Hastebin
Hastebin is an open-source pastebin server written in Node.js that is easy to install on any network. It can be backed by either Redis or the filesystem, and it has a simple adapter interface for other stores. A publicly available instance runs at haste.nixc.us
Quick Start
# Clone the repository
git clone https://github.com/seejohnrun/haste-server.git
cd haste-server
# Install dependencies
npm install
# Start with file storage (no Redis needed)
npm run start:dev
# Access in your browser
# http://localhost:7777
Features
- Simple: Easy to set up and use
- Secure: Includes CSP and other security headers
- Flexible: Supports multiple storage backends (Redis, File, Postgres, etc.)
- Customizable: Configurable via environment variables or config file
- Modern: Self-destructing pastes with syntax highlighting
Installation
Quick Install
# Clone the repository
git clone https://github.com/seejohnrun/haste-server.git
cd haste-server
# Install dependencies
npm install
# Start with file storage (no Redis needed)
npm run start:file
# OR run directly with environment variables
# NODE_ENV=development HASTEBIN_STORAGE_TYPE=file node server.js
Running Options
# Start with default settings (requires Redis)
npm start
# Start in development mode with file storage
npm run start:dev
# Same as start:dev (for backward compatibility)
npm run start:file
Docker Installation
# Clone the repository
git clone https://github.com/seejohnrun/haste-server.git
cd haste-server
# Start with Docker Compose (includes Redis)
docker compose up -d
The Docker container uses Redis as the storage backend by default. The docker-compose.yml file sets up both a Hastebin container and a Redis container and links them together.
If you need to customize the Docker setup, modify the environment variables in the docker-compose.yml file:
environment:
- NODE_ENV=production
- STORAGE_TYPE=redis
- STORAGE_HOST=redis
- HASTEBIN_ENABLE_CSP=true
- HASTEBIN_ENABLE_HSTS=true
The container exists at git.nixc.us/colin/haste:haste-production and may be made public eventually.
Configuration
Environment Variables
Hastebin can be configured using the following environment variables:
# Server configuration
HASTEBIN_PORT=7777 # Port to listen on (default: 7777)
HASTEBIN_HOST=0.0.0.0 # Host to bind to (default: 0.0.0.0)
# Storage configuration
HASTEBIN_STORAGE_TYPE=file # Storage type: file, redis, postgres, etc.
HASTEBIN_STORAGE_PATH=./data # Path for file storage
DATABASE_URL=postgres://user:pass@host:5432/db # For postgres storage
# Docker-specific storage settings
STORAGE_TYPE=redis # Storage type in Docker (default: redis)
STORAGE_HOST=redis # Redis host in Docker environment
STORAGE_PORT=6379 # Redis port
STORAGE_PASSWORD= # Redis password if needed
STORAGE_DB=0 # Redis database number
# Security settings
HASTEBIN_ENABLE_CSP=true # Enable Content Security Policy
HASTEBIN_ENABLE_HSTS=true # Enable HTTP Strict Transport Security
HASTEBIN_ENABLE_CROSS_ORIGIN_ISOLATION=true # Enable Cross-Origin Isolation
HASTEBIN_BYPASS_CSP_IN_DEV=true # Bypass CSP in development mode
# Other settings
NODE_ENV=development # Environment: development or production
You can also configure Hastebin by editing the config.js file.
Security Settings
The security section in the configuration controls the security features, particularly the Content Security Policy (CSP):
{
"security": {
"csp": true, // Enable/disable CSP entirely
"hsts": false, // Enable HTTP Strict Transport Security
"scriptSources": [], // Additional allowed script sources
"bypassCSPInDev": false, // Use permissive CSP in development mode
"allowUnsafeHashes": true, // Allow 'unsafe-hashes' in production for event handlers
"enableCrossOriginIsolation": false // Enable strict Cross-Origin isolation headers
}
}
Content Security Policy Options
- csp: Enable or disable Content Security Policy headers (default: true)
- hsts: Enable HTTP Strict Transport Security headers (default: false)
- scriptSources: Additional script sources to allow (a comma-separated list when set through environment variables)
- bypassCSPInDev: In development mode (NODE_ENV=development), use a more permissive CSP that includes 'unsafe-inline' (default: false)
- allowUnsafeHashes: Allow 'unsafe-hashes' in production mode for DOM event handlers (default: true)
- enableCrossOriginIsolation: Enable strict Cross-Origin isolation headers (COEP, COOP, CORP), which enhance security but may break certain integrations (default: false)
Environment Variables for Security Settings
You can set these options through environment variables:
- HASTEBIN_ENABLE_CSP: Enable/disable CSP (true/false)
- HASTEBIN_ENABLE_HSTS: Enable/disable HSTS (true/false)
- HASTEBIN_SCRIPT_SOURCES: Additional script sources (comma-separated)
- HASTEBIN_BYPASS_CSP_IN_DEV: Allow 'unsafe-inline' in development (true/false)
- HASTEBIN_ALLOW_UNSAFE_HASHES: Allow 'unsafe-hashes' in production (true/false)
- HASTEBIN_ENABLE_CROSS_ORIGIN_ISOLATION: Enable Cross-Origin isolation headers (true/false)
CSP Implementation Details
The Content Security Policy implementation in Hastebin uses nonces to secure inline scripts while maintaining functionality:
- Nonces: A unique cryptographic nonce is generated for each request and applied to all script tags
- Development Mode: When running with NODE_ENV=development, you can bypass strict CSP checks using the bypassCSPInDev option
- Production Mode: In production, the CSP uses nonces for all scripts, with optional 'unsafe-hashes' for event handlers
- Templates: The template system automatically injects nonces into script tags, so you don't need to manually add them to the HTML
Additional Security Headers
Besides CSP, Hastebin implements several other security headers:
- X-Content-Type-Options: nosniff
Troubleshooting
Common Issues
Port Already in Use
If you see an error like Error: listen EADDRINUSE: address already in use :::7777:
# Find and kill processes using port 7777 (this kills whatever owns the port; run lsof -i :7777 first to confirm it is a stray Hastebin)
lsof -i :7777 -t | xargs kill -9 || true
# Or use a different port
HASTEBIN_PORT=8000 npm run start:file
Redis Connection Issues
If you're using Redis and see connection errors:
# Check if Redis is running
redis-cli ping
# Start Redis if needed
redis-server
# Or use file storage instead
npm run start:file
Permission Issues with File Storage
If you see permission errors when using file storage, the data directory is usually missing or owned by a different user than the one running the server. Fix the ownership rather than making the directory world-writable: a chmod 777 data directory lets any local user read or replace every paste.
# Create the data directory, owned by the user that runs the server and not world-writable
mkdir -p data
chmod 700 data
HASTEBIN_STORAGE_PATH=./data npm run start:file
Test Server Issues
If tests are failing:
# Make sure no server is running
lsof -i :7777 -t | xargs kill -9 || true
# Run tests with clean environment
npm run test:all
Testing
Quick Test Commands
# Start a local test server with file storage
npm run start:dev
# Run all tests
npm test
# Run core functionality tests
npm run test:core
# Run security tests
npm run test:security
Test Structure
Hastebin includes a comprehensive test suite covering both core functionality and security features. The tests are organized in the following structure:
test/
├── core/ # Core functionality tests
│ └── core_functionality_spec.js # Tests for basic operations
├── security/ # Security-related tests
│ ├── security_spec.js # Main security test suite
│ └── security_shell_spec.sh # Shell-based security tests
├── key_generators/ # Key generator tests
├── utils/ # Test utilities
│ └── test-local.js # Local test server setup
└── document_handler_spec.js # Document handler tests
Running Test Suites
# Run all tests (unit + security)
npm run test:all
# Run specific test suites
npm run test:core # Run core functionality tests
npm run test:security # Run all security tests
# Run specific security tests
npm run test:security:csp # Test CSP configuration
npm run test:security:cors # Test CORS settings
npm run test:security:combined # Test combined security features
API Usage
Creating a Document
# Using curl
curl -X POST -d "Hello, world!" http://localhost:7777/documents
# Response: {"key":"uniquekey"}
Retrieving a Document
# Using curl
curl http://localhost:7777/raw/uniquekey
# Response: Hello, world!
Document Formats
- http://localhost:7777/uniquekey - HTML view with syntax highlighting
- http://localhost:7777/raw/uniquekey - Raw document content
- http://localhost:7777/documents/uniquekey - JSON response with document content
Client Libraries
- haste-client - Command line client for Hastebin
- Example usage:
cat file.txt | haste