-rw-r--r--gitsrht/blueprints/api.py15
1 files changed, 13 insertions, 2 deletions
diff --git a/gitsrht/blueprints/api.py b/gitsrht/blueprints/api.py
index e40ad4f..121b7e0 100644
--- a/gitsrht/blueprints/api.py
+++ b/gitsrht/blueprints/api.py
@@ -122,7 +122,7 @@ def repo_commits_GET(username, reponame, ref, path):
defaults={"ref": None, "path": ""})
@data.route("/api/<username>/repos/<reponame>/tree/<path:ref>",
defaults={"path": ""})
-@data.route("/api/repos/<username>/<reponame>/tree/<ref>/<path:path>")
+@data.route("/api/<username>/repos/<reponame>/tree/<ref>/<path:path>")
@oauth("data:read")
def repo_tree_GET(username, reponame, ref, path):
user = get_user(username)
@@ -136,6 +136,17 @@ def repo_tree_GET(username, reponame, ref, path):
tree = commit
else:
abort(404)
+
+ path = [p for p in path.split("/") if p]
+ for part in path:
+ if not tree or part not in tree:
+ abort(404)
+ entry = tree[part]
+ if entry.type == "blob":
+ abort(404)
+ tree = git_repo.get(entry.id)
+ if not tree:
+ abort(404)
return tree_to_dict(tree)
@data.route("/api/repos/<reponame>/annotate", methods=["PUT"])
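Review bot: The type check in the new loop, `if entry.type == "blob": abort(404)`, is a deny-list, so an entry that is neither a blob nor a tree (a submodule gitlink, for instance) falls through to `git_repo.get(entry.id)`. If that object happens to exist in the repository, a non-tree object reaches the next `part not in tree` test or `tree_to_dict`, which would likely surface as a 500 instead of a 404. Because `path` comes straight from the request URL, an allow-list is the safer form: `if entry.type != "tree": abort(404)`. The two `not tree` tests also treat an empty tree like a missing one if the tree object's truthiness follows its length; `tree is None` would state the intent. repo_tree_GET starts above the hunk, so how `tree` is first resolved is not visible here.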
@@ -170,7 +181,7 @@ def repo_annotate_PUT(username, reponame):
defaults={"username": None})
@data.route("/api/<username>/blob/<reponame>/blob/<path:ref>",
defaults={"path": ""})
-@data.route("/api/repos/<username>/<reponame>/blob/<ref>/<path:path>")
+@data.route("/api/<username>/repos/<reponame>/blob/<ref>/<path:path>")
@oauth("data:read")
def repo_blob_GET(username, reponame, ref, path):
user = get_user(username)
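Review bot: The route left unchanged just above the corrected one, `"/api/<username>/blob/<reponame>/blob/<path:ref>"`, still does not follow the `/api/<username>/repos/<reponame>/...` shape that this commit applies to the tree and blob routes. If that is unintended, it should read `@data.route("/api/<username>/repos/<reponame>/blob/<path:ref>",` so every blob route sits under the same prefix. The decorator stack and the body of repo_blob_GET extend outside the hunk.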