Fixes #11 - html template allow list

magratheaguide · Aug 26, 2021 · 501df6a · 501df6a
1 parent b717092
commit 501df6a
Show file tree

Hide file tree

Showing 4 changed files with 39 additions and 5 deletions.
diff --git a/pkg/theme/html_templates.go b/pkg/theme/html_templates.go
@@ -0,0 +1,16 @@
+package theme
+
+var allowedHTMLTemplates = []string{
+	"board_stats.html",
+	"cat_head.html",
+	"forum_row.html",
+	"profile.html",
+	"memberlist_head.html",
+	"memberlist_row.html",
+	"mini_profile.html",
+	"post_row.html",
+	"redirect_row.html",
+	"subf_head.html",
+	"topic_list_head.html",
+	"topic_row.html",
+}
diff --git a/pkg/theme/theme.go b/pkg/theme/theme.go
@@ -73,6 +73,7 @@ func (c Config) Construct() (*string, error) {
 	}
 	output.Wrappers = wrapperString
 
+	// Get Macros
 	macroFiles, err := c.getMacroFiles()
 	if err != nil {
 		return nil, err
@@ -86,16 +87,14 @@ func (c Config) Construct() (*string, error) {
 	output.Macros.Item = macros
 
 	// Templates
-	templateFiles, err := c.listDirectory(c.TemplateFolder)
-	if err != nil {
-		return nil, err
-	}
+	templateFiles, err := c.getTemplateFiles()
 	templates, err := c.buildItems(templateFiles)
 	if err != nil {
 		return nil, err
 	}
 	output.Templates.Item = templates
 
+	// marshal the xml file
 	data, err := xml.MarshalIndent(output, "	", "	")
 	if err != nil {
 		return nil, err
@@ -129,6 +128,24 @@ func (c Config) getMacroFiles() ([]string, error) {
 	return finalMacroList, nil
 }
 
+func (c Config) getTemplateFiles() ([]string, error) {
+	finalTemplateList := []string{}
+	templateFiles, err := c.listDirectory(c.TemplateFolder)
+	if err != nil {
+		return nil, err
+	}
+
+	for _, templateFile := range templateFiles {
+		if !funk.Contains(allowedHTMLTemplates, filepath.Base(templateFile)) {
+			klog.Errorf("skipping non-allowed HTML template: %s", filepath.Base(templateFile))
+			continue
+		}
+		finalTemplateList = append(finalTemplateList, templateFile)
+	}
+
+	return finalTemplateList, nil
+}
+
 // buildItems returns a list of items from a list of files
 func (c Config) buildItems(files []string) ([]Item, error) {
 	items := []Item{}

diff --git a/test_data/Test Theme.xml b/test_data/Test Theme.xml
@@ -1,7 +1,7 @@
 <?xml version="1.0" encoding="UTF-8"?>
 	<skin>
 		<skinname>Test Theme</skinname>
-		<date>Wednesday 25 of Aug 2021 21:15:26 PM</date>
+		<date>Wednesday 25 of Aug 2021 21:28:25 PM</date>
 		<stylesheet>
 /* THIS IS A TEST CSS FILE */
 .post1 {} /* this is required to pass JCINK upload validation */

diff --git a/test_data/html-templates/bad_template.html b/test_data/html-templates/bad_template.html
@@ -0,0 +1 @@
+<!-- Non-allowed template file -->