no 405

.gitignore

@@ -8,3 +8,4 @@
 !/README.md
 !/files/www/qonq.js
 !/favicon.ico
+!/antiscrape.js

README.md

@@ -17,12 +17,12 @@ The following environment variables are optional.
 
 | Variable | Description | Default |
 |----------|-------------|---------|
-| `APP_HOSTNAME` | Overrides the hostname for generating URLs. | host header on the upload request |
+| `BASE_HOSTNAME` | Overrides the hostname for generating URLs. | host header on the upload request |
 | `DISCORD_WEBHOOK` | Discord webhook url that newly-uploaded URLs will be sent to to pre-load their embed, which theoretically makes them embed again faster. | `undefined` (disabled) |
 | `PORT` | TCP port to listen on | `8568` |
 | `ADDRESS` | Address to bind to | `'0.0.0.0'` (all) |
 | `FILES_DIR` | Directory to store the files in | `'files'` (relative of working directory) |
-| `TRUST_PROXY` | Value for express's [`'trust proxy'`](https://expressjs.com/en/5x/api.html#trust.proxy.options.table) setting | `'127.0.0.1'` |
+| `TRUST_PROXY` | Value for express's [`'trust proxy'`](https://expressjs.com/en/5x/api.html#trust.proxy.options.table) setting | `'loopback'` |
 
 
 Run with `node qonq.js` or your favorite init system.

antiscrape.js

@@ -0,0 +1,15 @@
+// someone could iterate over all ~1.6 million possible file codes to download all files.
+// prevent this by banning IP addresses that request too many non-existant files.
+
+var ip404 = {};
+module.exports = (req, res, next) => {
+	if (ip404[req.ip]?.size > 10)
+		return res.status(403).send("Banned");
+	res.on("finish", () => {
+		if (res.statusCode == 404 && req.filecode) {
+			if (!ip404[req.ip]) ip404[req.ip] = new Set();
+			ip404[req.ip].add(req.filecode);
+		}
+	});
+	next();
+};

qonq.js

@@ -11,7 +11,7 @@ var FILES_DIR = process.env.FILES_DIR || "files";
 
 var app = express();
 app.set("env", "production");
-app.set('trust proxy', process.env.TRUST_PROXY || "127.0.0.1");
+app.set('trust proxy', process.env.TRUST_PROXY || "loopback");
 app.listen(process.env.PORT || 8568, process.env.ADDRESS);
 app.use((req,res,next) => { res.header("Access-Control-Allow-Origin", '*'); next(); });
 
@@ -46,7 +46,7 @@ app.post("*", (req, res, next) => {
 				var filepath = path.join(webroot, filename);
 				req.pipe(fs.createWriteStream(filepath));
 				req.on("close", () => {
-					var url = g?.next().value || `${req.protocol}://${filecode}.${process.env.APP_HOSTNAME || req.hostname}`;
+					var url = g?.next().value || `${req.protocol}://${filecode}.${process.env.BASE_HOSTNAME || req.hostname}`;
 					res.type('text').send(url);
 					require("./discord-preloader.js")(url);
 				});
@@ -55,16 +55,17 @@ app.post("*", (req, res, next) => {
 	})();
 });
 
+app.use(require("./antiscrape"));
 
 app.get(['/', '/:code/', '/:code/*'], function(req, res, next){
 	var subdomain = req.subdomains.at(-1);
-	var filecode = subdomain || req.params.code;
-	if (!filecode) filecode = "www";
-	var webroot = path.join(FILES_DIR, filecode);
+	req.filecode = subdomain || req.params.code;
+	if (!req.filecode) req.filecode = "www";
+	var webroot = path.join(FILES_DIR, req.filecode);
 	fs.readdir(webroot, function(error, webrootdirlist) {
 		if (error) return void next(error.code == "ENOENT" ? "route" : error);
 		if (webrootdirlist.length > 1) {
-			if (subdomain) req.url = path.join(filecode, req.url);
+			if (subdomain) req.url = path.join(req.filecode, req.url);
 			next();
 		} else if (webrootdirlist.length == 1) {
 			res.sendFile(webrootdirlist[0], {
@@ -76,9 +77,3 @@ app.get(['/', '/:code/', '/:code/*'], function(req, res, next){
 		}
 	});
 }, express.static(FILES_DIR), serveIndex(FILES_DIR, {icons: true}));
-
-
-app.use((req, res) => {
-	if (req.method == "GET") res.status(404).send("This resource does not exist.");
-	else res.sendStatus(405);
-});