better code to forbid accesses to chroots

cd7f5c26 · Leo Iannacone · c931a2a0 · cd7f5c26
Commit cd7f5c26 authored Aug 29, 2014 by Leo Iannacone
Show whitespace changes
Inline Side-by-side

Showing with 11 additions and 18 deletions

debomatic-webui/lib/app.coffee debomatic-webui/lib/app.coffee +11 -18

No files found.
--- a/debomatic-webui/lib/app.coffee
+++ b/debomatic-webui/lib/app.coffee
@@ -45,25 +45,18 @@ if config.routes.commands
 # debomatic static page
 if config.routes.debomatic
-    app.all config.routes.debomatic + "*", (req, res, next) ->
+    chroot_forbidden = (res) ->
-        # send 403 status when users want to browse the chroots:
-        # - unstable/unstable
-        # - unstable/build/*
-        # this prevents system crashes
-        base = config.routes.debomatic
-        base += "/" if base[base.length - 1] isnt "/" # append /
-        match = req.url.replace(base, "").split("/")
-        match.pop() if match[match.length - 1] is ""
-        if match.length >= 2 and
-        ((match[0] is match[1]) or # case unstable/unstable
-        (match[1] is "build" and match.length > 2)) # case unstable/build/*
        res.status(403).send """<h1>403 Forbidden</h1>
-                                 <h2>You cannot see the chroot internals</h2>
+                                 <h2>You cannot see the chroot internals</h2>"""
-                                 """
-        else # call next() here to move on to next middleware/router
+    app.get config.routes.debomatic + '/:distribution/:subdir', (req, res, next) ->
+        if req.params.distribution == req.params.subdir
+            chroot_forbidden(res)
+        else
            next()
-        return
+    app.get config.routes.debomatic + '/:distribution/build/:subdir', (req, res) ->
+        chroot_forbidden(res)
    app.get config.routes.debomatic + '/:distribution/logs/:file', (req, res) ->
        distribution = req.params.distribution