I don't really know Go, but this looks like users are able to upload files to any directory they choose, and any 22-character filename they choose (as long as the filename doesn't already exist), on the whole drive:
https://github.com/Upload/Up1/blob/bf39cfe1a4701f5f9168b1a3865bb5fd7eda021f/server.go#L128
    ident := r.FormValue("ident")
    identPath := path.Join("i", ident)
    out, err := os.Create(identPath)
Is that true? If so: I can't think of a way to exploit that to useful effect, but there probably is something.
There's certainly nothing wrong with building new software to explore a problem and learn, so I hope nothing I say comes as criticism.
In any case, thanks for working on privacy-friendly tools.
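Added example, not part of the thread or of Up1's code: how `path.Join` treats a client-supplied ident, next to a validated variant. The function names and the allowed ident alphabet (22 URL-safe base64 characters) are assumptions; the thread only mentions the 22-character length.

```go
package main

import (
	"errors"
	"fmt"
	"path"
	"regexp"
)

// identRe is an assumed allow-list: exactly 22 URL-safe base64 characters.
// Only the length comes from the thread; the alphabet is an assumption.
var identRe = regexp.MustCompile(`^[A-Za-z0-9_-]{22}$`)

var errBadIdent = errors.New("invalid ident")

// naiveIdentPath mirrors the quoted snippet: the client value is joined as-is.
// path.Join cleans the result, so ".." segments can cancel the "i" prefix.
func naiveIdentPath(ident string) string {
	return path.Join("i", ident)
}

// safeIdentPath rejects anything outside the allow-list, then confirms the
// joined path is still a direct child of baseDir (defence in depth).
func safeIdentPath(baseDir, ident string) (string, error) {
	if !identRe.MatchString(ident) {
		return "", errBadIdent
	}
	p := path.Join(baseDir, ident)
	if path.Dir(p) != path.Clean(baseDir) {
		return "", errBadIdent
	}
	return p, nil
}

func main() {
	// Constructed sample inputs, each 22 characters long.
	samples := []string{
		"AbCdEfGhIjKlMnOpQrStUv", // well-formed ident
		"../../tmp/aaaaaaaaaaaa", // contains ".." segments
		"/aaaaaaaaaaaaaaaaaaaaa", // leading slash
	}
	for _, s := range samples {
		p, err := safeIdentPath("i", s)
		fmt.Printf("%-26q naive=%-26q safe=%q err=%v\n", s, naiveIdentPath(s), p, err)
	}
}
```

A length check alone does not constrain where the file lands; restricting the character set and re-checking the parent directory does.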
I caught this thread a little bit late unfortunately, but recently I've been working on a newer version of a self-hosted encrypted image/file/paste platform called Up1 (https://github.com/Upload/Up1). While an older version already exists, it's limited in a few ways, such as only supporting 50MB files (as it has to keep everything in memory), and it doesn't support any special functionality beyond being able to delete your own uploaded files afterwards.
The newer version of Up1 will support:
Also for the people who care, the new version is being written in Vue/TypeScript in the frontend and Rust in the backend, which is quite a bit easier to develop on than our previous custom frontend framework and backend in Go or Node.
If you're interested in this, let me know!