From 1c2d3c8f62247370ad5a4b3ce765c29588aa813c Mon Sep 17 00:00:00 2001
From: Matthijs van Henten
Date: Fri, 22 Apr 2016 10:16:20 +0000
Subject: [PATCH] Blocks .(dot) files in preview
---
 .../lib/middleware/block-dot-files.js | 18 +++++
 .../lib/middleware/block-tot-files_test.js | 67 +++++++++++++++++++
 plugins/c9.preview/preview.js | 1 +
 3 files changed, 86 insertions(+)
 create mode 100644 plugins/c9.preview/lib/middleware/block-dot-files.js
 create mode 100644 plugins/c9.preview/lib/middleware/block-tot-files_test.js
diff --git a/plugins/c9.preview/lib/middleware/block-dot-files.js b/plugins/c9.preview/lib/middleware/block-dot-files.js
new file mode 100644
index 00000000..5769d0b0
--- /dev/null
+++ b/plugins/c9.preview/lib/middleware/block-dot-files.js
@@ -0,0 +1,18 @@
+"use strict";
+
+var HttpError = require("http-error");
+
+function isDotFile(path){
+ return /^[.]/.test(path) ;
+}
+
+module.exports = function blockDotFiles(req, res, next){
+ if (!req.params.path) return next();
+
+ var pathParts = req.params.path.split("/");
+
+ if (pathParts.some(isDotFile))
+ return next(new HttpError.NotFound("File does not exist"));
+
+ next();
+};
diff --git a/plugins/c9.preview/lib/middleware/block-tot-files_test.js b/plugins/c9.preview/lib/middleware/block-tot-files_test.js
new file mode 100644
index 00000000..ad1583b0
--- /dev/null
+++ b/plugins/c9.preview/lib/middleware/block-tot-files_test.js
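Review bot: `blockDotFiles` reads `req.params.path` without checking that `req.params` exists, so a request object that carries no params object throws a TypeError instead of being passed through; `if (!req.params || !req.params.path) return next();` would cover that and matches the "Don't choke on undefineds" intent of the accompanying test. The module has no header comment saying what it protects, so I would add `// Refuse to serve any path with a segment that starts with "." (.git, .ssh, ...).` above `isDotFile`, and on the NotFound line `// 404 rather than 403 — presumably so the existence of hidden files is not disclosed; confirm.` The check is purely lexical on the `/`-split segments, so it is only as good as the decoding and normalization the earlier middleware applies to `req.params.path`. Also the stray space in `.test(path) ;`.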
@@ -0,0 +1,67 @@
+"use struct";
+"use server";
+
+require("c9/inline-mocha")(module);
+
+var blockDotFiles = require("./block-dot-files");
+var async = require("async");
+var format = require("util").format;
+var assert = require("assert-diff");
+
+var HttpError = require("http-error");
+
+describe(__filename, function() {
+ it("should block acess to files starting with a dot", function(done) {
+
+ var err404 = new HttpError.NotFound("File does not exist");
+
+ var cases = [
+ {
+ label: "Block ../",
+ path: "../../../../etc/password",
+ err: err404
+ },
+ {
+ label: "Block anything starting with a .",
+ path: ".ssh/id_rsa",
+ err: err404
+ },
+ {
+ label: "Block anything starting with a .",
+ path: ".git/config",
+ err: err404
+ },
+ {
+ label: "Block anything with a . in the start of a pathpart",
+ path: "deep/.git/config",
+ err: err404
+ },
+ {
+ label: "Don't block normal paths",
+ path: "one/two/three.txt",
+ },
+ {
+ label: "Don't block empty paths",
+ path: "",
+ },
+ {
+ label: "Don't choke on undefineds",
+ },
+
+ ];
+
+
+ async.each(cases, function(testCase, next) {
+ var mockReq = {
+ params: {
+ path: testCase.path
+ }
+ };
+
+ blockDotFiles(mockReq, null, function(err) {
+ assert.deepEqual(err, testCase.err, testCase.label);
+ next();
+ });
+ }, done);
+ });
+});
diff --git a/plugins/c9.preview/preview.js b/plugins/c9.preview/preview.js
index 657df128..bde0ac02 100644
--- a/plugins/c9.preview/preview.js
+++ b/plugins/c9.preview/preview.js
@@ -52,6 +52,7 @@ define(function(require, exports, module) {
 }, [
 requestTimeout(15*60*1000),
 require("./lib/middleware/sanitize-path-param"),
+ require("./lib/middleware/block-dot-files"),
 ratelimit("username", 20 * 1000, 1000),
 handler.getProjectSession(),
 handler.getRole(db),
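Review bot: The test file never enables strict mode because its first directive reads `"use struct"` (a no-op string expression) instead of `"use strict"`; the file name `block-tot-files_test.js` carries the same kind of typo and should be `block-dot-files_test.js` so it sits next to the module it exercises. `var format = require("util").format;` is unused and can be dropped. `assert.deepEqual(err, testCase.err, testCase.label)` compares two `HttpError.NotFound` instances structurally, and since `message` on Error objects is typically non-enumerable this may accept any NotFound regardless of its message — worth confirming, or asserting `err.message` and the status code explicitly. The test labels say "Block ../" but the case only passes because `..` happens to start with a dot, which is worth stating in the label so nobody reads it as a traversal test.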
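Review bot: The inserted `require("./lib/middleware/block-dot-files")` is only effective because it runs after `sanitize-path-param`, which presumably decodes and normalizes `req.params.path` before the segment check, yet nothing marks that ordering as intentional. I would add `// must stay after sanitize-path-param: block-dot-files inspects the decoded path segments` on the inserted line. Placing it ahead of `ratelimit(...)` also means requests rejected here are not counted by the rate limiter, which may be acceptable given the uniform 404 response but is worth a deliberate decision. The enclosing `define(...)` callback and the middleware array start and end outside the hunk.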