Fix Python >= 3.7 deprecations, and Improve Server Resilience
I noticed that after a recent Python upgrade (Arch Linux is now on Python 3.10.12) the server component stopped working due to the removal of some deprecated things in the Python language that were scheduled to be removed since Python 3.7. So this PR started out as just trying to fix those things.
However, it soon grew larger because after fixing those, I found that it was still throwing some exceptions and stack traces when doing things like uploading large files, image mime types, and generally exercising the API in ways that a security researcher might try to do.
I was inspired after reading your blog post about this Father-Son project, which I had been using for many years as a way to use Airdrop clipboard functionality between iOS and Linux.
So, in the spirit of Linux & Open Source, I decided to try my hand at making the server component much more resilient & secure. For example, I tested trying to use curl as the client and sending a large growing log file, but not sending the Content-Length header, which caused a possible DoS-style deadlock condition where both server and client would wait for something to be sent from the other, which would never happen. This led me towards fixing a bunch of issues that I encountered in testing.
This PR improves the Python-based server component in the following ways:
- Support large file uploads, including many binary or non-text mime types (as `multipart/form-data` uploads)
- Generally make the server much more resilient
- Fix all Python language deprecations by using the recommended replacements from official Python documentation
- Encountering an error exception no longer brings down the entire server
- Send all error responses in JSON to the client for common cases
- Improve checks for `contents.items` dict keys before trying to access them (was causing `KeyError` exceptions in certain cases)
- Improve logging:
  - Add support for up to 5 verbosity levels
  - Log exceptions encountered in server logs
  - Sanitize (backslash-escape + truncate) all client-provided data before logging it
- Send proper HTTP error codes with stack traces (if verbosity is 3 or higher) when encountering server-side exceptions
- Add 60 second server-side timeout to handle a request (Prevents indefinite deadlock DoS attack vector mentioned above)
- Now the server makes Coffee and Tea (er... well really mostly Tea)
  - Just a fun easter-egg type thing, as a classic HTTP response code April Fools' joke
I hope these improvements are helpful to improve the server component. I haven't yet learned Swift, and am not familiar with iOS development yet, so unfortunately I couldn't improve the iOS client at the same time. So, some things I tested like image push only work in one direction (Linux -> iOS), but not yet the other way around. Using two Python-based server/clients should work, however.
P.S. I didn't see an OSI-approved LICENSE file in this repo. Would you be willing to choose a license and officially make this code truly Open-Source? I'd recommend the GPLv3 to help foster the ability of the community to share improvements.
Anyway, Thanks for such a great and useful project!
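
An added example, not code from this PR or the project: one way a standard-library `http.server` handler could apply the measures listed above (refuse a POST with no Content-Length instead of waiting on the body, a 60 second socket timeout, JSON error replies, and backslash-escape plus truncate for logged client data). The names `Handler`, `sanitize_for_log`, `probe` and both size limits are assumptions made for the illustration.

```python
import json
import socket
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

MAX_LOG_CHARS = 200          # assumed truncation limit for logged client data
MAX_BODY_BYTES = 64 * 2**20  # assumed upload cap
REQUEST_TIMEOUT = 60         # seconds; the value named in the PR description

def sanitize_for_log(value, limit=MAX_LOG_CHARS):
    """Backslash-escape control and non-ASCII characters, then truncate."""
    if isinstance(value, bytes):
        value = value.decode("utf-8", errors="backslashreplace")
    escaped = str(value).encode("unicode_escape").decode("ascii")
    return escaped if len(escaped) <= limit else escaped[:limit] + "...[truncated]"

class Handler(BaseHTTPRequestHandler):
    timeout = REQUEST_TIMEOUT  # per socket operation: a stalled peer cannot hold a worker forever

    def reply_json(self, code, payload):
        body = json.dumps(payload).encode()
        self.send_response(code)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)
        self.close_connection = True

    def do_POST(self):
        raw = self.headers.get("Content-Length")
        # Without a declared length the server cannot tell where the body ends.
        if raw is None or not (raw.isascii() and raw.isdigit()):
            return self.reply_json(411, {"error": "Content-Length required"})
        if int(raw) > MAX_BODY_BYTES:
            return self.reply_json(413, {"error": "upload too large"})
        data = self.rfile.read(int(raw))  # bounded read, never read-until-EOF
        agent = sanitize_for_log(self.headers.get("User-Agent", ""))
        self.log_message("POST %d bytes, agent=%s", len(data), agent)
        self.reply_json(200, {"received": len(data)})

def probe(request: bytes) -> int:
    """Serve Handler on an ephemeral local port, send raw bytes, return the HTTP status."""
    with ThreadingHTTPServer(("127.0.0.1", 0), Handler) as srv:
        threading.Thread(target=srv.serve_forever, daemon=True).start()
        with socket.create_connection(srv.server_address, timeout=5) as conn:
            conn.sendall(request)
            reply = conn.makefile("rb").read()
        srv.shutdown()
    return int(reply.split()[1])
```

The socket timeout bounds each individual read or write rather than the total request time, so a deadline on the whole request would need a separate check.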