From 42749b250171f08284f8f88c9bb5936cd060d940 Mon Sep 17 00:00:00 2001
From: Knut Ahlers
Date: Wed, 16 Dec 2020 17:12:17 +0100
Subject: [PATCH] Fix: Do not allow git dir to be exposed
Signed-off-by: Knut Ahlers
---
 assets.go | 6 ++++++
 main.go | 7 +++++++
 2 files changed, 13 insertions(+)
diff --git a/assets.go b/assets.go
index 2eb65dd..aed89fa 100644
--- a/assets.go
+++ b/assets.go
@@ -7,6 +7,7 @@ import (
 "os"
 "path/filepath"
 "sort"
+ "strings"
 "sync"
 "github.com/pkg/errors"
@@ -62,6 +63,11 @@ func (a *assetVersionStore) UpdateAssetHashes(dir string) error {
 return nil
 }
+ if strings.Contains(path, ".git/") {
+ // We shouldn't include .git dir in hashes
+ return nil
+ }
+
 hash := sha256.New()
 f, err := os.Open(path)
 if err != nil {
diff --git a/main.go b/main.go
index 4f672ea..fff3aee 100644
--- a/main.go
+++ b/main.go
@@ -4,6 +4,7 @@ import (
 "fmt"
 "net/http"
 "os"
+ "strings"
 "time"
 "github.com/gofrs/uuid"
@@ -73,6 +74,12 @@ func main() {
 registerAPI(router)
 router.PathPrefix("/public").HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+ if strings.Contains(r.RequestURI, "/.git/") {
+ // Prevent git dir to be exposed
+ http.NotFound(w, r)
+ return
+ }
+
 w.Header().Set("Cache-Control", "no-cache")
 assetServer.ServeHTTP(w, r)
 })
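Review bot: The substring test `strings.Contains(path, ".git/")` in the UpdateAssetHashes walk callback has no leading separator, so it also skips any directory whose name merely ends in `.git` (a constructed example: `vendor.git/`), and it assumes `/` as the separator although `path` presumably comes from `filepath.Walk`. It is also looser than the `/.git/` pattern used in main.go, so the two filters disagree on what counts as the git directory. Pruning the directory once, where the callback already handles directories, is exact and avoids visiting every file under it: `if info.IsDir() && info.Name() == ".git" { return filepath.SkipDir }`. This assumes the callback's `os.FileInfo` parameter is named `info`; the callback signature and the rest of its body are outside the hunk.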
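Review bot: The guard in the `/public` handler matches on `r.RequestURI`, the raw request target, which is still percent-encoded and includes the query string, while the file server behind it presumably resolves the decoded `r.URL.Path` (`assetServer` is defined outside the hunk). The check and the lookup can therefore disagree about the same request, and a request for the directory itself without a trailing slash is not matched by `/.git/` either. Matching on the decoded path closes both gaps: `if strings.Contains(r.URL.Path+"/", "/.git/") {`. If the service can run on a case-insensitive filesystem, the path should also be lower-cased before the comparison. Other dot-files in the asset directory are still served after this change, so a broader deny rule for dot-prefixed segments may be warranted; `main` continues outside the hunk.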