v1.17.11
+	go.uber.org/zap v1.27.0
 )
 
 require (
@@ -53,7 +55,6 @@ require (
 	github.com/jackc/pgservicefile v0.0.0-20221227161230-091c0ba34f0a // indirect
 	github.com/jackc/pgtype v1.14.0 // indirect
 	github.com/jackc/pgx/v4 v4.18.3 // indirect
-	github.com/klauspost/compress v1.17.8 // indirect
 	github.com/klauspost/cpuid/v2 v2.2.7 // indirect
 	github.com/libdns/libdns v0.2.2 // indirect
 	github.com/manifoldco/promptui v0.9.0 // indirect
@@ -73,6 +74,7 @@ require (
 	github.com/prometheus/procfs v0.12.0 // indirect
 	github.com/quic-go/qpack v0.4.0 // indirect
 	github.com/quic-go/quic-go v0.44.0 // indirect
+	github.com/rs/xid v1.5.0 // indirect
 	github.com/russross/blackfriday/v2 v2.1.0 // indirect
 	github.com/shopspring/decimal v1.2.0 // indirect
 	github.com/shurcooL/sanitized_anchor_name v1.0.0 // indirect
@@ -96,7 +98,6 @@ require (
 	go.uber.org/automaxprocs v1.5.3 // indirect
 	go.uber.org/mock v0.4.0 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
-	go.uber.org/zap v1.27.0 // indirect
 	go.uber.org/zap/exp v0.2.0 // indirect
 	golang.org/x/crypto v0.23.0 // indirect
 	golang.org/x/crypto/x509roots/fallback v0.0.0-20240507223354-67b13616a595 // indirect
-Original file line number
+Diff line change
@@ Expand Up / @@ -3,4 +3,5 @@ caddy @@
     .idea
     out
     dist/
-    build/
+    build/
+    test-dataset/