v0.1.0 Pre-release
released this 2026-03-14 02:44:32 +01:00 | 36 commits to main since this release

Added
- File upload API (POST /api/upload) with streaming writes, per-file size limits (DD_MAX_FILE_SIZE_MB, 1-500 MB) and global storage quota enforcement (DD_MAX_STORAGE_MB, default 1 GB) checked mid-stream during upload.
- Short-link downloads (GET /<short_id>) with streaming 64 KB chunked responses, RFC 5987 Content-Disposition encoding for Unicode filenames, and ASCII fallback.
- Link management: list links (GET /api/links), expire individual links (POST /api/links/{id}/expire), and view storage statistics (GET /api/stats) including bytes used, capacity, and remaining space.
- Background cleanup task that automatically purges expired links and files on a configurable interval (DD_CLEANUP_INTERVAL_SECONDS).
- CLI client (ddrop) with upload, fetch, list, stats, expire, and serve commands, Rich-formatted table output, and human-readable storage usage display.
- CLI fetch command with --output flag for downloading files by link ID, with automatic filename extraction from Content-Disposition headers and fallback naming.
- stash alias for the upload command.
- Configurable upload TTL with --ttl flag (e.g. 30m, 2h) and server-side maximum (DD_MAX_TTL, default 48h, supports inf).
- SQLite-backed metadata storage with schema validation on startup that fails fast on incompatible legacy schemas.
- Docker secrets support via DD_API_TOKEN_FILE for secure token injection from secret managers, Swarm, or Kubernetes; mutually exclusive with DD_API_TOKEN.
- Multi-platform container image builds via docker buildx bake (linux/amd64 + linux/arm64) with local, default, and release targets in docker-bake.hcl.
- Multi-stage Dockerfile based on python:3.12.11-alpine3.21 for minimal image size.
- Production-hardened Docker Compose setup: localhost-only binding, read-only root filesystem, all capabilities dropped, no-new-privileges, init for PID 1 signal handling, health check, named volume for persistence, and graceful 20s shutdown period.
- Comprehensive test suite (54 tests) covering API, storage, CLI, configuration, end-to-end flows, and security regression scenarios.

Security
- Secure-by-default authentication: server refuses to start without DD_API_TOKEN or DD_API_TOKEN_FILE unless DD_ALLOW_ANON=true is explicitly set.
- Constant-time token comparison using secrets.compare_digest() to prevent timing side-channel leakage.
- Filesystem path confinement: file paths are derived from validated link IDs at runtime, never stored in or read from the database.
- Symlink protection on downloads: rejects symlinked files with a security log entry and opens files with O_NOFOLLOW (where available) to prevent TOCTOU races.
- Symlink-safe deletion: expire and purge operations remove the symlink itself rather than following it to an external target.
- Collision-safe link ID generation: uses INSERT (not INSERT OR REPLACE) with automatic retry (up to 5 attempts) on ID collision, preventing silent overwrites.
- Upload size and quota enforcement applied mid-stream with immediate abort and cleanup on breach (HTTP 413 / 507).
- Non-root container runtime (UID/GID 10001) with dedicated deaddrop user.
- Reverse-proxy rate limiting guidance with example nginx configuration in README.
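
The path confinement and symlink protection items above can be pictured with the following sketch. It is an added example, not code from this project: the link-ID pattern, the flat storage layout, and the names LINK_ID_RE, UnsafeFileError, path_for_link, open_for_download and read_chunks are all assumptions made for illustration.

```python
import os
import re
import stat
from pathlib import Path

# Assumed link-ID format (hypothetical): 8-32 URL-safe characters, no separators or dots.
LINK_ID_RE = re.compile(r"[A-Za-z0-9_-]{8,32}")


class UnsafeFileError(Exception):
    """Raised when a link ID or its backing file fails a safety check."""


def path_for_link(storage_dir: Path, link_id: str) -> Path:
    """Derive the on-disk path from a validated ID; no path is ever read from the DB."""
    if not LINK_ID_RE.fullmatch(link_id):
        raise UnsafeFileError(f"invalid link id: {link_id!r}")
    return storage_dir / link_id


def open_for_download(storage_dir: Path, link_id: str) -> int:
    """Return a read-only fd for the stored file, refusing symlinks and non-regular files."""
    path = path_for_link(storage_dir, link_id)
    # O_NOFOLLOW makes open() itself fail on a symlink, so there is no gap between
    # a separate is_symlink() check and the open. It is absent on some platforms.
    nofollow = getattr(os, "O_NOFOLLOW", 0)
    if not nofollow and path.is_symlink():
        raise UnsafeFileError("symlink rejected (fallback check, no O_NOFOLLOW)")
    try:
        fd = os.open(path, os.O_RDONLY | nofollow)
    except FileNotFoundError:
        raise  # a missing file is an ordinary 404, not a security event
    except OSError as exc:
        raise UnsafeFileError(f"refusing to open {link_id!r}: {exc.strerror}") from exc
    # Inspect the object that was actually opened, not the path it was opened by.
    if not stat.S_ISREG(os.fstat(fd).st_mode):
        os.close(fd)
        raise UnsafeFileError("not a regular file")
    return fd


def read_chunks(fd: int, chunk_size: int = 64 * 1024):
    """Yield the file in 64 KB chunks and close the fd when exhausted."""
    with os.fdopen(fd, "rb") as fh:
        while chunk := fh.read(chunk_size):
            yield chunk
```

A caller would log the UnsafeFileError as a security event and answer with a generic not-found response, so the client learns nothing about what the symlink pointed to.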