From eafb4456c45c9c6e9fb7e4faac12552480aa80ba Mon Sep 17 00:00:00 2001
From: Alexandre Iooss
Date: Thu, 24 Sep 2020 16:13:21 +0200
Subject: [PATCH] Validation on path
---
 web/web.go | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/web/web.go b/web/web.go
index 0d1077e..9b7a5aa 100644
--- a/web/web.go
+++ b/web/web.go
@@ -6,6 +6,7 @@ import (
 "log"
 "net/http"
 "os"
+ "regexp"
 "github.com/pion/webrtc/v3"
 "gitlab.crans.org/nounous/ghostream/internal/monitoring"
@@ -29,6 +30,9 @@ var (
 // Preload templates
 templates = template.Must(template.ParseGlob("web/template/*.html"))
+
+ // Precompile regex
+ validPath = regexp.MustCompile("^\\/[a-z0-9_-]*\\/?$")
 )
 // Handle WebRTC session description exchange via POST
@@ -82,7 +86,12 @@ func viewerGetHandler(w http.ResponseWriter, r *http.Request) {
 // Handle site index and viewer pages
 // POST requests are used to exchange WebRTC session descriptions
 func viewerHandler(w http.ResponseWriter, r *http.Request) {
- // FIXME validation on path: https://golang.org/doc/articles/wiki/#tmp_11
+ // Validation on path
+ if validPath.FindStringSubmatch(r.URL.Path) == nil {
+ http.NotFound(w, r)
+ log.Print(r.URL.Path)
+ return
+ }
 // Route depending on HTTP method
 switch r.Method {
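Review bot: The `validPath` pattern in the `var` block is harder to audit than it needs to be, because it is an interpreted string with doubled backslashes and the `\/` escapes do nothing in Go's regexp syntax. `validPath = regexp.MustCompile("^/[a-z0-9_-]*/?$")` matches the same set of paths. The comment `// Precompile regex` also does not say what is allowed; `// validPath accepts "/" or one lowercase [a-z0-9_-] segment with an optional trailing slash` would make it clear that uppercase letters, dots and nested paths are rejected on purpose.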
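Review bot: `log.Print(r.URL.Path)` in the rejection branch of viewerHandler writes the percent-decoded, client-controlled path to the log verbatim, so an encoded line break in a request can forge log entries. The line also carries no hint of why it was logged. Quoting and labelling it fixes both: `log.Printf("rejected invalid path %q from %s", r.URL.Path, r.RemoteAddr)`. Because the pattern has no capture groups, `if !validPath.MatchString(r.URL.Path) {` is the idiomatic check and avoids building a submatch slice. viewerHandler's body continues past the end of the hunk.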