From a0cfc7bf1c814279618e1060047fd863eb9fffb1 Mon Sep 17 00:00:00 2001
From: TLSM <104547575+TLSM@users.noreply.github.com>
Date: Thu, 5 May 2022 04:46:20 -0400
Subject: [PATCH] Add admin status git revision. (#244)

Adds a line in admin_home which displays the currently active git revision. Current methodology is via manually parsing files in .git. Consider revising if the application ever has access to `git` shell, which would obviate some minor security concerns around directory traversal attacks.
---
 files/routes/admin.py | 23 ++++++++++++++++++++++-
 files/templates/admin/admin_home.html | 7 ++++++-
 2 files changed, 28 insertions(+), 2 deletions(-)

diff --git a/files/routes/admin.py b/files/routes/admin.py
index d640a2b46..67d3aa463 100644
--- a/files/routes/admin.py
+++ b/files/routes/admin.py
@@ -1,4 +1,5 @@
 import time
+import re
 from os import remove
 from PIL import Image as IMAGE
@@ -520,8 +521,28 @@ def admin_home(v):
     else:
         response = requests.get(f'https://api.cloudflare.com/client/v4/zones/{CF_ZONE}/settings/security_level', headers=CF_HEADERS, timeout=5).json()['result']['value']
         under_attack = response == 'under_attack'
-    return render_template("admin/admin_home.html", v=v, under_attack=under_attack, site_settings=app.config['SETTINGS'])
+    gitref = admin_git_head()
+
+    return render_template("admin/admin_home.html", v=v,
+        under_attack=under_attack,
+        site_settings=app.config['SETTINGS'],
+        gitref=gitref)
 
+def admin_git_head():
+    short_len = 12
+    # Note: doing zero sanitization. Git branch names are extremely permissive.
+    # However, they forbid '..', so I don't see an obvious dir traversal attack.
+    # Also, a malicious branch name would mean someone already owned the server
+    # or repo, so I think this isn't a weak link.
+    try:
+        with open('.git/HEAD') as head_f:
+            head_txt = head_f.read()
+        head_path = re.match('ref: (refs/.+)', head_txt).group(1)
+        with open('.git/' + head_path) as ref_f:
+            gitref = ref_f.read()[0:short_len]
+    except:
+        return ''
+    return gitref
 
 @app.post("/admin/site_settings/")
 @admin_level_required(3)
diff --git a/files/templates/admin/admin_home.html b/files/templates/admin/admin_home.html
index 455845e28..eae08bb84 100644
--- a/files/templates/admin/admin_home.html
+++ b/files/templates/admin/admin_home.html
@@ -85,7 +85,12 @@
- + {% endif %} +
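Review bot: The bare `except:` in the new admin_git_head (files/routes/admin.py hunk) catches SystemExit and KeyboardInterrupt along with the expected file and regex failures, and it also turns a detached HEAD — where `.git/HEAD` holds the commit hash rather than a `ref: ...` line, so `re.match(...)` returns None and `.group(1)` raises AttributeError — into an empty string even though the hash is sitting right there. Narrowing the handler to `except (OSError, UnicodeDecodeError):` and branching on a failed match, as below, keeps the best-effort contract while reporting the detached case; a ref that git has moved into `.git/packed-refs` will still read as '' and deserves a comment saying so. Anchoring the pattern as `r'ref: (refs/\S+)$'` on the stripped text also narrows what gets concatenated onto `'.git/'`, which the comment above acknowledges is otherwise unchecked. Both paths are relative to the process working directory, so the status line is presumably blank whenever the app is launched from outside the repo root — acceptable for a display value, but worth stating in a docstring such as `"""Return the first 12 chars of the current git commit, or '' if .git is unreadable."""`.
```python
def admin_git_head():
    short_len = 12
    # … unchanged: note on ref-name sanitization …
    try:
        with open('.git/HEAD') as head_f:
            head_txt = head_f.read().strip()
        m = re.match(r'ref: (refs/\S+)$', head_txt)
        if m is None:
            # Detached HEAD: the file holds the commit hash itself.
            return head_txt[0:short_len]
        with open('.git/' + m.group(1)) as ref_f:
            return ref_f.read()[0:short_len]
    except (OSError, UnicodeDecodeError):
        # No .git tree, unreadable file, or a ref that only lives in packed-refs.
        return ''
```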

Server Status

+
+ Live Revision: {{ gitref }}
+
+ {% endblock %} \ No newline at end of file