From 2b441cdb9f862f36982984f480f247b269cfc1be Mon Sep 17 00:00:00 2001
From: samcrowther
Date: Fri, 10 Apr 2015 11:10:59 +1000
Subject: [PATCH] Security fix - Restrict access to files on webserver by monitoring the request path content before allowing it to be accessed.
---
 lib/webPanel.js | 44 ++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 44 insertions(+)
diff --git a/lib/webPanel.js b/lib/webPanel.js
index b41d58d..a19e742 100644
--- a/lib/webPanel.js
+++ b/lib/webPanel.js
@@ -133,6 +133,50 @@
 };
+ /**
+
+ * This function scans through any webPanel request.
+ * if the request contains the 'path' query parameter then it will pass it
+ * through a check that ensures the following:
+ - it contains logs
+ - it contains 20xx
+ - it is accessing a .json file
+ * if it passess the checks it sends the request to the next webPanel function
+ * otherwise it returns a json error message
+
+
+
+ */
+
+ webPanel.use(function(req, res, next){
+
+ var path = req.query.path
+
+ if(path!=null){
+
+ if(path.indexOf("logs")!=-1 && path.indexOf("20")!=-1 && path.indexOf(".json")!=-1) {
+
+ next();
+
+ } else {
+
+ var response = {};
+ response.error = true;
+ res.json(response);
+
+
+ }
+
+ } else {
+
+ next();
+ }
+
+
+
+
+ });
+
 /**
 * /api
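Review bot: The three `indexOf` tests in the new `webPanel.use` middleware only require that `logs`, `20` and `.json` appear somewhere in `req.query.path`, so they do not confine the request to the log directory; a value containing `..` segments or an absolute prefix can carry all three substrings and still reach `next()`. The value is also not guaranteed to be a string: if `webPanel` is an Express app with the default query parser, a repeated or bracketed `path` parameter arrives as an array or object, and `indexOf` then either matches whole array elements or throws. I would reject non-strings, resolve the value against the directory the file handler actually reads from, and require the resolved path to stay under that directory and to end in `.json`, as sketched below. The handler that consumes `path` is outside this hunk, so `LOG_ROOT` and `nodePath` in the sketch are placeholders to be matched to the real base directory and the file's binding for Node's `path` module, and that handler should resolve the path the same way.

```javascript
webPanel.use(function(req, res, next){
    var requested = req.query.path;
    if (requested == null) { return next(); }
    // LOG_ROOT (placeholder): absolute directory the downstream handler reads from.
    // nodePath (placeholder): Node's built-in path module.
    var resolved = typeof requested === 'string' ? nodePath.resolve(LOG_ROOT, requested) : null;
    var insideRoot = resolved !== null && resolved.indexOf(LOG_ROOT + nodePath.sep) === 0;
    if (insideRoot && nodePath.extname(resolved) === '.json') { return next(); }
    res.json({ error: true });
});
```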