From c85e14336e83227f0c7f1984e04c8070665847c8 Mon Sep 17 00:00:00 2001
From: Dawa Ometto
Date: Tue, 2 Oct 2018 23:31:07 +0200
Subject: [PATCH 1/5] Lockdown access to custom css and js files in repo

---
 lib/gollum/app.rb | 8 ++++++++
 test/test_app.rb | 22 ++++++++++++++++++++++
 2 files changed, 30 insertions(+)

diff --git a/lib/gollum/app.rb b/lib/gollum/app.rb
index cfe35031..21700bb3 100644
--- a/lib/gollum/app.rb
+++ b/lib/gollum/app.rb
@@ -144,6 +144,10 @@ module Precious
 end
 end
 
+ get %r{\/edit\/custom.(js|css)} do
+ forbid
+ end
+
 get '/edit/*' do
 forbid unless @allow_editing
 wikip = wiki_page(params[:splat].first)
@@ -212,6 +216,10 @@ module Precious
 end
 end
 
+ post %r{\/(deleteFile|rename|edit|revert)\/custom.(js|css)} do
+ forbid
+ end
+
 post '/deleteFile/*' do
 forbid unless @allow_editing
 wiki = wiki_new
diff --git a/test/test_app.rb b/test/test_app.rb
index 8e8e4433..d9b69fe5 100644
--- a/test/test_app.rb
+++ b/test/test_app.rb
@@ -505,6 +505,28 @@ context "Frontend" do
 Precious::App.set(:wiki_options, { :js => nil })
 end
 
+ test "don't allow editing custom js or css" do
+ Precious::App.set(:wiki_options, { :js => true, :css => true })
+ page = 'yaycustom'
+ text = 'customized!'
+
+ @wiki.write_page(page, :markdown, text,
+ { :name => 'user1', :email => 'user1' });
+
+ ['.css', '.js'].each do |ext|
+ get "/edit/custom#{ext}"
+ assert_equal last_response.status 403
+ end
+
+ ['deleteFile', 'rename', 'edit', 'revert'].each do |route|
+ ['.css', '.js'].each do |ext|
+ post "/#{route}/custom#{ext}"
+ assert_equal last_response.status 403
+ end
+ end
+ Precious::App.set(:wiki_options, { :js => nil })
+ end
+
 test "change custom.css path if page-file-dir is set" do
 Precious::App.set(:wiki_options, { :css => true, :page_file_dir => 'docs'})
 page = 'docs/yaycustom'
From 6d4f97fdc4ddb7a47297745d11b7faab82b492e8 Mon Sep 17 00:00:00 2001
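Review bot: The new regex route in the first app.rb hunk only takes effect because it is declared before `get '/edit/*'`; Sinatra dispatches to the first route whose pattern matches, yet nothing in the code says that this ordering is load-bearing. The same applies to the `post` regex in the second hunk, which has to precede `post '/deleteFile/*'` and the other write handlers it names (`rename`, `edit`, `revert`), whose definitions are outside the hunk, so I cannot confirm they all come after the insertion point at line 216. A comment above each regex route would make the constraint explicit, e.g. `# Must stay above the generic '/edit/*'-style routes below: Sinatra uses the first matching route.`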
From: Dawa Ometto Date: Tue, 2 Oct 2018 23:56:16 +0200 Subject: [PATCH 2/5] Add custom.css and custom.js files to example repo --- test/examples/revert.git/logs/HEAD | 1 + test/examples/revert.git/logs/refs/heads/master | 1 + .../02/796b1450691f90db5d6dc6a816a4980ce80d07 | Bin 0 -> 177 bytes .../14/d1d34f13b0f9aa2e2edf7a3600d2869ff7dd40 | 1 + .../21/fc5ed900545b5b99ab7d59182451b51c6d6036 | Bin 0 -> 36 bytes .../2f/6485c2702c7c8b9b6613672337ffa7d933ddcf | 2 ++ .../33/f46b0e5d1f96038f3fa104ce5c9905fc8013da | Bin 0 -> 257 bytes .../9c/47086afeb15935ae08263f0a0f74f6c2867ca4 | Bin 0 -> 256 bytes .../f4/731572638856ffc49842eef711ad9fa1078467 | 1 + .../fc/f78f665505a6da57648237e5b73062661eab79 | Bin 0 -> 37 bytes test/examples/revert.git/refs/heads/master | 2 +- 11 files changed, 7 insertions(+), 1 deletion(-) create mode 100644 test/examples/revert.git/objects/02/796b1450691f90db5d6dc6a816a4980ce80d07 create mode 100644 test/examples/revert.git/objects/14/d1d34f13b0f9aa2e2edf7a3600d2869ff7dd40 create mode 100644 test/examples/revert.git/objects/21/fc5ed900545b5b99ab7d59182451b51c6d6036 create mode 100644 test/examples/revert.git/objects/2f/6485c2702c7c8b9b6613672337ffa7d933ddcf create mode 100644 test/examples/revert.git/objects/33/f46b0e5d1f96038f3fa104ce5c9905fc8013da create mode 100644 test/examples/revert.git/objects/9c/47086afeb15935ae08263f0a0f74f6c2867ca4 create mode 100644 test/examples/revert.git/objects/f4/731572638856ffc49842eef711ad9fa1078467 create mode 100644 test/examples/revert.git/objects/fc/f78f665505a6da57648237e5b73062661eab79 diff --git a/test/examples/revert.git/logs/HEAD b/test/examples/revert.git/logs/HEAD index ca534187..62fed8fc 100644 --- a/test/examples/revert.git/logs/HEAD +++ b/test/examples/revert.git/logs/HEAD 
@@ -2,3 +2,4 @@ 7c45b5f16ff3bae2a0063191ef832701214d4df5 f403b791119f8232b7cb0ba455c624ac6435f433 rick 1291942743 -0800 commit: add footer and sidebar f403b791119f8232b7cb0ba455c624ac6435f433 ed6c9f63b98acf73c25b5ffbb38da557d3682023 bootstraponline 1336421777 -0600 commit: Add header. ed6c9f63b98acf73c25b5ffbb38da557d3682023 084a558a1fb3cded23129e2dfad3a17d07d73fd3 Daniel Kimsey 1354899095 -0500 push +084a558a1fb3cded23129e2dfad3a17d07d73fd3 02796b1450691f90db5d6dc6a816a4980ce80d07 Dawa Ometto 1538516954 +0200 push diff --git a/test/examples/revert.git/logs/refs/heads/master b/test/examples/revert.git/logs/refs/heads/master index ca534187..62fed8fc 100644 --- a/test/examples/revert.git/logs/refs/heads/master +++ b/test/examples/revert.git/logs/refs/heads/master @@ -2,3 +2,4 @@ 7c45b5f16ff3bae2a0063191ef832701214d4df5 f403b791119f8232b7cb0ba455c624ac6435f433 rick 1291942743 -0800 commit: add footer and sidebar f403b791119f8232b7cb0ba455c624ac6435f433 ed6c9f63b98acf73c25b5ffbb38da557d3682023 bootstraponline 1336421777 -0600 commit: Add header. ed6c9f63b98acf73c25b5ffbb38da557d3682023 084a558a1fb3cded23129e2dfad3a17d07d73fd3 Daniel Kimsey 1354899095 -0500 push +084a558a1fb3cded23129e2dfad3a17d07d73fd3 02796b1450691f90db5d6dc6a816a4980ce80d07 Dawa Ometto 1538516954 +0200 push diff --git a/test/examples/revert.git/objects/02/796b1450691f90db5d6dc6a816a4980ce80d07 b/test/examples/revert.git/objects/02/796b1450691f90db5d6dc6a816a4980ce80d07 new file mode 100644 index 0000000000000000000000000000000000000000..88e10def8dc0d3beb28b62925e2e92a13e603787 GIT binary patch literal 177 zcmV;i08amS0iDi0YQ!)QK;hIn#q< f{jWDad*NO|uCuol-0S-^E1%Xy_ literal 0 HcmV?d00001 diff --git a/test/examples/revert.git/objects/14/d1d34f13b0f9aa2e2edf7a3600d2869ff7dd40 b/test/examples/revert.git/objects/14/d1d34f13b0f9aa2e2edf7a3600d2869ff7dd40 new file mode 100644 index 00000000..0dcc9c9f --- /dev/null +++ b/test/examples/revert.git/objects/14/d1d34f13b0f9aa2e2edf7a3600d2869ff7dd40 
@@ -0,0 +1 @@ +x0@ߩa;AwW<uhߏ}Q]XxrL#;b0ŭ3 \ No newline at end of file diff --git a/test/examples/revert.git/objects/21/fc5ed900545b5b99ab7d59182451b51c6d6036 b/test/examples/revert.git/objects/21/fc5ed900545b5b99ab7d59182451b51c6d6036 new file mode 100644 index 0000000000000000000000000000000000000000..ce80b94e9ad852f0f794148dc11fcf0defc8cea9 GIT binary patch literal 36 scmb6x4-Twecdn*Jzc$%=R;3uJ!4|%GUQwX0QoWvV*mgE literal 0 HcmV?d00001 diff --git a/test/examples/revert.git/objects/2f/6485c2702c7c8b9b6613672337ffa7d933ddcf b/test/examples/revert.git/objects/2f/6485c2702c7c8b9b6613672337ffa7d933ddcf new file mode 100644 index 00000000..540a4a06 --- /dev/null +++ b/test/examples/revert.git/objects/2f/6485c2702c7c8b9b6613672337ffa7d933ddcf @@ -0,0 +1,2 @@ +xMj0@u_RȾghFŶ%]~/e:&cvS"GI0` J&ɩmvDhoa.hU>/W7f{uj 4KSO= \ No newline at end of file diff --git a/test/examples/revert.git/objects/33/f46b0e5d1f96038f3fa104ce5c9905fc8013da b/test/examples/revert.git/objects/33/f46b0e5d1f96038f3fa104ce5c9905fc8013da new file mode 100644 index 0000000000000000000000000000000000000000..cae3dfd1f843c219f8fdc30d3f51dbd487a92f44 GIT binary patch literal 257 zcmV+c0sj7Y0V^p=O;s?mFk&z?FfcPQQE=4DO<`~l*pS>M%`}B!dBzh)Yv$FLq(5$j z$~%GN|5dy0bO<-lSh|x@bY`5P4&(YSj3x#^py1BnX0!Ur{N=Zn##Ur)Wm&(whjI4$ z9Z@U3G=PEtD`&DKPm)hokzv}=1 HGu?Abm$-!& literal 0 HcmV?d00001 diff --git a/test/examples/revert.git/objects/9c/47086afeb15935ae08263f0a0f74f6c2867ca4 b/test/examples/revert.git/objects/9c/47086afeb15935ae08263f0a0f74f6c2867ca4 new file mode 100644 index 0000000000000000000000000000000000000000..3c59f61ac27f54c4557b46a654b4052df7710d51 GIT binary patch literal 256 zcmV+b0ssDZ0V^p=O;s?mFk&z?FfcPQQE=4DO<`~l*pS>M%`}B!dBzh)Yv$FLq(5$j z$~%GN|5dy0bO<-lSh|x@bY`5P4&(YSj3x#^py1BnX0!Ur{N=Zn##Ur)Wm&(whjI4$ z9ZKN6%bc8!4d@xK$=M!3+Qo GT5v4Rw||EK literal 0 HcmV?d00001 
diff --git a/test/examples/revert.git/objects/f4/731572638856ffc49842eef711ad9fa1078467 b/test/examples/revert.git/objects/f4/731572638856ffc49842eef711ad9fa1078467 new file mode 100644 index 00000000..c648869b --- /dev/null +++ b/test/examples/revert.git/objects/f4/731572638856ffc49842eef711ad9fa1078467 @@ -0,0 +1 @@ +xA }>>GT* xҾ_;Q(f|d˹(WHteJF \ No newline at end of file diff --git a/test/examples/revert.git/objects/fc/f78f665505a6da57648237e5b73062661eab79 b/test/examples/revert.git/objects/fc/f78f665505a6da57648237e5b73062661eab79 new file mode 100644 index 0000000000000000000000000000000000000000..10a3851bb30ace2c2513600234581762e7175313 GIT binary patch literal 37 tcmbOxeOE2>=3c4HN(X literal 0 HcmV?d00001 diff --git a/test/examples/revert.git/refs/heads/master b/test/examples/revert.git/refs/heads/master index 1b87d8e5..56d1ca4a 100644 --- a/test/examples/revert.git/refs/heads/master +++ b/test/examples/revert.git/refs/heads/master @@ -1 +1 @@ -084a558a1fb3cded23129e2dfad3a17d07d73fd3 +02796b1450691f90db5d6dc6a816a4980ce80d07 From f8673f565a6076ff4d991f5127f31e62adc2f6e2 Mon Sep 17 00:00:00 2001 From: Dawa Ometto Date: Tue, 2 Oct 2018 23:56:46 +0200 Subject: [PATCH 3/5] Lockdown write access to custom.css and js --- lib/gollum/app.rb | 10 +++++----- test/test_app.rb | 33 ++++++++++++++++++--------------- 2 files changed, 23 insertions(+), 20 deletions(-) diff --git a/lib/gollum/app.rb b/lib/gollum/app.rb index 21700bb3..7c60c7f2 100644 --- a/lib/gollum/app.rb +++ b/lib/gollum/app.rb @@ -144,7 +144,11 @@ module Precious end end - get %r{\/edit\/custom.(js|css)} do + get %r{\/(edit|create)\/custom.(js|css)} do + forbid + end + + post %r{\/(deleteFile|rename|edit|revert|create)\/custom.(js|css)(\/.*)?} do forbid end @@ -216,10 +220,6 @@ module Precious end end - post %r{\/(deleteFile|rename|edit|revert)\/custom.(js|css)} do - forbid - end - post '/deleteFile/*' do forbid unless @allow_editing wiki = wiki_new 
diff --git a/test/test_app.rb b/test/test_app.rb
index d9b69fe5..84cf9ab3 100644
--- a/test/test_app.rb
+++ b/test/test_app.rb
@@ -505,25 +505,28 @@ context "Frontend" do
 Precious::App.set(:wiki_options, { :js => nil })
 end
 
- test "don't allow editing custom js or css" do
+ test "don't allow changing custom js or css" do
 Precious::App.set(:wiki_options, { :js => true, :css => true })
- page = 'yaycustom'
- text = 'customized!'
-
- @wiki.write_page(page, :markdown, text,
- { :name => 'user1', :email => 'user1' });
-
- ['.css', '.js'].each do |ext|
- get "/edit/custom#{ext}"
- assert_equal last_response.status 403
- end
-
- ['deleteFile', 'rename', 'edit', 'revert'].each do |route|
+
+ ['create', 'edit'].each do |route|
 ['.css', '.js'].each do |ext|
- post "/#{route}/custom#{ext}"
- assert_equal last_response.status 403
+ get "/#{route}/custom#{ext}"
+ assert_equal 403, last_response.status, "get /#{route}/custom#{ext} -- #{last_response.inspect}"
 end
 end
+
+ ['deleteFile', 'rename', 'edit', 'create'].each do |route|
+ ['.css', '.js'].each do |ext|
+ post "/#{route}/custom#{ext}"
+ assert_equal 403, last_response.status, "post /#{route}/custom#{ext} -- #{last_response.inspect}"
+ end
+ end
+
+ ['.css', '.js'].each do |ext|
+ post "/revert/custom#{ext}/02796b1450691f90db5d6dc6a816a4980ce80d07/2f6485c2702c7c8b9b6613672337ffa7d933ddcf"
+ assert_equal 403, last_response.status, "post /revert/custom#{ext} -- #{last_response.inspect}"
+ end
+
 Precious::App.set(:wiki_options, { :js => nil })
 end
 
From 84c01bb69b001419d92824e88acfdda654e13646 Mon Sep 17 00:00:00 2001
From: Dawa Ometto
Date: Wed, 3 Oct 2018 22:13:38 +0200
Subject: [PATCH 4/5] Improve regexps

---
 lib/gollum/app.rb | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/lib/gollum/app.rb b/lib/gollum/app.rb
index 7c60c7f2..bf9c629c 100644
--- a/lib/gollum/app.rb
+++ b/lib/gollum/app.rb
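Review bot: The teardown at the end of the test, `Precious::App.set(:wiki_options, { :js => nil })`, resets only `:js` while the setup turned on both `:js` and `:css`, so `:css => true` leaks into whichever test runs next; `Precious::App.set(:wiki_options, { :js => nil, :css => nil })` restores both. The test also only checks that the custom-asset paths are refused and has no control asserting that a page with a similar name is still reachable, which is what would catch an over-broad route pattern such as the unescaped dot in `custom.(js|css)` at this commit (it also matches `custom_css`; the dot is escaped in a later patch). A line such as `get '/edit/custom_css'` followed by `refute_equal 403, last_response.status` would pin that boundary.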
@@ -144,11 +144,15 @@ module Precious
 end
 end
 
- get %r{\/(edit|create)\/custom.(js|css)} do
+ get %r{/(edit|create)/custom\.(js|css)} do
 forbid
 end
 
- post %r{\/(deleteFile|rename|edit|revert|create)\/custom.(js|css)(\/.*)?} do
+ post %r{/(deleteFile|rename|edit|create)/custom\.(js|css)} do
+ forbid
+ end
+
+ post %r{/revert/custom\.(js|css)/.*/.*} do
 forbid
 end
 
From ff52933320e56ee6b883b6052e57ae288d332c91 Mon Sep 17 00:00:00 2001
From: Dawa Ometto
Date: Wed, 3 Oct 2018 22:19:39 +0200
Subject: [PATCH 5/5] Improve error message

---
 lib/gollum/app.rb | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/lib/gollum/app.rb b/lib/gollum/app.rb
index bf9c629c..eb8b2934 100644
--- a/lib/gollum/app.rb
+++ b/lib/gollum/app.rb
@@ -145,15 +145,15 @@ module Precious
 end
 
 get %r{/(edit|create)/custom\.(js|css)} do
- forbid
+ forbid('Changing this resource is not allowed.')
 end
 
 post %r{/(deleteFile|rename|edit|create)/custom\.(js|css)} do
- forbid
+ forbid('Changing this resource is not allowed.')
 end
 
 post %r{/revert/custom\.(js|css)/.*/.*} do
- forbid
+ forbid('Changing this resource is not allowed.')
 end
 
 get '/edit/*' do
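Review bot: All three route patterns in this hunk gate on the request path only, so a write whose target name arrives in the request body rather than in the URL is not covered: the `rename` handler necessarily takes its destination from a parameter (the path carries the source page), and `create` likely takes the new page name the same way, so a rename or create that ends up at `custom.css`/`custom.js` would not hit these guards. Those handler bodies are outside the hunk, so this is inferred from the routes rather than confirmed. A small predicate next to the routes, e.g. `def custom_asset?(name) name.to_s.match?(%r{\Acustom\.(?:js|css)\z}) end`, called with the resolved target name inside the write handlers before they touch the repository, would enforce the rule in one place regardless of how the name reaches the server, and the path regexes could stay as a fast-path 403.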
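Review bot: The message `'Changing this resource is not allowed.'` is now repeated verbatim in the three `forbid` calls of the second hunk; a single frozen constant declared beside the routes, e.g. `CUSTOM_ASSET_FORBIDDEN = 'Changing this resource is not allowed.'.freeze`, keeps the wording in one place and makes it greppable when the text is later changed or localised. The three patterns likewise carry three copies of the `custom\.(js|css)` fragment, which could share a constant for the same reason. The `get '/edit/*'` handler on the last context line continues outside the hunk.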