Add some CI for security testing
This commit is contained in:
@ -1,7 +1,7 @@
|
||||
from pathlib import Path
|
||||
from src.config.config import Configuration
|
||||
from src.rendering.renderer import render_page, render_error_page
|
||||
from flask import send_file
|
||||
from flask import send_file
|
||||
from src.rendering.image import generate_thumbnail
|
||||
from functools import lru_cache
|
||||
|
||||
@ -10,7 +10,39 @@ class RouteManager:
|
||||
def __init__(self, config: Configuration):
|
||||
self.config = config
|
||||
|
||||
def _ensure_route(self, path: str):
|
||||
"""
|
||||
Escapes the path for anything like
|
||||
a path execution or injection attack
|
||||
evaluates the path and ensures that it it does not
|
||||
go above the self.content.content_dir
|
||||
If any part of the path contains __, __{foldername}, or __{filename},
|
||||
that is a hidden file or folder and should raise an exception
|
||||
Any illegal path should raise an exception
|
||||
"""
|
||||
file_path: Path = self.config.content_dir / (path if path else "index.md")
|
||||
print(file_path)
|
||||
if file_path < self.config.content_dir:
|
||||
raise Exception("Illegal path")
|
||||
|
||||
for part in file_path.parts:
|
||||
if part.startswith("__"):
|
||||
raise Exception("Illegal path")
|
||||
|
||||
def default_route(self, path: str):
|
||||
try:
|
||||
self._ensure_route(path)
|
||||
print("all good")
|
||||
print(path)
|
||||
print("=============")
|
||||
except Exception as e:
|
||||
print(e)
|
||||
return render_error_page(
|
||||
403,
|
||||
"Forbidden",
|
||||
"You do not have permission to access this resource.",
|
||||
self.config.templates_dir,
|
||||
)
|
||||
file_path: Path = self.config.content_dir / (path if path else "index.md")
|
||||
return render_page(
|
||||
file_path,
|
||||
@ -18,26 +50,38 @@ class RouteManager:
|
||||
template_path=self.config.templates_dir,
|
||||
style_path=self.config.styles_dir,
|
||||
)
|
||||
|
||||
|
||||
def get_style(self, path: str):
|
||||
file_path: Path = self.config.styles_dir / path
|
||||
if file_path.exists():
|
||||
return send_file(file_path)
|
||||
else:
|
||||
return render_error_page(404, "Not Found", "The requested resource was not found on this server.", self.config.templates_dir)
|
||||
return render_error_page(
|
||||
404,
|
||||
"Not Found",
|
||||
"The requested resource was not found on this server.",
|
||||
self.config.templates_dir,
|
||||
)
|
||||
|
||||
@lru_cache(maxsize=128)
|
||||
@lru_cache(maxsize=None)
|
||||
def get_static(self, path: str):
|
||||
file_path: Path = self.config.content_dir / path
|
||||
if file_path.exists():
|
||||
# Check to see if the file is an image, if it is, render a thumbnail
|
||||
# Check to see if the file is an image, if it is, render a thumbnail
|
||||
if file_path.suffix.lower() in [".jpg", ".jpeg", ".png", ".gif"]:
|
||||
thumbnail_bytes, img_format = generate_thumbnail(str(file_path), 10, 300)
|
||||
thumbnail_bytes, img_format = generate_thumbnail(
|
||||
str(file_path), 10, 2048
|
||||
)
|
||||
return (
|
||||
thumbnail_bytes.getvalue(),
|
||||
thumbnail_bytes,
|
||||
200,
|
||||
{"Content-Type": f"image/{img_format.lower()}"},
|
||||
)
|
||||
return send_file(file_path)
|
||||
else:
|
||||
return render_error_page(404, "Not Found", "The requested resource was not found on this server.", self.config.templates_dir)
|
||||
return render_error_page(
|
||||
404,
|
||||
"Not Found",
|
||||
"The requested resource was not found on this server.",
|
||||
self.config.templates_dir,
|
||||
)
|
||||
|
||||
Reference in New Issue
Block a user