denied patterns flag option

fixes #12
rif · Oct 23, 2018 · 7066e5c · 7066e5c
1 parent 8b891be
commit 7066e5c
Show file tree

Hide file tree

Showing 2 changed files with 35 additions and 6 deletions.
diff --git a/README.md b/README.md
@@ -17,6 +17,7 @@ Usage of spark:
   -sslPort="10433": SSL listening port
   -status=200: Returned HTTP status code
   -path="/": URL path
+  -deny="": Sesitive directory or file patterns to be denied when listing path (comma sperated)
 
 ```
 
@@ -27,6 +28,7 @@ $ spark message.html
 $ spark "<h1>Out of order</h1><p>Working on it...</p>"
 $ spark static_site/
 $ spark -port 80 -sslPort 443 "<h1>Ooops!</h1>"
+$ spark -deny ".git*,LICENSE" ~/go/rif/spark
 ```
 
 To quickly generate a ssl certificate run:
@@ -43,8 +45,3 @@ go get github.com/rif/spark
 - static binaries (linux/arm/osx/windows):
 
 <a href="https://github.com/rif/spark/releases" target="_blank">Binary downloads</a>
-
-## crossbuild
-
-Just run ./crossbuild.sh (needs go 1.5 or later). It also compresses the binaries with upx, comment those lines if you don't need compression.
-
diff --git a/spark.go b/spark.go
@@ -6,13 +6,16 @@ import (
 	"log"
 	"net/http"
 	"os"
+	"path/filepath"
+	"strings"
 )
 
 var (
 	address = flag.String("address", "0.0.0.0", "Listening address")
 	port    = flag.String("port", "8080", "Listening port")
 	sslPort = flag.String("sslPort", "10433", "SSL listening port")
 	path    = flag.String("path", "/", "URL path")
+	deny    = flag.String("deny", "", "Sesitive directories or files to be forbidden when listing path (comma sperated)")
 	status  = flag.Int("status", 200, "Returned HTTP status code")
 	cert    = flag.String("cert", "cert.pem", "SSL certificate path")
 	key     = flag.String("key", "key.pem", "SSL private Key path")
@@ -26,6 +29,35 @@ func (h bytesHandler) ServeHTTP(w http.ResponseWriter, req *http.Request) {
 	w.Write(h)
 }
 
+func isDenied(path, denyList string) bool {
+	if len(denyList) == 0 {
+		return false
+	}
+	for _, pathElement := range strings.Split(path, string(filepath.Separator)) {
+		for _, denyElement := range strings.Split(denyList, ",") {
+			match, err := filepath.Match(strings.TrimSpace(denyElement), pathElement)
+			if err != nil {
+				log.Print("error matching file path element: ", err)
+			}
+			if match {
+				return true
+			}
+		}
+	}
+	return false
+}
+
+type protectdFileSystem struct {
+	fs http.FileSystem
+}
+
+func (pfs protectdFileSystem) Open(path string) (http.File, error) {
+	if isDenied(path, *deny) {
+		return nil, os.ErrPermission
+	}
+	return pfs.fs.Open(path)
+}
+
 func main() {
 	flag.Parse()
 	listen := *address + ":" + *port
@@ -38,7 +70,7 @@ func main() {
 	if fi, err := os.Stat(body); err == nil {
 		switch mode := fi.Mode(); {
 		case mode.IsDir():
-			handler = http.StripPrefix(*path, http.FileServer(http.Dir(body)))
+			handler = http.StripPrefix(*path, http.FileServer(protectdFileSystem{http.Dir(body)}))
 		case mode.IsRegular():
 			if content, err := ioutil.ReadFile(body); err != nil {
 				log.Fatal("Error reading file: ", err)