1 files changed, 94 insertions, 25 deletions
diff --git a/plugins/static/plugin.go b/plugins/static/plugin.go
index 76cb9e68..b6c25f3d 100644
--- a/plugins/static/plugin.go
+++ b/plugins/static/plugin.go
@@ -1,8 +1,10 @@
 package static
 
 import (
+	"io/fs"
 	"net/http"
 	"path"
+	"strings"
 
 	"github.com/spiral/errors"
 	"github.com/spiral/roadrunner/v2/plugins/config"
@@ -23,6 +25,14 @@ type Plugin struct {
 
 	// root is initiated http directory
 	root http.Dir
+
+	// file extensions which are allowed to be served
+	allowedExtensions map[string]struct{}
+
+	// file extensions which are forbidden to be served
+	forbiddenExtensions map[string]struct{}
+
+	alwaysServe map[string]struct{}
 }
 
 // Init must return configure service and return true if service hasStatus enabled. Must return error in case of
@@ -50,6 +60,33 @@ func (s *Plugin) Init(cfg config.Configurer, log logger.Logger) error {
 		return errors.E(op, err)
 	}
 
+	// create 2 hashmaps with the allowed and forbidden file extensions
+	s.allowedExtensions = make(map[string]struct{}, len(s.cfg.Static.Allow))
+	s.forbiddenExtensions = make(map[string]struct{}, len(s.cfg.Static.Forbid))
+	s.alwaysServe = make(map[string]struct{}, len(s.cfg.Static.Always))
+
+	for i := 0; i < len(s.cfg.Static.Forbid); i++ {
+		s.forbiddenExtensions[s.cfg.Static.Forbid[i]] = struct{}{}
+	}
+
+	for i := 0; i < len(s.cfg.Static.Allow); i++ {
+		s.forbiddenExtensions[s.cfg.Static.Allow[i]] = struct{}{}
+	}
+
+	// check if any forbidden items presented in the allowed
+	// if presented, delete such items from allowed
+	for k := range s.forbiddenExtensions {
+		if _, ok := s.allowedExtensions[k]; ok {
+			delete(s.allowedExtensions, k)
+		}
+	}
+
+	for i := 0; i < len(s.cfg.Static.Always); i++ {
+		s.alwaysServe[s.cfg.Static.Always[i]] = struct{}{}
+	}
+
+	// at this point we have distinct allowed and forbidden hashmaps, also with alwaysServed
+
 	return nil
 }
 
@@ -73,45 +110,77 @@ func (s *Plugin) Middleware(next http.Handler) http.HandlerFunc {
 			}
 		}
 
-		if !s.handleStatic(w, r) {
-			next.ServeHTTP(w, r)
+		fPath := path.Clean(r.URL.Path)
+		ext := strings.ToLower(path.Ext(fPath))
+
+		// check that file is in forbidden list
+		if _, ok := s.forbiddenExtensions[ext]; ok {
+			http.Error(w, "file is forbidden", 404)
+			return
+		}
+
+		f, err := s.root.Open(fPath)
+		if err != nil {
+			// if we should always serve files with some extensions
+			// show error to the user and invoke next middleware
+			if _, ok := s.alwaysServe[ext]; ok {
+				//http.Error(w, err.Error(), 404)
+				w.WriteHeader(404)
+				next.ServeHTTP(w, r)
+				return
+			}
+			// else, return with error
+			http.Error(w, err.Error(), 404)
+			return
 		}
-	}
-}
 
-func (s *Plugin) handleStatic(w http.ResponseWriter, r *http.Request) bool {
-	fPath := path.Clean(r.URL.Path)
+		defer func() {
+			err = f.Close()
+			if err != nil {
+				s.log.Error("file close error", "error", err)
+			}
+		}()
 
-	if s.cfg.AlwaysForbid(fPath) {
-		return false
-	}
+		// here we know, that file extension is not in the AlwaysServe and file exists
+		// (or by some reason, there is no error from the http.Open method)
 
-	f, err := s.root.Open(fPath)
-	if err != nil {
-		if s.cfg.AlwaysServe(fPath) {
-			w.WriteHeader(404)
-			return true
+		// if we have some allowed extensions, we should check them
+		if len(s.allowedExtensions) > 0 {
+			if _, ok := s.allowedExtensions[ext]; ok {
+				d, err := s.check(f)
+				if err != nil {
+					http.Error(w, err.Error(), 404)
+					return
+				}
+
+				http.ServeContent(w, r, d.Name(), d.ModTime(), f)
+			}
+			// otherwise we guess, that all file extensions are allowed
+		} else {
+			d, err := s.check(f)
+			if err != nil {
+				http.Error(w, err.Error(), 404)
+				return
+			}
+
+			http.ServeContent(w, r, d.Name(), d.ModTime(), f)
 		}
 
-		return false
+		next.ServeHTTP(w, r)
 	}
-	defer func() {
-		err = f.Close()
-		if err != nil {
-			s.log.Error("file closing error", "error", err)
-		}
-	}()
+}
 
+func (s *Plugin) check(f http.File) (fs.FileInfo, error) {
+	const op = errors.Op("http_file_check")
 	d, err := f.Stat()
 	if err != nil {
-		return false
+		return nil, err
 	}
 
 	// do not serve directories
 	if d.IsDir() {
-		return false
+		return nil, errors.E(op, errors.Str("directory path provided, should be path to the file"))
 	}
 
-	http.ServeContent(w, r, d.Name(), d.ModTime(), f)
-	return true
+	return d, nil
 }