authorRyan Chan <rycwo@posteo.net>2019-07-10 21:32:29 +0100
committerDrew DeVault <sir@cmpwn.com>2019-07-10 19:35:53 -0400
commit031b8825a6603fb76e5f46e7b36406114c07d3fb (patch)
treecbd3d01a6ea3a0c2621ed0227cb419375e14d867
parentafe317aca93d46a6e228c25b23fada0d90362816 (diff)
Fix tree path traversal for repo tree API endpoint
Take the path parameter into account in repo_tree_GET() by traversing the tree returned by lookup_ref() along the given path.
-rw-r--r--gitsrht/blueprints/api.py15
1 files changed, 13 insertions, 2 deletions
diff --git a/gitsrht/blueprints/api.py b/gitsrht/blueprints/api.py
index e40ad4f..121b7e0 100644
--- a/gitsrht/blueprints/api.py
+++ b/gitsrht/blueprints/api.py
@@ -122,7 +122,7 @@ def repo_commits_GET(username, reponame, ref, path):
defaults={"ref": None, "path": ""})
@data.route("/api/<username>/repos/<reponame>/tree/<path:ref>",
defaults={"path": ""})
-@data.route("/api/repos/<username>/<reponame>/tree/<ref>/<path:path>")
+@data.route("/api/<username>/repos/<reponame>/tree/<ref>/<path:path>")
@oauth("data:read")
def repo_tree_GET(username, reponame, ref, path):
user = get_user(username)
@@ -136,6 +136,17 @@ def repo_tree_GET(username, reponame, ref, path):
tree = commit
else:
abort(404)
+
+ path = [p for p in path.split("/") if p]
+ for part in path:
+ if not tree or part not in tree:
+ abort(404)
+ entry = tree[part]
+ if entry.type == "blob":
+ abort(404)
+ tree = git_repo.get(entry.id)
+ if not tree:
+ abort(404)
return tree_to_dict(tree)
@data.route("/api/repos/<reponame>/annotate", methods=["PUT"])
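Review bot: The two `not tree` guards in the new lines (`if not tree or part not in tree` and the trailing `if not tree`) test truthiness rather than absence, so if the tree object defines `__len__` (pygit2's Tree does), an empty tree is treated as missing and the request gets a 404 instead of an empty listing; compare against None instead: `if tree is None or part not in tree:` and `if tree is None:`. The comprehension also rebinds the `path` parameter from a str to a list, which reads confusingly given its use as a string one line earlier; `parts = [p for p in path.split("/") if p]` with `for part in parts:` keeps the two apart. The `entry.type == "blob"` check rejects blobs explicitly, while a submodule entry is presumably only rejected because `git_repo.get` returns nothing for it, so a comment such as `# only tree entries are listable; blobs and submodules 404` would make the intent explicit. repo_tree_GET's signature and the start of its body lie outside this hunk.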
@@ -170,7 +181,7 @@ def repo_annotate_PUT(username, reponame):
defaults={"username": None})
@data.route("/api/<username>/blob/<reponame>/blob/<path:ref>",
defaults={"path": ""})
-@data.route("/api/repos/<username>/<reponame>/blob/<ref>/<path:path>")
+@data.route("/api/<username>/repos/<reponame>/blob/<ref>/<path:path>")
@oauth("data:read")
def repo_blob_GET(username, reponame, ref, path):
user = get_user(username)
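Review bot: The context route two lines above the changed decorator, `"/api/<username>/blob/<reponame>/blob/<path:ref>"`, does not follow the `/api/<username>/repos/<reponame>/…` shape this commit establishes for the other tree and blob routes and looks like the same kind of slip the `-` line corrects; if it is not intentional it should read `@data.route("/api/<username>/repos/<reponame>/blob/<path:ref>",`. repo_blob_GET's body continues outside the hunk.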