bundle-server: serve correct bundle routes for request

Update 'bundleServer.serve()' to serve the correct bundle list file for the
request URI. If the URI has no trailing slash (e.g.
'https://<host>:<port>/<org>/<repo>'), serve the 'repo-bundle-list' file
contents, which prepends '<repo>' to the relative bundle paths. If the URI
has a trailing slash, serve 'bundle-list' as normal.

Also, prevent users from directly reading 'bundle-list' and
'repo-bundle-list' based on the URI; the latter's relative paths would be
incorrect, and in general these files are an internal implementation detail
that should not be visible to users. If a user requests one of these files,
return a 404.

Signed-off-by: Victoria Dye <[email protected]>

Author: vdye

cmd/git-bundle-web-server/bundle-server.go

@@ -12,6 +12,7 @@ import (
 	"syscall"
 	"time"
 
+	"github.com/github/git-bundle-server/internal/bundles"
 	"github.com/github/git-bundle-server/internal/common"
 	"github.com/github/git-bundle-server/internal/core"
 	"github.com/github/git-bundle-server/internal/log"
@@ -101,7 +102,20 @@ func (b *bundleWebServer) serve(w http.ResponseWriter, r *http.Request) {
 
 	var fileToServe string
 	if filename == "" {
-		fileToServe = filepath.Join(repository.WebDir, "bundle-list")
+		if path[len(path)-1] == '/' {
+			// Trailing slash, so the bundle URIs should be relative to the
+			// request's URL as if it were a directory
+			fileToServe = filepath.Join(repository.WebDir, bundles.BundleListFilename)
+		} else {
+			// No trailing slash, so the bundle URIs should be relative to the
+			// request's URL as if it were a file
+			fileToServe = filepath.Join(repository.WebDir, bundles.RepoBundleListFilename)
+		}
+	} else if filename == bundles.BundleListFilename || filename == bundles.RepoBundleListFilename {
+		// If the request identifies a non-bundle "reserved" file, return 404
+		w.WriteHeader(http.StatusNotFound)
+		fmt.Printf("Failed to open file\n")
+		return
 	} else {
 		fileToServe = filepath.Join(repository.WebDir, filename)
 	}