From 1c723edad7030091a3f4e51fd8c963a7d8d22173 Mon Sep 17 00:00:00 2001
From: Pietro Albini
Date: Thu, 12 Dec 2024 11:50:02 +0100
Subject: [PATCH] add an index.html to the static api

---
 src/static_api.rs | 44 ++++++++++++++++++++++-----
 tests/static-api/_expected/index.html | 3 ++
 2 files changed, 39 insertions(+), 8 deletions(-)
 create mode 100644 tests/static-api/_expected/index.html

diff --git a/src/static_api.rs b/src/static_api.rs
index 5c093e1f6..c5e21a8f5 100644
--- a/src/static_api.rs
+++ b/src/static_api.rs
@@ -34,6 +34,7 @@ impl<'a> Generator<'a> {
 self.generate_rfcbot()?;
 self.generate_zulip_map()?;
 self.generate_people()?;
+ self.generate_index_html()?;

 Ok(())
 }
@@ -423,20 +424,36 @@ impl<'a> Generator<'a> {
 Ok(())
 }

+ fn generate_index_html(&self) -> Result<(), Error> {
+ const CONTENT: &[u8] = b"\
+ \n\
+ \n\
+

See rust-lang/team.

\n\
+ ";
+
+ // GitHub has a security issue where a domain can point to GitHub Pages without any
+ // repository attached to it. In that case, anyone can attach their own (malicious)
+ // repo to the domain, effectively taking over it.
+ //
+ // This is not a problem for us, because team-api.infra.rust-lang.org does have content
+ // (generated by this module!). Unfortunately, when there is no repo attached to a domain
+ // GitHub serves the same 404 page as if there is no index.html file. This leads to *many*
+ // people running automated scanners and emailing security@rust-lang.org claiming they
+ // found a severe vulnerability and asking for a bounty.
+ //
+ // So let's just generate an index.html and reduce the volume of bogus reports.
+
+ info!("writing index.html...");
+ self.write("index.html", CONTENT)
+ }
+
 fn add(&self, path: &str, obj: &T) -> Result<(), Error>
 where
 T: serde::Serialize + serde::de::DeserializeOwned + PartialEq,
 {
 info!("writing API object {}...", path);
- let dest = self.dest.join(path);
- if let Some(parent) = dest.parent() {
- if !parent.exists() {
- std::fs::create_dir_all(parent)?;
- }
- }
-
 let json = serde_json::to_string_pretty(obj)?;
- std::fs::write(&dest, json.as_bytes())?;
+ self.write(path, json.as_bytes())?;

 let obj2: T =
 serde_json::from_str(&json).with_context(|| format!("failed to deserialize {path}"))?;
@@ -447,4 +464,15 @@ impl<'a> Generator<'a> {

 Ok(())
 }
+
+ fn write(&self, path: &str, bytes: &[u8]) -> Result<(), Error> {
+ let dest = self.dest.join(path);
+ if let Some(parent) = dest.parent() {
+ if !parent.exists() {
+ std::fs::create_dir_all(parent)?;
+ }
+ }
+ std::fs::write(&dest, bytes)?;
+ Ok(())
+ }
 }
diff --git a/tests/static-api/_expected/index.html b/tests/static-api/_expected/index.html
new file mode 100644
index 000000000..c63b1e091
--- /dev/null
+++ b/tests/static-api/_expected/index.html
@@ -0,0 +1,3 @@
+
+
+
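Review bot: The comment block in `generate_index_html` reads as if having content is what protects the domain, but the index.html written here only changes what automated scanners see and does nothing against the takeover itself. "This is not a problem for us" holds only while a Pages site stays attached to team-api.infra.rust-lang.org, so the DNS record has to be removed before this deployment is ever retired. I would state that in the comment, e.g. `// NOTE: this only silences scanners; the domain stays safe only while a Pages site is attached to it, so remove the DNS record before retiring this deployment.` Whether GitHub's custom-domain verification is enabled for the organisation is not visible from this patch; if it is, naming it here would complete the reasoning.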
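Review bot: `write` joins the caller-supplied `path` onto `self.dest` unchecked, and `Path::join` discards the base when the argument is absolute and keeps any `..` components, so a malformed path would be written outside the output directory. Since both `add` and `generate_index_html` now go through this helper, it is the natural place for a single guard before the join, for example `if !std::path::Path::new(path).components().all(|c| matches!(c, std::path::Component::Normal(_))) { /* return an error */ }`. The callers of `add` are outside this hunk, so whether any path segment is derived from team data rather than a literal is an assumption to confirm. Separately, the `if !parent.exists()` pre-check is redundant, because `create_dir_all` already succeeds on an existing directory.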

See rust-lang/team.