| author | mrw1593 <botahamec@outlook.com> | 2023-06-03 09:47:46 -0400 |
|---|---|---|
| committer | mrw1593 <botahamec@outlook.com> | 2023-06-03 09:47:46 -0400 |
| commit | c47c78773aa4affbf47386ca9080604048ebeace (patch) | |
| tree | 750416da1f6a6d8d2783f8fe3e4ab095d79df101 | |
| parent | f1a64b059d430cd2e334e297c43ae8053104ab05 (diff) | |
Fixed security bugs with reading files
| -rw-r--r-- | Cargo.lock | 7 | ||||
| -rw-r--r-- | Cargo.toml | 1 | ||||
| -rw-r--r-- | src/resources/scripts.rs | 5 | ||||
| -rw-r--r-- | src/resources/style.rs | 5 |
4 files changed, 14 insertions, 4 deletions
@@ -1326,6 +1326,12 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "9f746c4065a8fa3fe23974dd82f15431cc8d40779821001404d10d2e79ca7d79"
 [[package]]
+name = "path-clean"
+version = "1.0.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "17359afc20d7ab31fdb42bb844c8b3bb1dabd7dcf7e68428492da7f16966fcef"
+
+[[package]]
 name = "pem-rfc7468"
 version = "0.3.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
@@ -1640,6 +1646,7 @@ dependencies = [
 "hex",
 "log",
 "parking_lot 0.12.1",
+ "path-clean",
 "raise",
 "rand",
 "rust-argon2",
@@ -11,6 +11,7 @@ tera = "1"
 serde = "1"
 thiserror = "1"
 rust-argon2 = "1"
+path-clean = "1"
 uuid = { version = "1", features = [ "v4", "fast-rng", "serde" ] }
 url = { version = "2", features = ["serde"] }
 raise = "2"
diff --git a/src/resources/scripts.rs b/src/resources/scripts.rs
index 3e2d869..1b27859 100644
--- a/src/resources/scripts.rs
+++ b/src/resources/scripts.rs
@@ -1,7 +1,8 @@
-use std::path::{Path, PathBuf};
+use std::path::Path;
 use actix_web::{get, http::StatusCode, web, HttpResponse, ResponseError};
 use exun::{Expect, ResultErrorExt};
+use path_clean::clean;
 use raise::yeet;
 use serde::Serialize;
 use thiserror::Error;
@@ -21,7 +22,7 @@ impl ResponseError for LoadScriptError {
 }
 fn load(script: &str) -> Result<String, Expect<LoadScriptError>> {
- let path = PathBuf::from(format!("static/scripts/{}.js", script));
+ let path = clean(format!("static/scripts/{}.js", script));
 if !path.exists() {
 yeet!(LoadScriptError::FileNotFound(path.into()).into());
 }
diff --git a/src/resources/style.rs b/src/resources/style.rs
index 2777a82..3ea56d2 100644
--- a/src/resources/style.rs
+++ b/src/resources/style.rs
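Review bot: The new `let path = clean(format!("static/scripts/{}.js", script));` line in `load` normalizes the path lexically but does not confine it to `static/scripts/`, so a `script` value such as `../../foo` still cleans to a path outside that directory (path-clean follows Go's `filepath.Clean` rules and keeps leading `..` components of a relative path); the appended `.js` suffix narrows which files are reachable but does not prevent the escape. The traversal fix the commit title describes needs an explicit containment check after cleaning, e.g. `if !path.starts_with("static/scripts") { yeet!(LoadScriptError::FileNotFound(path.into()).into()); }`, or a stricter rule that rejects any `script` containing a path separator or a `..` component before it is formatted into the path. Cleaning is also purely lexical, so a symlink under `static/scripts/` can still point elsewhere; if that directory is not fully trusted, canonicalize the result and compare it against the canonicalized base directory instead. `load` continues past the end of this hunk, so the code that actually reads the file was not visible for review.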
@@ -1,8 +1,9 @@
-use std::path::{Path, PathBuf};
+use std::path::Path;
 use actix_web::{get, http::StatusCode, web, HttpResponse, ResponseError};
 use exun::{Expect, ResultErrorExt};
 use grass::OutputStyle;
+use path_clean::clean;
 use raise::yeet;
 use serde::Serialize;
 use thiserror::Error;
@@ -37,7 +38,7 @@ impl ResponseError for LoadStyleError {
 pub fn load(stylesheet: &str) -> Result<String, Expect<LoadStyleError>> {
 let options = options();
- let path = PathBuf::from(format!("static/style/{}.scss", stylesheet));
+ let path = clean(format!("static/style/{}.scss", stylesheet));
 if !path.exists() {
 yeet!(LoadStyleError::FileNotFound(path.into()).into());
 } |
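Review bot: The same gap applies to `let path = clean(format!("static/style/{}.scss", stylesheet));` in the public `load`: `clean` collapses `.` and `..` segments but a relative result may still begin with `..`, so a `stylesheet` of `../../x` resolves to `x.scss` outside `static/style/` and only the `.scss` suffix limits what can be read. Add a containment check right after the cleaning line, `if !path.starts_with("static/style") { yeet!(LoadStyleError::FileNotFound(path.into()).into()); }`, or reject any `stylesheet` that contains a path separator or `..` before building the path, and keep the same rule in both `load` functions so the two resources cannot drift. Because the check is lexical, it does not protect against symlinks inside `static/style/`; canonicalizing both the candidate and the base directory would cover that if the directory contents are not fully trusted. The body of `load` runs past the end of this hunk.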
