From 651c8fdfa4e1aa2429b83871c1249ddfdc87ea5e Mon Sep 17 00:00:00 2001
From: Neale Pickett <neale@lanl.gov>
Date: Thu, 21 Feb 2019 22:08:21 -0700
Subject: [PATCH] Path traversal fix, beginning to work on teamid as auth

---
 src/instance.go        | 19 +++++++++--
 theme/index.html       | 27 ++++++---------
 theme/puzzle-list.html | 76 ------------------------------------------
 3 files changed, 27 insertions(+), 95 deletions(-)

diff --git a/src/instance.go b/src/instance.go
index 3a4021a..c226869 100644
--- a/src/instance.go
+++ b/src/instance.go
@@ -102,18 +102,31 @@ func (ctx *Instance) MaybeInitialize() {
 	fmt.Fprintln(f, "Remove this file to reinitialize the contest")
 }
 
+func pathCleanse(parts []string) string {
+	clean := make([]string, len(parts))
+	for i := range parts {
+		part := parts[i]
+		part = strings.TrimLeft(part, ".")
+		if p := strings.LastIndex(part, "/"); p >= 0 {
+			part = part[p+1:]
+		}
+		clean[i] = part
+	}
+	return path.Join(clean...)
+}
+
 func (ctx Instance) MothballPath(parts ...string) string {
-	tail := path.Join(parts...)
+	tail := pathCleanse(parts)
 	return path.Join(ctx.MothballDir, tail)
 }
 
 func (ctx *Instance) StatePath(parts ...string) string {
-	tail := path.Join(parts...)
+	tail := pathCleanse(parts)
 	return path.Join(ctx.StateDir, tail)
 }
 
 func (ctx *Instance) ResourcePath(parts ...string) string {
-	tail := path.Join(parts...)
+	tail := pathCleanse(parts)
 	return path.Join(ctx.ResourcesDir, tail)
 }
 
diff --git a/theme/index.html b/theme/index.html
index 51ad704..ad385c2 100644
--- a/theme/index.html
+++ b/theme/index.html
@@ -1,30 +1,25 @@
 <!DOCTYPE html>
 <html>
   <head>
-    <title>Welcome</title>
-    <link rel="stylesheet" href="basic.css">
+    <title>Sign In</title>
     <meta name="viewport" content="width=device-width">
+    <link rel="stylesheet" href="basic.css">
+    <script src="moth.js"></script>
   </head>
   <body>
-    <h1>Welcome</h1>
+    <h1 id="title">Sign In</h1>
     <section>
-      <h2>Register your team</h2>
-      
-      <form action="register" method="post">
-        Team ID: <input name="id"> <br>
+      <div id="login">
         Team name: <input name="name">
-        <input type="submit" value="Register">
-      </form>
-      
-      <p>
-        If someone on your team has already registered,
-        proceed to the
-        <a href="puzzle-list.html">puzzles overview</a>.
-      </p>
+        Team ID: <input name="id"> <br>
+        <button id="submit">Sign In</button>
+      </div>
+
+      <div id="puzzles"></div>
+
 		</section>
     <nav>
       <ul>
-        <li><a href="puzzle-list.html">Puzzles</a></li>
         <li><a href="scoreboard.html">Scoreboard</a></li>
       </ul>
     </nav>
diff --git a/theme/puzzle-list.html b/theme/puzzle-list.html
index af42db5..3d1915b 100644
--- a/theme/puzzle-list.html
+++ b/theme/puzzle-list.html
@@ -7,82 +7,6 @@
     <meta charset="utf-8">
     <script>
 
-function render(obj) {
-  puzzlesElement = document.createElement('div');
-
-  // Create a sorted list of category names
-  let cats = Object.keys(obj);
-  cats.sort();
-
-  for (let cat of cats) {
-    if (cat.startsWith("__")) {
-      // Metadata or something
-      continue;
-    }
-    let puzzles = obj[cat];
-    
-    let pdiv = document.createElement('div');
-    pdiv.className = 'category';
-    
-    let h = document.createElement('h2');
-    pdiv.appendChild(h);
-    h.textContent = cat;
-    
-    // Extras if we're running a devel server
-    if (obj.__devel__) {
-      var a = document.createElement('a');
-      h.insertBefore(a, h.firstChild);
-      a.textContent = "⬇️";
-      a.href = "mothballer/" + cat;
-      a.classList.add("mothball");
-      a.title = "Download a compiled puzzle for this category";
-    }
-
-    let l = document.createElement('ul');
-    pdiv.appendChild(l);
-
-    for (var puzzle of puzzles) {
-      var points = puzzle[0];
-      var id = puzzle[1];
-  
-      var i = document.createElement('li');
-      l.appendChild(i);
-      i.textContent = " ";
-  
-      if (points === 0) {
-        // Sentry: there are no more puzzles in this category
-        i.textContent = "✿";
-      } else {
-        var a = document.createElement('a');
-        i.appendChild(a);
-        a.textContent = points;
-        a.href = "puzzle.html?cat=" + cat + "&points=" + points + "&pid=" + id;
-      }
-    }
-    
-    puzzlesElement.appendChild(pdiv);
-    document.getElementById("puzzles").appendChild(puzzlesElement);
-  }
-}
-
-function init() {
-  fetch("puzzles.json")
-  .then(resp => {
-    return resp.json();
-  })
-  .then(obj => {
-    render(obj);
-  })
-  .catch(err => {
-    console.log("Error", err);
-  });
-}
-
-if (document.readyState === "loading") {
-  document.addEventListener("DOMContentLoaded", init);
-} else {
-  init();
-}
     </script>
   </head>
   <body>