prevent drive traversal in windows

2024-11-22 09:31:10 +00:00 · 2022-01-25 16:44:05 +00:00 · 2022-01-25 16:44:05 +00:00 · 1bd2076b35
commit 1bd2076b35
parent 5454699bab
1 changed files with 29 additions and 1 deletions
--- a/actix-files/src/path_buf.rs
+++ b/actix-files/src/path_buf.rs
@ -59,6 +59,8 @@ impl PathBufWrap {
                continue;
            } else if cfg!(windows) && segment.contains('\\') {
                return Err(UriSegmentError::BadChar('\\'));
+            } else if cfg!(windows) && segment.contains(':') {
+                return Err(UriSegmentError::BadChar(':'));
            } else {
                buf.push(segment)
            }
@ -66,7 +68,11 @@ impl PathBufWrap {

        // make sure we agree with stdlib parser
        for (i, component) in buf.components().enumerate() {
-            assert!(matches!(component, Component::Normal(_)));
+            assert!(
+                matches!(component, Component::Normal(_)),
+                "component `{:?}` is not normal",
+                component
+            );
            assert!(i < segment_count);
        }

@ -159,4 +165,26 @@ mod tests {
            PathBuf::from_iter(vec!["etc/passwd"])
        );
    }
+
+    #[test]
+    #[cfg_attr(windows, should_panic)]
+    fn windows_drive_traversal() {
+        // detect issues in windows that could lead to path traversal
+        // see <https://github.com/SergioBenitez/Rocket/issues/1949
+
+        assert_eq!(
+            PathBufWrap::parse_path("C:test.txt", false).unwrap().0,
+            PathBuf::from_iter(vec!["C:test.txt"])
+        );
+
+        assert_eq!(
+            PathBufWrap::parse_path("C:../whatever", false).unwrap().0,
+            PathBuf::from_iter(vec!["C:../whatever"])
+        );
+
+        assert_eq!(
+            PathBufWrap::parse_path(":test.txt", false).unwrap().0,
+            PathBuf::from_iter(vec![":test.txt"])
+        );
+    }
 }