Added list of all pages to prevent some attacks

app/__init__.py

@@ -1,7 +1,7 @@
 from flask import Flask, url_for, render_template, abort
 import os
 import json
-from app.config import PANDOC_LINK, PANDOC_PATH
+from app.config import PANDOC_LINK, PANDOC_PATH, WHITELIST_PATH
 from app.hash_manager import hash_file_sha512
 import subprocess
 
@@ -27,6 +27,10 @@ def dated_url_for(endpoint, **values):
 
 def render_page(page):
     path = f'{PANDOC_PATH}/{page}'
+    whitelist = WHITELIST_PATH
+    with open(whitelist, 'r') as f:
+        if page not in f.readlines():
+            raise Exception("Page doesn't exist!")
     if not os.path.exists(f'{path}'):
         raise Exception("Page doesn't exist!")
     in_filename = f'{path}/main.md'
@@ -39,6 +43,10 @@ def render_page(page):
 @app.route(f'/{PANDOC_LINK}/<page>')
 def get_pandoc_page(page):
     path = f'{PANDOC_PATH}/{page}'
+    whitelist = WHITELIST_PATH
+    with open(whitelist, 'r') as f:
+        if page not in f.readlines():
+            return 'This page does not exist'
     if not os.path.exists(f'{path}'):
         # TODO: Add 404 handler
         return 'This page does not exist'

app/config.py

@@ -1,2 +1,3 @@
 PANDOC_LINK = 'page'
 PANDOC_PATH = '/home/thematdev/pandoc_pages'
+WHITELIST_PATH = f'{PANDOC_PATH}/pages'