chore (refactoring): cleanup plugin

2025-12-06 08:22:24 +01:00 · 2025-06-30 12:11:42 +10:00 · 2025-06-30 12:11:42 +10:00 · 72312435cf
commit 72312435cf
parent e3f910814a
5 changed files with 39 additions and 27 deletions
--- a/server/plugin/plg_authenticate_admin/index.go
+++ b/server/plugin/plg_authenticate_admin/index.go
@ -2,9 +2,12 @@ package plg_authenticate_admin

 import (
 	"fmt"
-	. "github.com/mickael-kerjean/filestash/server/common"
-	"golang.org/x/crypto/bcrypt"
+	"html"
 	"net/http"
+
+	. "github.com/mickael-kerjean/filestash/server/common"
+
+	"golang.org/x/crypto/bcrypt"
 )

 func init() {
@ -45,7 +48,7 @@ func (this Admin) EntryPoint(idpParams map[string]string, req *http.Request, res
 			MaxAge: -1,
 			Path:   "/",
 		})
-		return fmt.Sprintf(`<p class="flash">%s</p>`, c.Value)
+		return fmt.Sprintf(`<p class="flash">%s</p>`, html.EscapeString(c.Value))
 	}
 	res.Header().Set("Content-Type", "text/html; charset=utf-8")
 	res.WriteHeader(http.StatusOK)
--- a/server/plugin/plg_authenticate_htpasswd/index.go
+++ b/server/plugin/plg_authenticate_htpasswd/index.go
@ -5,15 +5,16 @@ import (
 	"crypto/subtle"
 	"encoding/base64"
 	"fmt"
-	. "github.com/mickael-kerjean/filestash/server/common"
+	"html"
+	"net/http"
+	"strings"

+	. "github.com/mickael-kerjean/filestash/server/common"
 	"github.com/mickael-kerjean/filestash/server/plugin/plg_authenticate_htpasswd/deps/crypt"
 	"github.com/mickael-kerjean/filestash/server/plugin/plg_authenticate_htpasswd/deps/crypt/apr1_crypt"
 	"github.com/mickael-kerjean/filestash/server/plugin/plg_authenticate_htpasswd/deps/crypt/md5_crypt"
 	"github.com/mickael-kerjean/filestash/server/plugin/plg_authenticate_htpasswd/deps/crypt/sha256_crypt"
 	"github.com/mickael-kerjean/filestash/server/plugin/plg_authenticate_htpasswd/deps/crypt/sha512_crypt"
-	"net/http"
-	"strings"
 )

 func init() {
@ -65,7 +66,7 @@ func (this Htpasswd) EntryPoint(idpParams map[string]string, req *http.Request,
 			MaxAge: -1,
 			Path:   "/",
 		})
-		return fmt.Sprintf(`<p class="flash">%s</p>`, c.Value)
+		return fmt.Sprintf(`<p class="flash">%s</p>`, html.EscapeString(c.Value))
 	}
 	res.Header().Set("Content-Type", "text/html; charset=utf-8")
 	res.WriteHeader(http.StatusOK)
--- a/server/plugin/plg_authenticate_local/auth.go
+++ b/server/plugin/plg_authenticate_local/auth.go
@ -5,6 +5,7 @@ import (
 	"encoding/base64"
 	"encoding/json"
 	"fmt"
+	"html"
 	"image/png"
 	"net/http"
 	"text/template"
@ -93,7 +94,7 @@ func (this SimpleAuth) EntryPoint(idpParams map[string]string, req *http.Request
 			MaxAge: -1,
 			Path:   "/",
 		})
-		return fmt.Sprintf(`<p class="flash">%s</p>`, c.Value)
+		return fmt.Sprintf(`<p class="flash">%s</p>`, html.EscapeString(c.Value))
 	}
 	res.Header().Set("Content-Type", "text/html; charset=utf-8")
 	res.WriteHeader(http.StatusOK)
--- a/server/plugin/plg_authenticate_local/handler.go
+++ b/server/plugin/plg_authenticate_local/handler.go
@ -2,9 +2,9 @@ package plg_authenticate_local

 import (
 	_ "embed"
+	"html/template"
 	"net/http"
 	"net/url"
-	"text/template"

 	. "github.com/mickael-kerjean/filestash/server/common"
 )
--- a/server/plugin/plg_authenticate_passthrough/index.go
+++ b/server/plugin/plg_authenticate_passthrough/index.go
@ -2,8 +2,10 @@ package plg_authenticate_passthrough

 import (
 	"fmt"
-	. "github.com/mickael-kerjean/filestash/server/common"
+	"html"
 	"net/http"
+
+	. "github.com/mickael-kerjean/filestash/server/common"
 )

 func init() {
@ -36,32 +38,37 @@ func (this Admin) Setup() Form {

 func (this Admin) EntryPoint(idpParams map[string]string, req *http.Request, res http.ResponseWriter) error {
 	res.Header().Set("Content-Type", "text/html; charset=utf-8")
-	getParams := "?label=" + req.URL.Query().Get("label") + "&state=" + req.URL.Query().Get("state")
+	getParams := "?label=" + html.EscapeString(req.URL.Query().Get("label")) + "&state=" + html.EscapeString(req.URL.Query().Get("state"))
 	switch idpParams["strategy"] {
 	case "direct":
 		res.WriteHeader(http.StatusOK)
-		res.Write([]byte(Page(`<h2 style="display:none;">PASSTHROUGH</h2><script>location.href = "` + WithBase("/api/session/auth/") + getParams + `"</script>`)))
+		res.Write([]byte(Page(`
+            <form action="` + WithBase("/api/session/auth/"+getParams) + `" method="post"></form>
+            <script>document.querySelector("form").submit();</script>
+        `)))
 	case "password_only":
 		res.WriteHeader(http.StatusOK)
 		res.Write([]byte(Page(`
-      <form action="` + WithBase("/api/session/auth/"+getParams) + `" method="post">
-        <label>
-          <input type="password" name="password" value="" placeholder="Password" />
-        </label>
-        <button>CONNECT</button>
-      </form>`)))
+            <form action="` + WithBase("/api/session/auth/"+getParams) + `" method="post">
+                <label>
+                    <input type="password" name="password" value="" placeholder="Password" />
+                </label>
+                <button>CONNECT</button>
+            </form>
+        `)))
 	case "username_and_password":
 		res.WriteHeader(http.StatusOK)
 		res.Write([]byte(Page(`
-      <form action="` + WithBase("/api/session/auth/"+getParams) + `" method="post">
-        <label>
-          <input type="text" name="user" value="" placeholder="User" />
-        </label>
-        <label>
-          <input type="password" name="password" value="" placeholder="Password" />
-        </label>
-        <button>CONNECT</button>
-      </form>`)))
+            <form action="` + WithBase("/api/session/auth/"+getParams) + `" method="post">
+                <label>
+                    <input type="text" name="user" value="" placeholder="User" />
+                </label>
+                <label>
+                    <input type="password" name="password" value="" placeholder="Password" />
+                </label>
+                <button>CONNECT</button>
+            </form>
+        `)))
 	default:
 		res.WriteHeader(http.StatusNotFound)
 		res.Write([]byte(Page(fmt.Sprintf("Unknown strategy: '%s'", idpParams["strategy"]))))