Security fixes (#196)

* Allow web UI to be turned off * Remove ability to request identical tables in multi-layer request
CrunchyData · Nov 21, 2023 · 8dff97a · 8dff97a
1 parent 504131e
commit 8dff97a
Show file tree

Hide file tree

Showing 2 changed files with 27 additions and 10 deletions.
diff --git a/README.md b/README.md
@@ -174,6 +174,8 @@ After start-up you can connect to the server and explore the published tables an
 
 * http://localhost:7800
 
+To disable the web interface, supply the run time flag `--no-preview`
+
 ## Layers List
 
 A list of layers is available in JSON at:

diff --git a/main.go b/main.go
@@ -11,6 +11,7 @@ import (
 	"net/http"
 	"os"
 	"os/signal"
+	"slices"
 	"strings"
 	"sync"
 	"time"
@@ -82,6 +83,7 @@ func init() {
 	viper.SetDefault("DefaultMinZoom", 0)
 	viper.SetDefault("DefaultMaxZoom", 22)
 	viper.SetDefault("Debug", false)
+	viper.SetDefault("ShowPreview", true)
 	viper.SetDefault("AssetsPath", "./assets")
 	// 1d, 1h, 1m, 1s, see https://golang.org/pkg/time/#ParseDuration
 	viper.SetDefault("DbPoolMaxConnLifeTime", "1h")
@@ -107,6 +109,7 @@ func main() {
 	flagConfigFile := getopt.StringLong("config", 'c', "", "full path to config file", "config.toml")
 	flagHelpOn := getopt.BoolLong("help", 'h', "display help output")
 	flagVersionOn := getopt.BoolLong("version", 'v', "display version number")
+	flagHidePreview := getopt.BoolLong("no-preview", 'n', "hide web interface")
 	getopt.Parse()
 
 	if *flagHelpOn {
@@ -138,6 +141,10 @@ func main() {
 		viper.AddConfigPath("/etc")
 	}
 
+	if *flagHidePreview {
+		viper.Set("ShowPreview", false)
+	}
+
 	// Report our status
 	log.Infof("%s %s", programName, programVersion)
 	log.Info("Run with --help parameter for commandline options")
@@ -361,12 +368,18 @@ func requestTiles(w http.ResponseWriter, r *http.Request) error {
 	vars := mux.Vars(r)
 
 	sources := strings.Split(vars["name"], ",")
+	var extant []string
 	for _, source := range sources {
-		layer, err := requestTile(r, source)
-		if err != nil {
-			return err
+		if !slices.Contains(extant, source) {
+			layer, err := requestTile(r, source)
+			if err != nil {
+				return err
+			}
+			layers = append(layers, layer...)
+			extant = append(extant, source)
+		} else {
+			log.Debugf("Skipping duplicate layer %s in request %s", source, sources)
 		}
-		layers = append(layers, layer...)
 	}
 
 	w.Header().Add("Content-Type", "application/vnd.mapbox-vector-tile")
@@ -461,12 +474,14 @@ func tileRouter() *mux.Router {
 		Subrouter()
 
 	// Front page and layer list
-	r.Handle("/", tileAppHandler(requestListHTML))
-	r.Handle("/index.html", tileAppHandler(requestListHTML))
-	r.Handle("/index.json", tileAppHandler(requestListJSON))
-	// Layer detail and demo pages
-	r.Handle("/{name}.html", tileAppHandler(requestPreview))
-	r.Handle("/{name}.json", tileAppHandler(requestDetailJSON))
+	if viper.GetBool("ShowPreview") {
+		r.Handle("/", tileAppHandler(requestListHTML))
+		r.Handle("/index.html", tileAppHandler(requestListHTML))
+		r.Handle("/index.json", tileAppHandler(requestListJSON))
+		// Layer detail and demo pages
+		r.Handle("/{name}.html", tileAppHandler(requestPreview))
+		r.Handle("/{name}.json", tileAppHandler(requestDetailJSON))
+	}
 	// Tile requests
 	r.Handle("/{name}/{z:[0-9]+}/{x:[0-9]+}/{y:[0-9]+}.{ext}", tileMetrics(tileAppHandler(requestTiles)))