- commit
- 9d5a8dd
- parent
- 09d20c7
- author
- Eric Bower
- date
- 2025-04-05 11:26:25 -0400 EDT
fix(pgs): do not expose `_redirects` and `_headers` over https.
2 files changed,
+45,
-0
+6,
-0
1@@ -426,6 +426,12 @@ func (web *WebRouter) ServeAsset(fname string, opts *storage.ImgProcessOpts, fro
2 "host", r.Host,
3 )
4
5+ if fname == "_headers" || fname == "_redirects" || fname == "_pgs_ignore" {
6+ logger.Info("special file names are not allowed to be served over http")
7+ http.Error(w, "404 not found", http.StatusNotFound)
8+ return
9+ }
10+
11 props, err := shared.GetProjectFromSubdomain(subdomain)
12 if err != nil {
13 logger.Info(
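Review bot: The new `if` compares `fname` verbatim, so whether a request for `/./_headers`, `//_headers` or a percent-encoded `/%5Fheaders` still reaches the storage read depends on how `fname` is derived from the URL, which is outside this hunk; normalizing first, e.g. `name := path.Clean("/" + fname)` and comparing against `/_headers` and friends (or `path.Base(name)` if the rule is meant to apply in subdirectories too), makes the guard independent of that. The three literals also duplicate whatever list the processing side uses for these files; a single package-level set such as `var reservedFiles = map[string]struct{}{"_headers": {}, "_redirects": {}, "_pgs_ignore": {}}` would keep the deny list and the feature list from drifting apart, which matters given the commit title names only two of the three. The log message says "http" while the title says "https", and it does not record which name was hit; `logger.Info("refusing to serve reserved file", "fname", fname)` would. Placing the check before `GetProjectFromSubdomain` means it answers 404 whether or not the file exists, so it does not act as an existence oracle, which is the right order. ServeAsset starts and ends outside the hunk.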
+39,
-0
1@@ -145,6 +145,45 @@ func TestApiBasic(t *testing.T) {
2 bucketName: {},
3 },
4 },
5+ {
6+ name: "_redirects",
7+ path: "/_redirects",
8+ want: "404 not found",
9+ status: http.StatusNotFound,
10+ contentType: "text/plain; charset=utf-8",
11+
12+ storage: map[string]map[string]string{
13+ bucketName: {
14+ "/test/_redirects": "/ok /index.html 200",
15+ },
16+ },
17+ },
18+ {
19+ name: "_headers",
20+ path: "/_headers",
21+ want: "404 not found",
22+ status: http.StatusNotFound,
23+ contentType: "text/plain; charset=utf-8",
24+
25+ storage: map[string]map[string]string{
26+ bucketName: {
27+ "/test/_headers": "/templates/index.html\n\tX-Frame-Options: DENY",
28+ },
29+ },
30+ },
31+ {
32+ name: "_pgs_ignore",
33+ path: "/_pgs_ignore",
34+ want: "404 not found",
35+ status: http.StatusNotFound,
36+ contentType: "text/plain; charset=utf-8",
37+
38+ storage: map[string]map[string]string{
39+ bucketName: {
40+ "/test/_pgs_ignore": "# nothing",
41+ },
42+ },
43+ },
44 {
45 name: "not-found-custom",
46 path: "/anything",
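Review bot: The three new cases only exercise the bare root paths `/_redirects`, `/_headers` and `/_pgs_ignore`, so the exact-match semantics of the guard are not pinned at its edges; a case for a name that merely shares the prefix (storage key `/test/_headers.txt`, path `/_headers.txt`, expecting its content with `http.StatusOK`) and one for a path variant such as `/./_headers` expecting `http.StatusNotFound` would document whether the rule is an exact root-file match. Whether the router normalizes the path before the guard runs is not visible from this hunk, so the second case should be written to the intended policy rather than to whatever the current code happens to do. TestApiBasic's table starts and ends outside the hunk.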