Path traversal fix, beginning to work on teamid as auth

Neale Pickett 2019-02-21 22:08:21 -07:00
parent 3a11cc65ef
commit 651c8fdfa4
3 changed files with 27 additions and 95 deletions


@ -102,18 +102,31 @@ func (ctx *Instance) MaybeInitialize() {
fmt.Fprintln(f, "Remove this file to reinitialize the contest")
}
func pathCleanse(parts []string) string {
clean := make([]string, len(parts))
for i := range parts {
part := parts[i]
part = strings.TrimLeft(part, ".")
if p := strings.LastIndex(part, "/"); p >= 0 {
part = part[p+1:]
}
clean[i] = part
}
return path.Join(clean...)
}
func (ctx Instance) MothballPath(parts ...string) string {
tail := path.Join(parts...)
tail := pathCleanse(parts)
return path.Join(ctx.MothballDir, tail)
}
func (ctx *Instance) StatePath(parts ...string) string {
tail := path.Join(parts...)
tail := pathCleanse(parts)
return path.Join(ctx.StateDir, tail)
}
func (ctx *Instance) ResourcePath(parts ...string) string {
tail := path.Join(parts...)
tail := pathCleanse(parts)
return path.Join(ctx.ResourcesDir, tail)
}
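Review bot: pathCleanse trims leading dots before it takes the text after the last `/`, so a part whose final segment is `..` (anything ending in `/..`) comes out as `..`, and `path.Join` then resolves above MothballDir, StateDir or ResourcesDir. Doing the basename step first and the trim second closes that gap: `if p := strings.LastIndex(part, "/"); p >= 0 { part = part[p+1:] }` followed by `part = strings.TrimLeft(part, ".")`. A table-driven test over pathCleanse with dot-only, slash-containing and empty parts would pin the behaviour, and a final check in the three callers that the joined result still sits under the base directory would act as a second guard. The trim also silently renames legitimate dot-prefixed names, which deserves a doc comment on the function.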


@ -1,30 +1,25 @@
<!DOCTYPE html>
<html>
<head>
<title>Welcome</title>
<link rel="stylesheet" href="basic.css">
<title>Sign In</title>
<meta name="viewport" content="width=device-width">
<link rel="stylesheet" href="basic.css">
<script src="moth.js"></script>
</head>
<body>
<h1>Welcome</h1>
<h1 id="title">Sign In</h1>
<section>
<h2>Register your team</h2>
<form action="register" method="post">
Team ID: <input name="id"> <br>
<div id="login">
Team name: <input name="name">
<input type="submit" value="Register">
</form>
<p>
If someone on your team has already registered,
proceed to the
<a href="puzzle-list.html">puzzles overview</a>.
</p>
Team ID: <input name="id"> <br>
<button id="submit">Sign In</button>
</div>
<div id="puzzles"></div>
</section>
<nav>
<ul>
<li><a href="puzzle-list.html">Puzzles</a></li>
<li><a href="scoreboard.html">Scoreboard</a></li>
</ul>
</nav>
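Review bot: With the Team ID becoming the sign-in credential, `<input name="id">` inside `<div id="login">` is still a plain text field, so the value is shown on screen and kept in the browser's autofill history. If the ID is meant to stay secret, `<input name="id" type="password" autocomplete="off">` would fit better. The old `<form action="register" method="post">` appears to be replaced by a bare div and button, so submission presumably moves into moth.js, which is not visible in this section; whatever it does should send the ID in a POST body rather than in a URL, where it would end up in server logs and history.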


@ -7,82 +7,6 @@
<meta charset="utf-8">
<script>
function render(obj) {
puzzlesElement = document.createElement('div');
// Create a sorted list of category names
let cats = Object.keys(obj);
cats.sort();
for (let cat of cats) {
if (cat.startsWith("__")) {
// Metadata or something
continue;
}
let puzzles = obj[cat];
let pdiv = document.createElement('div');
pdiv.className = 'category';
let h = document.createElement('h2');
pdiv.appendChild(h);
h.textContent = cat;
// Extras if we're running a devel server
if (obj.__devel__) {
var a = document.createElement('a');
h.insertBefore(a, h.firstChild);
a.textContent = "⬇️";
a.href = "mothballer/" + cat;
a.classList.add("mothball");
a.title = "Download a compiled puzzle for this category";
}
let l = document.createElement('ul');
pdiv.appendChild(l);
for (var puzzle of puzzles) {
var points = puzzle[0];
var id = puzzle[1];
var i = document.createElement('li');
l.appendChild(i);
i.textContent = " ";
if (points === 0) {
// Sentry: there are no more puzzles in this category
i.textContent = "✿";
} else {
var a = document.createElement('a');
i.appendChild(a);
a.textContent = points;
a.href = "puzzle.html?cat=" + cat + "&points=" + points + "&pid=" + id;
}
}
puzzlesElement.appendChild(pdiv);
document.getElementById("puzzles").appendChild(puzzlesElement);
}
}
function init() {
fetch("puzzles.json")
.then(resp => {
return resp.json();
})
.then(obj => {
render(obj);
})
.catch(err => {
console.log("Error", err);
});
}
if (document.readyState === "loading") {
document.addEventListener("DOMContentLoaded", init);
} else {
init();
}
</script>
</head>
<body>