From 7480742e9eb7d61af363f48496bfba8b10298c82 Mon Sep 17 00:00:00 2001
From: Sasha Koshka <sashakoshka@tebibyte.media>
Date: Tue, 10 Dec 2024 00:38:47 -0500
Subject: [PATCH] http: Add mechanism to forbid certain files/directories

---
 http/handler.go | 18 +++++++++++++-----
 1 file changed, 13 insertions(+), 5 deletions(-)

diff --git a/http/handler.go b/http/handler.go
index 1afd36c..f6af32b 100644
--- a/http/handler.go
+++ b/http/handler.go
@@ -17,12 +17,13 @@ type ErrorData struct {
 }
 
 type Handler struct {
-	Environment *step.Environment
-	Directories bool
-	StepExt     ucontainer.Set[string]
-	Index       []string
+	Environment       *step.Environment
+	Directories       bool
+	StepExt           ucontainer.Set[string]
+	Index             []string
 	ErrorDocument     string
 	DirectoryDocument string
+	DenyAll           ucontainer.Set[string]
 }
 
 func (this *Handler) ServeHTTP (res http.ResponseWriter, req *http.Request) {
@@ -43,8 +44,15 @@ func (this *Handler) ServeHTTP (res http.ResponseWriter, req *http.Request) {
 	}
 	hasTrailingSlash := strings.HasSuffix(pat, "/")
 	pat = path.Clean(req.URL.Path)
+	name := pathToName(pat)
 
-	info, err := statFile(filesystem, pathToName(pat))
+	// access control
+	if this.DenyAll.Has(name) {
+		this.serveError(res, req, http.StatusForbidden, req.URL, false)
+		return
+	}
+
+	info, err := statFile(filesystem, name)
 	if err != nil {
 		this.serveError(res, req, http.StatusNotFound, req.URL, false)
 		return