site/worker.js: allow year-month archive index pages

The hardening commit f2939e7 introduced a path allowlist but
forgot to allow the YYYY/MM/index.html archive pages generated
by rss._generate_month_pages. Existing pages on R2 became
invisible: every monthly archive URL returned 404 even though
the underlying object was present.

Add a regex match for the year-month archive pattern and
rewrite bare directory URLs (/2026/04/) to their index.html
since the publish-site only uploads at the explicit key.

The pattern is tight: only [0-9]{4}/[0-9]{2}/(index.html)?
matches. Single-digit months, nested paths, and arbitrary
files under year-month directories are still rejected.

Add tests covering both the index.html and bare directory
forms, plus negative cases for malformed paths.

Generated-by: Claude AI
Signed-off-by: Luis Chamberlain <mcgrof@kernel.org>

Author: mcgrof

site/worker.js

@@ -46,6 +46,11 @@ const DENIED_PREFIXES = [
   'manifest.json',
 ];
 
+// Year-month archive pages: YYYY/MM/index.html (e.g. 2026/04/index.html)
+// Generated by rss._generate_month_pages and uploaded by gen-podcast
+// publish-site. Allowed only as exact index.html or bare directory.
+const ARCHIVE_MONTH_RE = /^[0-9]{4}\/[0-9]{2}\/(index\.html)?$/;
+
 function isAllowedPath(key) {
   // Deny-first: block sensitive prefixes
   for (const denied of DENIED_PREFIXES) {
@@ -60,6 +65,9 @@ function isAllowedPath(key) {
     if (key.startsWith(prefix)) return true;
   }
 
+  // Year-month archive pages
+  if (ARCHIVE_MONTH_RE.test(key)) return true;
+
   return false;
 }
 
@@ -96,6 +104,13 @@ export default {
       return new Response('Not found', { status: 404 });
     }
 
+    // Rewrite bare year-month directory URLs to their index.html.
+    // /2026/04/ -> 2026/04/index.html. The publish-site only uploads
+    // archive pages at the explicit index.html key.
+    if (/^[0-9]{4}\/[0-9]{2}\/$/.test(key)) {
+      key = key + 'index.html';
+    }
+
     // Support Range requests for audio seeking
     const rangeHeader = request.headers.get('Range');
     let object;

site/worker.test.js

@@ -234,3 +234,40 @@ test('missing objects return 404 even if path is allowed', async () => {
   const resp = await worker.fetch(req, env);
   assert.equal(resp.status, 404);
 });
+
+
+test('year-month archive index.html is served', async () => {
+  const env = makeEnv({
+    '2026/04/index.html': '<html>April 2026 archive</html>',
+  });
+  const req = makeRequest('/2026/04/index.html');
+  const resp = await worker.fetch(req, env);
+  assert.equal(resp.status, 200);
+  const body = await resp.text();
+  assert.ok(body.includes('April 2026 archive'));
+});
+
+
+test('year-month archive bare directory rewrites to index.html', async () => {
+  const env = makeEnv({
+    '2026/04/index.html': '<html>April 2026 archive</html>',
+  });
+  const req = makeRequest('/2026/04/');
+  const resp = await worker.fetch(req, env);
+  assert.equal(resp.status, 200);
+  const body = await resp.text();
+  assert.ok(body.includes('April 2026 archive'));
+});
+
+
+test('isAllowedPath accepts year-month archive paths', () => {
+  assert.ok(isAllowedPath('2026/04/index.html'));
+  assert.ok(isAllowedPath('2025/12/index.html'));
+  assert.ok(isAllowedPath('2026/04/'));
+  // Reject malformed year-month paths
+  assert.ok(!isAllowedPath('2026/4/index.html'));        // single-digit month
+  assert.ok(!isAllowedPath('2026/04/something.html'));    // non-index file
+  assert.ok(!isAllowedPath('2026/04/secrets.json'));      // non-index file
+  assert.ok(!isAllowedPath('20266/04/index.html'));       // 5-digit year
+  assert.ok(!isAllowedPath('2026/04/sub/index.html'));    // nested
+});