From e756ff847fe060bac4e15ad4064ad59b3248de5e Mon Sep 17 00:00:00 2001
From: giles
Date: Sat, 28 Mar 2026 17:36:10 +0000
Subject: [PATCH] sx-http: block .assets/ and .map files from static serving

Prevents serving WASM build artifacts and source maps. .assets/ directories and .map files return 403 Forbidden.

Co-Authored-By: Claude Opus 4.6 (1M context)
---
 hosts/ocaml/bin/sx_server.ml | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/hosts/ocaml/bin/sx_server.ml b/hosts/ocaml/bin/sx_server.ml
index ffa7056e..60e6c028 100644
--- a/hosts/ocaml/bin/sx_server.ml
+++ b/hosts/ocaml/bin/sx_server.ml
@@ -1562,7 +1562,16 @@ let serve_static_file static_dir url_path =
 let rel = String.sub url_path 8 (String.length url_path - 8) in
 let rel = match String.index_opt rel '?' with
 | Some i -> String.sub rel 0 i | None -> rel in
- if String.contains rel '\x00' || (String.length rel > 1 && String.sub rel 0 2 = "..") then
+ let has_substring s sub =
+ let slen = String.length s and sublen = String.length sub in
+ if sublen > slen then false
+ else let rec check i = if i > slen - sublen then false
+ else if String.sub s i sublen = sub then true else check (i + 1)
+ in check 0
+ in
+ if String.contains rel '\x00' || (String.length rel > 1 && String.sub rel 0 2 = "..")
+ || has_substring rel ".assets/"
+ || Filename.check_suffix rel ".map" then
 http_response ~status:403 "Forbidden"
 else
 let file_path = static_dir ^ "/" ^ rel in
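Review bot: The rewritten guard still rejects `..` only when it is the first two characters of `rel` (`String.sub rel 0 2 = ".."`), so a `..` segment later in the path passes the check and is concatenated into `static_dir ^ "/" ^ rel`; the new `.assets/` and `.map` rules sit behind the same incomplete check. Rejecting any segment equal to `..` would close this, for example `|| List.mem ".." (String.split_on_char '/' rel)`. The two new tests are also byte-exact, so a differently cased suffix such as `.MAP` on a case-insensitive filesystem would not match, nor would a percent-encoded form if `url_path` is decoded only after this point (not visible in the hunk); testing a decoded `String.lowercase_ascii rel` is safer. `serve_static_file` starts above the hunk and continues below it.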