🔥 Removed serving files w/o extension from themes

ref https://linear.app/ghost/issue/PROD-2214/return-404-from-frontends-assets-folder
ref https://linear.app/ghost/issue/PROD-2322/improve-theme-static-asset-handling

- If the path of a request doesn't have an extension, it's probably not a file
- If there's no extension, skip the static theme middleware as that is for serving files
- This change allows us to add fallthrough to theme assets, helping us to render
  404s properly
- However, this change also has the side effect of meaning any file that doesn't
  have an extension won't get served from the theme by Ghost anymore

Author: ErisDS

ghost/core/core/frontend/web/middleware/static-theme.js

@@ -69,6 +69,10 @@ function forwardToExpressStatic(req, res, next) {
 
 function staticTheme() {
     return function denyStatic(req, res, next) {
+        if (!path.extname(req.path)) {
+            return next();
+        }
+
         if (!isAllowedFile(req.path.toLowerCase()) && isDeniedFile(req.path.toLowerCase())) {
             return next();
         }

ghost/core/test/legacy/site/frontend.test.js

@@ -101,8 +101,8 @@ describe('Frontend Routing', function () {
             });
 
             it('Single post should sanitize double slashes when redirecting uppercase', function (done) {
-                request.get('///Google.com/')
-                    .expect('Location', '/google.com/')
+                request.get('///Google/')
+                    .expect('Location', '/google/')
                     .expect('Cache-Control', testUtils.cacheRules.year)
                     .expect(301)
                     .end(doEnd(done));

ghost/core/test/unit/frontend/web/middleware/static-theme.test.js

@@ -13,13 +13,17 @@ describe('staticTheme', function () {
 
     beforeEach(function () {
         req = {};
-        res = {};
+        res = {
+            setHeader: sinon.stub()
+        };
 
         activeThemeStub = sinon.stub(themeEngine, 'getActive').returns({
             path: 'my/fake/path'
         });
 
-        expressStaticStub = sinon.spy(express, 'static');
+        expressStaticStub = sinon.stub(express, 'static').returns(function (_req, _res, _next) {
+            _next();
+        });
     });
 
     afterEach(function () {
@@ -225,4 +229,101 @@ describe('staticTheme', function () {
             done();
         });
     });
+
+    describe('paths without file extensions', function () {
+        it('should skip for root path /', function (done) {
+            req.path = '/';
+
+            staticTheme()(req, res, function next() {
+                activeThemeStub.called.should.be.false();
+                expressStaticStub.called.should.be.false();
+
+                done();
+            });
+        });
+
+        it('should skip for /about/', function (done) {
+            req.path = '/about/';
+
+            staticTheme()(req, res, function next() {
+                activeThemeStub.called.should.be.false();
+                expressStaticStub.called.should.be.false();
+
+                done();
+            });
+        });
+
+        it('should skip for /blog/my-post/', function (done) {
+            req.path = '/blog/my-post/';
+
+            staticTheme()(req, res, function next() {
+                activeThemeStub.called.should.be.false();
+                expressStaticStub.called.should.be.false();
+
+                done();
+            });
+        });
+
+        it('should skip for path without trailing slash /contact', function (done) {
+            req.path = '/contact';
+
+            staticTheme()(req, res, function next() {
+                activeThemeStub.called.should.be.false();
+                expressStaticStub.called.should.be.false();
+
+                done();
+            });
+        });
+
+        it('should NOT skip for file with extension without trailing slash', function (done) {
+            req.path = '/somefile.txt';
+
+            staticTheme()(req, res, function next() {
+                // Specifically gets called twice
+                activeThemeStub.calledTwice.should.be.true();
+                expressStaticStub.called.should.be.true();
+
+                // Check that express static gets called with the theme path + maxAge
+                should.exist(expressStaticStub.firstCall.args);
+                expressStaticStub.firstCall.args[0].should.eql('my/fake/path');
+                expressStaticStub.firstCall.args[1].should.be.an.Object().with.property('maxAge');
+
+                done();
+            });
+        });
+
+        it('should NOT skip for file with extension with trailing slash', function (done) {
+            req.path = '/somefile.txt/';
+
+            staticTheme()(req, res, function next() {
+                // Specifically gets called twice
+                activeThemeStub.calledTwice.should.be.true();
+                expressStaticStub.called.should.be.true();
+
+                // Check that express static gets called with the theme path + maxAge
+                should.exist(expressStaticStub.firstCall.args);
+                expressStaticStub.firstCall.args[0].should.eql('my/fake/path');
+                expressStaticStub.firstCall.args[1].should.be.an.Object().with.property('maxAge');
+
+                done();
+            });
+        });
+
+        it('should NOT skip for deeply nested file with extension', function (done) {
+            req.path = '/deep/nested/path/file.css';
+
+            staticTheme()(req, res, function next() {
+                // Specifically gets called twice
+                activeThemeStub.calledTwice.should.be.true();
+                expressStaticStub.called.should.be.true();
+
+                // Check that express static gets called with the theme path + maxAge
+                should.exist(expressStaticStub.firstCall.args);
+                expressStaticStub.firstCall.args[0].should.eql('my/fake/path');
+                expressStaticStub.firstCall.args[1].should.be.an.Object().with.property('maxAge');
+
+                done();
+            });
+        });
+    });
 });