search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Allow WebAPI to specify filename and mime type for result data
[qBittorrent.git] / src / webui / webapplication.cpp
blobb615728cacf9d6253f28cfb51ab05915245aabc1
1 /*
2 * Bittorrent Client using Qt and libtorrent.
3 * Copyright (C) 2014, 2022-2023 Vladimir Golovnev <glassez@yandex.ru>
4 *
5 * This program is free software; you can redistribute it and/or
6 * modify it under the terms of the GNU General Public License
7 * as published by the Free Software Foundation; either version 2
8 * of the License, or (at your option) any later version.
9 *
10 * This program is distributed in the hope that it will be useful,
11 * but WITHOUT ANY WARRANTY; without even the implied warranty of
12 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 * GNU General Public License for more details.
14 *
15 * You should have received a copy of the GNU General Public License
16 * along with this program; if not, write to the Free Software
17 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
18 *
19 * In addition, as a special exception, the copyright holders give permission to
20 * link this program with the OpenSSL project's "OpenSSL" library (or with
21 * modified versions of it that use the same license as the "OpenSSL" library),
22 * and distribute the linked executables. You must obey the GNU General Public
23 * License in all respects for all of the code used other than "OpenSSL". If you
24 * modify file(s), you may extend this exception to your version of the file(s),
25 * but you are not obligated to do so. If you do not wish to do so, delete this
26 * exception statement from your version.
27 */
28
29 #include "webapplication.h"
30
31 #include <algorithm>
32 #include <chrono>
33
34 #include <QDateTime>
35 #include <QDebug>
36 #include <QDir>
37 #include <QFileInfo>
38 #include <QJsonDocument>
39 #include <QMetaObject>
40 #include <QMimeDatabase>
41 #include <QMimeType>
42 #include <QNetworkCookie>
43 #include <QRegularExpression>
44 #include <QThread>
45 #include <QTimer>
46 #include <QUrl>
47
48 #include "base/algorithm.h"
49 #include "base/http/httperror.h"
50 #include "base/logger.h"
51 #include "base/preferences.h"
52 #include "base/types.h"
53 #include "base/utils/fs.h"
54 #include "base/utils/io.h"
55 #include "base/utils/misc.h"
56 #include "base/utils/random.h"
57 #include "base/utils/string.h"
58 #include "api/apierror.h"
59 #include "api/appcontroller.h"
60 #include "api/authcontroller.h"
61 #include "api/logcontroller.h"
62 #include "api/rsscontroller.h"
63 #include "api/searchcontroller.h"
64 #include "api/synccontroller.h"
65 #include "api/torrentscontroller.h"
66 #include "api/transfercontroller.h"
67 #include "freediskspacechecker.h"
68
69 const int MAX_ALLOWED_FILESIZE = 10 * 1024 * 1024;
70 const QString DEFAULT_SESSION_COOKIE_NAME = u"SID"_s;
71
72 const QString WWW_FOLDER = u":/www"_s;
73 const QString PUBLIC_FOLDER = u"/public"_s;
74 const QString PRIVATE_FOLDER = u"/private"_s;
75
76 using namespace std::chrono_literals;
77
78 const std::chrono::seconds FREEDISKSPACE_CHECK_TIMEOUT = 30s;
79
80 namespace
81 {
82 QStringMap parseCookie(const QStringView cookieStr)
83 {
84 // [rfc6265] 4.2.1. Syntax
85 QStringMap ret;
86 const QList<QStringView> cookies = cookieStr.split(u';', Qt::SkipEmptyParts);
87
88 for (const auto &cookie : cookies)
89 {
90 const int idx = cookie.indexOf(u'=');
91 if (idx < 0)
92 continue;
93
94 const QString name = cookie.left(idx).trimmed().toString();
95 const QString value = Utils::String::unquote(cookie.mid(idx + 1).trimmed()).toString();
96 ret.insert(name, value);
97 }
98 return ret;
99 }
100
101 QUrl urlFromHostHeader(const QString &hostHeader)
102 {
103 if (!hostHeader.contains(u"://"))
104 return {u"http://"_s + hostHeader};
105 return hostHeader;
106 }
107
108 QString getCachingInterval(QString contentType)
109 {
110 contentType = contentType.toLower();
111
112 if (contentType.startsWith(u"image/"))
113 return u"private, max-age=604800"_s; // 1 week
114
115 if ((contentType == Http::CONTENT_TYPE_CSS)
116 || (contentType == Http::CONTENT_TYPE_JS))
117 {
118 // short interval in case of program update
119 return u"private, max-age=43200"_s; // 12 hrs
120 }
121
122 return u"no-store"_s;
123 }
124
125 QString createLanguagesOptionsHtml()
126 {
127 // List language files
128 const QStringList langFiles = QDir(u":/www/translations"_s)
129 .entryList({u"webui_*.qm"_s}, QDir::Files, QDir::Name);
130
131 QStringList languages;
132 languages.reserve(langFiles.size());
133
134 for (const QString &langFile : langFiles)
135 {
136 const auto langCode = QStringView(langFile).sliced(6).chopped(3); // remove "webui_" and ".qm"
137 const QString entry = u"<option value=\"%1\">%2</option>"_s
138 .arg(langCode, Utils::Misc::languageToLocalizedString(langCode));
139 languages.append(entry);
140 }
141
142 return languages.join(u'\n');
143 }
144
145 bool isValidCookieName(const QString &cookieName)
146 {
147 if (cookieName.isEmpty() || (cookieName.size() > 128))
148 return false;
149
150 const QRegularExpression invalidNameRegex {u"[^a-zA-Z0-9_\\-]"_s};
151 if (invalidNameRegex.match(cookieName).hasMatch())
152 return false;
153
154 return true;
155 }
156 }
157
158 WebApplication::WebApplication(IApplication *app, QObject *parent)
159 : ApplicationComponent(app, parent)
160 , m_cacheID {QString::number(Utils::Random::rand(), 36)}
161 , m_authController {new AuthController(this, app, this)}
162 , m_workerThread {new QThread}
163 , m_freeDiskSpaceChecker {new FreeDiskSpaceChecker}
164 , m_freeDiskSpaceCheckingTimer {new QTimer(this)}
165 {
166 declarePublicAPI(u"auth/login"_s);
167
168 configure();
169 connect(Preferences::instance(), &Preferences::changed, this, &WebApplication::configure);
170
171 m_sessionCookieName = Preferences::instance()->getWebAPISessionCookieName();
172 if (!isValidCookieName(m_sessionCookieName))
173 {
174 if (!m_sessionCookieName.isEmpty())
175 {
176 LogMsg(tr("Unacceptable session cookie name is specified: '%1'. Default one is used.")
177 .arg(m_sessionCookieName), Log::WARNING);
178 }
179 m_sessionCookieName = DEFAULT_SESSION_COOKIE_NAME;
180 }
181
182 m_freeDiskSpaceChecker->moveToThread(m_workerThread.get());
183 connect(m_workerThread.get(), &QThread::finished, m_freeDiskSpaceChecker, &QObject::deleteLater);
184 m_workerThread->start();
185
186 m_freeDiskSpaceCheckingTimer->setInterval(FREEDISKSPACE_CHECK_TIMEOUT);
187 m_freeDiskSpaceCheckingTimer->setSingleShot(true);
188 connect(m_freeDiskSpaceCheckingTimer, &QTimer::timeout, m_freeDiskSpaceChecker, &FreeDiskSpaceChecker::check);
189 connect(m_freeDiskSpaceChecker, &FreeDiskSpaceChecker::checked, m_freeDiskSpaceCheckingTimer, qOverload<>(&QTimer::start));
190 QMetaObject::invokeMethod(m_freeDiskSpaceChecker, &FreeDiskSpaceChecker::check);
191 }
192
193 WebApplication::~WebApplication()
194 {
195 // cleanup sessions data
196 qDeleteAll(m_sessions);
197 }
198
199 void WebApplication::sendWebUIFile()
200 {
201 if (request().path.contains(u'\\'))
202 throw BadRequestHTTPError();
203
204 if (const QList<QStringView> pathItems = QStringView(request().path).split(u'/', Qt::SkipEmptyParts)
205 ; pathItems.contains(u".") || pathItems.contains(u".."))
206 {
207 throw BadRequestHTTPError();
208 }
209
210 const QString path = (request().path != u"/")
211 ? request().path
212 : u"/index.html"_s;
213
214 Path localPath = m_rootFolder
215 / Path(session() ? PRIVATE_FOLDER : PUBLIC_FOLDER)
216 / Path(path);
217 if (!localPath.exists() && session())
218 {
219 // try to send public file if there is no private one
220 localPath = m_rootFolder / Path(PUBLIC_FOLDER) / Path(path);
221 }
222
223 if (m_isAltUIUsed)
224 {
225 if (!Utils::Fs::isRegularFile(localPath))
226 throw InternalServerErrorHTTPError(tr("Unacceptable file type, only regular file is allowed."));
227
228 const QString rootFolder = m_rootFolder.data();
229
230 QFileInfo fileInfo {localPath.parentPath().data()};
231 while (fileInfo.path() != rootFolder)
232 {
233 if (fileInfo.isSymLink())
234 throw InternalServerErrorHTTPError(tr("Symlinks inside alternative UI folder are forbidden."));
235
236 fileInfo.setFile(fileInfo.path());
237 }
238 }
239
240 sendFile(localPath);
241 }
242
243 void WebApplication::translateDocument(QString &data) const
244 {
245 const QRegularExpression regex(u"QBT_TR\\((([^\\)]|\\)(?!QBT_TR))+)\\)QBT_TR\\[CONTEXT=([a-zA-Z_][a-zA-Z0-9_]*)\\]"_s);
246
247 int i = 0;
248 bool found = true;
249 while (i < data.size() && found)
250 {
251 QRegularExpressionMatch regexMatch;
252 i = data.indexOf(regex, i, &regexMatch);
253 if (i >= 0)
254 {
255 const QString sourceText = regexMatch.captured(1);
256 const QString context = regexMatch.captured(3);
257
258 const QString loadedText = m_translationFileLoaded
259 ? m_translator.translate(context.toUtf8().constData(), sourceText.toUtf8().constData())
260 : QString();
261 // `loadedText` is empty when translation is not provided
262 // it should fallback to `sourceText`
263 QString translation = loadedText.isEmpty() ? sourceText : loadedText;
264
265 // Use HTML code for quotes to prevent issues with JS
266 translation.replace(u'\'', u"&#39;"_s);
267 translation.replace(u'\"', u"&#34;"_s);
268
269 data.replace(i, regexMatch.capturedLength(), translation);
270 i += translation.length();
271 }
272 else
273 {
274 found = false; // no more translatable strings
275 }
276
277 data.replace(u"${LANG}"_s, m_currentLocale.left(2));
278 data.replace(u"${CACHEID}"_s, m_cacheID);
279 }
280 }
281
282 WebSession *WebApplication::session()
283 {
284 return m_currentSession;
285 }
286
287 const Http::Request &WebApplication::request() const
288 {
289 return m_request;
290 }
291
292 const Http::Environment &WebApplication::env() const
293 {
294 return m_env;
295 }
296
297 void WebApplication::setUsername(const QString &username)
298 {
299 m_authController->setUsername(username);
300 }
301
302 void WebApplication::setPasswordHash(const QByteArray &passwordHash)
303 {
304 m_authController->setPasswordHash(passwordHash);
305 }
306
307 void WebApplication::doProcessRequest()
308 {
309 const QRegularExpressionMatch match = m_apiPathPattern.match(request().path);
310 if (!match.hasMatch())
311 {
312 sendWebUIFile();
313 return;
314 }
315
316 const QString action = match.captured(u"action"_s);
317 const QString scope = match.captured(u"scope"_s);
318
319 // Check public/private scope
320 if (!session() && !isPublicAPI(scope, action))
321 throw ForbiddenHTTPError();
322
323 // Find matching API
324 APIController *controller = nullptr;
325 if (session())
326 controller = session()->getAPIController(scope);
327 if (!controller)
328 {
329 if (scope == u"auth")
330 controller = m_authController;
331 else
332 throw NotFoundHTTPError();
333 }
334
335 // Filter HTTP methods
336 const auto allowedMethodIter = m_allowedMethod.find({scope, action});
337 if (allowedMethodIter == m_allowedMethod.end())
338 {
339 // by default allow both GET, POST methods
340 if ((m_request.method != Http::METHOD_GET) && (m_request.method != Http::METHOD_POST))
341 throw MethodNotAllowedHTTPError();
342 }
343 else
344 {
345 if (*allowedMethodIter != m_request.method)
346 throw MethodNotAllowedHTTPError();
347 }
348
349 DataMap data;
350 for (const Http::UploadedFile &torrent : request().files)
351 data[torrent.filename] = torrent.data;
352
353 try
354 {
355 const APIResult result = controller->run(action, m_params, data);
356 switch (result.data.userType())
357 {
358 case QMetaType::QJsonDocument:
359 print(result.data.toJsonDocument().toJson(QJsonDocument::Compact), Http::CONTENT_TYPE_JSON);
360 break;
361 case QMetaType::QByteArray:
362 {
363 const auto resultData = result.data.toByteArray();
364 print(resultData, (!result.mimeType.isEmpty() ? result.mimeType : Http::CONTENT_TYPE_TXT));
365 if (!result.filename.isEmpty())
366 {
367 setHeader({u"Content-Disposition"_s, u"attachment; filename=\"%1\""_s.arg(result.filename)});
368 }
369 }
370 break;
371 case QMetaType::QString:
372 default:
373 print(result.data.toString(), Http::CONTENT_TYPE_TXT);
374 break;
375 }
376 }
377 catch (const APIError &error)
378 {
379 // re-throw as HTTPError
380 switch (error.type())
381 {
382 case APIErrorType::AccessDenied:
383 throw ForbiddenHTTPError(error.message());
384 case APIErrorType::BadData:
385 throw UnsupportedMediaTypeHTTPError(error.message());
386 case APIErrorType::BadParams:
387 throw BadRequestHTTPError(error.message());
388 case APIErrorType::Conflict:
389 throw ConflictHTTPError(error.message());
390 case APIErrorType::NotFound:
391 throw NotFoundHTTPError(error.message());
392 default:
393 Q_ASSERT(false);
394 }
395 }
396 }
397
398 void WebApplication::configure()
399 {
400 const auto *pref = Preferences::instance();
401
402 const bool isAltUIUsed = pref->isAltWebUIEnabled();
403 const Path rootFolder = (!isAltUIUsed ? Path(WWW_FOLDER) : pref->getWebUIRootFolder());
404 if ((isAltUIUsed != m_isAltUIUsed) || (rootFolder != m_rootFolder))
405 {
406 m_isAltUIUsed = isAltUIUsed;
407 m_rootFolder = rootFolder;
408 m_translatedFiles.clear();
409 if (!m_isAltUIUsed)
410 LogMsg(tr("Using built-in WebUI."));
411 else
412 LogMsg(tr("Using custom WebUI. Location: \"%1\".").arg(m_rootFolder.toString()));
413 }
414
415 const QString newLocale = pref->getLocale();
416 if (m_currentLocale != newLocale)
417 {
418 m_currentLocale = newLocale;
419 m_translatedFiles.clear();
420
421 m_translationFileLoaded = m_translator.load((m_rootFolder / Path(u"translations/webui_"_s) + newLocale).data());
422 if (m_translationFileLoaded)
423 {
424 LogMsg(tr("WebUI translation for selected locale (%1) has been successfully loaded.")
425 .arg(newLocale));
426 }
427 else
428 {
429 LogMsg(tr("Couldn't load WebUI translation for selected locale (%1).").arg(newLocale), Log::WARNING);
430 }
431 }
432
433 m_isLocalAuthEnabled = pref->isWebUILocalAuthEnabled();
434 m_isAuthSubnetWhitelistEnabled = pref->isWebUIAuthSubnetWhitelistEnabled();
435 m_authSubnetWhitelist = pref->getWebUIAuthSubnetWhitelist();
436 m_sessionTimeout = pref->getWebUISessionTimeout();
437
438 m_domainList = pref->getServerDomains().split(u';', Qt::SkipEmptyParts);
439 std::for_each(m_domainList.begin(), m_domainList.end(), [](QString &entry) { entry = entry.trimmed(); });
440
441 m_isCSRFProtectionEnabled = pref->isWebUICSRFProtectionEnabled();
442 m_isSecureCookieEnabled = pref->isWebUISecureCookieEnabled();
443 m_isHostHeaderValidationEnabled = pref->isWebUIHostHeaderValidationEnabled();
444 m_isHttpsEnabled = pref->isWebUIHttpsEnabled();
445
446 m_prebuiltHeaders.clear();
447 m_prebuiltHeaders.push_back({Http::HEADER_X_XSS_PROTECTION, u"1; mode=block"_s});
448 m_prebuiltHeaders.push_back({Http::HEADER_X_CONTENT_TYPE_OPTIONS, u"nosniff"_s});
449
450 if (!m_isAltUIUsed)
451 {
452 m_prebuiltHeaders.push_back({Http::HEADER_CROSS_ORIGIN_OPENER_POLICY, u"same-origin"_s});
453 m_prebuiltHeaders.push_back({Http::HEADER_REFERRER_POLICY, u"same-origin"_s});
454 }
455
456 const bool isClickjackingProtectionEnabled = pref->isWebUIClickjackingProtectionEnabled();
457 if (isClickjackingProtectionEnabled)
458 m_prebuiltHeaders.push_back({Http::HEADER_X_FRAME_OPTIONS, u"SAMEORIGIN"_s});
459
460 const QString contentSecurityPolicy =
461 (m_isAltUIUsed
462 ? QString()
463 : u"default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; script-src 'self' 'unsafe-inline'; object-src 'none'; form-action 'self';"_s)
464 + (isClickjackingProtectionEnabled ? u" frame-ancestors 'self';"_s : QString())
465 + (m_isHttpsEnabled ? u" upgrade-insecure-requests;"_s : QString());
466 if (!contentSecurityPolicy.isEmpty())
467 m_prebuiltHeaders.push_back({Http::HEADER_CONTENT_SECURITY_POLICY, contentSecurityPolicy});
468
469 if (pref->isWebUICustomHTTPHeadersEnabled())
470 {
471 const QString customHeaders = pref->getWebUICustomHTTPHeaders();
472 const QList<QStringView> customHeaderLines = QStringView(customHeaders).trimmed().split(u'\n', Qt::SkipEmptyParts);
473
474 for (const QStringView line : customHeaderLines)
475 {
476 const int idx = line.indexOf(u':');
477 if (idx < 0)
478 {
479 // require separator `:` to be present even if `value` field can be empty
480 LogMsg(tr("Missing ':' separator in WebUI custom HTTP header: \"%1\"").arg(line.toString()), Log::WARNING);
481 continue;
482 }
483
484 const QString header = line.left(idx).trimmed().toString();
485 const QString value = line.mid(idx + 1).trimmed().toString();
486 m_prebuiltHeaders.push_back({header, value});
487 }
488 }
489
490 m_isReverseProxySupportEnabled = pref->isWebUIReverseProxySupportEnabled();
491 if (m_isReverseProxySupportEnabled)
492 {
493 const QStringList proxyList = pref->getWebUITrustedReverseProxiesList().split(u';', Qt::SkipEmptyParts);
494
495 m_trustedReverseProxyList.clear();
496 m_trustedReverseProxyList.reserve(proxyList.size());
497
498 for (QString proxy : proxyList)
499 {
500 if (!proxy.contains(u'/'))
501 {
502 const QAbstractSocket::NetworkLayerProtocol protocol = QHostAddress(proxy).protocol();
503 if (protocol == QAbstractSocket::IPv4Protocol)
504 {
505 proxy.append(u"/32");
506 }
507 else if (protocol == QAbstractSocket::IPv6Protocol)
508 {
509 proxy.append(u"/128");
510 }
511 }
512
513 const std::optional<Utils::Net::Subnet> subnet = Utils::Net::parseSubnet(proxy);
514 if (subnet)
515 m_trustedReverseProxyList.push_back(subnet.value());
516 }
517
518 if (m_trustedReverseProxyList.isEmpty())
519 m_isReverseProxySupportEnabled = false;
520 }
521 }
522
523 void WebApplication::declarePublicAPI(const QString &apiPath)
524 {
525 m_publicAPIs << apiPath;
526 }
527
528 void WebApplication::sendFile(const Path &path)
529 {
530 const QDateTime lastModified = Utils::Fs::lastModified(path);
531
532 // find translated file in cache
533 if (!m_isAltUIUsed)
534 {
535 if (const auto it = m_translatedFiles.constFind(path);
536 (it != m_translatedFiles.constEnd()) && (lastModified <= it->lastModified))
537 {
538 print(it->data, it->mimeType);
539 setHeader({Http::HEADER_CACHE_CONTROL, getCachingInterval(it->mimeType)});
540 return;
541 }
542 }
543
544 const auto readResult = Utils::IO::readFile(path, MAX_ALLOWED_FILESIZE);
545 if (!readResult)
546 {
547 const QString message = tr("Web server error. %1").arg(readResult.error().message);
548
549 switch (readResult.error().status)
550 {
551 case Utils::IO::ReadError::NotExist:
552 qDebug("%s", qUtf8Printable(message));
553 // don't write log messages here to avoid exhausting the disk space
554 throw NotFoundHTTPError();
555
556 case Utils::IO::ReadError::ExceedSize:
557 qWarning("%s", qUtf8Printable(message));
558 LogMsg(message, Log::WARNING);
559 throw InternalServerErrorHTTPError(readResult.error().message);
560
561 case Utils::IO::ReadError::Failed:
562 case Utils::IO::ReadError::SizeMismatch:
563 LogMsg(message, Log::WARNING);
564 throw InternalServerErrorHTTPError(readResult.error().message);
565 }
566
567 throw InternalServerErrorHTTPError(tr("Web server error. Unknown error."));
568 }
569
570 QByteArray data = readResult.value();
571 const QMimeType mimeType = QMimeDatabase().mimeTypeForFileNameAndData(path.data(), data);
572 const bool isTranslatable = !m_isAltUIUsed && mimeType.inherits(u"text/plain"_s);
573
574 if (isTranslatable)
575 {
576 auto dataStr = QString::fromUtf8(data);
577 // Translate the file
578 translateDocument(dataStr);
579
580 // Add the language options
581 if (path == (m_rootFolder / Path(PRIVATE_FOLDER) / Path(u"views/preferences.html"_s)))
582 dataStr.replace(u"${LANGUAGE_OPTIONS}"_s, createLanguagesOptionsHtml());
583
584 data = dataStr.toUtf8();
585 m_translatedFiles[path] = {data, mimeType.name(), lastModified}; // caching translated file
586 }
587
588 print(data, mimeType.name());
589 setHeader({Http::HEADER_CACHE_CONTROL, getCachingInterval(mimeType.name())});
590 }
591
592 Http::Response WebApplication::processRequest(const Http::Request &request, const Http::Environment &env)
593 {
594 m_currentSession = nullptr;
595 m_request = request;
596 m_env = env;
597 m_params.clear();
598
599 if (m_request.method == Http::METHOD_GET)
600 {
601 for (auto iter = m_request.query.cbegin(); iter != m_request.query.cend(); ++iter)
602 m_params[iter.key()] = QString::fromUtf8(iter.value());
603 }
604 else
605 {
606 m_params = m_request.posts;
607 }
608
609 // clear response
610 clear();
611
612 try
613 {
614 // block suspicious requests
615 if ((m_isCSRFProtectionEnabled && isCrossSiteRequest(m_request))
616 || (m_isHostHeaderValidationEnabled && !validateHostHeader(m_domainList)))
617 {
618 throw UnauthorizedHTTPError();
619 }
620
621 // reverse proxy resolve client address
622 m_clientAddress = resolveClientAddress();
623
624 sessionInitialize();
625 doProcessRequest();
626 }
627 catch (const HTTPError &error)
628 {
629 status(error.statusCode(), error.statusText());
630 print((!error.message().isEmpty() ? error.message() : error.statusText()), Http::CONTENT_TYPE_TXT);
631 }
632
633 for (const Http::Header &prebuiltHeader : asConst(m_prebuiltHeaders))
634 setHeader(prebuiltHeader);
635
636 return response();
637 }
638
639 QString WebApplication::clientId() const
640 {
641 return m_clientAddress.toString();
642 }
643
644 void WebApplication::sessionInitialize()
645 {
646 Q_ASSERT(!m_currentSession);
647
648 const QString sessionId {parseCookie(m_request.headers.value(u"cookie"_s)).value(m_sessionCookieName)};
649
650 // TODO: Additional session check
651
652 if (!sessionId.isEmpty())
653 {
654 m_currentSession = m_sessions.value(sessionId);
655 if (m_currentSession)
656 {
657 if (m_currentSession->hasExpired(m_sessionTimeout))
658 {
659 // session is outdated - removing it
660 delete m_sessions.take(sessionId);
661 m_currentSession = nullptr;
662 }
663 else
664 {
665 m_currentSession->updateTimestamp();
666 }
667 }
668 else
669 {
670 qDebug() << Q_FUNC_INFO << "session does not exist!";
671 }
672 }
673
674 if (!m_currentSession && !isAuthNeeded())
675 sessionStart();
676 }
677
678 QString WebApplication::generateSid() const
679 {
680 QString sid;
681
682 do
683 {
684 const quint32 tmp[] =
685 {Utils::Random::rand(), Utils::Random::rand(), Utils::Random::rand()
686 , Utils::Random::rand(), Utils::Random::rand(), Utils::Random::rand()};
687 sid = QString::fromLatin1(QByteArray::fromRawData(reinterpret_cast<const char *>(tmp), sizeof(tmp)).toBase64());
688 }
689 while (m_sessions.contains(sid));
690
691 return sid;
692 }
693
694 bool WebApplication::isAuthNeeded()
695 {
696 if (!m_isLocalAuthEnabled && Utils::Net::isLoopbackAddress(m_clientAddress))
697 return false;
698 if (m_isAuthSubnetWhitelistEnabled && Utils::Net::isIPInSubnets(m_clientAddress, m_authSubnetWhitelist))
699 return false;
700 return true;
701 }
702
703 bool WebApplication::isPublicAPI(const QString &scope, const QString &action) const
704 {
705 return m_publicAPIs.contains(u"%1/%2"_s.arg(scope, action));
706 }
707
708 void WebApplication::sessionStart()
709 {
710 Q_ASSERT(!m_currentSession);
711
712 // remove outdated sessions
713 Algorithm::removeIf(m_sessions, [this](const QString &, const WebSession *session)
714 {
715 if (session->hasExpired(m_sessionTimeout))
716 {
717 delete session;
718 return true;
719 }
720
721 return false;
722 });
723
724 m_currentSession = new WebSession(generateSid(), app());
725 m_sessions[m_currentSession->id()] = m_currentSession;
726
727 m_currentSession->registerAPIController<AppController>(u"app"_s);
728 m_currentSession->registerAPIController<LogController>(u"log"_s);
729 m_currentSession->registerAPIController<RSSController>(u"rss"_s);
730 m_currentSession->registerAPIController<SearchController>(u"search"_s);
731 m_currentSession->registerAPIController<TorrentsController>(u"torrents"_s);
732 m_currentSession->registerAPIController<TransferController>(u"transfer"_s);
733
734 auto *syncController = m_currentSession->registerAPIController<SyncController>(u"sync"_s);
735 syncController->updateFreeDiskSpace(m_freeDiskSpaceChecker->lastResult());
736 connect(m_freeDiskSpaceChecker, &FreeDiskSpaceChecker::checked, syncController, &SyncController::updateFreeDiskSpace);
737
738 QNetworkCookie cookie {m_sessionCookieName.toLatin1(), m_currentSession->id().toUtf8()};
739 cookie.setHttpOnly(true);
740 cookie.setSecure(m_isSecureCookieEnabled && m_isHttpsEnabled);
741 cookie.setPath(u"/"_s);
742 QByteArray cookieRawForm = cookie.toRawForm();
743 if (m_isCSRFProtectionEnabled)
744 cookieRawForm.append("; SameSite=Strict");
745 else if (cookie.isSecure())
746 cookieRawForm.append("; SameSite=None");
747 setHeader({Http::HEADER_SET_COOKIE, QString::fromLatin1(cookieRawForm)});
748 }
749
750 void WebApplication::sessionEnd()
751 {
752 Q_ASSERT(m_currentSession);
753
754 QNetworkCookie cookie {m_sessionCookieName.toLatin1()};
755 cookie.setPath(u"/"_s);
756 cookie.setExpirationDate(QDateTime::currentDateTime().addDays(-1));
757
758 delete m_sessions.take(m_currentSession->id());
759 m_currentSession = nullptr;
760
761 setHeader({Http::HEADER_SET_COOKIE, QString::fromLatin1(cookie.toRawForm())});
762 }
763
764 bool WebApplication::isCrossSiteRequest(const Http::Request &request) const
765 {
766 // https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet#Verifying_Same_Origin_with_Standard_Headers
767
768 const auto isSameOrigin = [](const QUrl &left, const QUrl &right) -> bool
769 {
770 // [rfc6454] 5. Comparing Origins
771 return ((left.port() == right.port())
772 // && (left.scheme() == right.scheme()) // not present in this context
773 && (left.host() == right.host()));
774 };
775
776 const QString targetOrigin = request.headers.value(Http::HEADER_X_FORWARDED_HOST, request.headers.value(Http::HEADER_HOST));
777 const QString originValue = request.headers.value(Http::HEADER_ORIGIN);
778 const QString refererValue = request.headers.value(Http::HEADER_REFERER);
779
780 if (originValue.isEmpty() && refererValue.isEmpty())
781 {
782 // owasp.org recommends to block this request, but doing so will inevitably lead Web API users to spoof headers
783 // so lets be permissive here
784 return false;
785 }
786
787 // sent with CORS requests, as well as with POST requests
788 if (!originValue.isEmpty())
789 {
790 const bool isInvalid = !isSameOrigin(urlFromHostHeader(targetOrigin), originValue);
791 if (isInvalid)
792 {
793 LogMsg(tr("WebUI: Origin header & Target origin mismatch! Source IP: '%1'. Origin header: '%2'. Target origin: '%3'")
794 .arg(m_env.clientAddress.toString(), originValue, targetOrigin)
795 , Log::WARNING);
796 }
797 return isInvalid;
798 }
799
800 if (!refererValue.isEmpty())
801 {
802 const bool isInvalid = !isSameOrigin(urlFromHostHeader(targetOrigin), refererValue);
803 if (isInvalid)
804 {
805 LogMsg(tr("WebUI: Referer header & Target origin mismatch! Source IP: '%1'. Referer header: '%2'. Target origin: '%3'")
806 .arg(m_env.clientAddress.toString(), refererValue, targetOrigin)
807 , Log::WARNING);
808 }
809 return isInvalid;
810 }
811
812 return true;
813 }
814
815 bool WebApplication::validateHostHeader(const QStringList &domains) const
816 {
817 const QUrl hostHeader = urlFromHostHeader(m_request.headers[Http::HEADER_HOST]);
818 const QString requestHost = hostHeader.host();
819
820 // (if present) try matching host header's port with local port
821 const int requestPort = hostHeader.port();
822 if ((requestPort != -1) && (m_env.localPort != requestPort))
823 {
824 LogMsg(tr("WebUI: Invalid Host header, port mismatch. Request source IP: '%1'. Server port: '%2'. Received Host header: '%3'")
825 .arg(m_env.clientAddress.toString()).arg(m_env.localPort)
826 .arg(m_request.headers[Http::HEADER_HOST])
827 , Log::WARNING);
828 return false;
829 }
830
831 // try matching host header with local address
832 const bool sameAddr = m_env.localAddress.isEqual(QHostAddress(requestHost));
833
834 if (sameAddr)
835 return true;
836
837 // try matching host header with domain list
838 for (const auto &domain : domains)
839 {
840 const QRegularExpression domainRegex {Utils::String::wildcardToRegexPattern(domain), QRegularExpression::CaseInsensitiveOption};
841 if (requestHost.contains(domainRegex))
842 return true;
843 }
844
845 LogMsg(tr("WebUI: Invalid Host header. Request source IP: '%1'. Received Host header: '%2'")
846 .arg(m_env.clientAddress.toString(), m_request.headers[Http::HEADER_HOST])
847 , Log::WARNING);
848 return false;
849 }
850
851 QHostAddress WebApplication::resolveClientAddress() const
852 {
853 if (!m_isReverseProxySupportEnabled)
854 return m_env.clientAddress;
855
856 // Only reverse proxy can overwrite client address
857 if (!Utils::Net::isIPInSubnets(m_env.clientAddress, m_trustedReverseProxyList))
858 return m_env.clientAddress;
859
860 const QString forwardedFor = m_request.headers.value(Http::HEADER_X_FORWARDED_FOR);
861
862 if (!forwardedFor.isEmpty())
863 {
864 // client address is the 1st global IP in X-Forwarded-For or, if none available, the 1st IP in the list
865 const QStringList remoteIpList = forwardedFor.split(u',', Qt::SkipEmptyParts);
866
867 if (!remoteIpList.isEmpty())
868 {
869 QHostAddress clientAddress;
870
871 for (const QString &remoteIp : remoteIpList)
872 {
873 if (clientAddress.setAddress(remoteIp) && clientAddress.isGlobal())
874 return clientAddress;
875 }
876
877 if (clientAddress.setAddress(remoteIpList[0]))
878 return clientAddress;
879 }
880 }
881
882 return m_env.clientAddress;
883 }
884
885 // WebSession
886
887 WebSession::WebSession(const QString &sid, IApplication *app)
888 : ApplicationComponent(app)
889 , m_sid {sid}
890 {
891 updateTimestamp();
892 }
893
894 QString WebSession::id() const
895 {
896 return m_sid;
897 }
898
899 bool WebSession::hasExpired(const qint64 seconds) const
900 {
901 if (seconds <= 0)
902 return false;
903 return m_timer.hasExpired(seconds * 1000);
904 }
905
906 void WebSession::updateTimestamp()
907 {
908 m_timer.start();
909 }
910
911 APIController *WebSession::getAPIController(const QString &scope) const
912 {
913 return m_apiControllers.value(scope);
914 }