Merge pull request +13629 from c9/api-preview-block-dotfiles

Blocks .(dot) files in preview
2016-04-22 13:12:45 +02:00 · 2016-04-22 13:12:45 +02:00 · f129d0fd76
commit f129d0fd76
--- a/plugins/c9.preview/lib/middleware/block-dot-files.js
+++ b/plugins/c9.preview/lib/middleware/block-dot-files.js
@ -0,0 +1,18 @@
+"use strict";
+
+var HttpError = require("http-error");
+
+function isDotFile(path){
+    return /^[.]/.test(path)    ;
+}
+
+module.exports = function blockDotFiles(req, res, next){
+    if (!req.params.path) return next();
+    
+    var pathParts = req.params.path.split("/");
+    
+    if (pathParts.some(isDotFile))
+        return next(new HttpError.NotFound("File does not exist"));
+        
+    next();
+};
--- a/plugins/c9.preview/lib/middleware/block-tot-files_test.js
+++ b/plugins/c9.preview/lib/middleware/block-tot-files_test.js
@ -0,0 +1,67 @@
+"use struct";
+"use server";
+
+require("c9/inline-mocha")(module);
+
+var blockDotFiles = require("./block-dot-files");
+var async = require("async");
+var format = require("util").format;
+var assert = require("assert-diff");
+
+var HttpError = require("http-error");
+
+describe(__filename, function() {
+    it("should block acess to files starting with a dot", function(done) {
+
+        var err404 = new HttpError.NotFound("File does not exist");
+
+        var cases = [
+            {
+                label: "Block ../",
+                path: "../../../../etc/password",
+                err: err404
+            }, 
+            {
+                label: "Block anything starting with a .",
+                path: ".ssh/id_rsa",
+                err: err404
+            }, 
+            {
+                label: "Block anything starting with a .",
+                path: ".git/config",
+                err: err404
+            }, 
+            {
+                label: "Block anything with a . in the start of a pathpart",
+                path: "deep/.git/config",
+                err: err404
+            }, 
+            {
+                label: "Don't block normal paths",
+                path: "one/two/three.txt",
+            }, 
+            {
+                label: "Don't block empty paths",
+                path: "",
+            }, 
+            {
+                label: "Don't choke on undefineds",
+            }, 
+        
+        ];
+
+
+        async.each(cases, function(testCase, next) {
+            var mockReq = {
+                params: {
+                    path: testCase.path
+                }
+            };
+
+            blockDotFiles(mockReq, null, function(err) {
+                assert.deepEqual(err, testCase.err, testCase.label);
+                next();
+            });
+        }, done);
+    });
+});
--- a/plugins/c9.preview/preview.js
+++ b/plugins/c9.preview/preview.js
@ -52,6 +52,7 @@ define(function(require, exports, module) {
        }, [
            requestTimeout(15*60*1000),
            require("./lib/middleware/sanitize-path-param"),
+            require("./lib/middleware/block-dot-files"),
            ratelimit("username", 20 * 1000, 1000),
            handler.getProjectSession(),
            handler.getRole(db),