add rich KML support, mitigate KML vulnerabilities

2026-01-11 22:48:50 -07:00
parent eaea2c4edb
commit f985d3433d
8 changed files with 705 additions and 34 deletions
--- a/server/db.go
+++ b/server/db.go
@@ -75,6 +75,7 @@ func createTables() {
 			filename VARCHAR(255),
 			user_id VARCHAR(255),
 			distance DOUBLE,
+			description TEXT,
 			is_public BOOLEAN DEFAULT FALSE,
 			uploaded_at DATETIME,
 			UNIQUE KEY (user_id, filename),
@@ -117,6 +118,8 @@ func createTables() {
 	// Migrations: Ensure trips table uses TIMESTAMP for sync times (breaking change for DATETIME -> TIMESTAMP)
 	db.Exec("ALTER TABLE trips MODIFY last_sync_time TIMESTAMP NULL")
 	db.Exec("ALTER TABLE trips MODIFY next_sync_time TIMESTAMP NULL")
+	// Migration for KML description
+	db.Exec("ALTER TABLE kml_metadata ADD COLUMN IF NOT EXISTS description TEXT")

 	log.Println("Database tables initialized")
 }
--- a/server/kml.go
+++ b/server/kml.go
@@ -2,6 +2,7 @@ package main

 import (
 	"bytes"
+	"database/sql"
 	"encoding/json"
 	"encoding/xml"
 	"fmt"
@@ -13,6 +14,8 @@ import (
 	"strconv"
 	"strings"
 	"time"
+
+	"github.com/microcosm-cc/bluemonday"
 )

 // KML structure for parsing
@@ -22,11 +25,15 @@ type KML struct {
 }

 type KMLDocument struct {
-	Placemarks []KMLPlacemark `xml:"Placemark"`
+	Name        string         `xml:"name"`
+	Description string         `xml:"description"`
+	Placemarks  []KMLPlacemark `xml:"Placemark"`
 }

 type KMLPlacemark struct {
-	LineString KMLLineString `xml:"LineString"`
+	Name        string        `xml:"name"`
+	Description string        `xml:"description"`
+	LineString  KMLLineString `xml:"LineString"`
 }

 type KMLLineString struct {
@@ -39,6 +46,7 @@ type KMLMetadata struct {
 	UserID      string    `json:"user_id"`
 	DisplayName string    `json:"display_name"` // User's display name
 	Distance    float64   `json:"distance"`     // in kilometers
+	Description string    `json:"description"`  // Description from KML or user
 	IsPublic    bool      `json:"is_public"`
 	UploadedAt  time.Time `json:"uploaded_at"`
 	Votes       int       `json:"votes"` // Net votes (calculated from voting system)
@@ -84,8 +92,26 @@ func haversineDistance(lat1, lon1, lat2, lon2 float64) float64 {
 	return earthRadiusKm * c
 }

-// ParseKMLDistance parses a KML file and calculates the total distance
-func ParseKMLDistance(kmlData []byte) (float64, error) {
+// ParseKML parses a KML file and calculates the total distance and extracts description
+func ParseKML(kmlData []byte) (float64, string, error) {
+	// 1. Extract Description (Best Effort via Struct)
+	var kml KML
+	// Ignore errors here as we prioritize distance, description is optional/nice-to-have
+	_ = xml.Unmarshal(kmlData, &kml)
+
+	description := kml.Document.Description
+
+	// Sanitize description
+	p := bluemonday.UGCPolicy()
+	description = p.Sanitize(description)
+
+	if len(description) > 2000 {
+		description = description[:1997] + "..."
+	}
+
+	// 2. Calculate Distance (Robust Streaming)
+	// We re-scan the byte slice using a streaming decoder to find ALL <coordinates> tags,
+	// regardless of nesting (Document -> Folder -> Folder -> Placemark -> LineString).
 	decoder := xml.NewDecoder(bytes.NewReader(kmlData))
 	totalDistance := 0.0

@@ -95,21 +121,21 @@ func ParseKMLDistance(kmlData []byte) (float64, error) {
 			break
 		}
 		if err != nil {
-			return 0, err
+			// If streaming fails, just return what we have so far?
+			// Or return error if it's a fundamental XML error.
+			return totalDistance, description, err
 		}

 		switch se := token.(type) {
 		case xml.StartElement:
-			// We only care about coordinates within a LineString context.
-			// However, since Points have only one coordinate and result in 0 anyway,
-			// searching for any <coordinates> tag is both easier and robust enough.
 			if se.Name.Local == "coordinates" {
 				var coords string
 				if err := decoder.DecodeElement(&coords, &se); err != nil {
 					continue
 				}

-				// Sum up distance from this LineString
+				// Calculate distance for this segment
+				currentSegmentDistance := 0.0
 				items := strings.Fields(coords)
 				var prevLat, prevLon float64
 				first := true
@@ -128,18 +154,19 @@ func ParseKMLDistance(kmlData []byte) (float64, error) {
 					}

 					if !first {
-						totalDistance += haversineDistance(prevLat, prevLon, lat, lon)
+						currentSegmentDistance += haversineDistance(prevLat, prevLon, lat, lon)
 					}

 					prevLat = lat
 					prevLon = lon
 					first = false
 				}
+				totalDistance += currentSegmentDistance
 			}
 		}
 	}

-	return totalDistance, nil
+	return totalDistance, description, nil
 }

 // HandleKMLUpload handles KML file uploads
@@ -168,6 +195,9 @@ func HandleKMLUpload(w http.ResponseWriter, r *http.Request) {
 	}
 	defer file.Close()

+	// Sanitize filename to prevent path traversal
+	handler.Filename = filepath.Base(handler.Filename)
+
 	// Read file data
 	data, err := io.ReadAll(file)
 	if err != nil {
@@ -175,8 +205,16 @@ func HandleKMLUpload(w http.ResponseWriter, r *http.Request) {
 		return
 	}

-	// Calculate distance
-	distance, err := ParseKMLDistance(data)
+	// Validate MIME type / Content
+	mimeType := http.DetectContentType(data)
+	// KML is XML, so valid types are text/xml, application/xml, or text/plain (often detected for simple XML)
+	if !strings.Contains(mimeType, "xml") && !strings.Contains(mimeType, "text") {
+		http.Error(w, fmt.Sprintf("Invalid file type: %s. Expected KML/XML.", mimeType), http.StatusBadRequest)
+		return
+	}
+
+	// Calculate distance and extract description
+	distance, description, err := ParseKML(data)
 	if err != nil {
 		http.Error(w, fmt.Sprintf("Failed to parse KML: %v", err), http.StatusBadRequest)
 		return
@@ -197,10 +235,10 @@ func HandleKMLUpload(w http.ResponseWriter, r *http.Request) {

 	// Save metadata to database
 	_, err = db.Exec(`
-		INSERT INTO kml_metadata (filename, user_id, distance, is_public, uploaded_at)
-		VALUES (?, ?, ?, ?, NOW())
-		ON DUPLICATE KEY UPDATE distance = ?, uploaded_at = NOW()
-	`, handler.Filename, userID, distance, false, distance)
+		INSERT INTO kml_metadata (filename, user_id, distance, description, is_public, uploaded_at)
+		VALUES (?, ?, ?, ?, ?, NOW())
+		ON DUPLICATE KEY UPDATE distance = ?, description = ?, uploaded_at = NOW()
+	`, handler.Filename, userID, distance, description, false, distance, description)
 	if err != nil {
 		http.Error(w, fmt.Sprintf("Failed to save metadata: %v", err), http.StatusInternalServerError)
 		return
@@ -310,7 +348,7 @@ func fetchKMLList(userID string, mineOnly bool, page, limit int, sortBy string)
 	}

 	query := fmt.Sprintf(`
-		SELECT m.filename, m.user_id, u.display_name, m.distance, m.is_public, m.uploaded_at,
+		SELECT m.filename, m.user_id, u.display_name, m.distance, m.description, m.is_public, m.uploaded_at,
 		       (SELECT COALESCE(SUM(v.vote_value), 0) FROM kml_votes v WHERE v.kml_id = m.id) as votes
 		FROM kml_metadata m
 		JOIN users u ON m.user_id = u.fitbit_user_id
@@ -334,15 +372,71 @@ func queryKMLMetadata(query string, args ...interface{}) ([]KMLMetadata, error)
 	var files []KMLMetadata
 	for rows.Next() {
 		var m KMLMetadata
-		err := rows.Scan(&m.Filename, &m.UserID, &m.DisplayName, &m.Distance, &m.IsPublic, &m.UploadedAt, &m.Votes)
+		var desc sql.NullString // Handle null description
+		err := rows.Scan(&m.Filename, &m.UserID, &m.DisplayName, &m.Distance, &desc, &m.IsPublic, &m.UploadedAt, &m.Votes)
 		if err != nil {
 			return nil, err
 		}
+		m.Description = desc.String
 		files = append(files, m)
 	}
 	return files, nil
 }

+// HandleKMLEdit handles editing KML metadata (description)
+func HandleKMLEdit(w http.ResponseWriter, r *http.Request) {
+	if r.Method != http.MethodPost {
+		http.Error(w, "Method not allowed", http.StatusMethodNotAllowed)
+		return
+	}
+
+	userID, ok := getUserID(r.Context())
+	if !ok {
+		http.Error(w, "Unauthorized", http.StatusUnauthorized)
+		return
+	}
+
+	var req struct {
+		Filename    string `json:"filename"`
+		Description string `json:"description"`
+	}
+	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
+		http.Error(w, "Invalid request", http.StatusBadRequest)
+		return
+	}
+
+	// Sanitize description
+	p := bluemonday.UGCPolicy()
+	req.Description = p.Sanitize(req.Description)
+
+	if len(req.Description) > 2000 {
+		req.Description = req.Description[:1997] + "..."
+	}
+
+	// Update description in database
+	res, err := db.Exec("UPDATE kml_metadata SET description = ? WHERE filename = ? AND user_id = ?", req.Description, req.Filename, userID)
+	if err != nil {
+		http.Error(w, "Failed to update metadata", http.StatusInternalServerError)
+		return
+	}
+
+	rowsAffected, _ := res.RowsAffected()
+	if rowsAffected == 0 {
+		// Could mean file doesn't exist or description didn't change, check existence
+		var exists bool
+		err := db.QueryRow("SELECT EXISTS(SELECT 1 FROM kml_metadata WHERE filename = ? AND user_id = ?)", req.Filename, userID).Scan(&exists)
+		if err == nil && !exists {
+			http.Error(w, "File not found", http.StatusNotFound)
+			return
+		}
+	}
+
+	w.Header().Set("Content-Type", "application/json")
+	json.NewEncoder(w).Encode(map[string]interface{}{
+		"success": true,
+	})
+}
+
 // HandleKMLPrivacyToggle toggles the privacy setting of a KML file
 func HandleKMLPrivacyToggle(w http.ResponseWriter, r *http.Request) {
 	if r.Method != http.MethodPost {
--- a/server/main.go
+++ b/server/main.go
@@ -66,6 +66,7 @@ func main() {
 		user, err := GetUser(userID)
 		if err == nil && user != nil {
 			status["user"] = map[string]string{
+				"id":          user.FitbitUserID,
 				"displayName": user.DisplayName,
 				"avatarUrl":   user.AvatarURL,
 			}
@@ -116,6 +117,7 @@ func main() {
 	// 3. KML Management Endpoints
 	http.HandleFunc("/api/kml/upload", RequireAuth(HandleKMLUpload))
 	http.HandleFunc("/api/kml/list", RequireAuth(HandleKMLList))
+	http.HandleFunc("/api/kml/edit", RequireAuth(HandleKMLEdit))
 	http.HandleFunc("/api/kml/privacy", RequireAuth(HandleKMLPrivacyToggle))
 	http.HandleFunc("/api/kml/vote", RequireAuth(HandleKMLVote))
 	http.HandleFunc("/api/kml/delete", RequireAuth(HandleKMLDelete))