azures04/crafatar
1
0
Fork 0
mirror of https://github.com/azures04/crafatar.git synced 2026-03-21 23:41:18 +01:00
Code Issues Packages Projects Releases Wiki Activity

Compare commits

base: azures04:v2.1.4
Branches Tags
azures04:master
azures04:dependabot/npm_and_yarn/flat-and-mocha-5.0.2
azures04:dependabot/npm_and_yarn/qs-6.5.3
azures04:dependabot/npm_and_yarn/minimist-1.2.6
azures04:dependabot/npm_and_yarn/tar-4.4.19
azures04:dependabot/npm_and_yarn/glob-parent-5.1.2
azures04:dependabot/npm_and_yarn/lodash-4.17.21
azures04:dependabot/npm_and_yarn/redis-3.1.1
azures04:dependabot/npm_and_yarn/y18n-4.0.1
azures04:v2.1.5
azures04:v2.1.4
azures04:v2.1.3
azures04:v2.1.2
azures04:v2.1.1
azures04:v2.1.0
azures04:v1.0.0
...
compare: azures04:master
Branches Tags
azures04:master
azures04:dependabot/npm_and_yarn/flat-and-mocha-5.0.2
azures04:dependabot/npm_and_yarn/qs-6.5.3
azures04:dependabot/npm_and_yarn/minimist-1.2.6
azures04:dependabot/npm_and_yarn/tar-4.4.19
azures04:dependabot/npm_and_yarn/glob-parent-5.1.2
azures04:dependabot/npm_and_yarn/lodash-4.17.21
azures04:dependabot/npm_and_yarn/redis-3.1.1
azures04:dependabot/npm_and_yarn/y18n-4.0.1
azures04:v2.1.5
azures04:v2.1.4
azures04:v2.1.3
azures04:v2.1.2
azures04:v2.1.1
azures04:v2.1.0
azures04:v1.0.0

7 Commits
v2.1.4 ... master

Author SHA1 Message Date
Azures
0e2a23ccbb
Use environment variables for endpoint URLs 2025-12-08 21:05:09 +01:00
azures04
41690f84c7 Custom endpoints 
- minor change to customise textures & session server host for custom yggdrasil server
 2025-12-08 21:02:48 +01:00
jomo
d6293cc73d bump version to 2.1.5 2024-02-01 22:29:09 +01:00
jomo
c155c8d098 update dependencies 2024-02-01 22:25:43 +01:00
jomo
bba004acc7 improve URL parsing 
uses `new URL()` and `decodeURI()` instead of `url.parse()`
also checks that the requested file is in a subdirectory of `public/` before serving the file

fixes path traversal vulnerability GHSA-5cxq-25mp-q5f2
 2024-02-01 22:24:29 +01:00
jomo
9cb32a843f strip dashes from uuids before handling them 2024-02-01 22:19:02 +01:00
jomo
e44ebda56f periodically log number of current skin and cape requests 2024-02-01 22:00:44 +01:00
13 changed files with 1332 additions and 701 deletions
Show Stats Expand all files Collapse all files

2
Dockerfile
View File

@ -1,6 +1,6 @@
FROM node:12-alpine AS builder
RUN apk --no-cache add git python build-base redis cairo-dev pango-dev jpeg-dev giflib-dev
RUN apk --no-cache add git python3 build-base redis cairo-dev pango-dev jpeg-dev giflib-dev
RUN adduser -D app
USER app

2
README.md
View File

@ -39,7 +39,7 @@ Please [visit the website](https://crafatar.com) for details.
```sh
docker network create crafatar
docker run --net crafatar -d --name redis redis
docker run --net crafatar -v crafatar-images:/crafatar/images -e REDIS_URL=redis://redis -p 3000:3000 crafatar/crafatar
docker run --net crafatar -v crafatar-images:/home/app/crafatar/images -e REDIS_URL=redis://redis -p 3000:3000 crafatar/crafatar
```
## Manual

4
config.js
View File

@ -60,6 +60,10 @@ var config = {
sidebar: process.env.SPONSOR_SIDE,
top_right: process.env.SPONSOR_TOP_RIGHT
},
endpoints: {
textures_url: process.env.TEXTURES_ENDPOINT || "https://textures.minecraft.net/texture/",
session_url: process.env.SESSION_ENDPOINT || "https://sessionserver.mojang.com/session/minecraft/profile/"
}
};
module.exports = config;

16
lib/helpers.js
View File

@ -7,8 +7,8 @@ var skins = require("./skins");
var path = require("path");
var fs = require("fs");
// 0098cb60-fa8e-427c-b299-793cbd302c9a
var valid_user_id = /^[0-9a-fA-F\-]{32,36}$/; // uuid
// 0098cb60fa8e427cb299793cbd302c9a
var valid_user_id = /^[0-9a-fA-F]{32}$/; // uuid
var hash_pattern = /[0-9a-f]+$/;
// gets the hash from the textures.minecraft.net +url+
@ -122,6 +122,14 @@ var requests = {
cape: {}
};
var loginterval = setInterval(function(){
var skinreqs = Object.keys(requests.skin).length;
var capereqs = Object.keys(requests.cape).length;
if (skinreqs || capereqs) {
logging.log("Currently waiting for " + skinreqs + " skin requests and " + capereqs + " cape requests.");
}
}, 1000);
// add a request for +userId+ and +type+ to the queue
function push_request(userId, type, callback) {
// avoid special properties (e.g. 'constructor')
@ -387,4 +395,8 @@ exp.get_cape = function(rid, userId, callback) {
});
};
exp.stoplog = function() {
clearInterval(loginterval);
}
module.exports = exp;

4
lib/networking.js
View File

@ -5,8 +5,8 @@ var skins = require("./skins");
var http = require("http");
require("./object-patch");
var session_url = "https://sessionserver.mojang.com/session/minecraft/profile/";
var textures_url = "https://textures.minecraft.net/texture/";
var session_url = config.endpoints.session_url;
var textures_url = config.endpoints.textures_url;
// count requests made to session_url in the last 1000ms
var session_requests = [];

22
lib/routes/avatars.js
View File

@ -14,12 +14,10 @@ function handle_default(img_status, userId, size, def, req, err, callback) {
if (defname !== "steve" && defname !== "mhf_steve" && defname !== "alex" && defname !== "mhf_alex") {
if (helpers.id_valid(def)) {
// clean up the old URL to match new image
var parsed = req.url;
delete parsed.query.default;
delete parsed.search;
parsed.path_list[1] = def;
parsed.pathname = "/" + parsed.path_list.join("/");
var newUrl = url.format(parsed);
req.url.searchParams.delete('default');
req.url.path_list[1] = def;
req.url.pathname = req.url.path_list.join('/');
var newUrl = req.url.toString();
callback({
status: img_status,
redirect: newUrl,
@ -53,9 +51,9 @@ function handle_default(img_status, userId, size, def, req, err, callback) {
// GET avatar request
module.exports = function(req, callback) {
var userId = (req.url.path_list[1] || "").split(".")[0];
var size = parseInt(req.url.query.size) || config.avatars.default_size;
var def = req.url.query.default;
var overlay = Object.prototype.hasOwnProperty.call(req.url.query, "overlay") || Object.prototype.hasOwnProperty.call(req.url.query, "helm");
var size = parseInt(req.url.searchParams.get("size")) || config.avatars.default_size;
var def = req.url.searchParams.get("default");
var overlay = req.url.searchParams.has("overlay") || req.url.searchParams.has("helm");
// check for extra paths
if (req.url.path_list.length > 2) {
@ -67,6 +65,9 @@ module.exports = function(req, callback) {
return;
}
// strip dashes
userId = userId.replace(/-/g, "");
// Prevent app from crashing/freezing
if (size < config.avatars.min_size || size > config.avatars.max_size) {
// "Unprocessable Entity", valid request, but semantically erroneous:
@ -84,9 +85,6 @@ module.exports = function(req, callback) {
return;
}
// strip dashes
userId = userId.replace(/-/g, "");
try {
helpers.get_avatar(req.id, userId, overlay, size, function(err, status, image, hash) {
if (err) {

7
lib/routes/capes.js
View File

@ -4,7 +4,7 @@ var cache = require("../cache");
// GET cape request
module.exports = function(req, callback) {
var userId = (req.url.path_list[1] || "").split(".")[0];
var def = req.url.query.default;
var def = req.url.searchParams.get('default');
var rid = req.id;
// check for extra paths
@ -17,6 +17,8 @@ module.exports = function(req, callback) {
return;
}
// strip dashes
userId = userId.replace(/-/g, "");
if (!helpers.id_valid(userId)) {
callback({
status: -2,
@ -25,9 +27,6 @@ module.exports = function(req, callback) {
return;
}
// strip dashes
userId = userId.replace(/-/g, "");
try {
helpers.get_cape(rid, userId, function(err, hash, status, image) {
if (err) {

22
lib/routes/renders.js
View File

@ -17,12 +17,10 @@ function handle_default(rid, scale, overlay, body, img_status, userId, size, def
if (defname !== "steve" && defname !== "mhf_steve" && defname !== "alex" && defname !== "mhf_alex") {
if (helpers.id_valid(def)) {
// clean up the old URL to match new image
var parsed = req.url;
delete parsed.query.default;
delete parsed.search;
parsed.path_list[2] = def;
parsed.pathname = "/" + parsed.path_list.join("/");
var newUrl = url.format(parsed);
req.url.searchParams.delete('default');
req.url.path_list[2] = def;
req.url.pathname = req.url.path_list.join('/');
var newUrl = req.url.toString();
callback({
status: img_status,
redirect: newUrl,
@ -62,9 +60,9 @@ module.exports = function(req, callback) {
var rid = req.id;
var body = raw_type === "body";
var userId = (req.url.path_list[2] || "").split(".")[0];
var def = req.url.query.default;
var scale = parseInt(req.url.query.scale) || config.renders.default_scale;
var overlay = Object.prototype.hasOwnProperty.call(req.url.query, "overlay") || Object.prototype.hasOwnProperty.call(req.url.query, "helm");
var def = req.url.searchParams.get("default");
var scale = parseInt(req.url.searchParams.get("scale")) || config.renders.default_scale;
var overlay = req.url.searchParams.has("overlay") || req.url.searchParams.has("helm");
// check for extra paths
if (req.url.path_list.length > 3) {
@ -85,6 +83,9 @@ module.exports = function(req, callback) {
return;
}
// strip dashes
userId = userId.replace(/-/g, "");
if (scale < config.renders.min_scale || scale > config.renders.max_scale) {
callback({
status: -2,
@ -99,9 +100,6 @@ module.exports = function(req, callback) {
return;
}
// strip dashes
userId = userId.replace(/-/g, "");
try {
helpers.get_render(rid, userId, scale, overlay, body, function(err, status, hash, image) {
if (err) {

17
lib/routes/skins.js
View File

@ -14,12 +14,10 @@ function handle_default(img_status, userId, def, req, err, callback) {
if (defname !== "steve" && defname !== "mhf_steve" && defname !== "alex" && defname !== "mhf_alex") {
if (helpers.id_valid(def)) {
// clean up the old URL to match new image
var parsed = req.url;
delete parsed.query.default;
delete parsed.search;
parsed.path_list[1] = def;
parsed.pathname = "/" + parsed.path_list.join("/");
var newUrl = url.format(parsed);
req.url.searchParams.delete('default');
req.url.path_list[1] = def;
req.url.pathname = req.url.path_list.join('/');
var newUrl = req.url.toString();
callback({
status: img_status,
redirect: newUrl,
@ -62,7 +60,7 @@ function handle_default(img_status, userId, def, req, err, callback) {
// GET skin request
module.exports = function(req, callback) {
var userId = (req.url.path_list[1] || "").split(".")[0];
var def = req.url.query.default;
var def = req.url.searchParams.get("default");
var rid = req.id;
// check for extra paths
@ -75,6 +73,8 @@ module.exports = function(req, callback) {
return;
}
// strip dashes
userId = userId.replace(/-/g, "");
if (!helpers.id_valid(userId)) {
callback({
status: -2,
@ -83,9 +83,6 @@ module.exports = function(req, callback) {
return;
}
// strip dashes
userId = userId.replace(/-/g, "");
try {
helpers.get_skin(rid, userId, function(err, hash, status, image, slim) {
if (err) {

59
lib/server.js
View File

@ -1,6 +1,7 @@
#!/usr/bin/env node
var querystring = require("querystring");
var response = require("./response");
var helpers = require("./helpers.js");
var toobusy = require("toobusy-js");
var logging = require("./logging");
var config = require("../config");
@ -21,24 +22,33 @@ var routes = {
// serves assets from lib/public
function asset_request(req, callback) {
var filename = path.join(__dirname, "public", req.url.path_list.join("/"));
fs.access(filename, function(fs_err) {
if (!fs_err) {
fs.readFile(filename, function(err, data) {
callback({
body: data,
type: mime.getType(filename),
err: err,
const filename = path.join(__dirname, "public", ...req.url.path_list);
const relative = path.relative(path.join(__dirname, "public"), filename);
if (relative && !relative.startsWith('..') && !path.isAbsolute(relative)) {
fs.access(filename, function(fs_err) {
if (!fs_err) {
fs.readFile(filename, function(err, data) {
callback({
body: data,
type: mime.getType(filename),
err: err,
});
});
});
} else {
callback({
body: "Not found",
status: -2,
code: 404,
});
}
});
} else {
callback({
body: "Not found",
status: -2,
code: 404,
});
}
});
} else {
callback({
body: "Forbidden",
status: -2,
code: 403,
});
}
}
// generates a 12 character random string
@ -46,26 +56,18 @@ function request_id() {
return Math.random().toString(36).substring(2, 14);
}
// splits a URL path into an Array
// the path is resolved and decoded
// splits decoded URL path into an Array
function path_list(pathname) {
// remove double and trailing slashes
pathname = pathname.replace(/\/\/+/g, "/").replace(/(.)\/$/, "$1");
var list = pathname.split("/");
list.shift();
for (var i = 0; i < list.length; i++) {
// URL decode
list[i] = querystring.unescape(list[i]);
}
return list;
}
// handles the +req+ by routing to the request to the appropriate module
function requestHandler(req, res) {
req.url = url.parse(req.url, true);
req.url.query = req.url.query || {};
req.url = new URL(decodeURI(req.url), 'http://' + req.headers.host);
req.url.pathname = path.resolve('/', req.url.pathname);
req.url.path_list = path_list(req.url.pathname);
req.id = request_id();
req.start = Date.now();
@ -166,6 +168,7 @@ exp.boot = function(callback) {
// Close the server
exp.close = function(callback) {
helpers.stoplog();
server.close(callback);
};

1822
package-lock.json generated
View File

File diff suppressed because it is too large Load Diff

2
package.json
View File

@ -1,6 +1,6 @@
{
"name": "crafatar",
"version": "2.1.4",
"version": "2.1.5",
"private": true,
"scripts": {
"start": "node www.js",

52
test/test.js
View File

@ -88,8 +88,8 @@ describe("Crafatar", function() {
assert.strictEqual(helpers.id_valid("1DCEF164FF0A47F2B9A691385C774EE7"), true);
done();
});
it("dashed uuid is valid", function(done) {
assert.strictEqual(helpers.id_valid("0098cb60-fa8e-427c-b299-793cbd302c9a"), true);
it("dashed uuid is not valid", function(done) {
assert.strictEqual(helpers.id_valid("0098cb60-fa8e-427c-b299-793cbd302c9a"), false);
done();
});
it("username is invalid", function(done) {
@ -158,7 +158,7 @@ describe("Crafatar", function() {
it("should time out on skin download", function(done) {
var original_timeout = config.http_timeout;
config.server.http_timeout = 1;
networking.get_from(rid(), "http://textures.minecraft.net/texture/477be35554684c28bdeee4cf11c591d3c88afb77e0b98da893fd7bc318c65184", function(body, res, error) {
networking.get_from(rid(), config.endpoints.textures_url + "477be35554684c28bdeee4cf11c591d3c88afb77e0b98da893fd7bc318c65184", function(body, res, error) {
assert.notStrictEqual(["ETIMEDOUT", "ESOCKETTIMEDOUT"].indexOf(error.code), -1);
config.server.http_timeout = original_timeout;
done();
@ -166,7 +166,7 @@ describe("Crafatar", function() {
});
it("should not find the skin", function(done) {
assert.doesNotThrow(function() {
networking.get_from(rid(), "http://textures.minecraft.net/texture/this-does-not-exist", function(img, response, err) {
networking.get_from(rid(), config.endpoints.textures_url + "this-does-not-exist", function(img, response, err) {
assert.strictEqual(err, null); // no error here, but it shouldn't throw exceptions
done();
});
@ -300,6 +300,10 @@ describe("Crafatar", function() {
url: "http://localhost:3000/avatars/853c80ef3c3749fdaa49938b674adae6?size=16",
crc32: [4264176600],
},
"avatar with existing dashed uuid": {
url: "http://localhost:3000/avatars/853c80ef-3c37-49fd-aa49938b674adae6?size=16",
crc32: [4264176600],
},
"avatar with non-existent uuid": {
url: "http://localhost:3000/avatars/00000000000000000000000000000000?size=16",
crc32: [3348154329],
@ -311,7 +315,7 @@ describe("Crafatar", function() {
"avatar with non-existent uuid defaulting to uuid": {
url: "http://localhost:3000/avatars/00000000000000000000000000000000?size=16&default=853c80ef3c3749fdaa49938b674adae6",
crc32: [0],
redirect: "/avatars/853c80ef3c3749fdaa49938b674adae6?size=16",
redirect: "http://localhost:3000/avatars/853c80ef3c3749fdaa49938b674adae6?size=16",
},
"avatar with non-existent uuid defaulting to url": {
url: "http://localhost:3000/avatars/00000000000000000000000000000000?size=16&default=http%3A%2F%2Fexample.com%2FCaseSensitive",
@ -333,7 +337,7 @@ describe("Crafatar", function() {
"overlay avatar with non-existent uuid defaulting to uuid": {
url: "http://localhost:3000/avatars/00000000000000000000000000000000?size=16&default=853c80ef3c3749fdaa49938b674adae6",
crc32: [0],
redirect: "/avatars/853c80ef3c3749fdaa49938b674adae6?size=16",
redirect: "http://localhost:3000/avatars/853c80ef3c3749fdaa49938b674adae6?size=16",
},
"overlay avatar with non-existent uuid defaulting to url": {
url: "http://localhost:3000/avatars/00000000000000000000000000000000?size=16&overlay&default=http%3A%2F%2Fexample.com%2FCaseSensitive",
@ -342,7 +346,7 @@ describe("Crafatar", function() {
},
"cape with existing uuid": {
url: "http://localhost:3000/capes/853c80ef3c3749fdaa49938b674adae6",
crc32: [985789174],
crc32: [985789174, 2099310578],
},
"cape with non-existent uuid": {
url: "http://localhost:3000/capes/00000000000000000000000000000000",
@ -368,7 +372,7 @@ describe("Crafatar", function() {
"skin with non-existent uuid defaulting to uuid": {
url: "http://localhost:3000/skins/00000000000000000000000000000000?size=16&default=853c80ef3c3749fdaa49938b674adae6",
crc32: [0],
redirect: "/skins/853c80ef3c3749fdaa49938b674adae6?size=16",
redirect: "http://localhost:3000/skins/853c80ef3c3749fdaa49938b674adae6?size=16",
},
"skin with non-existent uuid defaulting to url": {
url: "http://localhost:3000/skins/00000000000000000000000000000000?default=http%3A%2F%2Fexample.com%2FCaseSensitive",
@ -390,7 +394,7 @@ describe("Crafatar", function() {
"head render with non-existent uuid defaulting to uuid": {
url: "http://localhost:3000/renders/head/00000000000000000000000000000000?scale=2&default=853c80ef3c3749fdaa49938b674adae6",
crc32: [0],
redirect: "/renders/head/853c80ef3c3749fdaa49938b674adae6?scale=2",
redirect: "http://localhost:3000/renders/head/853c80ef3c3749fdaa49938b674adae6?scale=2",
},
"head render with non-existent uuid defaulting to url": {
url: "http://localhost:3000/renders/head/00000000000000000000000000000000?scale=2&default=http%3A%2F%2Fexample.com%2FCaseSensitive",
@ -412,7 +416,7 @@ describe("Crafatar", function() {
"overlay head with non-existent uuid defaulting to uuid": {
url: "http://localhost:3000/renders/head/00000000000000000000000000000000?scale=2&overlay&default=853c80ef3c3749fdaa49938b674adae6",
crc32: [0],
redirect: "/renders/head/853c80ef3c3749fdaa49938b674adae6?scale=2&overlay=",
redirect: "http://localhost:3000/renders/head/853c80ef3c3749fdaa49938b674adae6?scale=2&overlay=",
},
"overlay head render with non-existent uuid defaulting to url": {
url: "http://localhost:3000/renders/head/00000000000000000000000000000000?scale=2&overlay&default=http%3A%2F%2Fexample.com%2FCaseSensitive",
@ -434,7 +438,7 @@ describe("Crafatar", function() {
"body render with non-existent uuid defaulting to uuid": {
url: "http://localhost:3000/renders/body/00000000000000000000000000000000?scale=2&default=853c80ef3c3749fdaa49938b674adae6",
crc32: [0],
redirect: "/renders/body/853c80ef3c3749fdaa49938b674adae6?scale=2",
redirect: "http://localhost:3000/renders/body/853c80ef3c3749fdaa49938b674adae6?scale=2",
},
"body render with non-existent uuid defaulting to url": {
url: "http://localhost:3000/renders/body/00000000000000000000000000000000?scale=2&default=http%3A%2F%2Fexample.com%2FCaseSensitive",
@ -564,6 +568,30 @@ describe("Crafatar", function() {
});
}(loc));
}
it("should return /public resources", function(done) {
request.get("http://localhost:3000/javascript/crafatar.js", function(error, res, body) {
assert.ifError(error);
assert.strictEqual(res.statusCode, 200);
done();
});
});
it("should not allow path traversal on /public", function(done) {
request.get("http://localhost:3000/../server.js", function(error, res, body) {
assert.ifError(error);
assert.strictEqual(res.statusCode, 404);
done();
});
});
it("should not allow encoded path traversal on /public", function(done) {
request.get("http://localhost:3000/%2E%2E/server.js", function(error, res, body) {
assert.ifError(error);
assert.strictEqual(res.statusCode, 404);
done();
});
});
});
// we have to make sure that we test both a 32x64 and 64x64 skin
@ -682,7 +710,7 @@ describe("Crafatar", function() {
describe("Errors", function() {
before(function() {
before(function() {
cache.get_redis().flushall();
});