filter out request to chroots - send back 403 HTTP status

debomatic-webui/debomatic-webui

@@ -34,26 +34,44 @@ if ('development' == env) {
 app.set('views', __dirname + '/views');
 app.set('view engine', 'ejs');
 
-// Routes
+// index page
 app.get('/', routes.index);
+
 // distibution page
 app.get(config.routes.distribution, routes.distribution);
+
 // parefernces page
 if (config.routes.preferences)
     app.get(config.routes.preferences, routes.preferences);
+
 // commands page
 if (config.routes.commands)
     app.get(config.routes.commands, routes.commands);
+
 // debomatic static page
 if (config.routes.debomatic) {
+    app.all(config.routes.debomatic + '*', function (req, res, next) {
+        // send 403 status when users want to browse the chroots:
+        // - unstable/unstable
+        // - unstable/build/*
+        // this prevents system crashes
+        var base = config.routes.debomatic;
+        base += base[base.length - 1] != '/' ? '/' : ''; // append /
+        var match = req.url.replace(base, '').split('/');
+        if (match[match.length - 1] === '') match.pop();
+        if (match.length >= 2 && (
+            (match[0] == match[1]) || /* case unstable/unstable */
+            (match[1] == 'build' && match.length > 2) /* case unstable/build/* */
+        )) {
+            res.status(403).send('<h1>403 Forbidden</h1>');
+        } else
+            next(); // call next() here to move on to next middleware/router
+    });
+
     app.use(config.routes.debomatic, serve_static(config.debomatic.path));
-    app.use(config.routes.debomatic, serve_index(config.debomatic.path, {
-        filter: function (filename) {
-            // do not show these files and directories
-            return ['dev', 'sys'].indexOf(filename) < 0;
-        }
-    }));
+    app.use(config.routes.debomatic, serve_index(config.debomatic.path));
 }
+
 // serve stylesheet-javascript
 app.use(serve_static(__dirname + '/public'));