From c85e14336e83227f0c7f1984e04c8070665847c8 Mon Sep 17 00:00:00 2001
From: Dawa Ometto
Date: Tue, 2 Oct 2018 23:31:07 +0200
Subject: [PATCH] Lockdown access to custom css and js files in repo

---
 lib/gollum/app.rb | 8 ++++++++
 test/test_app.rb | 22 ++++++++++++++++++++++
 2 files changed, 30 insertions(+)

diff --git a/lib/gollum/app.rb b/lib/gollum/app.rb
index cfe35031..21700bb3 100644
--- a/lib/gollum/app.rb
+++ b/lib/gollum/app.rb
@@ -144,6 +144,10 @@ module Precious
 end
 end
 
+ get %r{\/edit\/custom.(js|css)} do
+ forbid
+ end
+
 get '/edit/*' do
 forbid unless @allow_editing
 wikip = wiki_page(params[:splat].first)
@@ -212,6 +216,10 @@ module Precious
 end
 end
 
+ post %r{\/(deleteFile|rename|edit|revert)\/custom.(js|css)} do
+ forbid
+ end
+
 post '/deleteFile/*' do
 forbid unless @allow_editing
 wiki = wiki_new
diff --git a/test/test_app.rb b/test/test_app.rb
index 8e8e4433..d9b69fe5 100644
--- a/test/test_app.rb
+++ b/test/test_app.rb
@@ -505,6 +505,28 @@ context "Frontend" do
 Precious::App.set(:wiki_options, { :js => nil })
 end
 
+ test "don't allow editing custom js or css" do
+ Precious::App.set(:wiki_options, { :js => true, :css => true })
+ page = 'yaycustom'
+ text = 'customized!'
+
+ @wiki.write_page(page, :markdown, text,
+ { :name => 'user1', :email => 'user1' });
+
+ ['.css', '.js'].each do |ext|
+ get "/edit/custom#{ext}"
+ assert_equal last_response.status 403
+ end
+
+ ['deleteFile', 'rename', 'edit', 'revert'].each do |route|
+ ['.css', '.js'].each do |ext|
+ post "/#{route}/custom#{ext}"
+ assert_equal last_response.status 403
+ end
+ end
+ Precious::App.set(:wiki_options, { :js => nil })
+ end
+
 test "change custom.css path if page-file-dir is set" do
 Precious::App.set(:wiki_options, { :css => true, :page_file_dir => 'docs'})
 page = 'docs/yaycustom'
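Review bot: The pattern `%r{\/edit\/custom.(js|css)}` in the new `get` route is unanchored and leaves the `.` unescaped, so it also matches `/edit/custom.json`, `/edit/customXjs` or any longer path that contains `/edit/custom.css` — unless this Sinatra version anchors bare Regexp routes itself, in which case only the `.` needs fixing. With Sinatra 1.x the line should read `get %r{\A/edit/custom\.(js|css)\z} do`; on Sinatra 2/Mustermann, which anchors regexp routes and rejects explicit anchors, `get %r{/edit/custom\.(js|css)} do` is enough. The same applies to the `post` route in the second hunk. Two things worth checking outside this hunk: whether page lookup is case-insensitive (then `/edit/Custom.css` would still reach the old `/edit/*` route), and what happens when `page_file_dir` is set, since the neighbouring test name suggests the stylesheet then lives under that directory and a path like `/edit/docs/custom.css` does not match this pattern.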
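Review bot: The list `(deleteFile|rename|edit|revert)` guards only routes addressed by the source page name, so if the rename handler takes its destination from a request parameter (its body is outside the hunk), renaming another page to `custom.js` or `custom.css` would still succeed, and any other write route not in the list — page creation or file upload, if such routes exist — is likewise uncovered. A check on the resolved target file name inside the write paths, e.g. an illustrative helper used as `forbid if custom_asset?(name)` wherever the final name is known, including the rename destination, would be harder to bypass than a URL regex placed in front of four routes. The pattern also shares the missing-anchor and unescaped-`.` problem of the `get` route in the first hunk.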
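Review bot: `assert_equal last_response.status 403` (used twice in the new test) is missing the comma between its arguments, so Ruby parses it as `last_response.status(403)` and the test errors with an ArgumentError instead of asserting; both lines should read `assert_equal 403, last_response.status`. The `yaycustom` page written through `write_page` is never referenced afterwards; either drop that setup or use it to show the guard does not over-match, e.g. `get "/edit/#{page}"` followed by an assertion that the response is not 403. The trailing `;` after the `write_page` call is a leftover and can go.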