feat: disable directory listings for static files (#12229)

* feat: disable directory listings for static files Static file server handles serving static asset files (js, css, etc). The default file server would also list all files in a directory. This has been changed to only serve files.
2025-07-06 15:41:45 +00:00 · 2024-02-20 15:50:30 -06:00
parent 2dac34276a
commit 07cccf9033
5 changed files with 91 additions and 14 deletions
--- a/coderd/coderd.go
+++ b/coderd/coderd.go
@ -1067,6 +1067,14 @@ func New(options *Options) *API {
 		// See globalHTTPSwaggerHandler comment as to why we use a package
 		// global variable here.
 		r.Get("/swagger/*", globalHTTPSwaggerHandler)
+	} else {
+		swaggerDisabled := http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
+			httpapi.Write(context.Background(), rw, http.StatusNotFound, codersdk.Response{
+				Message: "Swagger documentation is disabled.",
+			})
+		})
+		r.Get("/swagger", swaggerDisabled)
+		r.Get("/swagger/*", swaggerDisabled)
 	}

 	// Add CSP headers to all static assets and pages. CSP headers only affect
--- a/coderd/coderd_test.go
+++ b/coderd/coderd_test.go
@ -312,12 +312,9 @@ func TestSwagger(t *testing.T) {

 		resp, err := requestWithRetries(ctx, t, client, http.MethodGet, swaggerEndpoint, nil)
 		require.NoError(t, err)
-
-		body, err := io.ReadAll(resp.Body)
-		require.NoError(t, err)
 		defer resp.Body.Close()

-		require.Equal(t, "<pre>\n</pre>\n", string(body))
+		require.Equal(t, http.StatusNotFound, resp.StatusCode)
 	})
 	t.Run("doc.json disabled by default", func(t *testing.T) {
 		t.Parallel()
@ -329,12 +326,9 @@ func TestSwagger(t *testing.T) {

 		resp, err := requestWithRetries(ctx, t, client, http.MethodGet, swaggerEndpoint+"/doc.json", nil)
 		require.NoError(t, err)
-
-		body, err := io.ReadAll(resp.Body)
-		require.NoError(t, err)
 		defer resp.Body.Close()

-		require.Equal(t, "<pre>\n</pre>\n", string(body))
+		require.Equal(t, http.StatusNotFound, resp.StatusCode)
 	})
 }