From 37a4f8370188cebbd683775a648f67e82a61dce3 Mon Sep 17 00:00:00 2001 From: HoshinoKoji Date: Tue, 11 Mar 2025 19:31:12 +0800 Subject: [PATCH] Implement parameter processing --- src/index.js | 23 +++++++++++++++++++---- wrangler.jsonc | 12 ++++++++++-- 2 files changed, 29 insertions(+), 6 deletions(-) diff --git a/src/index.js b/src/index.js index 0682d90..a8e96af 100644 --- a/src/index.js +++ b/src/index.js @@ -13,7 +13,7 @@ import { getSignedUrl } from "@aws-sdk/s3-request-presigner"; export default { async fetch(request, env, ctx) { const url = new URL(request.url); - const key = url.pathname; + const rawKey = url.pathname.slice(1); // remove leading slash if (url.hostname !== '127.0.0.1' && url.protocol === 'http:') { return new Response(null, { status: 301, headers: { @@ -21,6 +21,10 @@ export default { }}); } + if (!rawKey) { + return new Response('Invalid key', { status: 400 }); + } + let endpoint, accessKeyId, secretAccessKey, region, bucket; switch (url.searchParams.get('backend')) { case 'r2': @@ -34,7 +38,7 @@ export default { endpoint = env.COS_GLOBAL_ENDPOINT; accessKeyId = env.COS_GLOBAL_ACCESS_KEY_ID; secretAccessKey = env.COS_GLOBAL_SECRET_ACCESS_KEY; - region = 'accelerate'; + region = env.COS_GLOBAL_REGION; bucket = env.COS_GLOBAL_BUCKET; break; case 'cos-cn': @@ -47,6 +51,14 @@ export default { default: return new Response('Invalid backend', { status: 400 }); } + + const expId = url.searchParams.get('expId'); + const participantId = url.searchParams.get('participantId'); + const pat = /^[a-zA-Z0-9]{1,64}$/; + if (!expId || !participantId || expId.includes('/') || !participantId.match(pat)) { + // prevent path traversal + return new Response('Invalid expId or participantId', { status: 400 }); + } const client = new S3Client({ endpoint, 
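Review bot: The `!rawKey` guard added in the `@@ -21,6 +21,10 @@` hunk of src/index.js rejects only an empty path, yet `rawKey` later becomes the tail of the object key unchanged. `url.pathname` stays percent-encoded, so a name such as `my file.csv` would be stored under the literal key `my%20file.csv`, and empty segments (`a//b`) or further `/`-separated levels pass as well. An allow-list next to this check would keep the key predictable, for example `if (!/^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$/.test(rawKey)) return new Response('Invalid key', { status: 400 });` (pattern constructed for illustration; widen it to the file names the experiments really upload). The body of `fetch` starts and ends outside this hunk.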
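Review bot: In the `@@ -47,6 +51,14 @@` hunk `expId` is checked only for `/`, while `participantId` has to match `pat`, so the `// prevent path traversal` comment claims more than the condition enforces for `expId`. Whitespace, control characters, `.` or `..`, and strings of any length are all accepted and become the top-level prefix of the object key built in the last src/index.js hunk. Unless experiment ids need a wider alphabet, apply the same pattern to both values and use `test`, since only a boolean is needed: `if (!pat.test(expId ?? '') || !pat.test(participantId ?? '')) {`. The `?? ''` matters because `pat.test(null)` coerces to the string `null`, which matches the pattern. `fetch` begins and ends outside this hunk.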
@@ -56,8 +68,11 @@ export default { signatureVersion: 'v4', }); - const command = new PutObjectCommand({ Bucket: bucket, Key: key }); - const signedUrl = await getSignedUrl(client, command, { expiresIn: 24*60*60 }); + const command = new PutObjectCommand({ + Bucket: bucket, + Key: `${expId}/${participantId}/${rawKey}` + }); + const signedUrl = await getSignedUrl(client, command, { expiresIn: 12*60*60 }); return new Response(signedUrl); }, }; \ No newline at end of file diff --git a/wrangler.jsonc b/wrangler.jsonc index 7a11767..67da4a2 100644 --- a/wrangler.jsonc +++ b/wrangler.jsonc @@ -12,7 +12,7 @@ "compatibility_date": "2025-03-10", "observability": { "enabled": true - } + }, /** * Smart Placement * Docs: https://developers.cloudflare.com/workers/configuration/smart-placement/#smart-placement @@ -30,7 +30,15 @@ * Environment Variables * https://developers.cloudflare.com/workers/wrangler/configuration/#environment-variables */ - // "vars": { "MY_VARIABLE": "production_value" }, + "vars": { + "R2_BUCKET": "experiment", + "COS_GLOBAL_ENDPOINT": "https://cos.accelerate.myqcloud.com", + "COS_GLOBAL_REGION": "accelerate", + "COS_GLOBAL_BUCKET": "hoshino-exp-1304089692", + "COS_CN_ENDPOINT": "https://cos.ap-beijing.myqcloud.com", + "COS_CN_REGION": "ap-beijing", + "COS_CN_BUCKET": "hoshino-exp-cn-1304089692", + } /** * Note: Use secrets to store sensitive data. * https://developers.cloudflare.com/workers/configuration/secrets/
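Review bot: Nothing in the visible hunks authenticates the caller before `getSignedUrl` runs in the `@@ -56,8 +68,11 @@` hunk, so any client that can reach the Worker appears able to obtain a PUT URL for an arbitrary `expId`/`participantId` pair. That URL stays valid for 12 hours, and a second upload to the same key would replace the participant's earlier object. The command also carries only `Bucket` and `Key`, so the signature constrains neither size nor content type. Lines of `fetch` outside the hunks may already gate this; if they do not, shorten the lifetime to what a single upload needs, for example `{ expiresIn: 15*60 }`, and add a comment above the call stating who is allowed to request a URL and how that is enforced.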