Merge pull request #1324 from repotag/secure_customs

Secure custom JS and CSS. Resolves #665
2018-10-03 22:27:05 +02:00
parent eb9b71e94a ff52933320
commit daaa82fab5
13 changed files with 44 additions and 1 deletions
@@ -144,6 +144,18 @@ module Precious
      end
    end

+    get %r{/(edit|create)/custom\.(js|css)} do
+      forbid('Changing this resource is not allowed.')
+    end
+
+    post %r{/(deleteFile|rename|edit|create)/custom\.(js|css)} do
+      forbid('Changing this resource is not allowed.')
+    end
+
+    post %r{/revert/custom\.(js|css)/.*/.*} do
+      forbid('Changing this resource is not allowed.')
+    end
+
    get '/edit/*' do
      forbid unless @allow_editing
      wikip = wiki_page(params[:splat].first)
@@ -2,3 +2,4 @@
 7c45b5f16ff3bae2a0063191ef832701214d4df5 f403b791119f8232b7cb0ba455c624ac6435f433 rick <technoweenie@gmail.com> 1291942743 -0800	commit: add footer and sidebar
 f403b791119f8232b7cb0ba455c624ac6435f433 ed6c9f63b98acf73c25b5ffbb38da557d3682023 bootstraponline <cafe@bootstraponline.com> 1336421777 -0600	commit: Add header.
 ed6c9f63b98acf73c25b5ffbb38da557d3682023 084a558a1fb3cded23129e2dfad3a17d07d73fd3 Daniel Kimsey <dekimsey@ufl.edu> 1354899095 -0500	push
+084a558a1fb3cded23129e2dfad3a17d07d73fd3 02796b1450691f90db5d6dc6a816a4980ce80d07 Dawa Ometto <dawa.ometto@phil.uu.nl> 1538516954 +0200	push
@@ -2,3 +2,4 @@
 7c45b5f16ff3bae2a0063191ef832701214d4df5 f403b791119f8232b7cb0ba455c624ac6435f433 rick <technoweenie@gmail.com> 1291942743 -0800	commit: add footer and sidebar
 f403b791119f8232b7cb0ba455c624ac6435f433 ed6c9f63b98acf73c25b5ffbb38da557d3682023 bootstraponline <cafe@bootstraponline.com> 1336421777 -0600	commit: Add header.
 ed6c9f63b98acf73c25b5ffbb38da557d3682023 084a558a1fb3cded23129e2dfad3a17d07d73fd3 Daniel Kimsey <dekimsey@ufl.edu> 1354899095 -0500	push
+084a558a1fb3cded23129e2dfad3a17d07d73fd3 02796b1450691f90db5d6dc6a816a4980ce80d07 Dawa Ometto <dawa.ometto@phil.uu.nl> 1538516954 +0200	push
@@ -0,0 +1 @@
+xÁÁ€0@ß©âŠða;A‡„úwW<çuhß�}QÄ]ÌXxÙrL‚#Ê;b0�ÙÅý3£Ù
@@ -0,0 +1,2 @@
+x�ÎMjÃ0@á®uŠÙÌè_†RÈ¾g˜hFÄÅ¶‚%“ëÇø]~‹/×e™:—¾ú&cvS "íGëI0™`–èJÈ&…˜É©m²vÀäÈûDº<lfacµÅp!¶¤#cäh[E{Ö
+îô&ø]¤÷
@@ -0,0 +1 @@
+xÁAÀ Àž}Å>¢—>G„T*‰ÿïŒxîçÒ¾_;QÄ(f|dË¹Î(WìHˆÁte·öJF
@@ -1 +1 @@
-084a558a1fb3cded23129e2dfad3a17d07d73fd3
+02796b1450691f90db5d6dc6a816a4980ce80d07
@@ -505,6 +505,31 @@ context "Frontend" do
    Precious::App.set(:wiki_options, { :js => nil })
  end

+  test "don't allow changing custom js or css" do
+    Precious::App.set(:wiki_options, { :js => true, :css => true })
+  
+    ['create', 'edit'].each do |route|
+      ['.css', '.js'].each do |ext|
+        get "/#{route}/custom#{ext}"
+        assert_equal 403, last_response.status, "get /#{route}/custom#{ext} -- #{last_response.inspect}"
+      end
+    end
+
+    ['deleteFile', 'rename', 'edit', 'create'].each do |route|
+      ['.css', '.js'].each do |ext|
+        post "/#{route}/custom#{ext}"
+        assert_equal 403, last_response.status, "post /#{route}/custom#{ext} -- #{last_response.inspect}"
+      end
+    end
+
+    ['.css', '.js'].each do |ext|
+      post "/revert/custom#{ext}/02796b1450691f90db5d6dc6a816a4980ce80d07/2f6485c2702c7c8b9b6613672337ffa7d933ddcf"
+      assert_equal 403, last_response.status, "post /revert/custom#{ext} -- #{last_response.inspect}"
+    end
+
+    Precious::App.set(:wiki_options, { :js => nil })
+  end
+
  test "change custom.css path if page-file-dir is set" do
    Precious::App.set(:wiki_options, { :css => true, :page_file_dir => 'docs'})
    page = 'docs/yaycustom'
				`@@ -0,0 +1 @@`
				`xÁÁ€0@ß©âŠða;A‡„úwW<çuhß�}QÄ]ÌXxÙrL‚#Ê;b0�ÙÅý3£Ù`
				`@@ -0,0 +1 @@`
				`xÁAÀ Àž}Å>¢—>G„T*‰ÿïŒxîçÒ¾_;QÄ(f\|dË¹Î(WìHˆÁte·öJF`