From dddab4375b87d847e4a0f2bcead51194b93e9d1c Mon Sep 17 00:00:00 2001
From: Eric Van Albert
Date: Mon, 19 Jun 2017 21:50:20 -0400
Subject: [PATCH] make serve.py slightly more secure
---
 bin/serve.py | 28 +++++++++++++++++++---------
 web/keygen.js | 2 +-
 2 files changed, 20 insertions(+), 10 deletions(-)
diff --git a/bin/serve.py b/bin/serve.py
index 281273f..37d6965 100755
--- a/bin/serve.py
+++ b/bin/serve.py
@@ -7,6 +7,7 @@ import tempfile
 import subprocess
 import os
 import shutil
+import re
 PORT_NUMBER = 8080
 MAX_STR_LEN = 100
@@ -24,6 +25,14 @@ class MyHandler(BaseHTTPRequestHandler):
 self.end_headers()
 self.wfile.write(b)
 else:
+ key_filename = query_components["key"][0]
+ if not re.match(r"scad/[A-Za-z0-9_]+.scad$", key_filename):
+ self.send_response(400)
+ self.send_header("Content-type", "text/plain; charset=utf-8")
+ self.end_headers()
+ self.wfile.write(b"Bad filename")
+ return
+
 opts = [str(query_components["key"][0])]
 if "bitting" in query_components and len(query_components["bitting"]) == 1:
 opts += ["-b", str(query_components["bitting"][0])[0:MAX_STR_LEN]]
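Review bot: The allow-list regex on the new `if not re.match(...)` line is looser than intended: `$` still matches before a trailing newline and the unescaped `.` in `.scad` matches any character, so a value such as `scad/foo.scad` followed by a newline, or `scad/fooXscad`, passes the check. Anchoring both ends and escaping the dot closes this: `if not re.fullmatch(r"scad/[A-Za-z0-9_]+\.scad", key_filename):`. The validated value is then not the one used on the following context line, `opts = [str(query_components["key"][0])]`; writing it as `opts = [key_filename]` keeps the check and the use tied together. The `bitting` parameter on the last hunk line is only length-limited, not character-checked, which is presumably acceptable if the subprocess is invoked with an argument list rather than a shell string, but that call is outside the hunk, as are the start and end of the enclosing handler method.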
@@ -40,15 +49,16 @@ class MyHandler(BaseHTTPRequestHandler):
 self.send_header("Content-type", "text/plain; charset=utf-8")
 self.end_headers()
 self.wfile.write(b"Command exited with non-zero return code")
- else:
- length = os.stat(tf.name).st_size
- self.send_response(200)
- self.send_header("Content-type", "application/sla")
- self.send_header("Content-length", str(length))
- self.send_header("Content-Disposition", 'inline; filename="key.stl"')
- self.end_headers()
- with open(tf.name, 'rb') as stl:
- shutil.copyfileobj(stl, self.wfile)
+ return
+
+ length = os.stat(tf.name).st_size
+ self.send_response(200)
+ self.send_header("Content-type", "application/sla")
+ self.send_header("Content-length", str(length))
+ self.send_header("Content-Disposition", 'inline; filename="key.stl"')
+ self.end_headers()
+ with open(tf.name, 'rb') as stl:
+ shutil.copyfileobj(stl, self.wfile)
 class ForkingSimpleServer(ForkingMixIn, HTTPServer):
 pass
diff --git a/web/keygen.js b/web/keygen.js
index f1abf08..ee856f8 100644
--- a/web/keygen.js
+++ b/web/keygen.js
@@ -1,4 +1,4 @@
-keygen_endpoint = "http://localhost:8080";
+keygen_endpoint = "http://localhost:8080"; // Change me to your serve.py endpoint
 var key_metadata;