From 227c042642f16a30bb6f2e0dd8f604f02a9995a7 Mon Sep 17 00:00:00 2001
From: thematdev
Date: Mon, 4 Apr 2022 21:43:51 +0300
Subject: [PATCH] Added list of all pages to prevent some attacks

---
 app/__init__.py | 10 +++++++++-
 app/config.py | 1 +
 2 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/app/__init__.py b/app/__init__.py
index 4908316..aecd424 100644
--- a/app/__init__.py
+++ b/app/__init__.py
@@ -1,7 +1,7 @@
 from flask import Flask, url_for, render_template, abort
 import os
 import json
-from app.config import PANDOC_LINK, PANDOC_PATH
+from app.config import PANDOC_LINK, PANDOC_PATH, WHITELIST_PATH
 from app.hash_manager import hash_file_sha512
 import subprocess
@@ -27,6 +27,10 @@ def dated_url_for(endpoint, **values):
 def render_page(page):
 path = f'{PANDOC_PATH}/{page}'
+ whitelist = WHITELIST_PATH
+ with open(whitelist, 'r') as f:
+ if page not in f.readlines():
+ raise Exception("Page doesn't exist!")
 if not os.path.exists(f'{path}'):
 raise Exception("Page doesn't exist!")
 in_filename = f'{path}/main.md'
@@ -39,6 +43,10 @@ def render_page(page):
 @app.route(f'/{PANDOC_LINK}/')
 def get_pandoc_page(page):
 path = f'{PANDOC_PATH}/{page}'
+ whitelist = WHITELIST_PATH
+ with open(whitelist, 'r') as f:
+ if page not in f.readlines():
+ return 'This page does not exist'
 if not os.path.exists(f'{path}'):
 # TODO: Add 404 handler
 return 'This page does not exist'
diff --git a/app/config.py b/app/config.py
index 232863d..b77b5cd 100644
--- a/app/config.py
+++ b/app/config.py
@@ -1,2 +1,3 @@
 PANDOC_LINK = 'page'
 PANDOC_PATH = '/home/thematdev/pandoc_pages'
+WHITELIST_PATH = f'{PANDOC_PATH}/pages'
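Review bot: The allow-list test added to render_page never matches an entry that sits on its own line, because `f.readlines()` keeps the trailing newline and `page` (taken from the URL, no newline) is compared against `'name\n'`; only a final entry without a newline can pass, every other listed page is rejected as missing, and a CRLF file fails outright. Compare against stripped entries instead, `if page not in f.read().splitlines():` at minimum, or strip each line so stray whitespace in the list cannot silently block a page. The identical comparison is repeated in get_pandoc_page in the next hunk and needs the same correction; reading the list in one helper keeps the two checks from drifting, and the exact-match semantics are what actually stop a traversal value such as a parent-directory reference from reaching the os.path.exists call, so both paths must agree. render_page's body continues past the end of this hunk.
```python
def _is_listed_page(page):
    """Return True when *page* is an exact entry (one name per line) in WHITELIST_PATH."""
    with open(WHITELIST_PATH, 'r') as f:
        return page in (line.strip() for line in f)


def render_page(page):
    path = f'{PANDOC_PATH}/{page}'
    if not _is_listed_page(page):
        raise Exception("Page doesn't exist!")
    # … unchanged: existence check and rendering …
```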
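Review bot: The new early return in get_pandoc_page answers a page that is not on the allow-list with a 200 response carrying the body 'This page does not exist', duplicating the TODO-marked branch just below it; `abort` is already imported at the top of the file, so `return abort(404)` in the new branch gives clients an honest status and makes the allow-list miss indistinguishable from the missing-directory case. The `f.readlines()` newline issue raised on render_page applies here identically. The route decorator reads `f'/{PANDOC_LINK}/'` in this rendering with no `<page>` converter, which is probably an artefact of how the patch was displayed; if it is literal, `page` is never bound and the function cannot be called.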
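Review bot: WHITELIST_PATH places the allow-list at `{PANDOC_PATH}/pages`, inside the directory whose contents it authorises, so anyone able to write page content into PANDOC_PATH could presumably also extend the list; keeping the file beside config.py, or anywhere the content workflow cannot write, separates the policy from the data it governs. A comment on the new line stating the file format the two readers in __init__.py expect would also help, e.g. `# one page name per line, exact match against the URL segment`.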