author | Tuomo Ala-Vannesluoma <tuomoav@gmail.com> | 2018-09-22 14:52:47 +0300 |
---|---|---|
committer | Tuomo Ala-Vannesluoma <tuomoav@gmail.com> | 2018-09-22 14:52:47 +0300 |
commit | 0cb2e9714fc66486b8deaeeb06c60ae7b701698f (patch) | |
tree | db18b677b5bc60582e9ad054e15c270519883eb8 /app.go | |
parent | 2c766aba4f008c4a80e328a4eabbaae186276fc9 (diff) |
Add special handling for namespace projects to avoid existence leak
Diffstat (limited to 'app.go')
-rw-r--r-- | app.go | 27 |
1 files changed, 25 insertions, 2 deletions
@@ -184,14 +184,37 @@ func (a *theApp) serveContent(ww http.ResponseWriter, r *http.Request, https boo // Serve static file, applying CORS headers if necessary if a.DisableCrossOriginRequests { - domain.ServeHTTP(&w, r) + a.serveFileOrNotFound(domain, &w, r) } else { - corsHandler.ServeHTTP(&w, r, domain.ServeHTTP) + corsHandler.ServeHTTP(&w, r, a.serveFileOrNotFound(domain, &w, r)) } metrics.ProcessedRequests.WithLabelValues(strconv.Itoa(w.status), r.Method).Inc() } +func (a *theApp) serveFileOrNotFound(domain *domain.D, ww http.ResponseWriter, r *http.Request) http.HandlerFunc { + return func(w http.ResponseWriter, r *http.Request) { + fileServed := domain.ServeFileHTTP(w, r) + + if !fileServed { + // We need to trigger authentication flow here if file does not exist to prevent exposing possibly private project existence, + // because the projects override the paths of the namespace project and they might be private even though + // namespace project is public. + if domain.IsNamespaceProject(r) { + + if a.Auth.CheckAuthenticationWithoutProject(ww, r) { + return + } + + httperrors.Serve404(ww) + return + } + + domain.ServeNotFoundHTTP(w, r) + } + } +} + func (a *theApp) ServeHTTP(ww http.ResponseWriter, r *http.Request) { https := r.TLS != nil a.serveContent(ww, r, https) |
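Review bot: In the `DisableCrossOriginRequests` branch the new line `a.serveFileOrNotFound(domain, &w, r)` only constructs the `http.HandlerFunc` and discards it, so with cross-origin requests disabled neither the file, the 404 nor the authentication response is ever written; the returned handler has to be invoked, e.g. `a.serveFileOrNotFound(domain, &w, r)(&w, r)`. The helper also mixes two writers: the file goes through the closure's `w`, but `httperrors.Serve404` and `CheckAuthenticationWithoutProject` write to the captured outer `ww`, bypassing the wrapper whose `w.status` feeds `metrics.ProcessedRequests` (and, in the CORS branch, whatever writer `corsHandler` hands the handler), while the closure's `r` shadows the captured one. Dropping the extra parameters and writing everything through the closure's `w` fixes both, with the call sites becoming `a.serveFileOrNotFound(domain)(&w, r)` and `corsHandler.ServeHTTP(&w, r, a.serveFileOrNotFound(domain))`. Whether a true return from `CheckAuthenticationWithoutProject` means a response has already been written is not visible here and should be confirmed against its definition; `serveContent` begins above the hunk.
```go
	if a.DisableCrossOriginRequests {
		a.serveFileOrNotFound(domain)(&w, r)
	} else {
		corsHandler.ServeHTTP(&w, r, a.serveFileOrNotFound(domain))
	}
	// … unchanged: metrics update …

// serveFileOrNotFound serves the requested file from domain; when the file is
// missing on a namespace project it forces the authentication flow so that the
// existence of a private project overriding that path is not revealed.
func (a *theApp) serveFileOrNotFound(domain *domain.D) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		// … unchanged: ServeFileHTTP call and namespace-project comment …
			if domain.IsNamespaceProject(r) {
				if a.Auth.CheckAuthenticationWithoutProject(w, r) {
					return
				}

				httperrors.Serve404(w)
				return
			}
		// … unchanged: ServeNotFoundHTTP fallback …
```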