Handle paths safely
parent
1b0259e084
commit
d2a3b29e43
1 changed files with 13 additions and 4 deletions
|
@ -2,11 +2,17 @@ let src = Logs.Src.create "builder-web" ~doc:"Builder_web"
|
|||
module Log = (val Logs.src_log src : Logs.LOG)
|
||||
|
||||
open Opium
|
||||
open Rresult.R.Infix
|
||||
|
||||
type t = Model.t = {
|
||||
dir : Fpath.t
|
||||
}
|
||||
|
||||
let safe_seg path =
|
||||
if Fpath.is_seg path && not (Fpath.is_rel_seg path)
|
||||
then Ok (Fpath.v path)
|
||||
else Rresult.R.error_msgf "unsafe path %S" path
|
||||
|
||||
let routes (t : Model.t) =
|
||||
let builder _req =
|
||||
match Model.jobs t with
|
||||
|
@ -20,19 +26,22 @@ let routes (t : Model.t) =
|
|||
|
||||
let job req =
|
||||
let job = Router.param req "job" in
|
||||
match Model.job t (Fpath.v job) with
|
||||
match safe_seg job >>= fun job ->
|
||||
Model.job t job with
|
||||
| Ok job ->
|
||||
Views.job job |> Response.of_html |> Lwt.return
|
||||
| Error (`Msg e) ->
|
||||
Log.warn (fun m -> m "Error getting job: %s" e);
|
||||
Response.of_plain_text ~status:`Internal_server_error
|
||||
"Error getting job" |> Lwt.return
|
||||
| Ok job ->
|
||||
Views.job job |> Response.of_html |> Lwt.return
|
||||
in
|
||||
|
||||
let job_run req =
|
||||
let job = Router.param req "job"
|
||||
and run = Router.param req "run" in
|
||||
match Model.read_full t (Fpath.v job) (Fpath.v run) with
|
||||
match safe_seg job >>= fun job ->
|
||||
safe_seg run >>= fun run ->
|
||||
Model.read_full t job run with
|
||||
| Error (`Msg e) ->
|
||||
Log.warn (fun m -> m "Error getting job run: %s" e);
|
||||
Response.of_plain_text ~status:`Internal_server_error
|
||||
|
|
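Review bot: `safe_seg` in the first hunk still calls the raising constructor `Fpath.v` on its accepting branch, and by Fpath's documented definition an empty string passes `Fpath.is_seg` (it contains no separator or NUL byte) while `Fpath.v ""` raises `Invalid_argument` rather than returning an `Error`. Whether the router can ever deliver an empty `job` or `run` parameter is not visible on this page, so the total form `then Fpath.of_string path` is the safer choice and keeps the same result type. Separately, a rejected segment falls into the same `Error` arm as a model failure in both `job` and `job_run` and is answered with status `Internal_server_error`; answering the rejection with `Bad_request` would keep traversal probes from showing up as server faults in monitoring. The body of `job_run` continues past the end of the second hunk.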