feat: add max file size limit for hashing functionality

Author: adrianschubek

Dockerfile

@@ -1,6 +1,6 @@
 FROM php:8.5-fpm-alpine AS base
 
-ENV DIRBROWSER_VERSION=4.0.0
+ENV DIRBROWSER_VERSION=4.1.0
 
 RUN apk update && apk upgrade
 
@@ -57,6 +57,8 @@ ENV DATE_FORMAT=relative
 
 ENV HASH=true
 
+ENV HASH_MAX_FILE_SIZE_MB=100
+
 ENV TRANSITION=false
 
 ENV HASH_FOLDER=false	

docs/docs/configuration/hashes.md

@@ -40,11 +40,8 @@ This feature should not be used to restrict access as the hash is publicly avail
 To protect the file use the [password protection](password.mdx) feature.
 :::
 
-:::danger
-If you are hosting large files (1GB+) hashing them may take a significant amount of time and CPU resources on the server potentially leading to a Denial of Service for other users. Consinder disabling this feature in this case `HASH=false`.
-:::
 
 import EnvConfig from '@site/src/components/EnvConfig';
 
 <!-- <EnvConfig name="HASH" init="true" values="true,false"/> -->
-<EnvConfig name="HASH|HASH_REQUIRED|HASH_ALGO" init="true|false|sha256" values="true,false|true,false|md2,md4,md5,sha1,sha224,sha256,sha384,sha512/224,sha512/256,sha512,sha3-224,sha3-256,sha3-384,sha3-512,ripemd128,ripemd160,ripemd256,ripemd320,whirlpool,snefru,snefru256,gost,gost-crypto,adler32,crc32,crc32b,crc32c,fnv132,fnv1a32,fnv164,fnv1a64,joaat,murmur3a,murmur3c,murmur3f,xxh32,xxh64,xxh3,xxh128" desc="|Hash is always required|" versions="3.0|3.3|3.1" />
+<EnvConfig name="HASH|HASH_MAX_FILE_SIZE_MB|HASH_REQUIRED|HASH_ALGO" init="true|100|false|sha256" values="true,false|integer|true,false|md2,md4,md5,sha1,sha224,sha256,sha384,sha512/224,sha512/256,sha512,sha3-224,sha3-256,sha3-384,sha3-512,ripemd128,ripemd160,ripemd256,ripemd320,whirlpool,snefru,snefru256,gost,gost-crypto,adler32,crc32,crc32b,crc32c,fnv132,fnv1a32,fnv164,fnv1a64,joaat,murmur3a,murmur3c,murmur3f,xxh32,xxh64,xxh3,xxh128" desc="|Hash is always required|" versions="3.0|3.3|3.1" />

src/index.php

@@ -52,6 +52,26 @@ function safe_utf8(string $input): string
   return preg_replace('/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/u', '', $input) ?? '';
 }
 
+function hash_max_file_size_bytes(): ?int
+{
+  $raw = getenv('HASH_MAX_FILE_SIZE_MB');
+  if ($raw === false || $raw === '') return null;
+  if (!is_numeric($raw)) return null;
+  $mb = floatval($raw);
+  if ($mb <= 0) return null;
+  $bytes = (int) floor($mb * 1024 * 1024);
+  return $bytes > 0 ? $bytes : null;
+}
+
+function hashing_allowed_for_file(string $path): bool
+{
+  $maxBytes = hash_max_file_size_bytes();
+  if ($maxBytes === null) return true;
+  $size = @filesize($path);
+  if ($size === false) return false;
+  return $size <= $maxBytes;
+}
+
 // fix whitespace in path results in not found errors
 $request_uri = rawurldecode(parse_url($_SERVER['REQUEST_URI'], PHP_URL_PATH));
 
@@ -506,6 +526,15 @@ function downloadBatch(array $urls) {
   $[if `process.env.HASH`]$
   // only allow download if requested hash matches actual hash
   if (${{`process.env.HASH_REQUIRED === "true" ? "true ||" : ""`}}$ isset($_REQUEST["hash"]) || isset($meta) && $meta->hash_required === true) {
+    if (!hashing_allowed_for_file($local_path)) {
+      http_response_code(413);
+      $limitMb = getenv('HASH_MAX_FILE_SIZE_MB');
+      die("<b>Hashing disabled.</b> File exceeds HASH_MAX_FILE_SIZE_MB (" . htmlspecialchars((string) $limitMb) . " MB).");
+    }
+    if (!isset($_REQUEST["hash"])) {
+      http_response_code(403);
+      die("<b>Access denied.</b> Hash is required for this file.");
+    }
     if ($_REQUEST["hash"] !== hash_file('${{`process.env.HASH_ALGO`}}$', $local_path)) {
       http_response_code(403);
       die("<b>Access denied.</b> Supplied hash does not match actual file hash.");
@@ -521,14 +550,22 @@ function downloadBatch(array $urls) {
 
   $[if `process.env.API === "true"`]$
   if(isset($_REQUEST["info"])) {
+    $hash_value = null;
+    $[end]$
+    $[if `process.env.API === "true" && process.env.HASH === "true"`]$
+    if (hashing_allowed_for_file($local_path)) {
+      $hash_value = hash_file('${{`process.env.HASH_ALGO`}}$', $local_path);
+    }
+    $[end]$
+    $[if `process.env.API === "true"`]$
     $info = [
       "url" => $relative_path, // FIXME: use host domain! abc.de/foobar
       "name" => basename($local_path),
       "mime" => mime_content_type($local_path) ?? "application/octet-stream",
       "size" => filesize($local_path),
       "modified" => filemtime($local_path),
       "downloads" => ${{`process.env.DOWNLOAD_COUNTER === "true" ? "intval($redis->get($relative_path))" : "0"`}}$,
-      "hash_${{`process.env.HASH_ALGO`}}$" => ${{`process.env.HASH === "true" ? "hash_file('"+process.env.HASH_ALGO+"', $local_path)" : "null"`}}$
+      "hash_${{`process.env.HASH_ALGO`}}$" => $hash_value
     ];
     header("Content-Type: application/json");
     die(json_encode($info, JSON_UNESCAPED_SLASHES));
@@ -1155,11 +1192,20 @@ function getRelativeTimeString(date, lang = navigator.language) {
 
     $[if `process.env.HASH === "true"`]$
     // via api bc otherwise we need to include the hash in the tree itself which is costly
+    const HASH_MAX_FILE_SIZE_MB = Number('${{`process.env.HASH_MAX_FILE_SIZE_MB ?? ""`}}$');
+    const HASH_MAX_FILE_SIZE_BYTES = Number.isFinite(HASH_MAX_FILE_SIZE_MB) && HASH_MAX_FILE_SIZE_MB > 0
+      ? Math.floor(HASH_MAX_FILE_SIZE_MB * 1024 * 1024)
+      : null;
+
     const getHashViaApi = async (url) => {
       const res = await fetch(url);
-      if (!res.ok) throw new Error('Hash request failed');
+      if (!res.ok) {
+        if (res.status === 413) throw new Error('too_large');
+        throw new Error('request_failed');
+      }
       const data = await res.json();
       const hash = data.hash_${{`process.env.HASH_ALGO`}}$;
+      if (hash === null || hash === undefined || String(hash).length === 0) throw new Error('unavailable');
       await copyTextToClipboard(String(hash ?? ''));
     }
     $[end]$
@@ -1489,18 +1535,31 @@ function getRelativeTimeString(date, lang = navigator.language) {
           $[if `process.env.LAYOUT === "popup" && process.env.HASH === "true"`]$
           // Show hash entry; actual hash is fetched on demand via API.
           if (typeof getHashViaApi === 'function') {
-            const link = document.createElement('a');
-            link.href = '#';
-            link.className = 'link-primary link-offset-2 link-underline-opacity-25 link-underline-opacity-100-hover';
-            link.textContent = 'Click to calculate hash';
-            link.addEventListener('click', async (e) => {
-              link.textContent = 'Calculating…';
-              e.preventDefault();
-              if (!popupState.apiInfoUrl) return;
-              await getHashViaApi(popupState.apiInfoUrl);
-              link.textContent = 'Hash copied to clipboard';
-            });
-            entries.push({ label: 'Hash', value: link });
+            const fileSize = Number(payload.size ?? 0);
+            const hashingTooLarge = HASH_MAX_FILE_SIZE_BYTES !== null && Number.isFinite(fileSize) && fileSize > HASH_MAX_FILE_SIZE_BYTES;
+            if (hashingTooLarge) {
+              const note = document.createElement('span');
+              note.className = 'text-body-secondary';
+              note.textContent = `Too large to hash (>${HASH_MAX_FILE_SIZE_MB} MB)`;
+              entries.push({ label: 'Hash', value: note });
+            } else {
+              const link = document.createElement('a');
+              link.href = '#';
+              link.className = 'link-primary link-offset-2 link-underline-opacity-25 link-underline-opacity-100-hover';
+              link.textContent = 'Click to calculate hash';
+              link.addEventListener('click', async (e) => {
+                link.textContent = 'Calculating…';
+                e.preventDefault();
+                if (!popupState.apiInfoUrl) return;
+                try {
+                  await getHashViaApi(popupState.apiInfoUrl);
+                  link.textContent = 'Hash copied to clipboard';
+                } catch (err) {
+                  link.textContent = err && String(err.message) === 'too_large' ? 'Too large to hash' : 'Hash unavailable';
+                }
+              });
+              entries.push({ label: 'Hash', value: link });
+            }
           }
           $[end]$
           $[if `process.env.LAYOUT === "popup"`]$