When .hidden is false, also hide files from a hidden directory

[yf-hk]

See koajs/file-server#5
We should protect files in directories like /webroot/public/static/.git/config, but not /webroot/.www/public/static/index.html

[coveralls]

Coverage remained the same at 95.0% when pulling 0ad4919 on andyhu:fix-hidden into e86357b on koajs:master.

[yf-hk]

It's weird that even I don't touch anything with the original git clone of this repo, I still get a lot of errors in the test.

[coveralls]

Coverage remained the same at 95.0% when pulling 4585109 on andyhu:fix-hidden into e86357b on koajs:master.

[haoxins]

@andyhu it seems that the gzip.json.gz is wrong.

[haoxins]

@andyhu rebase with master, and it should be OK.

[yf-hk]

will try to fix it

[yf-hk]

Now it should be ok, all the tests are passed

[haoxins]

@andyhu you check path before normalize, so /./ will treated as is hidden.

I'd rather this
https://github.com/pillarjs/send/blob/master/index.js#L736-L744

wait @jonathanong 's decision

[jonathanong]

i like this method better simply because it's easier to understand.

[yf-hk]

OK, I agree with that. Using regex is actually more verbose since I have to explain it in the comment..

[yf-hk]

@coderhaoxin I see what you mean, will modify the code to address it
The reason why I put the check before normalize is that if the user put the webroot to let's say /home/.www/public, then all of static files will be hidden. But as you pointed out, it's not correct. (I've fixed that in the commit below)

[coveralls]

Coverage remained the same at 95.0% when pulling c39a7f1 on andyhu:fix-hidden into 3e9bc12 on koajs:master.

[coveralls]

Coverage increased (+0.08%) to 95.08% when pulling d2c3c46 on andyhu:fix-hidden into 3e9bc12 on koajs:master.

[jonathanong]

i was looking to use https://github.com/pillarjs/resolve-path for this module, but ran into issues. ideally, this would be solved by resolve-path and this module would simply require it.

[jonathanong]

actually no... this isn't a security issue...

[yf-hk]

Yes it's probably not a security issue, the end user has some responsibility to take care of their public directories. So for this specific issue, do you suggest to raise an issue or PR on resolve-path? I'm building a framework based on a bunch of koa-* modules and used this module to serve static files, so I hope it will be rock solid and configurable to the end user.

[jonathanong]

it makes sense for it to be covered by .hidden.

i just merged your other PR so you're going to need to rebase this PR!

[jonathanong]

btw you should be using git rebase more!

[yf-hk]

Thanks! It's a shame that I never read git doc carefully

[jonathanong]

will you be rebasing soon?

[yf-hk]

Sorry, not sure why it's automatically closed after rebase, but I will open a new PR soon