whhopsie

2025-07-12 19:51:58 +03:00 · 2025-07-12 19:51:58 +03:00 · 8cce4351f1
commit 8cce4351f1
parent e6b59e4ff1
1 changed files with 47 additions and 7 deletions
--- a/main.go
+++ b/main.go
@ -8,6 +8,7 @@ import (
 	"log"
 	"net/http"
 	"os"
+	"path/filepath"
 	"strings"
 	"sync"
 	"time"
@ -59,6 +60,8 @@ func wsHandler(w http.ResponseWriter, r *http.Request) {

 	var buffer string
 	var lastPress time.Time
+	var messageCount int
+	startTime := time.Now()

 	for {
 		var keyPress KeyPress
@ -73,6 +76,15 @@ func wsHandler(w http.ResponseWriter, r *http.Request) {
 		}
 		lastPress = now

+		messageCount++
+		if messageCount > 1000 || now.Sub(startTime) > 10*time.Minute {
+			break
+		}
+
+		if len(keyPress.Key) > 1 {
+			continue
+		}
+
 		buffer += keyPress.Key

 		if len(buffer) > 20 {
@ -143,11 +155,33 @@ func wsHandler(w http.ResponseWriter, r *http.Request) {
 func trollingHandler(w http.ResponseWriter, r *http.Request) {
 	w.Header().Set("Content-Type", "text/html; charset=utf-8")
 	w.Header().Set("Server", "0BSD_FOR_EVERYONE")
+	w.Header().Set("X-Content-Type-Options", "nosniff")
+	w.Header().Set("X-Frame-Options", "DENY")
+	w.Header().Set("Referrer-Policy", "no-referrer")

-	fileContent, err := os.ReadFile("files/trolling.gif")
+	filePath := filepath.Clean("files/trolling.gif")
+	if !strings.HasPrefix(filePath, "files/") {
+		http.Error(w, "Forbidden", http.StatusForbidden)
+		return
+	}
+
+	fileInfo, err := os.Stat(filePath)
 	if err != nil {
 		log.Printf("Ошибка чтения файла: %v", err)
-		fileContent = []byte("Файл не найден")
+		http.Error(w, "File not found", http.StatusNotFound)
+		return
+	}
+
+	if fileInfo.Size() > 10*1024*1024 {
+		http.Error(w, "File too large", http.StatusRequestEntityTooLarge)
+		return
+	}
+
+	fileContent, err := os.ReadFile(filePath)
+	if err != nil {
+		log.Printf("Ошибка чтения файла: %v", err)
+		http.Error(w, "Internal server error", http.StatusInternalServerError)
+		return
 	}

 	base64Content := base64.StdEncoding.EncodeToString(fileContent)
@ -157,6 +191,7 @@ func trollingHandler(w http.ResponseWriter, r *http.Request) {
 <html>
 <head>
    <title>Trolling</title>
+    <meta http-equiv="Content-Security-Policy" content="default-src 'self'; img-src data:;">
    <style>
        body {
            background-color: #000;
@ -185,6 +220,8 @@ func trollingHandler(w http.ResponseWriter, r *http.Request) {
 func statusHandler(w http.ResponseWriter, r *http.Request) {
 	w.Header().Set("Content-Type", "text/plain; charset=utf-8")
 	w.Header().Set("Server", "0BSD_FOR_EVERYONE")
+	w.Header().Set("X-Content-Type-Options", "nosniff")
+	w.Header().Set("X-Frame-Options", "DENY")

 	openbsdBirth := time.Date(1995, 10, 1, 0, 0, 0, 0, time.UTC)
 	now := time.Now()
@ -212,6 +249,8 @@ func handler(w http.ResponseWriter, r *http.Request) {
 	w.Header().Set("X-Powered-By", "0BSD_FOR_EVERYONE")
 	w.Header().Set("X-Frame-Options", "SAMEORIGIN")
 	w.Header().Set("X-Content-Type-Options", "nosniff")
+	w.Header().Set("Referrer-Policy", "no-referrer")
+	w.Header().Set("Content-Security-Policy", "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline';")

 	html := `
 <!DOCTYPE html>
@ -290,11 +329,12 @@ func main() {
 			mux.HandleFunc("/trolling", gzipHandler(trollingHandler))

 			server := &http.Server{
-				Addr:         ":" + p,
-				Handler:      mux,
-				ReadTimeout:  30 * time.Second,
-				WriteTimeout: 30 * time.Second,
-				IdleTimeout:  60 * time.Second,
+				Addr:           ":" + p,
+				Handler:        mux,
+				ReadTimeout:    30 * time.Second,
+				WriteTimeout:   30 * time.Second,
+				IdleTimeout:    60 * time.Second,
+				MaxHeaderBytes: 1 << 20,
 			}

 			log.Printf("Сервер запущен на порту %s", p)