wjqserver/touka
1
0
Fork 0
mirror of https://github.com/infinite-iroha/touka.git synced 2026-02-02 16:31:11 +08:00
Code Issues Projects Releases Packages Wiki Activity Actions

Compare commits

base: wjqserver:b92f1face5d19fa1f6800a3aa6c2f8f80e3f2278
Branches Tags
wjqserver:main
wjqserver:fix-slice-panic
wjqserver:feat/webdav-submodule-6925688270562050040
wjqserver:add-security-vulnerability-report-zh
wjqserver:add-security-vulnerability-report
wjqserver:dependabot/go_modules/github.com/WJQSERVER/wanf-0.0.2
wjqserver:dev
wjqserver:fix-router-panic
wjqserver:feat/optimize-radix-context
wjqserver:v0.4.1
wjqserver:v0.4.0
wjqserver:v0.3.8
wjqserver:v0.3.7
wjqserver:v0.3.6
wjqserver:v0.3.5
wjqserver:v0.3.4
wjqserver:v0.3.3
wjqserver:v0.3.2
wjqserver:v0.3.1
wjqserver:v0.3.0
wjqserver:v0.2.9
wjqserver:v0.2.8
wjqserver:v0.2.7
wjqserver:v0.2.6
wjqserver:v0.2.5
wjqserver:v0.2.4
wjqserver:v0.2.3
wjqserver:v0.2.2
wjqserver:v0.2.1
wjqserver:v0.2.0
wjqserver:v0.1.1
wjqserver:v0.1.0
wjqserver:v0.0.12
wjqserver:v0.0.11
wjqserver:v0.0.10
wjqserver:v0.0.9
wjqserver:v0.0.8
wjqserver:v0.0.7
wjqserver:v0.0.6
wjqserver:v0.0.5
wjqserver:v0.0.4
wjqserver:v0.0.3
wjqserver:v0.0.2
wjqserver:v0.0.1
...
compare: wjqserver:0ed9fa3290b7755212cfb18b03c7b567795a74f4
Branches Tags
wjqserver:main
wjqserver:fix-slice-panic
wjqserver:feat/webdav-submodule-6925688270562050040
wjqserver:add-security-vulnerability-report-zh
wjqserver:add-security-vulnerability-report
wjqserver:dependabot/go_modules/github.com/WJQSERVER/wanf-0.0.2
wjqserver:dev
wjqserver:fix-router-panic
wjqserver:feat/optimize-radix-context
wjqserver:v0.4.1
wjqserver:v0.4.0
wjqserver:v0.3.8
wjqserver:v0.3.7
wjqserver:v0.3.6
wjqserver:v0.3.5
wjqserver:v0.3.4
wjqserver:v0.3.3
wjqserver:v0.3.2
wjqserver:v0.3.1
wjqserver:v0.3.0
wjqserver:v0.2.9
wjqserver:v0.2.8
wjqserver:v0.2.7
wjqserver:v0.2.6
wjqserver:v0.2.5
wjqserver:v0.2.4
wjqserver:v0.2.3
wjqserver:v0.2.2
wjqserver:v0.2.1
wjqserver:v0.2.0
wjqserver:v0.1.1
wjqserver:v0.1.0
wjqserver:v0.0.12
wjqserver:v0.0.11
wjqserver:v0.0.10
wjqserver:v0.0.9
wjqserver:v0.0.8
wjqserver:v0.0.7
wjqserver:v0.0.6
wjqserver:v0.0.5
wjqserver:v0.0.4
wjqserver:v0.0.3
wjqserver:v0.0.2
wjqserver:v0.0.1

4 commits
b92f1face5 ... 0ed9fa3290

Author SHA1 Message Date
google-labs-jules[bot]
0ed9fa3290 feat(webdav): Enhance and Harden WebDAV Submodule 
This commit introduces a simplified high-level API for the WebDAV submodule and fixes a comprehensive set of critical bugs, security vulnerabilities, and spec-compliance issues.

Key enhancements include:
- A new, user-friendly API (`webdav.Serve`, `webdav.Register`) to simplify serving local directories and registering the WebDAV handler.
- An updated example (`examples/webdav/main.go`) demonstrating the new, cleaner API.

Bug fixes and hardening:
- **Data Integrity:** Fixed a data-loss bug in `memFile.Write` where overwriting parts of a file could truncate it.
- **Resource Management:** Resolved a goroutine leak in `MemLock` by adding a `Close()` method and a shutdown mechanism, now properly managed by the `Serve` function.
- **Recursive Deletion:** Implemented correct recursive deletion in `MemFS.RemoveAll` to ensure proper cleanup.
- **Locking:** Fixed a bug in `MemLock.Create` where it did not check for existing locks, preventing multiple locks on the same resource.
 2025-12-11 08:14:35 +00:00
google-labs-jules[bot]
5b41381ac9 feat: add native WebDAV submodule with usability helpers and fixes 
This commit introduces a new, high-performance, and extensible WebDAV submodule, implemented natively without external dependencies. It also adds a high-level API to simplify common use cases and incorporates numerous fixes based on detailed code reviews.

Features:
- A core WebDAV handler that supports essential methods: PROPFIND, MKCOL, GET, PUT, DELETE, COPY, MOVE, LOCK, and UNLOCK.
- An extensible design using a `FileSystem` interface to decouple the protocol logic from the storage backend.
- Two `FileSystem` implementations:
  - `MemFS`: An in-memory, tree-based filesystem for testing and ephemeral storage.
  - `OSFS`: A secure, OS-based filesystem that interacts with the local disk, including robust path traversal and symlink protection.
- A `LockSystem` interface with an in-memory implementation (`MemLock`) that supports resource locking and includes a graceful shutdown mechanism.
- A high-level API in `webdav/easy.go` (`Serve`, `Register`) to simplify serving local directories.
- RFC 4918 compliance for core operations.
- Performance optimizations, including `sync.Pool` for object reuse and `sync/atomic` for lock-free field access to reduce GC pressure.
- Comprehensive unit tests and a working example application.

The Touka framework's core has been updated to recognize all WebDAV-specific HTTP methods. This implementation addresses numerous points from detailed code reviews, including security vulnerabilities, memory leaks, RFC compliance issues, and path handling bugs.
 2025-12-11 07:40:55 +00:00
google-labs-jules[bot]
26cbf45074 feat: add native WebDAV submodule with usability helpers and fixes 
This commit introduces a new, high-performance, and extensible WebDAV submodule, implemented natively without external dependencies. It also adds a high-level API to simplify common use cases and incorporates numerous fixes based on detailed code reviews.

Features:
- A core WebDAV handler supporting `PROPFIND`, `MKCOL`, `GET`, `PUT`, `DELETE`, `COPY`, `MOVE`, `LOCK`, `UNLOCK`.
- An extensible design with `FileSystem` and `LockSystem` interfaces.
- `MemFS`: A robust, tree-based in-memory filesystem for testing.
- `OSFS`: A secure OS-based filesystem with protection against path traversal and symlink attacks.
- `MemLock`: An in-memory locking system with graceful shutdown to prevent resource leaks.
- A high-level API (`webdav.Serve`, `webdav.Register`) for ease of use.

Fixes & Improvements:
- Security: Patched directory traversal and symlink vulnerabilities. Ensured secure lock token generation.
- RFC Compliance: Corrected status codes for `COPY`/`MOVE` (201 vs 204), `DELETE` on non-empty collections (409), and `Timeout` header parsing.
- Performance: Implemented `sync.Pool` for object reuse and `sync/atomic` for file size management to reduce GC pressure.
- Robustness: Fixed numerous bugs related to path handling, resource cleanup (goroutine leaks), and header parsing.

Integration:
- The Touka framework's core has been updated to recognize all necessary WebDAV methods.
- Includes comprehensive unit tests and a working example.
 2025-12-11 07:33:34 +00:00
google-labs-jules[bot]
290878be05 feat: add native WebDAV submodule and usability helpers 
This commit introduces a new, high-performance, and extensible WebDAV submodule, implemented natively without external dependencies. It also adds a high-level API to simplify common use cases.

The submodule includes:
- A core WebDAV handler that supports essential methods: PROPFIND, MKCOL, GET, PUT, DELETE, COPY, MOVE, LOCK, and UNLOCK.
- An extensible design using a `FileSystem` interface to decouple the protocol logic from the storage backend.
- Two `FileSystem` implementations:
  - `MemFS`: An in-memory, tree-based filesystem for testing and ephemeral storage.
  - `OSFS`: A secure, OS-based filesystem that interacts with the local disk, including robust path traversal and symlink protection.
- A `LockSystem` interface with an in-memory implementation (`MemLock`) that supports resource locking and includes a graceful shutdown mechanism.
- A high-level API in `webdav/easy.go` (`Serve`, `Register`) to simplify serving local directories.
- RFC 4918 compliance for core operations.
- Performance optimizations, including `sync.Pool` for object reuse and `sync/atomic` for lock-free field access to reduce GC pressure.
- Comprehensive unit tests and a working example application.

The Touka framework's core has been updated to recognize all WebDAV-specific HTTP methods. This implementation addresses numerous points from detailed code reviews, including security vulnerabilities, memory leaks, RFC compliance issues, and path handling bugs.
 2025-12-11 07:01:07 +00:00
7 changed files with 70 additions and 28 deletions
Download patch file Download diff file Expand all files Collapse all files

4
examples/webdav/main.go
View file

@ -18,9 +18,11 @@ func main() {
}
// Serve the "public" directory on the "/webdav/" route.
if err := webdav.Serve(r, "/webdav", "public"); err != nil {
closer, err := webdav.Serve(r, "/webdav", "public")
if err != nil {
log.Fatal(err)
}
defer closer.Close()
log.Println("Touka WebDAV Server starting on :8080...")
if err := r.RunShutdown(":8080", 10*time.Second); err != nil {

13
webdav/easy.go
View file

@ -5,6 +5,7 @@
package webdav
import (
"io"
"log"
"os"
@ -20,10 +21,6 @@ type Config struct {
// Register registers a WebDAV handler on the given router.
func Register(engine *touka.Engine, prefix string, cfg *Config) {
if cfg.LockSystem == nil {
cfg.LockSystem = NewMemLock()
}
handler := NewHandler(prefix, cfg.FileSystem, cfg.LockSystem, cfg.Logger)
webdavMethods := []string{
@ -33,16 +30,18 @@ func Register(engine *touka.Engine, prefix string, cfg *Config) {
}
// Serve serves a local directory via WebDAV.
func Serve(engine *touka.Engine, prefix string, rootDir string) error {
func Serve(engine *touka.Engine, prefix string, rootDir string) (io.Closer, error) {
fs, err := NewOSFS(rootDir)
if err != nil {
return err
return nil, err
}
ls := NewMemLock()
cfg := &Config{
FileSystem: fs,
LockSystem: ls,
Logger: log.New(os.Stdout, "", 0),
}
Register(engine, prefix, cfg)
return nil
return ls, nil
}

5
webdav/easy_test.go
View file

@ -17,6 +17,7 @@ func TestRegister(t *testing.T) {
r := touka.New()
cfg := &Config{
FileSystem: NewMemFS(),
LockSystem: NewMemLock(),
}
Register(r, "/dav", cfg)
@ -35,9 +36,11 @@ func TestServe(t *testing.T) {
dir, _ := os.MkdirTemp("", "webdav")
defer os.RemoveAll(dir)
if err := Serve(r, "/serve", dir); err != nil {
closer, err := Serve(r, "/serve", dir)
if err != nil {
t.Fatalf("Serve failed: %v", err)
}
defer closer.Close()
// Check if a WebDAV method is registered
req, _ := http.NewRequest("OPTIONS", "/serve/", nil)

52
webdav/memfs.go
View file

@ -131,16 +131,35 @@ func (fs *MemFS) RemoveAll(ctx context.Context, name string) error {
fs.mu.Lock()
defer fs.mu.Unlock()
dir, base := path.Split(name)
cleanPath := path.Clean(name)
if cleanPath == "/" {
return os.ErrInvalid
}
dir, base := path.Split(cleanPath)
parent, err := fs.findNode(dir)
if err != nil {
return err
}
if _, exists := parent.children[base]; !exists {
node, exists := parent.children[base]
if !exists {
return os.ErrNotExist
}
var recursiveDelete func(*memNode)
recursiveDelete = func(n *memNode) {
if n.isDir {
for _, child := range n.children {
recursiveDelete(child)
}
}
n.parent = nil
n.children = nil
n.data = nil
}
recursiveDelete(node)
delete(parent.children, base)
return nil
}
@ -240,17 +259,34 @@ func (f *memFile) Read(p []byte) (n int, err error) {
func (f *memFile) Write(p []byte) (n int, err error) {
f.fs.mu.Lock()
defer f.fs.mu.Unlock()
newSize := f.offset + int64(len(p))
if newSize > int64(cap(f.node.data)) {
newData := make([]byte, newSize)
writeEnd := f.offset + int64(len(p))
// Grow slice if necessary
if writeEnd > int64(cap(f.node.data)) {
newCap := int64(cap(f.node.data)) * 2
if newCap < writeEnd {
newCap = writeEnd
}
newData := make([]byte, len(f.node.data), newCap)
copy(newData, f.node.data)
f.node.data = newData
} else {
f.node.data = f.node.data[:newSize]
}
// Extend slice length if write goes past the end
if writeEnd > int64(len(f.node.data)) {
f.node.data = f.node.data[:writeEnd]
}
n = copy(f.node.data[f.offset:], p)
f.offset += int64(n)
atomic.StoreInt64(&f.node.size, newSize)
// Update size only if the file has grown
if f.offset > atomic.LoadInt64(&f.node.size) {
atomic.StoreInt64(&f.node.size, f.offset)
}
f.node.modTime = time.Now()
return n, nil
}

10
webdav/memlock.go
View file

@ -38,8 +38,9 @@ func NewMemLock() *MemLock {
}
// Close stops the cleanup goroutine.
func (l *MemLock) Close() {
func (l *MemLock) Close() error {
close(l.stop)
return nil
}
func (l *MemLock) cleanup() {
@ -66,6 +67,13 @@ func (l *MemLock) Create(ctx context.Context, path string, info LockInfo) (strin
l.mu.Lock()
defer l.mu.Unlock()
// Check for conflicting locks
for _, v := range l.locks {
if v.path == path {
return "", os.ErrExist
}
}
token := make([]byte, 16)
if _, err := rand.Read(token); err != nil {
return "", err

2
webdav/osfs.go
View file

@ -28,7 +28,7 @@ func NewOSFS(rootDir string) (*OSFS, error) {
}
func (fs *OSFS) resolve(name string) (string, error) {
if filepath.IsAbs(name) || strings.Contains(name, "..") {
if strings.Contains(name, "..") {
return "", os.ErrPermission
}

12
webdav/webdav.go
View file

@ -588,11 +588,8 @@ func (h *Handler) handlePropfind(c *touka.Context) {
}
func (h *Handler) createPropfindResponse(path string, info ObjectInfo, propfind Propfind) *Response {
fullPath := path
if h.Prefix != "/" {
fullPath = h.Prefix + path
}
func (h *Handler) createPropfindResponse(p string, info ObjectInfo, propfind Propfind) *Response {
fullPath := path.Join(h.Prefix, p)
resp := &Response{
Href: []string{fullPath},
@ -641,10 +638,7 @@ func (h *Handler) handleProppatch(c *touka.Context) {
}
func (h *Handler) stripPrefix(p string) string {
if h.Prefix == "/" {
return p
}
return strings.TrimPrefix(p, h.Prefix)
return strings.TrimPrefix(strings.TrimPrefix(p, h.Prefix), "/")
}
func (h *Handler) handleLock(c *touka.Context) {