From a2a12b4c490191188ca8f0099369e4d90773bee6 Mon Sep 17 00:00:00 2001
From: voldemort <5692900+yell0wsuit@users.noreply.github.com>
Date: Wed, 23 Jul 2025 01:45:05 +0700
Subject: [PATCH] Refactor React route handling to improve security and
 clarity; add module docstring, normalize path to prevent directory traversal,
 and ensure static folder is configured.

---
 routes/react.py | 38 ++++++++++++++++++++++++++------------
 1 file changed, 26 insertions(+), 12 deletions(-)

diff --git a/routes/react.py b/routes/react.py
index e4296c4..678d015 100644
--- a/routes/react.py
+++ b/routes/react.py
@@ -1,10 +1,13 @@
-import sys
+"""Module to handle the React routes."""
+
 import os
-from flask import Blueprint, send_from_directory, request, render_template
+import sys
+
+from flask import Blueprint, send_from_directory, render_template
 from configs import index_tags
 
 if getattr(sys, "frozen", False):  # Running as a bundled app
-    base_path = sys._MEIPASS
+    base_path = getattr(sys, "_MEIPASS", os.path.abspath("."))
 else:  # Running in a normal Python environment
     base_path = os.path.abspath(".")
 
@@ -23,12 +26,23 @@ react_bp = Blueprint(
 @react_bp.route("/<path:path>", methods=["GET"])
 @react_bp.route("/<path>", methods=["GET"])
 def index(path=""):
-    if request.method == "GET":
-        file_path = os.path.join(react_bp.static_folder, path)
-        if path != "" and os.path.exists(file_path):
-            return send_from_directory(react_bp.static_folder, path)
-        elif path.lower() in ["", "cache", "api", "testplayer", "account"]:
-            data = index_tags.tags.get(path.lower(), index_tags.tags["index"])
-            return render_template("index.html", data=data)
-        else:
-            return send_from_directory(react_bp.static_folder, "index.html")
+    """Handle the index route."""
+    # Ensure static_folder is not None
+    if react_bp.static_folder is None:
+        raise ValueError("Static folder is not configured for the blueprint")
+
+    # Normalize the path to prevent directory traversal
+    safe_path = os.path.normpath(path)
+    file_path = os.path.join(react_bp.static_folder, safe_path)
+
+    if path and os.path.exists(file_path):
+        return send_from_directory(react_bp.static_folder, safe_path)
+
+    # Only allow certain paths to render index.html with tags
+    allowed_paths = ["", "cache", "api", "testplayer", "account"]
+    if safe_path.lower() in allowed_paths:
+        data = index_tags.tags.get(safe_path.lower(), index_tags.tags.get("index", {}))
+        return render_template("index.html", data=data)
+
+    # Fallback: serve index.html for all other routes (SPA)
+    return send_from_directory(react_bp.static_folder, "index.html")