diff --git a/internal/httpd/httpd.go b/internal/httpd/httpd.go index a0043e1b8..8bb89af74 100644 --- a/internal/httpd/httpd.go +++ b/internal/httpd/httpd.go @@ -1047,7 +1047,7 @@ func getServicesStatus() *ServicesStatus { return status } -func fileServer(r chi.Router, path string, root http.FileSystem) { +func fileServer(r chi.Router, path string, root http.FileSystem, disableDirectoryIndex bool) { if path != "/" && path[len(path)-1] != '/' { r.Get(path, http.RedirectHandler(path+"/", http.StatusMovedPermanently).ServeHTTP) path += "/" @@ -1057,7 +1057,11 @@ func fileServer(r chi.Router, path string, root http.FileSystem) { r.Get(path, func(w http.ResponseWriter, r *http.Request) { rctx := chi.RouteContext(r.Context()) pathPrefix := strings.TrimSuffix(rctx.RoutePattern(), "/*") - fs := http.StripPrefix(pathPrefix, http.FileServer(root)) + handler := http.FileServer(root) + if disableDirectoryIndex { + handler = neuter(handler) + } + fs := http.StripPrefix(pathPrefix, handler) fs.ServeHTTP(w, r) }) } diff --git a/internal/httpd/httpd_test.go b/internal/httpd/httpd_test.go index 70c4b2981..28697d8fd 100644 --- a/internal/httpd/httpd_test.go +++ b/internal/httpd/httpd_test.go @@ -24269,7 +24269,7 @@ func TestStaticFilesMock(t *testing.T) { req, err = http.NewRequest(http.MethodGet, location, nil) assert.NoError(t, err) rr = executeRequest(req) - checkResponseCode(t, http.StatusOK, rr) + checkResponseCode(t, http.StatusForbidden, rr) req, err = http.NewRequest(http.MethodGet, "/openapi", nil) assert.NoError(t, err) diff --git a/internal/httpd/middleware.go b/internal/httpd/middleware.go index 095b68a9e..c8381ee12 100644 --- a/internal/httpd/middleware.go +++ b/internal/httpd/middleware.go @@ -386,7 +386,7 @@ func checkAPIKeyAuth(tokenAuth *jwtauth.JWTAuth, scope dataprovider.APIKeyScope) } if k.Scope != scope { handleDefenderEventLoginFailed(util.GetIPFromRemoteAddress(r.RemoteAddr), dataprovider.ErrInvalidCredentials) //nolint:errcheck - logger.Debug(logSender, "", "unable to authenticate api key %q: invalid scope: got %d, wnated: %d", + logger.Debug(logSender, "", "unable to authenticate api key %q: invalid scope: got %d, wanted: %d", apiKey, k.Scope, scope) sendAPIResponse(w, r, fmt.Errorf("the provided api key is invalid for this request"), "", http.StatusForbidden) return @@ -553,3 +553,14 @@ func checkPartialAuth(w http.ResponseWriter, r *http.Request, audience string, t } return nil } + +func neuter(next http.Handler) http.Handler { + return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { + if strings.HasSuffix(r.URL.Path, "/") { + http.Error(w, http.StatusText(http.StatusForbidden), http.StatusForbidden) + return + } + + next.ServeHTTP(w, r) + }) +} diff --git a/internal/httpd/resources.go b/internal/httpd/resources.go index edb78ee14..5d33fccd1 100644 --- a/internal/httpd/resources.go +++ b/internal/httpd/resources.go @@ -23,6 +23,6 @@ import ( "github.com/go-chi/chi/v5" ) -func serveStaticDir(router chi.Router, path, fsDirPath string) { - fileServer(router, path, http.Dir(fsDirPath)) +func serveStaticDir(router chi.Router, path, fsDirPath string, disableDirectoryIndex bool) { + fileServer(router, path, http.Dir(fsDirPath), disableDirectoryIndex) } diff --git a/internal/httpd/resources_embedded.go b/internal/httpd/resources_embedded.go index 73c619c72..41b2f6727 100644 --- a/internal/httpd/resources_embedded.go +++ b/internal/httpd/resources_embedded.go @@ -18,16 +18,20 @@ package httpd import ( + "net/http" + "github.com/go-chi/chi/v5" "github.com/drakkan/sftpgo/v2/internal/bundle" ) -func serveStaticDir(router chi.Router, path, _ string) { +func serveStaticDir(router chi.Router, path, fsDirPath string, disableDirectoryIndex bool) { switch path { case webStaticFilesPath: - fileServer(router, path, bundle.GetStaticFs()) + fileServer(router, path, bundle.GetStaticFs(), disableDirectoryIndex) case webOpenAPIPath: - fileServer(router, path, bundle.GetOpenAPIFs()) + fileServer(router, path, bundle.GetOpenAPIFs(), disableDirectoryIndex) + default: + fileServer(router, path, http.Dir(fsDirPath), disableDirectoryIndex) } } diff --git a/internal/httpd/server.go b/internal/httpd/server.go index a99055820..6db92f259 100644 --- a/internal/httpd/server.go +++ b/internal/httpd/server.go @@ -1237,7 +1237,7 @@ func (s *httpdServer) initializeRouter() { if hasHTTPSRedirect { if p := acme.GetHTTP01WebRoot(); p != "" { - serveStaticDir(s.router, acmeChallengeURI, p) + serveStaticDir(s.router, acmeChallengeURI, p, true) } } @@ -1434,7 +1434,7 @@ func (s *httpdServer) initializeRouter() { if s.renderOpenAPI { s.router.Group(func(router chi.Router) { router.Use(compressor.Handler) - serveStaticDir(router, webOpenAPIPath, s.openAPIPath) + serveStaticDir(router, webOpenAPIPath, s.openAPIPath, false) }) } } @@ -1442,7 +1442,7 @@ func (s *httpdServer) initializeRouter() { if s.enableWebAdmin || s.enableWebClient { s.router.Group(func(router chi.Router) { router.Use(compressor.Handler) - serveStaticDir(router, webStaticFilesPath, s.staticFilesPath) + serveStaticDir(router, webStaticFilesPath, s.staticFilesPath, true) }) if s.binding.OIDC.isEnabled() { s.router.Get(webOIDCRedirectPath, s.handleOIDCRedirect)