From 54608a711ec6b27ccae9b6ce8756590c04c820dd Mon Sep 17 00:00:00 2001 From: gmpassos Date: Tue, 5 Dec 2023 15:09:38 -0300 Subject: [PATCH 1/5] Add context to `Response.notFound` and `Response.notModified` for including `file` and `file_not_found` to be identified by other Shelf `Middleware`. --- pkgs/shelf_static/lib/src/static_handler.dart | 22 +++++++++++++++++-- 1 file changed, 20 insertions(+), 2 deletions(-) diff --git a/pkgs/shelf_static/lib/src/static_handler.dart b/pkgs/shelf_static/lib/src/static_handler.dart index 92b50093..8d72bb0b 100644 --- a/pkgs/shelf_static/lib/src/static_handler.dart +++ b/pkgs/shelf_static/lib/src/static_handler.dart @@ -82,7 +82,10 @@ Handler createStaticHandler(String fileSystemPath, } if (fileFound == null) { - return Response.notFound('Not Found'); + return Response.notFound( + 'Not Found', + context: _buildResponseContext(fileNotFound: fileFound), + ); } final file = fileFound; @@ -120,6 +123,18 @@ Handler createStaticHandler(String fileSystemPath, }; } +Map? _buildResponseContext({File? file, File? fileNotFound}) { + if (file == null && fileNotFound == null) return null; + + // Ensure other Shelf `Middleware` can identify + // the processed file in the `Response` by + // including `file` and `file_not_found` in the context: + return { + if (file != null) 'shelf_static:file': file, + if (fileNotFound != null) 'shelf_static:file_not_found': fileNotFound, + }; +} + Response _redirectToAddTrailingSlash(Uri uri) { final location = Uri( scheme: uri.scheme, @@ -184,7 +199,9 @@ Future _handleFile(Request request, File file, if (ifModifiedSince != null) { final fileChangeAtSecResolution = toSecondResolution(stat.modified); if (!fileChangeAtSecResolution.isAfter(ifModifiedSince)) { - return Response.notModified(); + return Response.notModified( + context: _buildResponseContext(file: file), + ); } } @@ -199,6 +216,7 @@ Future _handleFile(Request request, File file, Response.ok( request.method == 'HEAD' ? null : file.openRead(), headers: headers..[HttpHeaders.contentLengthHeader] = '${stat.size}', + context: _buildResponseContext(file: file), ); } From 7923a7f009b13245f2573b34fcf3003f8591d026 Mon Sep 17 00:00:00 2001 From: gmpassos Date: Tue, 5 Dec 2023 15:09:38 -0300 Subject: [PATCH 2/5] Add context to `Response` for including `file` and `file_not_found` to be identified by other Shelf `Middleware`. --- pkgs/shelf_static/lib/src/static_handler.dart | 22 +++++++++++++++++-- 1 file changed, 20 insertions(+), 2 deletions(-) diff --git a/pkgs/shelf_static/lib/src/static_handler.dart b/pkgs/shelf_static/lib/src/static_handler.dart index 92b50093..8d72bb0b 100644 --- a/pkgs/shelf_static/lib/src/static_handler.dart +++ b/pkgs/shelf_static/lib/src/static_handler.dart @@ -82,7 +82,10 @@ Handler createStaticHandler(String fileSystemPath, } if (fileFound == null) { - return Response.notFound('Not Found'); + return Response.notFound( + 'Not Found', + context: _buildResponseContext(fileNotFound: fileFound), + ); } final file = fileFound; @@ -120,6 +123,18 @@ Handler createStaticHandler(String fileSystemPath, }; } +Map? _buildResponseContext({File? file, File? fileNotFound}) { + if (file == null && fileNotFound == null) return null; + + // Ensure other Shelf `Middleware` can identify + // the processed file in the `Response` by + // including `file` and `file_not_found` in the context: + return { + if (file != null) 'shelf_static:file': file, + if (fileNotFound != null) 'shelf_static:file_not_found': fileNotFound, + }; +} + Response _redirectToAddTrailingSlash(Uri uri) { final location = Uri( scheme: uri.scheme, @@ -184,7 +199,9 @@ Future _handleFile(Request request, File file, if (ifModifiedSince != null) { final fileChangeAtSecResolution = toSecondResolution(stat.modified); if (!fileChangeAtSecResolution.isAfter(ifModifiedSince)) { - return Response.notModified(); + return Response.notModified( + context: _buildResponseContext(file: file), + ); } } @@ -199,6 +216,7 @@ Future _handleFile(Request request, File file, Response.ok( request.method == 'HEAD' ? null : file.openRead(), headers: headers..[HttpHeaders.contentLengthHeader] = '${stat.size}', + context: _buildResponseContext(file: file), ); } From c44971737f640448bfe9143634d60941135c919f Mon Sep 17 00:00:00 2001 From: gmpassos Date: Tue, 5 Dec 2023 16:10:17 -0300 Subject: [PATCH 3/5] Remove unnecessary context build when `fileFound == null`. --- pkgs/shelf_static/lib/src/static_handler.dart | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/pkgs/shelf_static/lib/src/static_handler.dart b/pkgs/shelf_static/lib/src/static_handler.dart index 8d72bb0b..a7078db6 100644 --- a/pkgs/shelf_static/lib/src/static_handler.dart +++ b/pkgs/shelf_static/lib/src/static_handler.dart @@ -82,11 +82,9 @@ Handler createStaticHandler(String fileSystemPath, } if (fileFound == null) { - return Response.notFound( - 'Not Found', - context: _buildResponseContext(fileNotFound: fileFound), - ); + return Response.notFound('Not Found'); } + final file = fileFound; if (!serveFilesOutsidePath) { From 688969f03514e364e2a4eba20a86600a5a646f20 Mon Sep 17 00:00:00 2001 From: gmpassos Date: Tue, 5 Dec 2023 16:23:34 -0300 Subject: [PATCH 4/5] Build `fileNotFound` and ensure to not expose a file path outside of the original fileSystemPath. Add `Response.context` documentation. --- pkgs/shelf_static/lib/src/static_handler.dart | 18 +++++++++++++++++- 1 file changed, 17 insertions(+), 1 deletion(-) diff --git a/pkgs/shelf_static/lib/src/static_handler.dart b/pkgs/shelf_static/lib/src/static_handler.dart index a7078db6..58c5bf1b 100644 --- a/pkgs/shelf_static/lib/src/static_handler.dart +++ b/pkgs/shelf_static/lib/src/static_handler.dart @@ -39,6 +39,11 @@ final _defaultMimeTypeResolver = MimeTypeResolver(); /// /// Specify a custom [contentTypeResolver] to customize automatic content type /// detection. +/// +/// The [Response.context] will be populated with "shelf_static:file" or +/// "shelf_static:file_not_found" with the resolved [File] for the [Response], +/// while respecting [serveFilesOutsidePath] to prevent exposing a [File] path +/// outside of the [fileSystemPath]. Handler createStaticHandler(String fileSystemPath, {bool serveFilesOutsidePath = false, String? defaultDocument, @@ -82,7 +87,18 @@ Handler createStaticHandler(String fileSystemPath, } if (fileFound == null) { - return Response.notFound('Not Found'); + File? fileNotFound = File(fsPath); + + // Do not expose a file path outside of the original fileSystemPath: + if (!serveFilesOutsidePath && + !p.isWithin(fileSystemPath, fileNotFound.path)) { + fileNotFound = null; + } + + return Response.notFound( + 'Not Found', + context: _buildResponseContext(fileNotFound: fileNotFound), + ); } final file = fileFound; From 9d22a8136705bc68d2b3e80baf4f4bc99e0df394 Mon Sep 17 00:00:00 2001 From: gmpassos Date: Tue, 5 Dec 2023 22:44:31 -0300 Subject: [PATCH 5/5] `createStaticHandler`: update `Response.context` documentation. --- pkgs/shelf_static/lib/src/static_handler.dart | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/pkgs/shelf_static/lib/src/static_handler.dart b/pkgs/shelf_static/lib/src/static_handler.dart index 58c5bf1b..83fd3c86 100644 --- a/pkgs/shelf_static/lib/src/static_handler.dart +++ b/pkgs/shelf_static/lib/src/static_handler.dart @@ -41,9 +41,10 @@ final _defaultMimeTypeResolver = MimeTypeResolver(); /// detection. /// /// The [Response.context] will be populated with "shelf_static:file" or -/// "shelf_static:file_not_found" with the resolved [File] for the [Response], -/// while respecting [serveFilesOutsidePath] to prevent exposing a [File] path -/// outside of the [fileSystemPath]. +/// "shelf_static:file_not_found" with the resolved [File] for the [Response]. +/// If the file is considered not found because it is outside of the +/// [fileSystemPath] and [serveFilesOutsidePath] is false, then neither key +/// will be included in the context. Handler createStaticHandler(String fileSystemPath, {bool serveFilesOutsidePath = false, String? defaultDocument, @@ -140,7 +141,7 @@ Handler createStaticHandler(String fileSystemPath, Map? _buildResponseContext({File? file, File? fileNotFound}) { if (file == null && fileNotFound == null) return null; - // Ensure other Shelf `Middleware` can identify + // Ensure other shelf `Middleware` can identify // the processed file in the `Response` by // including `file` and `file_not_found` in the context: return {