Add safe browsing support

oriionn · oriionn · commit cbaf8b741861 · 2023-08-10T02:45:22.000+02:00
diff --git a/app.js b/app.js
@@ -34,6 +34,12 @@ app.get('/', (req, res) => {
     res.sendFile(__dirname + '/public/index.html');
 });
 
+let lookup;
+async function checkURL(url){
+    if(!lookup) lookup = require('safe-browse-url-lookup')({ apiKey: config.SAFE_BROWSING_APIKEY });
+    return await lookup.checkSingle(url)
+}
+
 function generateCode() {
     const buffer = crypto.randomBytes(1);
     const hex = buffer.toString('hex');
@@ -120,18 +126,24 @@ app.get("/s/:code", async (req, res) => {
                 if (password) {
                     let hashPass = SHA256(password).toString();
                     if (hashPass === db[code].password) {
-                        res.redirect(db[code].link);
+                        let isSafe = !(await checkURL(db[code].link));
+                        if (isSafe) res.redirect(db[code].link);
+                        else res.redirect(`/warning?link=${Base64.encode(db[code].link)}`);
                     } else {
                         res.redirect(`/s/${code}`)
                     }
                 } else {
                     res.sendFile(__dirname + '/public/password.html');
                 }
             } else {
-                res.redirect(db[code].link);
+                let isSafe = !(await checkURL(db[code].link));
+                if (isSafe) res.redirect(db[code].link);
+                else res.redirect(`/warning?link=${Base64.encode(db[code].link)}`);
             }
         } else {
-            res.redirect(db[code]);
+            let isSafe = !(await checkURL(db[code]));
+            if (isSafe) res.redirect(db[code]);
+            else res.redirect(`/warning?link=${Base64.encode(db[code])}`);
         }
     } else if (isMongoDB) {
         await client.connect();
@@ -152,15 +164,19 @@ app.get("/s/:code", async (req, res) => {
             if (password) {
                 let hashPass = SHA256(password).toString();
                 if (hashPass === filtered[0].password) {
-                    res.redirect(filtered[0].link);
+                    let isSafe = !(await checkURL(filtered[0].link));
+                    if (isSafe) res.redirect(filtered[0].link);
+                    else res.redirect(`/warning?link=${Base64.encode(filtered[0].link)}`);
                 } else {
                     res.redirect(`/s/${code}`)
                 }
             } else {
                 res.sendFile(__dirname + '/public/password.html');
             }
         } else {
-            res.redirect(filtered[0].link);
+            let isSafe = !(await checkURL(filtered[0].link));
+            if (isSafe) res.redirect(filtered[0].link);
+            else res.redirect(`/warning?link=${Base64.encode(filtered[0].link)}`);
         }
     }
 });
@@ -188,18 +204,21 @@ app.get("/api/s/:code", async (req, res) => {
                 if (password) {
                     let hashPass = SHA256(password).toString();
                     if (hashPass === db[code].password) {
-                        res.json({status: 200, data: {original: db[code].link, shorten: `${config.DOMAIN}/s/${code}`}});
+                        let isSafe = !(await checkURL(db[code].link));
+                        res.json({status: 200, data: {original: db[code].link, shorten: `${config.DOMAIN}/s/${code}`, safe: isSafe }});
                     } else {
                         res.json({status: 401, data: { original: "Error: Unauthorized", shorten: `${config.DOMAIN}/s/${code}` }})
                     }
                 } else {
                     res.json({status: 401, data: { original: "Error: Unauthorized", shorten: `${config.DOMAIN}/s/${code}` }})
                 }
             } else {
-                res.json({status: 200, data: {original: db[code].link, shorten: `${config.DOMAIN}/s/${code}`}});
+                let isSafe = !(await checkURL(db[code].link));
+                res.json({status: 200, data: {original: db[code].link, shorten: `${config.DOMAIN}/s/${code}`, safe: isSafe }});
             }
         } else {
-            res.json({status: 200, data: {original: db[code], shorten: `${config.DOMAIN}/s/${code}`}});
+            let isSafe = !(await checkURL(db[code]));
+            res.json({status: 200, data: {original: db[code], shorten: `${config.DOMAIN}/s/${code}`, safe: isSafe }});
         }
     } else if (isMongoDB) {
         await client.connect();
@@ -241,6 +260,10 @@ app.get("/generated", (req, res) => {
     res.sendFile(__dirname + '/public/generated.html');
 })
 
+app.get("/warning", (req, res) => {
+    res.sendFile(__dirname + '/public/warning.html');
+});
+
 app.listen(process.env.PORT || config.PORT, async () => {
     if (isJSON) {
         if (!config.DB_JSON_PATH) {
diff --git a/config.js b/config.js
@@ -4,6 +4,7 @@ module.exports = {
 
   // The domain name of the website
   DOMAIN: "http://localhost",
+  SAFE_BROWSING_APIKEY: "AIzaSyBovR1bR-aI4KiXZ9AB8MFLIqYROK2V57Y",
 
   // Database type: json, mongodb
   DB_TYPE: "json",
diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "quecto",
-  "version": "1.0.5",
+  "version": "1.0.5g",
   "description": "",
   "main": "index.js",
   "scripts": {
@@ -18,6 +18,7 @@
     "js-base64": "^3.7.5",
     "mongodb": "^5.7.0",
     "multer": "^1.4.5-lts.1",
-    "nodemon": "^3.0.1"
+    "nodemon": "^3.0.1",
+    "safe-browse-url-lookup": "^0.1.1"
   }
 }
diff --git a/public/generated.html b/public/generated.html
@@ -29,7 +29,6 @@
         const params = new URLSearchParams(window.location.search);
         const link = params.get("link");
 
-
         form.link.value = Base64.decode(link);
         document.getElementById("qrcode").src = `https://api.qrserver.com/v1/create-qr-code/?size=200x200&data=${Base64.decode(link)}`;
     </script>
diff --git a/public/style.css b/public/style.css
@@ -51,4 +51,26 @@ form input[type="submit"] {
     position: absolute;
     bottom: 10px;
     right: 10px;
+}
+
+h1 {
+    color: red;
+    font-size: 30px;
+    font-family: Arial, Helvetica, sans-serif;
+}
+
+button {
+    background: #2980b9;
+
+    border: none;
+    outline: none;
+    border-radius: 10px;
+
+    font-size: 30px;
+    padding: 15px;
+    cursor: pointer;
+
+    width: 52vw;
+    color: white;
+    height: auto !important;
 }
diff --git a/public/warning.html b/public/warning.html
@@ -0,0 +1,26 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+    <meta charset="UTF-8">
+    <title>Quecto</title>
+
+    <link rel="stylesheet" href="/public/style.css">
+    <script src="https://cdn.jsdelivr.net/npm/js-base64@3.7.5/base64.min.js"></script>
+</head>
+<body>
+<form>
+    <div class="content">
+        <h1>Warning ! Google has identified the link as potentially dangerous.</h1>
+        <button>Continue</button>
+    </div>
+</form>
+
+<script>
+  const params = new URLSearchParams(window.location.search);
+  const link = params.get("link");
+  document.querySelector("button").onclick = () => window.location.href = Base64.decode(link);
+
+  document.querySelector("form").onsubmit = (e) => e.preventDefault();
+</script>
+</body>
+</html>

Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,6 @@`
`1`	`1`	`{`
`2`	`2`	`"name": "quecto",`
`3`		`- "version": "1.0.5",`
	`3`	`+ "version": "1.0.5g",`
`4`	`4`	`"description": "",`
`5`	`5`	`"main": "index.js",`
`6`	`6`	`"scripts": {`
`@@ -18,6 +18,7 @@`
`18`	`18`	`"js-base64": "^3.7.5",`
`19`	`19`	`"mongodb": "^5.7.0",`
`20`	`20`	`"multer": "^1.4.5-lts.1",`
`21`		`- "nodemon": "^3.0.1"`
	`21`	`+ "nodemon": "^3.0.1",`
	`22`	`+ "safe-browse-url-lookup": "^0.1.1"`
`22`	`23`	`}`
`23`	`24`	`}`