2021-02-22 17:27:13 +05:30
|
|
|
package staticpages
|
|
|
|
|
|
|
|
import (
|
2021-03-05 16:19:46 +05:30
|
|
|
"errors"
|
|
|
|
"fmt"
|
2021-02-22 17:27:13 +05:30
|
|
|
"net/http"
|
|
|
|
"os"
|
|
|
|
"path/filepath"
|
|
|
|
"strings"
|
|
|
|
"time"
|
|
|
|
|
|
|
|
"gitlab.com/gitlab-org/labkit/mask"
|
|
|
|
|
|
|
|
"gitlab.com/gitlab-org/gitlab-workhorse/internal/helper"
|
2021-03-08 18:12:59 +05:30
|
|
|
"gitlab.com/gitlab-org/gitlab-workhorse/internal/log"
|
2021-02-22 17:27:13 +05:30
|
|
|
"gitlab.com/gitlab-org/gitlab-workhorse/internal/urlprefix"
|
|
|
|
)
|
|
|
|
|
|
|
|
type CacheMode int
|
|
|
|
|
|
|
|
const (
|
|
|
|
CacheDisabled CacheMode = iota
|
|
|
|
CacheExpireMax
|
|
|
|
)
|
|
|
|
|
|
|
|
// BUG/QUIRK: If a client requests 'foo%2Fbar' and 'foo/bar' exists,
|
|
|
|
// handleServeFile will serve foo/bar instead of passing the request
|
|
|
|
// upstream.
|
|
|
|
func (s *Static) ServeExisting(prefix urlprefix.Prefix, cache CacheMode, notFoundHandler http.Handler) http.Handler {
|
|
|
|
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
2021-03-05 16:19:46 +05:30
|
|
|
if notFoundHandler == nil {
|
|
|
|
notFoundHandler = http.HandlerFunc(http.NotFound)
|
|
|
|
}
|
|
|
|
|
|
|
|
// We intentionally use r.URL.Path instead of r.URL.EscaptedPath() below.
|
|
|
|
// This is to make it possible to serve static files with e.g. a space
|
|
|
|
// %20 in their name.
|
|
|
|
relativePath, err := s.validatePath(prefix.Strip(r.URL.Path))
|
|
|
|
if err != nil {
|
|
|
|
notFoundHandler.ServeHTTP(w, r)
|
|
|
|
return
|
|
|
|
}
|
2021-02-22 17:27:13 +05:30
|
|
|
|
2021-03-05 16:19:46 +05:30
|
|
|
file := filepath.Join(s.DocumentRoot, relativePath)
|
2021-02-22 17:27:13 +05:30
|
|
|
if !strings.HasPrefix(file, s.DocumentRoot) {
|
2021-03-08 18:12:59 +05:30
|
|
|
log.WithRequest(r).WithError(errPathTraversal).Error()
|
2021-03-05 16:19:46 +05:30
|
|
|
notFoundHandler.ServeHTTP(w, r)
|
2021-02-22 17:27:13 +05:30
|
|
|
return
|
|
|
|
}
|
|
|
|
|
|
|
|
var content *os.File
|
|
|
|
var fi os.FileInfo
|
|
|
|
|
|
|
|
// Serve pre-gzipped assets
|
|
|
|
if acceptEncoding := r.Header.Get("Accept-Encoding"); strings.Contains(acceptEncoding, "gzip") {
|
|
|
|
content, fi, err = helper.OpenFile(file + ".gz")
|
|
|
|
if err == nil {
|
|
|
|
w.Header().Set("Content-Encoding", "gzip")
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
// If not found, open the original file
|
|
|
|
if content == nil || err != nil {
|
|
|
|
content, fi, err = helper.OpenFile(file)
|
|
|
|
}
|
|
|
|
if err != nil {
|
2021-03-05 16:19:46 +05:30
|
|
|
notFoundHandler.ServeHTTP(w, r)
|
2021-02-22 17:27:13 +05:30
|
|
|
return
|
|
|
|
}
|
|
|
|
defer content.Close()
|
|
|
|
|
|
|
|
switch cache {
|
|
|
|
case CacheExpireMax:
|
|
|
|
// Cache statically served files for 1 year
|
|
|
|
cacheUntil := time.Now().AddDate(1, 0, 0).Format(http.TimeFormat)
|
|
|
|
w.Header().Set("Cache-Control", "public")
|
|
|
|
w.Header().Set("Expires", cacheUntil)
|
|
|
|
}
|
|
|
|
|
|
|
|
log.WithContextFields(r.Context(), log.Fields{
|
|
|
|
"file": file,
|
|
|
|
"encoding": w.Header().Get("Content-Encoding"),
|
|
|
|
"method": r.Method,
|
|
|
|
"uri": mask.URL(r.RequestURI),
|
|
|
|
}).Info("Send static file")
|
|
|
|
|
|
|
|
http.ServeContent(w, r, filepath.Base(file), fi.ModTime(), content)
|
|
|
|
})
|
|
|
|
}
|
2021-03-05 16:19:46 +05:30
|
|
|
|
|
|
|
var errPathTraversal = errors.New("path traversal")
|
|
|
|
|
|
|
|
func (s *Static) validatePath(filename string) (string, error) {
|
|
|
|
filename = filepath.Clean(filename)
|
|
|
|
|
|
|
|
for _, exc := range s.Exclude {
|
|
|
|
if strings.HasPrefix(filename, exc) {
|
|
|
|
return "", fmt.Errorf("file is excluded: %s", exc)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
return filename, nil
|
|
|
|
}
|