fix ipv6 exploit + minor rewrite

main.py

@@ -10,11 +10,13 @@ from secret import token
 REVERSE_PROXY = False # if True: uses X-Real-IP header instead of remote addr
 BASE_DIR = Path(__file__).parent
 TIMEOUT = 15 * 60
-CONTENT_WARNING = "test post ignore" # "Post from a random person - trinkey is not responsible for the content!!"
+MAX_LENGTH = 100_000
+CONTENT_WARNING = "Post can contain any text"
+PROMO_URL = "\n\nhttps://everyone.trinkey.com/"
 POST_URL = "https://is.trinkey.com/api/iceshrimp/notes"
 RUN_CONF = {
     "debug": True,
-    "host": "127.0.0.1",
+    "host": "0.0.0.0",
     "port": "8000"
 }
 
@@ -30,11 +32,26 @@ except json.JSONDecodeError:
     ...
 
 def save():
+    now = time.time()
+
+    to_remove = []
+    for i in data:
+        if data[i] < now:
+            to_remove.append(i)
+
+    for i in to_remove:
+        del data[i]
+
     with open(BASE_DIR / "blocked.json", "w") as f:
         json.dump(data, f)
 
 def get_ip() -> str:
-    return (flask.request.headers.get("X-Real-IP") if REVERSE_PROXY else flask.request.remote_addr) or "0.0.0.0"
+    ip = (flask.request.headers.get("X-Real-IP") if REVERSE_PROXY else flask.request.remote_addr) or "0.0.0.0"
+
+    if ":" in ip:
+        ip = ip[:20] + ":/64"
+
+    return ip
 
 @app.route("/", methods=["POST", "GET"])
 def index() -> bytes:
@@ -43,12 +60,14 @@ def index() -> bytes:
     message = ""
 
     if flask.request.method == "POST":
-        if not cant_post:
-            content = (flask.request.form.get("text") or "").strip()
+        if cant_post:
+            message = "You can't post yet!"
+        else:
+            content = (flask.request.form.get("text") or "").strip()[:MAX_LENGTH - len(PROMO_URL)]
 
             if content:
                 resp = requests.post(POST_URL, json={
-                    "text": content,
+                    "text": content + PROMO_URL,
                     "cw": CONTENT_WARNING,
                     "replyId": None,
                     "renoteId": None,
@@ -60,20 +79,20 @@ def index() -> bytes:
                 })
 
                 if resp.status_code == 200:
+                    cant_post = True
                     data[ip] = int(time.time() + TIMEOUT)
                     save()
                     message = "Success!"
                 else:
-                    message = f"Got non-200 status code ({resp})"
+                    message = f"Got non-200 status code ({resp.status_code})"
             else:
                 message = "Enter some text!"
-        else:
-            message = "You can't post yet!"
 
     return open(BASE_DIR / "public/index.html", "rb").read() \
             .replace(b"{{ IP }}", str.encode(ip)) \
             .replace(b"{{ EXPIRE }}", str.encode(str(data[ip] if cant_post else 0))) \
-            .replace(b"{{ ERROR }}", str.encode(message))
+            .replace(b"{{ ERROR }}", str.encode(message)) \
+            .replace(b"{{ MAX_LENGTH }}", str.encode(str(MAX_LENGTH - len(PROMO_URL))))
 
 if __name__ == "__main__":
     app.run(**RUN_CONF)

public/index.html

@@ -29,7 +29,7 @@
     <hr>
     <p>Enter your post below. Anyone can post anything, once every 15 minutes per IP address.</p>
     <form method="POST" action="/">
-      <div><textarea name="text" id="text" required placeholder="a stupid fedi post"></textarea></div>
+      <div><textarea name="text" id="text" required maxlength="{{ MAX_LENGTH }}" placeholder="a stupid fedi post"></textarea></div>
       <div><input type="submit" value="Post!"></div>
     </form>
     <small>Moderation enforced at trinkey's discretion. This service can go down temporarily or permanently at any time. All posts are viewable by anyone and cannot be deleted.</small>