authorTuomo Ala-Vannesluoma <tuomoav@gmail.com>2018-09-22 14:52:47 +0300
committerTuomo Ala-Vannesluoma <tuomoav@gmail.com>2018-09-22 14:52:47 +0300
commit0cb2e9714fc66486b8deaeeb06c60ae7b701698f (patch)
treedb18b677b5bc60582e9ad054e15c270519883eb8 /app.go
parent2c766aba4f008c4a80e328a4eabbaae186276fc9 (diff)
Add special handling for namespace projects to avoid existence leak
Diffstat (limited to 'app.go')
-rw-r--r--app.go27
1 files changed, 25 insertions, 2 deletions
diff --git a/app.go b/app.go
index 6edf0ae5..295bc7c8 100644
--- a/app.go
+++ b/app.go
@@ -184,14 +184,37 @@ func (a *theApp) serveContent(ww http.ResponseWriter, r *http.Request, https boo
// Serve static file, applying CORS headers if necessary
if a.DisableCrossOriginRequests {
- domain.ServeHTTP(&w, r)
+ a.serveFileOrNotFound(domain, &w, r)
} else {
- corsHandler.ServeHTTP(&w, r, domain.ServeHTTP)
+ corsHandler.ServeHTTP(&w, r, a.serveFileOrNotFound(domain, &w, r))
}
metrics.ProcessedRequests.WithLabelValues(strconv.Itoa(w.status), r.Method).Inc()
}
+func (a *theApp) serveFileOrNotFound(domain *domain.D, ww http.ResponseWriter, r *http.Request) http.HandlerFunc {
+ return func(w http.ResponseWriter, r *http.Request) {
+ fileServed := domain.ServeFileHTTP(w, r)
+
+ if !fileServed {
+ // We need to trigger authentication flow here if file does not exist to prevent exposing possibly private project existence,
+ // because the projects override the paths of the namespace project and they might be private even though
+ // namespace project is public.
+ if domain.IsNamespaceProject(r) {
+
+ if a.Auth.CheckAuthenticationWithoutProject(ww, r) {
+ return
+ }
+
+ httperrors.Serve404(ww)
+ return
+ }
+
+ domain.ServeNotFoundHTTP(w, r)
+ }
+ }
+}
+
func (a *theApp) ServeHTTP(ww http.ResponseWriter, r *http.Request) {
https := r.TLS != nil
a.serveContent(ww, r, https)